Add support for django-rest-framework-simplejwt as JWT authentication backend #430

Open
JoelGoh92 opened this issue Apr 24, 2018 · 46 comments

@JoelGoh92

JoelGoh92 commented Apr 24, 2018

According to issue #5838 on the DRF repository and a PR raised there, django-rest-framework-simplejwt provides an alternative approach over django-rest-framework-jwt, with regards to security and implementation of JWT as an authentication mechanism. Hence, I'm curious if you guys will be planning to include the simplejwt package as a supported JWT backend? Thanks

@Allan-Nava

Yes, I need to implement the viewsets.ModelViewSet with authentication_classes for a specific action, for example update or create a new instance.

Thanks in advance.
Allan

@Allan-Nava

So I don't use https://github.com/GetBlimp/django-rest-framework-jwt but I have to use django-rest-framework-simplejwt? Correct?

But is it possible for a specific action like update or create?

@Allan-Nava

@JoelGoh92 But I have the JWT thanks to a keycloak

@JoelGoh92
Author

@Allan-Nava currently for our project, we're not using the rest-auth jwt setup defined in the docs. Instead, after setting up simple-jwt with the steps in the docs, and configuring the settings, we then wrote our own JWTSocialLoginView, JWTLoginView and JWTLogoutView, which were fairly simple, and used them in the required areas.

However I still feel that it is better if these changes were to be supported and maintained by rest-auth instead.

@Allan-Nava

Allan-Nava commented May 9, 2018 via email

@JoelGoh92
Author

JoelGoh92 commented May 9, 2018

@Allan-Nava It may be possible, but I would not recommend the model viewsets though, because these defined view classes will be used in a similar way as to how the current LoginView/SocialLoginView/LogoutView provided by rest-auth are used, and we only need to override the rest-auth implementations' required methods for the JWT token response and usage flow.

The JWT views I mentioned previously are inheriting from the respective classes rest-auth provides, e.g.

class JWTSocialLoginView(SocialLoginView):
    def get_response(self):
        # override method(s) for JWT implementation
        # get JWT token via the simple-jwt package
        # return the generated token in the response
        ...

This is because such a class will be reused in a similar manner, e.g. the JWTSocialLoginView defined will be used similarly to how the SocialLoginView provided by rest-auth for OAuth apps is used, other than returning the JWT token(s) in the response

@JoelGoh92
Author

JoelGoh92 commented May 9, 2018

Rather there are a few reasons why this issue is raised:

  1. In most JWT implementations, an access token + a refresh token is returned. Otherwise the other option, if only a single token is desired, is the sliding token approach.
    With simple-jwt, the jwt can be configured to either of these implementations, whichever is required.

  2. With the current django-rest-framework-jwt supported by rest-auth, the only approach available is similar to the sliding token approach, except that it has no way to blacklist a previously generated jwt token, e.g. by logout on user end. On the other hand, simple-jwt provides a way to perform this blacklisting of invalid tokens
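
An added illustration of the two points in the comment above (not part of the thread, and not code from simple-jwt or rest-auth): a standard-library HS256 sketch of an access/refresh pair with blacklisting on logout. The signing key, the lifetimes, the claim layout and the in-memory blacklist are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json, time, uuid

SECRET = b"constructed-demo-key"  # constructed value, not a real signing key
BLACKLIST = set()                 # stands in for a table of revoked refresh-token jti values

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(user_id, token_type, lifetime, now=None):
    now = int(time.time()) if now is None else now
    claims = {"user_id": user_id, "token_type": token_type,
              "exp": now + lifetime, "jti": uuid.uuid4().hex}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def verify(token, expected_type, now=None):
    """Return the claims, or raise ValueError naming the first failed check."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(head + "." + body), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["token_type"] != expected_type:
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["jti"] in BLACKLIST:
        raise ValueError("blacklisted")
    return claims

def login(user_id, now=None):
    return {"refresh": issue(user_id, "refresh", 86400, now),
            "access": issue(user_id, "access", 300, now)}

def refresh(refresh_token, now=None):
    claims = verify(refresh_token, "refresh", now)
    return {"access": issue(claims["user_id"], "access", 300, now)}

def logout(refresh_token, now=None):
    # Only the refresh token's jti is revoked; issued access tokens run to their exp.
    BLACKLIST.add(verify(refresh_token, "refresh", now)["jti"])
```

After `logout`, the refresh token can no longer mint access tokens, but an access token issued earlier is still accepted until it expires, which is why the access lifetime is kept short.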

@Allan-Nava

But is it possible to use the permission class only for a specific action like update or delete?

@JoelGoh92
Author

@Allan-Nava I think the use of JWT here is more for authentication. With DRF, you can set it up pretty easily, e.g. as a default authentication class.

If you're looking to implement permissions control, I would advise you to look at DRF's docs on permissions control. This should not have anything to do with whether you're using jwt as an auth mechanism.

@lukeburden

While django-rest-framework-simplejwt is a newer library with fewer contributors, it is more recently maintained, has higher code quality than django-rest-framework-jwt, allows for the more typical JWT implementation (refresh and access tokens are different) and has extras such as refresh token blacklisting built in.

@whwkong

whwkong commented Jan 23, 2019

It would be good to have django-rest-framework-simplejwt support.
It doesn't look like django-rest-framework-jwt is being actively maintained. Last commit was Oct, 2017.

@aaronrosenberg

aaronrosenberg commented May 8, 2019

Just throwing my support behind django-rest-framework-simplejwt. Would be a huge benefit and streamline the whole authentication workflow. Also simplejwt implements refresh and access tokens per Joel above unlike the seemingly aging regular jwt implementation.

@robypomoni

+1 on this. Please add support to django-rest-framework-simplejwt

@superandrew

+1, I would also love to have support for simplejwt!

@5uh417

5uh417 commented Jul 9, 2019

+1 for the support of simplejwt

@alexferrari88

+1 for the support of simplejwt

@NidalM

NidalM commented Jul 18, 2019

As per the latest status update on the django-rest-framework-jwt page, this repo is no longer being actively maintained.
jpadilla/django-rest-framework-jwt#484

@slystone

+1 for the support of simplejwt!

@slystone

@JoelGoh92 can you please be more specific about the solution of the problem? I'm not so confident with all the LoginView/SocialLoginView/LogoutView overriding thing you suggested

@sundeepdev

This issue is more than a year old. Does someone have a PR for this or a suggestion on how to implement it? I just don't want to reinvent the wheel and can work on some other issue.

@NidalM

NidalM commented Aug 5, 2019

How to use django-rest-framework-simplejwt as auth backend for django-rest-auth. Note: your needs may differ slightly based on how you implemented rest-auth.

First off, make sure you set simplejwt as your auth provider in settings.py:

REST_FRAMEWORK = {
    # ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
    # ...
}

Next, look at your urls.py for where you route the rest-auth endpoints:

urlpatterns = [
    # ...
    url(r'^rest-auth/', include('rest_auth.urls')),
    # ...
]

You need to override the /rest-auth/login/ path with the login view from django-rest-framework-simplejwt by including it before the rest-auth urls. Here's how:

from django.conf.urls import include, url
from rest_framework_simplejwt.views import TokenObtainPairView
...
urlpatterns = [
    # ...
    # Listed first so it matches before the rest-auth login route.
    url(r'^rest-auth/login/$', TokenObtainPairView.as_view(), name='rest_login'),
    url(r'^rest-auth/', include('rest_auth.urls')),
    # ...
]
...

This'll get you started but there may be other routes you may need to override/create (e.g. logout). If you want the token login response to have non-default data, then you can override TokenObtainPairView with a custom serializer. Finally, because you're migrating from drf-jwt, you may need to change the auth header in settings.py to:

SIMPLE_JWT = {
    ...
    'AUTH_HEADER_TYPES': ('JWT', 'Bearer'),
}

The above worked for me, but was specific to my use case.

@sundeepdev

Thanks @NidalM. This is helpful. However, I'm actually going to use Simple-JWT for both email login as well as social login and I was trying to avoid writing my own end points for all the features supported by this library.
So if I override login by completely writing my own end point, wouldn't I need to write the end points for everything like Registration, Forgot Password, Social-Auth for every provider etc.?
I was hoping that there should be a way to hook in simple-jwt instead of drf-jwt by overriding a common method of JWT token generation and the rest could remain the same.
I'm not sure if there's no way to do that and we have to either write all the end points or change the complete implementation of the JWT token part of this library.

@jamesdvance

jamesdvance commented Sep 2, 2019

plus 1 for simple_jwt! Commenting to follow this chain

@birgert

birgert commented Sep 9, 2019

As many others requested... Out of the box simplejwt support would make things so much easier. It's also the suggested JWT package by DRF.

@ankurpandeyvns

+1 for simple JWT! It's an awesome library!

@ankurpandeyvns

ankurpandeyvns commented Sep 18, 2019

ankurpandeyvns@794dac3

This may be helpful for those who are looking only for JWT Logins using SimpleJWT.

@MIRAMAXED

+1 for the support of simplejwt

@newbro

newbro commented Nov 6, 2019

+1 please, this library is extremely useful however the Django token authentication is simply too insecure for my taste.

@ankurpandeyvns

> +1 please, this library is extremely useful however the Django token authentication is simply too insecure for my taste.

ankurpandeyvns@794dac3

Try this one

@iamcb

iamcb commented Dec 22, 2019

+1 for simple_JWT

@de-don

de-don commented Jan 17, 2020

+1

@vitzaoral

+1

@bekaryukovmv

bekaryukovmv commented Jan 24, 2020

+1 simple_JWT

@dedaldino3d

+1 simpleJWT

@quank123wip

+1 simpleJWT

@rodrigondec

+1 simpleJWT

@kikanny

kikanny commented Mar 9, 2020

+1 simpleJWT pls!

@bplociennik

+1 for simpleJWT

@birgert

birgert commented Mar 13, 2020

Django-rest-auth was forked to dj-rest-auth. See #568 for some info. Let's hope this one becomes the new go-to, it seems promising so far.

For all the people requesting simpleJWT, there's a pull request (ready to merge) in the new repo to add simplejwt support. iMerica/dj-rest-auth#3

@pickyuptruck

+1 simple JWT

@IsabelaLiberatoscioli

+1 simple JWT

@gaara4896

+1 simple JWT

@kaniak274

+1 simple JWT

@CrhistyanSilva

+1 simple JWT

@sSimuSs

sSimuSs commented Oct 27, 2021

This works for me))

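# Import paths are assumed for rest-auth; the post does not show its imports.
from allauth.socialaccount.providers.facebook.views import FacebookOAuth2Adapter
from rest_auth.registration.views import SocialLoginView
from rest_framework.response import Response
from rest_framework.status import HTTP_200_OK
from rest_framework_simplejwt.tokens import RefreshToken


class FacebookLogin(SocialLoginView):
    adapter_class = FacebookOAuth2Adapter

    def get_response(self):
        # Return a simple-jwt refresh/access pair in the response body.
        refresh = RefreshToken.for_user(self.user)
        data = {"refresh": str(refresh), "access": str(refresh.access_token)}
        response = Response(data, status=HTTP_200_OK)
        return response

    def login(self):
        # Keep the validated user and call process_login(); nothing else is created here.
        self.user = self.serializer.validated_data['user']
        self.process_login()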

@Issen007

+1 simpleJWT
