Allow passing in an audience to verify_signature.

Is it possible to use the JWT signature check to get the userId, but without User model and without checking if the user exists in our DB?

Thanks!

When adding

url(r'^api-token-auth/', 'rest_framework_jwt.views.obtain_jwt_token'),

to my urls, as specified in the doc, I get

File "/xxx/local/lib/python2.7/site-packages/rest_framework_jwt/views.py" in

1. from .serializers import JSONWebTokenSerializer
   File "/xxx/local/lib/python2.7/site-packages/rest_framework_jwt/serializers.py" in
2. class JSONWebTokenSerializer(serializers.Serializer):
   File "/xxx/local/lib/python2.7/site-packages/rest_framework_jwt/serializers.py" in JSONWebTokenSerializer

3. password = serializers.CharField(write_only=True)
   

   File "/xxx/local/lib/python2.7/site-packages/rest_framework/fields.py" in init

4.     super(CharField, self).**init**(_args, *_kwargs)
   

   Exception Type: TypeError at /
   Exception Value: init() got an unexpected keyword argument 'write_only'

Maybe I've missed something, but shouldn't there be a possibility to encrypt or hash the password on the client side before sending it to the REST endpoint? When you don't have a TLS encrypted connection this could add some security.
Of course you would then have to compare the encrypted password directly with the one from the django database.

The current implementation relies on the one Django user model. I'd like to issue multiple types of token for multiple entity types that are not users. I could go in and subclass JSONWebTokenAuthentication and RefreshJSONWebTokenSerializer for each type, but I just want to make a suggestion to reduce those necessary customization points. Thanks.

cookiecutter-django-rest-framework has the right setup for docs.

If a client tries to POST to the obtain_jwt_token endpoint to get a new token but passes in auth HTTP headers from an expired token, it returns 401 ({"detail": "Signature has expired."}).

I guess you could make sure the client doesn't send auth headers but it seems kind of silly to be checking auth to begin with for the endpoint intended to give you a new token. That said, I think the same problem exists on the token endpoint that comes with Django Rest Framework.

This isn't really the right point to ask this, I guess, but I can't figure out where to ask elsewhere. So, sorry if this is slightly OT.

I am wondering how I would use the django-rest-framework-jwt when using it for several APIs? Problem description:

• api1 holds user db, JWT auth endpoint, and some other API calls
• api2 holds a different API but no user db (except what's needed for authorization)
• clients untrusted, ie browser apps such as angular-based

Authenticating clients against api1 and using resources of it using the REST framework is pretty straightforward. Now, if api2 comes into the mix, I am a bit at a loss. Ideally, unauthenticated clients accessing api2 would need to obtain an access token at api1 and present this to api2. But how would api2 then verify this token? And how would redirection work?

I am a bit at a loss. Is that even possible with the current form of django-rest-framework-jwt (or JWT in general)? Is there some working example I could check out?

I noticed that in the package fetched from pypi, you included jwt.py taken from an old version of pyjwt (without the try/except block around the import of Crypto)

So i wondered why this integration of a fixed version, instead of relying on the pyjwt package ?

Hi all,

I'd like to add the support for jti claim to the package. The idea basically would be to store a list of expired jti's somewhere on the server side, and allow to blacklist specific tokens.

The way I'm thinking about the implementation is:

• Use pymongo to store the blacklist (rather than a django specific mongo package, makes our solution portable to vanilla python or other frameworks)
• Generate a long enough jti claim that will have negligible probability of being produced twice before the first one expired (string of 20 random ascii_letters and digits maybe?)
• Store the jti and the entire payload in mongodb, this will help us clean up the collection when a JWT is past the expiry date (so we don't grow the collection ad infinitum)
• Add a flag in api_settings.JWT_ENABLE_BLACKLIST, if True we add the jti claim to the payload in jwt_payload_handler()
• Check against the mongodb collection everytime we decode a JWT (if JWT_ENABLE_BLACKLIST is True) and if the jti is blacklisted treat it as if the JWT is expired

I have made an initial commit to a fork of the package, with my suggestion on how to implement this, you can find it here: https://github.com/avimeir/django-rest-framework-jwt/commits/master

Happy to discuss this!

Cheers,
Avi

Would it be a good idea to add a RevokeJSONWebToken? For instance, a user is logging out of the session?

Discussed here: https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/

Allow passing in an issuer to verify_signature.

Even though there is no user with username "0" in the system.

I'm not sure if this is an issue or just because of the implementation, but I was using middleware to log user_id against records being edited, and I couldn't get request.user at the middleware level (and so of course request.user.is_authorized() returned False).

The middleware was the last one on the list, and authorization was working (I would get a 403 requesting assets without my token header). I tried putting 'rest_framework_jwt.authentication.JSONWebTokenAuthentication' at the top of DEFAULT_AUTHENTICATION_CLASSES, and also making it the only item in the tuple; neither worked.

I've managed to work around my issue by accessing the header and using the tools directly in the app to retrieve the user; essentially I copied chunks of your code into my middleware, but I thought you should know :)

If you're interested, here's the middleware:

from django.db.models import signals
from django.utils.functional import curry
from django.utils import timezone
from threading import local

import jwt
from rest_framework.authentication import get_authorization_header
from rest_framework_jwt.settings import api_settings
from django.conf import settings
try:
    from django.contrib.auth import get_user_model
except ImportError:  # Django < 1.5
    from django.contrib.auth.models import User
else:
    User = get_user_model()

_user = local()

class AuditMiddleware(object):
    def process_request(self, request):
        if not request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
            if hasattr(request, 'user') and request.user.is_authenticated():
                user = request.user
            else:
                user = self.get_user_from_auth_header(request)
                if user is not None:
                    request.user = user

            _user.value = user

            mark_whodid = curry(self.mark_whodid, _user.value)
            signals.pre_save.connect(mark_whodid,  dispatch_uid = (self.__class__, request,), weak = False)

    def process_response(self, request, response):
        signals.pre_save.disconnect(dispatch_uid =  (self.__class__, request,))
        return response

    def mark_whodid(self, user, sender, instance, **kwargs):
        # user logging here

    def get_user_from_auth_header(self, request):
        try:
            auth_keyword, token = get_authorization_header(request).split()
            jwt_header, claims, signature = token.split('.')

            try:
                payload = api_settings.JWT_DECODE_HANDLER(token)
                try:
                    user_id = api_settings.JWT_PAYLOAD_GET_USER_ID_HANDLER(payload)

                    if user_id:
                        user = User.objects.get(pk=user_id, is_active=True)
                        return user
                    else:
                        msg = 'Invalid payload'
                        return None
                except User.DoesNotExist:
                    msg = 'Invalid signature'
                    return None

            except jwt.ExpiredSignature:
                msg = 'Signature has expired.'
                return None
            except jwt.DecodeError:
                msg = 'Error decoding signature.'
                return None
        except ValueError:
            return None

For example, I'd like to be able to specify an override for JWT_EXPIRATION_DELTA in urls.py for the view. The reason I'd like to override is because I have multiple JWT types, each with its own view.

Thanks for this useful library. As far as I can tell, you're not using database to store the tokens. May I ask

• Where they are stored and how?
• Is there any way I can include the iat in Response?

Hi there,

Great work on django-rest-framework-jwt so far. It is a perfect fit with DRF.
I noticed that you are using JWT in your Authorization header, as in your example:

$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/

Is it the recommended way in the current JWT draft? Other server side token framework often accept Bearer instead of JWT, which I think is very common. The reason I am asking because satellizer (an oauth2 token based javascript library for angularjs) does not work with your django-rest-framework-jwt.
I suspect because of the JWT text in the Authorization header. Could you please have a look?

When I try to download the latest version using pip, I receive the following error:

Could not find a version that satisfies the requirement djangorestframework-jwt==1.3.0 (from -r requirements.txt (line 8)) (from versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 0.1.6, 1.0.0, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0)

A simple Google search gives me this question on SO.

Can you please properly package this version so I can install it using pip?

Hi,

First, I would like to say thanks for creating this project and making it publicly available - it's great!
One small suggestion though:
Please consider using user.pk Instead of user.id in utils.jwt_payload_handler since some Django projects implement a custom ID field for their User model.

Thanks!

I've been thinking about the possibility of signing each JWT with a user-specific secret key. Imagine something like:

def jwt_encode_handler(payload, user):
    return jwt.encode(
        payload,
        user.secret_key,
        api_settings.JWT_ALGORITHM
    ).decode('utf-8')

This would make a web application less vulnerable to an attack if their master JWT_SECRET_KEY were somehow leaked--user privacy would not be compromised because each user has an individual key.

Having JWTs signed on a per-user basis, would also conveniently allow a user to "log out of all sessions." (If a user's secret key is updated, then all previous JWTs issued to them are immediately made invalid.)

I wanted to see what you thought about this; the current implementation would not really adapt its self well to the above idea, but I'd be happy to come up with a more flexible implementation that might be able to accommodate per-user secrets.

Hello @jpadilla ,

I'm now having two issues from the Ember side but it may relate to backend, I'm not sure. One is when I try to navigate to any url directly such as entering e.g. http://localhost:8000/users/1/ into the browser, I get logged out immediately and it says 401 Unauthorized.

Second issue is relating to my previous issue I posted here which I had worked as of last week but seems to now break. That is my custom initializer that takes the decoded user id from the JWT token is failing at line:

https://github.com/erichonkanen/cl-frontend/blob/master/app/initializers/session.coffee#L25

It tries to GET /api/v1/users/ and it seems that it's not authenticated yet so it results in 401 Unauthorized error.

Is there a better way to do that or does that look wrong? My repo above has latest code...

PS: I took the initializer code idea from below and what you said in my last issue post:

https://github.com/simplabs/ember-simple-auth/blob/master/examples/4-authenticated-account.html#L102

Is there a method to return the authorised user when using JSONWebTokenAuthentication in DEFAULT_AUTHENTICATION_CLASSES? I'm calling a view very similar to this http://stackoverflow.com/a/20569205 but this doesn't work as request.user returns AnonymousUser.

Hi there!

I'm a bit of a Python neophyte so huge apologies if this is way more obvious than I'm making it out to be, but any suggestions how I'd override JSONWebTokenSerializer.validate() so that, instead of validating against django.contrib.auth.authenticate() here, it passes the details to a 3rd-party API and then validates based on a response from that?

(Essentially, I work at a news org with a giant non-metered paywall, and I need to pass details from the user's paywall cookie to the paywall API to validate that it's a valid cookie. I'm thinking DRFJWT will then generate a JWT that gets passed back to the user, and then every request thereafter just validates based on that, thus reducing load on the paywall API. If I'm totally out to lunch with my thinking, please let me know.)

Thanks!

Hi there, I've just upgraded to the latest Django Rest Framework, and am getting this error...

ImportError: Could not import 'rest_framework_jwt.authentication.JSONWebTokenAuthentication' for API setting 'DEFAULT_AUTHENTICATION_CLASSES'. ImportError: cannot import name smart_text.

I believe this will happen on a clean install of DRF and DRF-JWT, but if it doesn't let me know and I'll provide more details.

Hello @jpadilla,

Recently I had to implement an authenticator that received the token via query parameters. Use case is creating a download file button that hits an endpoint e.g. /api/reports/somereport?export=csv

I thought I'd paste it here to see if you would like it added to the lib, maybe others could use it?

import jwt

from rest_framework_jwt.settings import api_settings
from rest_framework_jwt.authentication import JSONWebTokenAuthentication


class QueryParameterAuthentication(JSONWebTokenAuthentication):

    def authenticate(self, request):
        """
        Parses the request's Query Parameters for a `token` and sets it
        on the authorization header for authentication.
        """
        if 'token' not in request.QUERY_PARAMS:
            return None

        token = request.QUERY_PARAMS['token']
        header = '{} {}'.format(api_settings.JWT_AUTH_HEADER_PREFIX, token)
        request.META['HTTP_AUTHORIZATION'] = header

        return super(QueryParameterAuthentication, self).authenticate(request)

Quick question: the default token payload contains the expiration time as a unix time stamp, is that correct? As in:

{"user_id": 1, "email": "[email protected]", "username": "example", "exp":1417715305}`

Btw, thanks for the lightning fast merge + release of DRF 3.0 support!

If authenticating using a recent JWT, the request fails with

{"detail": "Invalid payload"}

in case a field is empty (tested here with user account that was lacking an email address)

When using both authentication classes at the same time, only the first of them in the authentication_classes list will be checked for authenticating a user, whether successfully or raising a AuthenticationFailed exception.

The source of this conflict seems to be that both classes use the same authorization header keyword 'Bearer'.

Possible solutions I see viable, range from using a different authorization header keyword, to validating the token format to distinguish it from the OAuth2 one.

This seems to happen because the pyjwt dependency is declared as PyJWT>=0.1.8, and PyJWT has since refactored the signature of the decode method in the following commit
jpadilla/pyjwt@23d1293

from
def decode(jwt, key='', verify=True, verify_expiration=True, leeway=0)

to
def decode(jwt, key='', verify=True, **kwargs):

This causes https://github.com/GetBlimp/django-rest-framework-jwt/blob/master/rest_framework_jwt/utils.py#L48 to fail because the args are passed positionally.

TypeError: decode() takes at most 3 arguments (5 given)

I'll probably fix this later today and put in a PR, just documenting this in case other people run into it between now and then.

Hi, this app is working really well with DRF and I'm getting a token back, but when I use python-social-auth. I can't an access token for the given username and password . how do you handle that problem?
I get this instead:
{"non_field_errors": ["Unable to login with provided credentials."]}
since python-social-auth doesn't have the password and it can only get an access_token (e.g. from google-oauth2) then how can I make it work with this username/password auth that your app is providing?

What's confusing me is that in the user table; in my case account_account, I have a value for password for the user that was registered by python-social-auth.
password length is 41 for that record which is different from the default SHA256

Right now I have another service issuing jwts and I want to use these tokens for authentication on a DRF service. I am able to get django-rest-framework-jwt to validate the token and extract the user_id but then I get down to here and there is no existing User with that user_pk. Is there any way for this to work?

Presumably I would need to create a new User object on the DRF service the first time the service receives the jwt:

user, _ = User.objects.get_or_create(username=user_id, is_active=True)

Thoughts?

Is there any way to generate tokens programmatically without sending request?

For the RSASSA-PKCS1-v1_5 algorithms, the "secret" argument in jwt.encode is supposed to be a private RSA key as imported with Crypto.PublicKey.RSA.importKey. Likewise, the "secret" argument in jwt.decode is supposed to be the public RSA key imported with the same method.

1. It isn't clear what library has Crypto.PublicKey.RSA.importKey
2. Probably want to use cryptography anyways
3. pyjwt handles strings now in some cases so no special action is needed,

Hey Jose,

I just saw your message on IRC regarding jwt and including the user ID... I didn't know you also authored the ember simple auth token package which I am also using :)

I'm new to the ember side of things but have made progress using ember-cli with django. What I want to do is set the user object on the simple auth session. I have actually done this already by creating an initializer, modifying this package on the backend to include the user id with the token and then set it so I can do e.g. {{session.user.email}}

However now that I see you include it by default, Im wondering how/where can I decode that on the frontend and set it in Ember?

Here is my initializer as current:

import Ember from 'ember'
import Session from 'simple-auth/session'

# Set the current user on the session.
UserSession = Session.extend
  user: (->
    userId = @get 'id'
    if not Ember.isEmpty userId
      @container.lookup('store:main').find('user', userId)
    ).property 'id'

# Takes two parameters: container and app
initialize = (container, app) ->
  container.register 'session:usersession', UserSession

UserSessionInitializer =
  name: 'user-session'
  before: 'simple-auth'
  initialize: initialize

export default UserSessionInitializer

Any help appreciated, thanks and appreciate your work!

PS - I was thinking of maybe extending this package to allow adding arbitrary data to the JWT payload, what do you think?

Hello!
Is the file "rest_framework_jwt/test.py" should not be included for easy import "APIJWTTestCase" module?

I know this has been talked about a little, but the ability to refresh the JWT token would be a great feature. I have a Django app that communicates to the REST framework via JWT. I stick the JWT token in the apps session scope but I have no control on how to refresh the token if the use is not done and it expires. I'd rather not have to have them login again and obviously storing the user credentials defeats the purpose of using JTW.

This is a bit more of a philosophical questions: why are you encoding the username and password the way you do? Wouldn't it be more consistent to post also this data using JSON?

When trying to make a call to a restricted resource as the user with user_id 0, you get an "Invalid payload" error.

This seems to be caused by the following code in authentication.py:

        if user_id:
            user = User.objects.get(pk=user_id, is_active=True)
        else:
            msg = 'Invalid payload'
            raise exceptions.AuthenticationFailed(msg)

(if user_id evaluates to False if user_id == 0)
Not sure if this is by design or not.

I am writing a backend api using django rest-framework. I would like jwt authentication using email or username interchangeably (one or other) and password instead of using username and password.
Is there any way using your djangorestframework-jwt package?

Thanks in advance.

Xavier Monfort Faure

Hello @jpadilla,

I was having discussion with another dev and thinking about the ember jwt app and the potential to add an enhancement that allows activity based token expiration.

At a high level the frontend would authenticate as usual but begin a countdown timer after last activity of user. If the countdown got to 0 it would issue an api request to invalidate the token on the backend and log them out on the frontend.

Just wanted to see what your thoughts are on this? Is it a logical use case? I know i've seen sites (banking etc) that log you out after inactivity....

-E

Does this library support multiple tokens for a single user? Let's say, a user authenticate from Web and mobile app at the same time. Does the user get the same token?

How would a logout procedure look like? Deleting Token? If so, with single Token per user, the user is logged out of all active sessions (web & mobile) which is not desired.

The docs show keeping the existing auth mechanisms:

    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
....

but I assume that if I want to use only jwt I can remove those two? If I do remove SessionAuthentication, I assume that I can then remove django.contrib.sessions.middleware.SessionMiddleware and django.contrib.auth.middleware.SessionAuthenticationMiddleware from the MIDDLEWARE_CLASSES? (per: this note)

Might be worth tossing a note in the docs about this.

We are thinking of using this library to create an authentication microservice in a cluster of server-side applications.The current implementation is great for when your protected resources are on the same server as your JWT endpoint, but would need some alteration for if these were on separate apps.

The authentication flow I am considering is as follows: a user would log on from our client-side single page app by hitting an endpoint on the auth microservice (AuthService) that serves the obtain_jwt_token view. They would then store their JWT in-browser. If the client-side application needed to request a resource from another server-side application (ResourceService), it would pass the JWT in the header. However, the idea is that ResourceService would not have to verify the authenticity of the JWT itself - rather it would make a secondary HTTP call to AuthService to check if the JWT was valid.

This would mean setting up a second type of view on the AuthService which received a JWT and verified its authenticity. I don't think this would be difficult to do by abstracting out most of the authenticate method of the JSONWebTokenAuthentication class to give it the flexibility to be used either as a function in a view or as a REST framework authentication class.

I wondered if you think a view like this would be a useful addition to the library, or if it is outside the scope of what you are wanting to achieve?

JSONWebTokenSerializer forces to log in with username+password credentials. It is not always compatible with custom Users. Neither is the call to get_user_model() at the module level.

Falcon / Talons really needs JWT auth.

https://github.com/racker/falcon
https://github.com/talons/talons

Any chance you guys might consider porting your JWT auth solution to Talons?

The doc says: "This is the secret key used to encrypt the JWT." but it looks to me like the JWT is only ever encoded or signed. Have I misunderstood something?

Experiencing this same error described here :: http://stackoverflow.com/questions/25830491/trying-to-implement-django-authentication-through-django-rest-framework-jwt-why

This will deal with this use case #31 and make this package even more useful/flexible.

We still have to keep JWT as the default because of PR #4.