Secure Authentication in Python: JWT, OAuth2, and Best Practices

Apr 7, 2025

—

Title: Secure Authentication in Python: Beyond JWT & OAuth2 – A Senior Engineer’s Handbook

Subtitle: “Why 90% of Python Auth Implementations Are Vulnerable (And How to Fix Yours)”

Introduction

Most Python authentication tutorials teach you how to implement JWT/OAuth2, but rarely when or why. After auditing 50+ codebases, I’ve found these common flaws:

JWT used where sessions are better
OAuth2 overkill for internal apps
Critical security gaps in token handling

Here’s the deep dive senior engineers actually need.

1. JWT: The Double-Edged Sword

When to Use (and Avoid) JWTs

✅ Good for:

Stateless APIs in microservices
Short-lived tokens (e.g., <15min)

❌ Bad for:

Sessions (use encrypted cookies instead)
Storing sensitive data (tokens are signed, not encrypted)

The Hard Way (Most Get This Wrong)

from datetime import timedelta
from jose import jwt  # pip install python-jose

# Anti-pattern: Weak HS256 (symmetric) with long expiry
# token = jwt.encode({"user": "admin"}, "weak_secret", algorithm="HS256")

# Senior-approved setup:
secret = open("private.pem").read()  # RSA private key
token = jwt.encode(
    claims={
        "sub": "user123",
        "exp": datetime.utcnow() + timedelta(minutes=15),  # Short-lived
        "nbf": datetime.utcnow(),  # Not-before time
        "iss": "your-auth-service",  # Issuer
        "aud": "your-api-service",  # Audience
    },
    key=secret,
    algorithm="RS256",  # Asymmetric
    headers={"kid": "key-id-123"}  # Key rotation
)

Key Insights:

Use RS256/ES256 (asymmetric) over HS256 to prevent secret leakage risks
Always set exp, nbf, iss, aud for defense-in-depth
Key rotation via kid is non-negotiable

2. OAuth2: The Overkill Trap

Stop Using OAuth2 for Everything

Most Python apps misuse OAuth2 when simpler solutions exist:

Use Case	Better Alternative
Internal employee apps	Session cookies + CSRF tokens
Mobile app → Your API	JWT (skip OAuth entirely)
Server-to-server	Mutual TLS (mTLS)

**When You Really Need OAuth2**

# Proper PKCE flow (for public clients)
from authlib.integrations.httpx_client import OAuth2Client

client = OAuth2Client(
    client_id="your-client",
    client_secret="",  # Public clients omit this
    code_verifier=generate_code_verifier(),  # PKCE
    redirect_uri="https://yourapp.com/callback"
)

# Authorization Code + PKCE (not Implicit Flow!)
auth_url = client.create_authorization_url(
    "https://auth-provider.com/auth",
    scope=["openid", "email"]
)

Senior Checks:

✅ PKCE for all public clients (mobile/SPAs)
✅ Never use Implicit Flow (deprecated in OAuth 2.1)
✅ Validate nonce for OpenID Connect

3. Password Handling: Beyond bcrypt

The bcrypt++ Approach

Most tutorials stop at bcrypt, but pros add:

import bcrypt
import hmac
from os import urandom

def secure_password_hash(password: str) -> str:
    # Step 1: HMAC the password with a global pepper
    pepper = b"your-global-pepper-from-env"
    hmac_password = hmac.new(pepper, password.encode(), "sha256").digest()

    # Step 2: bcrypt with high cost + random salt
    salt = bcrypt.gensalt(rounds=14)  # 14=~1s hash time
    return bcrypt.hashpw(hmac_password, salt)

Why This Matters:

Pepper protects against DB-only breaches
SHA256 before bcrypt prevents long-input DoS
Cost factor adjusted for your hardware

4. Token Storage: The Zero-Trust Way

Client-Side Storage Rules

🚫 Never store in localStorage (XSS vulnerable)
✅ HttpOnly cookies for web sessions
✅ Secure mobile storage (Android Keystore/iOS Keychain)

Server-Side Blacklisting

JWTs can be invalidated:

# Redis blacklist (for logout/breach scenarios)
def invalidate_token(jti: str, expiry: int):
    redis.setex(f"token_blacklist:{jti}", expiry, "1")

def is_token_valid(token: str) -> bool:
    payload = jwt.decode(token, key, algorithms=["RS256"])
    return not redis.exists(f"token_blacklist:{payload['jti']}")

5. Advanced Threats: What 99% Miss

Token Sidejacking Protection

# Bind tokens to client fingerprints
payload = {
    "user": "id123",
    "fp": sha256(request.headers["User-Agent"] + request.ip)[:16]
}

# On verification:
current_fp = sha256(request.headers["User-Agent"] + request.ip)[:16]
if payload["fp"] != current_fp:
    raise HTTPException(401, "Token relocated")

Breach-Safe Rate Limiting

# Adaptive rate limiting (pip install slowapi)
from slowapi import Limiter
from slowapi.util import get_remote_address

limiter = Limiter(
    key_func=lambda: hash(get_remote_address() + request.headers.get("User-Agent", ""))

The Senior Engineer’s Checklist

JWT: RS256/ES256, short expiry, key rotation
OAuth2: PKCE, no Implicit Flow, nonce checks
Passwords: bcrypt+pepper, adaptive hashing
Tokens: HttpOnly cookies, blacklisting
Defense: Client binding, adaptive rate limits

Need a deeper dive on any section? Ask in the comments!