Token endpoint in Python 3
This article presents a simple token endpoint example for creating JSON Web Tokens (JWT), implemented in Python. The tokens are used by CKEditor Cloud Services to authenticate users.
All code examples use the pyjwt, Flask and Flask-Cors libraries.
If you are using Python Package Index, you can run the following command in a terminal:
python3 -m pip install flask flask_cors pyjwt
When creating a token endpoint to integrate with Collaboration, the token payload should contain the environment ID and user data.
import jwt
from time import time
from flask import Flask
from flask_cors import CORS

# Sample values: replace with the keys issued for your environment.
accessKey = 'w1lnWEN63FPKxBNmxHN7WpfW2IoYVYca5moqIUKfWesL1Ykwv34iR5xwfWLy'
environmentId = 'LJRQ1bju55p6a47RwadH'

app = Flask(__name__)
CORS(app)

@app.route('/')
def main():
    timestamp = int(time())

    payload = {
        'aud': environmentId,   # environment ID
        'iat': timestamp,       # issued-at time, in seconds
        'sub': 'user-123',      # user ID
        'user': {
            'email': 'joe.doe@example.com',
            'name': 'Joe Doe'
        },
        'auth': {
            'collaboration': {
                '*': {
                    'role': 'writer'
                }
            }
        }
    }

    # Name the signing algorithm explicitly instead of relying on the default.
    return jwt.encode(payload, accessKey, algorithm='HS256')

if __name__ == '__main__':
    app.run(port=8080)
accessKey and environmentId should be replaced with the keys provided by the Customer Portal for SaaS or by the Management Panel for the On-Premises application. User data can be taken from the session or the database.
You should then pass the token to the client, for example by sending a plain string or by rendering a page that will contain this token. If the user is unauthenticated, the token endpoint should return an error or redirect to the login page. Also, you should make sure that the token is sent via an encrypted channel.
The token endpoint for Easy Image and the Export to Word/PDF features does not require adding user data. You can therefore skip the user and auth properties in the token payload.
Tokens for PDF Converter and DOCX Converter On-Premises do not require any additional claims, so you can create the token with an empty payload.
In this implementation, accessKey has been replaced by SECRET_KEY, a variable set during the Import and Export to Word/Export to PDF On-Premises instance installation.
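import jwt
from time import time
from flask import Flask
from flask_cors import CORS

# Sample value: replace with the SECRET_KEY of your instance.
secretKey = 'w1lnWEN63FPKxBNmxHN7WpfW2IoYVYca5moqIUKfWesL1Ykwv34iR5xwfWLy'

app = Flask(__name__)
CORS(app)

@app.route('/')
def main():
    timestamp = int(time())

    # No user or auth claims are needed here, only the issued-at time.
    payload = {
        'iat': timestamp
    }

    # Name the signing algorithm explicitly instead of relying on the default.
    return jwt.encode(payload, secretKey, algorithm='HS256')

if __name__ == '__main__':
    app.run(port=8080)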
If you create your own token endpoint, do not forget to authenticate the user before you send the token.
Start the server by running:
python index.py
Now you can get the token with a simple request:
http://localhost:8080/
The response should be in a plain text format.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJMSlJRMWJqdTU1cDZhNDdSd2FkSCIsImlhdCI6MTY0ODgwNzY2Miwic3ViIjoidXNlci0xMjMiLCJ1c2VyIjp7ImVtYWlsIjoiam9lLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2UgRG9lIn0sImF1dGgiOnsiY29sbGFib3JhdGlvbiI6eyIqIjp7InJvbGUiOiJ3cml0ZXIifX19fQ.QZLzRz9SF8JP2zK9vENewmD75Og6z1a83fDt5SXuLF4
For debugging purposes jwt.io can be used.
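To check the endpoint's output locally, without pasting a token signed with a real key into a website, the following added example (not part of the original article or of CKEditor's code) verifies an HS256 token's signature, aud and iat using only the standard library. The function names, the constructed key and environment ID, and the 60-second clock-skew allowance are assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(part + '=' * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()

def _mac(key, signing_input):
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(payload, key):
    """Build an HS256 token; used here only to construct sample input."""
    parts = [_b64url_encode(json.dumps(p, separators=(',', ':')).encode())
             for p in ({'typ': 'JWT', 'alg': 'HS256'}, payload)]
    signing_input = '.'.join(parts)
    return signing_input + '.' + _b64url_encode(_mac(key, signing_input))

def check_token(token, key, environment_id, skew=60, now=None):
    """Return the payload of a valid token, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split('.')
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError('malformed token') from exc
    # Pin the algorithm: never let the token header choose it.
    if not isinstance(header, dict) or header.get('alg') != 'HS256':
        raise ValueError('unexpected algorithm')
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(signature, _mac(key, header_b64 + '.' + payload_b64)):
        raise ValueError('bad signature')
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get('aud') != environment_id:
        raise ValueError('aud does not match the environment ID')
    now = int(time.time()) if now is None else now
    iat = payload.get('iat')
    if not isinstance(iat, int) or iat > now + skew:  # skew is an assumed allowance
        raise ValueError('iat missing or in the future')
    return payload

if __name__ == '__main__':
    # Constructed sample values, not real credentials.
    key, env = 'constructed-access-key', 'constructed-env-id'
    token = sign_hs256({'aud': env, 'iat': int(time.time()), 'sub': 'user-123'}, key)
    print(check_token(token, key, env))
```

With PyJWT installed, jwt.decode(token, key, algorithms=['HS256'], audience=environment_id) performs the equivalent signature and audience checks.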