Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DjangoCon - JSON Web Tokens
Search
José Padilla
September 04, 2014
Programming
15
11k
DjangoCon - JSON Web Tokens
DjangoCon US 2014 talk on JSON Web Tokens
José Padilla
September 04, 2014
Tweet
Share
More Decks by José Padilla
See All by José Padilla
Python, Government, and Contracts
jpadilla
0
47
Python, Government, and Contracts
jpadilla
0
4.9k
Python Type Hints
jpadilla
0
500
Developer Ergonomics
jpadilla
0
2.1k
BFTW: The Backend
jpadilla
4
200
eventos
jpadilla
0
160
JWT
jpadilla
2
430
Ember.js + Django
jpadilla
3
2.1k
UPRB Basic Workshop
jpadilla
2
200
Other Decks in Programming
See All in Programming
Blueskyのプラグインを作ってみた
hakkadaikon
1
290
primeNumberでのRBS導入の現在 && RBS::Traceでinline RBSを拡充してみた
mnmandahalf
0
250
Proxmoxをまとめて管理できるコンソール作ってみました
karugamo
1
410
Reactive Thinking with Signals, Resource API, and httpResource @Devm.io Angular 20 Launch Party
manfredsteyer
PRO
0
130
iOSアプリ開発もLLMで自動運転する
hiragram
6
2.1k
ユーザーにサブドメインの ECサイトを提供したい (あるいは) 2026年函館で一番熱くなるかもしれない言語の話
uvb_76
0
180
AIエージェントによるテストフレームワーク Arbigent
takahirom
0
280
TypeScript LSP の今までとこれから
quramy
0
110
バランスを見極めよう!実装の意味を明示するための型定義 TSKaigi 2025 Day2 (5/24)
whatasoda
2
780
テスト分析入門/Test Analysis Tutorial
goyoki
11
2.7k
DevTalks 25 - Create your own AI-infused Java apps with ease
kdubois
2
120
型付け力を強化するための Hoogle のすゝめ / Boosting Your Type Mastery with Hoogle
guvalif
1
230
Featured
See All Featured
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
620
Optimising Largest Contentful Paint
csswizardry
37
3.3k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
750
How STYLIGHT went responsive
nonsquared
100
5.6k
Balancing Empowerment & Direction
lara
1
87
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Speed Design
sergeychernyshev
30
970
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.6k
Faster Mobile Websites
deanohume
307
31k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
RailsConf 2023
tenderlove
30
1.1k
Transcript
JWT
“jot”
JSON Web Tokens
José Padilla
Flickr: Bryan Vincent
Co-founder at blimp.io
/jpadilla
jpadilla.com
Why?
Single Sign-on
Action Links
Webhooks
Token-based Auth
What?
“Compact URL-safe means of representing claims to be transferred between
two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
None
None
None
None
None
None
JOSE
JavaScript Object Signing and Encryption
JWA
JSON Web Algorithms
JWK
JSON Web Key
JWT
JSON Web Token
JWS
JSON Web Signature
JWE
JSON Web Encryption
Today it’s all about JWT
How?
Internet-Draft
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
{ "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
import json import hmac from hashlib import sha256 from base64
import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
{! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)
! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =
hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
PyJWT
$ pip install PyJWT
import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}
! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)
/progrium/pyjwt
Django JWT Auth
username/password JWT Error /login
Authorization: Bearer <JWT> JWT Error /restricted
$ pip install django-jwt
import json ! from django.views.generic import View from django.http import
HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')
from django.conf.urls import patterns from .views import RestrictedView urlpatterns =
patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )
/jpadilla/django-jwt-auth
DRF JWT Auth
$ pip install djangorestframework-jwt
from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions
import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)
from django.conf.urls import patterns from .views import RestrictedView urlpatterns =
patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )
var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:
'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });
/GetBlimp/django-rest-framework-jwt
Recap • It’s a standard • It’s simple • Third
party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets
Django REST Framework Sprint
Thanks Questions? http:/ /bit.ly/djangocon-jwt