+You will need a JWK public key set and the token issuer to verify the signature and source of the received JWS token.
+All the latest public Logto Authorization Configurations can be found at {appendPath(props.endpoint, '/oidc/.well-known/openid-configuration')}
.
+
+e.g. You can locate the following two fields in the response body if you request the above endpoint.
+
+
+{`{
+ "issuer": "${appendPath(props.endpoint, '/oidc')}",
+ "jwks_uri": "${appendPath(props.endpoint, '/oidc/jwks')}"
+}`}
+
+
+
+### Create the authorization validation decorator
+
+
+
+{`"""requires-auth.py
+"""
+
+import json
+from flask import request, _request_ctx_stack
+from six.moves.urllib.request import urlopen
+from functools import wraps
+from jose import jwt
+
+def requires_auth(f):
+ @wraps(f)
+ def decorated(*args, **kwargs):
+ token = get_token_auth_header()
+
+ # jwks_uri endpoint retrieved from Logto
+ jwks_uri = urlopen('${appendPath(props.endpoint, '/oidc/jwks')}')
+
+ # issuer retrieved from Logto
+ issuer = '${appendPath(props.endpoint, '/oidc')}'
+
+ jwks = json.loads(jwks_uri.read())
+
+ try:
+ payload = jwt.decode(
+ token,
+ jwks,
+ # The jwt encode algorithm retrieved along with jwks. ES384 by default
+ algorithms=jwt.get_unverified_header(token).get('alg'),
+ # The API's registered resource indicator in Logto
+ audience='${props.audience}',
+ issuer=issuer,
+ options={
+ 'verify_at_hash': False
+ }
+ )
+ except Exception:
+ # exception handler
+ raise Error({code: 'invalid_token', status: 401})
+
+ # Custom code to process payload
+ _request_ctx_stack.top.user_id = payload.get('sub')
+
+ return f(*args, **kwargs)
+ return decorated`}
+
+
+
+
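Review bot: In the `jwt.decode` call of `requires_auth`, `algorithms=jwt.get_unverified_header(token).get('alg')` takes the allowed algorithm from the still-unverified token header, so the allowlist no longer constrains anything, and a header without `alg` passes `None`. Pin it on the server side instead, e.g. `algorithms=['ES384'],`, matching the default that the comment above it names. The `except` branch is JavaScript-shaped: `raise Error({code: 'invalid_token', status: 401})` uses `Error`, `code` and `status`, none of which this listing defines, so a rejected token would presumably surface as a `NameError` rather than a 401. Flask's `abort(401)` or a small `AuthError` exception class would make the rejection explicit. The JWKS is also fetched with `urlopen` on every request and without a `timeout=`, so caching the key set would keep the identity provider's latency and outages out of the request path. The hunk begins before the lines shown here, so `get_token_auth_header` may be defined earlier in the guide.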