Reputation: 139
I'm using the following code to test out Flask JWT.
from flask import Flask, jsonify, request
from flask_jwt_extended import (
    JWTManager, jwt_required, create_access_token,
    get_jwt_identity
)

app = Flask(__name__)

# Setup the Flask-JWT-Extended extension
app.config['JWT_SECRET_KEY'] = 'super-secret'  # Change this!
jwt = JWTManager(app)


# Provide a method to create access tokens. The create_access_token()
# function is used to actually generate the token, and you can return
# it to the caller however you choose.
@app.route('/login', methods=['POST'])
def login():
    if not request.is_json:
        return jsonify({"msg": "Missing JSON in request"}), 400

    username = request.json.get('username', None)
    password = request.json.get('password', None)
    if not username:
        return jsonify({"msg": "Missing username parameter"}), 400
    if not password:
        return jsonify({"msg": "Missing password parameter"}), 400

    if username != 'test' or password != 'test':
        return jsonify({"msg": "Bad username or password"}), 401

    # Identity can be any data that is json serializable
    access_token = create_access_token(identity=username)
    return jsonify(access_token=access_token), 200


# Protect a view with jwt_required, which requires a valid access token
# in the request to access.
@app.route('/protected', methods=['GET'])
@jwt_required
def protected():
    # Access the identity of the current user with get_jwt_identity
    current_user = get_jwt_identity()
    return jsonify(logged_in_as=current_user), 200


if __name__ == '__main__':
    app.run()
By using POSTMAN, I am able to get the following access_token
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTg0MTcsIm5iZiI6MTU4OTExODQxNywianRpIjoiNDEwNzFlZjItZTE3OC00YzhkLThjN2ItNWIwN2MxNGNkYzI2IiwiZXhwIjoxNTg5MTE5MzE3LCJpZGVudGl0eSI6InRlc3QiLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.A1C1vMXnXt4IWO8j4H4LH6caxCqBg19lOEoVHhYnIyU"
}
But when I want to access the /protected page using GET with the Header
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTg0MTcsIm5iZiI6MTU4OTExODQxNywianRpIjoiNDEwNzFlZjItZTE3OC00YzhkLThjN2ItNWIwN2MxNGNkYzI2IiwiZXhwIjoxNTg5MTE5MzE3LCJpZGVudGl0eSI6InRlc3QiLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.A1C1vMXnXt4IWO8j4H4LH6caxCqBg19lOEoVHhYnIyU
I get this error in POSTMAN. Any recommendation on how to fix the issue will be very much appreciated.
{
"msg": "Bad Authorization header. Expected value 'Bearer <JWT>'"
}
Upvotes: 2
Views: 5455
Reputation: 614
I was getting the same error while making an API call from an Angular app:
where Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1 ......
Here is another approach to add the auth token:
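import { Injectable, Injector } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';
// AuthService is the application's own service; import it from its own module path.

@Injectable()
export class TokenInterceptorService implements HttpInterceptor {
  constructor(private injector: Injector) { }

  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    // Resolve the service lazily through the injector
    let authService = this.injector.get(AuthService);
    // Requests are immutable, so clone the request with the Authorization header set
    let tokenizeReq = req.clone({
      setHeaders: {
        Authorization: `Bearer ${authService.getAccessToken()}`
      }
    });
    return next.handle(tokenizeReq);
  }
}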
where authService.getAccessToken will return the token. This will add the token to HTTP calls.
Don't forget to add the interceptor in app.modules:
providers: [{
  provide: HTTP_INTERCEPTORS,
  useClass: TokenInterceptorService,
  multi: true
}]
Upvotes: 0
Reputation: 139
Found the answer. Been having the problem for a few days. The solution is that in POSTMAN, you don't add the
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODkxMTg0MTcsIm5iZiI6MTU4OTExODQxNywianRpIjoiNDEwNzFlZjItZTE3OC00YzhkLThjN2ItNWIwN2MxNGNkYzI2IiwiZXhwIjoxNTg5MTE5MzE3LCJpZGVudGl0eSI6InRlc3QiLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MifQ.A1C1vMXnXt4IWO8j4H4LH6caxCqBg19lOEoVHhYnIyU
into the header. You need to go into the Authorization tab in POSTMAN, select Bearer, and enter the token in the field. This is how to add the token as a bearer token. This will resolve the problem. Thanks.
Upvotes: 6
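A small checker for the value of the Authorization header, added here as an example and not part of any post above: it tests a value against the `Bearer <JWT>` shape named in the error message and reports what is malformed. The `diagnose` helper, its exact-case match on the scheme, and the sample token are assumptions constructed for illustration; the signature is not verified.

```python
import base64
import json
import re

JWT_SHAPE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into Python data."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(value, scheme="Bearer"):
    """Classify the *value* of an Authorization header (hypothetical helper).

    Returns (ok, reason). Shape checks only: verifying the signature
    remains the server's job.
    """
    parts = value.split()
    if not parts:
        return False, "empty value"
    if parts[0].rstrip(":").lower() == "authorization":
        return False, "header name pasted into the value"
    if len(parts) == 1:
        return False, "expected two parts: scheme and token"
    if parts[0] != scheme:  # exact-case comparison is an assumption
        return False, f"scheme is {parts[0]!r}, expected {scheme!r}"
    if len(parts) != 2:
        return False, "more than one token after the scheme"
    token = parts[1]
    if not JWT_SHAPE.fullmatch(token):
        return False, "token is not three base64url segments"
    try:
        header, claims = (_b64url_json(s) for s in token.split(".")[:2])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "token header or payload is not base64url JSON"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "token header or payload is not a JSON object"
    return True, f"alg={header.get('alg')} claims={sorted(claims)}"

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token; "c2ln" is a placeholder, not a real signature.
SAMPLE = ".".join([_seg({"typ": "JWT", "alg": "HS256"}),
                   _seg({"identity": "test", "type": "access"}), "c2ln"])

if __name__ == "__main__":
    for v in ("Bearer " + SAMPLE, "Authorization: Bearer " + SAMPLE, SAMPLE):
        print(diagnose(v))
```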