How to protect endpoints with the None Auth method?
Hello, I am new to auth systems and I am trying to protect my endpoint in Flask:
https://zitadel.com/docs/examples/secure-api/python-flask
However, I don't understand how to introspect my access token with the PKCE method, which is recommended by ZITADEL.
ZITADEL Docs: This example shows you how to secure a Python3 Flask API with both authentication and authorization using ZITADEL.
Hi @Angel, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
To protect your Flask endpoint using ZITADEL and introspect the access token (even if you use PKCE for the frontend), you need to validate the access token on your backend by calling the ZITADEL introspection endpoint. The backend Flask example uses the following approach:
- The backend receives the access token (as a Bearer token).
- It sends a POST request to the ZITADEL introspection endpoint at ${ZITADEL_DOMAIN}/oauth/v2/introspect with the access token.
- For authentication, it uses your API application's Client ID and Client Secret with HTTP Basic Auth.
- The backend checks the introspection response to see if the token is active and validates scopes/roles.
Here is the relevant code from the example:
(1)
The PKCE method is used on the frontend to obtain the token securely, but token introspection on the backend always requires the API application's credentials (Client ID/Secret) as shown above. This process works regardless of how the token was originally issued (PKCE, client credentials, etc.) (1)(2)(3).
To learn more, see the sources I considered:
[1] ZITADEL with Python
[2] OpenID Connect Endpoints in ZITADEL
[3] Frontend and Back-end API Communication in ZITADEL
Feel free to tag @Ask Inkeep with additional questions.
Glad I could be helpful. Feel free to create a new thread with any new questions you may have.
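The flow the answer above describes (Bearer token in, POST to `/oauth/v2/introspect` with the API app's Client ID and Secret over HTTP Basic, then check `active` and the granted roles), written out as an added example. This is not code from the ZITADEL docs or from anyone in the thread. The ZITADEL domain, client ID, secret, project ID and tokens are hypothetical placeholders, and the introspection endpoint is replaced by a constructed in-memory stand-in so the decision logic runs offline; the audience check against the project ID is an extra check this example adds on top of what the answer lists.

```python
"""Added example (not ZITADEL's or the thread's code): validating an access token
via ZITADEL's /oauth/v2/introspect endpoint, with the HTTP call injectable so the
decision logic can run offline. All IDs, secrets and tokens are hypothetical."""
import base64
import functools
import json
import time
import urllib.parse
import urllib.request

# ZITADEL returns granted project roles under this claim when the token was
# requested with the scope urn:zitadel:iam:org:project:roles.
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the API app. ID and secret are form-urlencoded before
    base64 (RFC 6749 section 2.3.1); this matters for ZITADEL client IDs with '@'."""
    creds = "%s:%s" % (urllib.parse.quote(client_id, safe=""),
                       urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def extract_bearer_token(authorization_header):
    """Token from 'Authorization: Bearer <token>' (scheme case-insensitive) or None."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def urllib_post(url, headers, body):
    """Default transport: one POST, returns (status, raw response body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


class Introspector:
    """Calls ${ZITADEL_DOMAIN}/oauth/v2/introspect with the API app's credentials."""

    def __init__(self, domain, client_id, client_secret, http_post=urllib_post):
        self.url = domain.rstrip("/") + "/oauth/v2/introspect"
        self.auth = basic_auth_header(client_id, client_secret)
        self.http_post = http_post

    def introspect(self, token):
        headers = {"Authorization": self.auth, "Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"token": token}).encode("ascii")
        status, raw = self.http_post(self.url, headers, body)
        if status != 200:  # transport or credential failure: fail closed
            return {"active": False}
        return json.loads(raw)


def authorize(claims, expected_audience, required_roles=(), now=None):
    """Decide from an introspection response; returns (ok, reason)."""
    if not claims.get("active"):
        return False, "token inactive"
    exp = claims.get("exp")
    if exp is not None and (now if now is not None else time.time()) >= exp:
        return False, "token expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:  # not issued for this API's project
        return False, "audience mismatch"
    granted = set((claims.get(ROLES_CLAIM) or {}).keys())
    missing = sorted(set(required_roles) - granted)
    if missing:
        return False, "missing roles: " + ", ".join(missing)
    return True, "ok"


def create_app(introspector, expected_audience):
    """Flask wiring; Flask is imported here so the logic above has no dependency on it."""
    from flask import Flask, jsonify, request
    app = Flask(__name__)

    def require_roles(*roles):
        def decorator(view):
            @functools.wraps(view)
            def wrapper(*args, **kwargs):
                token = extract_bearer_token(request.headers.get("Authorization"))
                if token is None:
                    return jsonify(error="missing bearer token"), 401
                ok, reason = authorize(introspector.introspect(token), expected_audience, roles)
                if not ok:  # bad token -> 401, valid token without the role -> 403
                    return jsonify(error=reason), (403 if reason.startswith("missing") else 401)
                return view(*args, **kwargs)
            return wrapper
        return decorator

    @app.get("/api/tasks")
    @require_roles("admin")
    def tasks():
        return jsonify(tasks=["rotate the API client secret"])
    return app


# Constructed stand-in for the introspection endpoint (hypothetical IDs).
FAKE_RESPONSES = {
    "tok-admin": {"active": True, "aud": ["250000000000000001", "250000000000000002@demo"],
                  "exp": 4102444800, ROLES_CLAIM: {"admin": {"250000000000000003": "demo.example.com"}}},
    "tok-user": {"active": True, "aud": ["250000000000000001"], "exp": 4102444800,
                 ROLES_CLAIM: {"user": {"250000000000000003": "demo.example.com"}}},
    "tok-expired": {"active": True, "aud": ["250000000000000001"], "exp": 1000000000},
    "tok-wrong-aud": {"active": True, "aud": ["250000000000000009"], "exp": 4102444800,
                      ROLES_CLAIM: {"admin": {}}},
    "tok-revoked": {"active": False},
}


def fake_post(url, headers, body):
    """Answers like the endpoint would, after checking Basic auth was sent."""
    assert headers["Authorization"].startswith("Basic ")
    token = urllib.parse.parse_qs(body.decode("ascii")).get("token", [""])[0]
    return 200, json.dumps(FAKE_RESPONSES.get(token, {"active": False})).encode("ascii")


def demo(expected_audience="250000000000000001"):
    intro = Introspector("https://example-abc123.zitadel.cloud", "250000000000000002@demo",
                         "hypothetical-secret", http_post=fake_post)
    return {tok: authorize(intro.introspect(tok), expected_audience, ("admin",))
            for tok in ("tok-admin", "tok-user", "tok-expired", "tok-wrong-aud", "tok-revoked")}


if __name__ == "__main__":
    for tok, result in demo().items():
        print(tok, result)
```

In production, `create_app(Introspector(ZITADEL_DOMAIN, API_CLIENT_ID, API_CLIENT_SECRET), PROJECT_ID)` uses the real `urllib_post` transport. The credentials are those of a separate application of type API in the same project, not the frontend app with auth method None: a PKCE frontend has no secret by design, so the backend must have its own. Introspecting on every request costs a round trip to ZITADEL; cache the result for at most the token's remaining lifetime if that becomes a problem.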