Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
DjangoCon - JSON Web Tokens
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
José Padilla
September 04, 2014
Programming
11k
15
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
DjangoCon - JSON Web Tokens
DjangoCon US 2014 talk on JSON Web Tokens
José Padilla
September 04, 2014
More Decks by José Padilla
See All by José Padilla
Python, Government, and Contracts
jpadilla
0
74
Python, Government, and Contracts
jpadilla
0
5.1k
Python Type Hints
jpadilla
0
610
Developer Ergonomics
jpadilla
0
2.1k
BFTW: The Backend
jpadilla
4
240
eventos
jpadilla
0
220
JWT
jpadilla
2
480
Ember.js + Django
jpadilla
3
2.2k
UPRB Basic Workshop
jpadilla
2
250
Other Decks in Programming
See All in Programming
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
240
ローカルLLMを使ってB2Bサービスを作っていての学び
yaotti
0
230
正しくソフトウェアを作る、前提を疑うための認知の視点 / doubt-premise
minodriven
21
7.2k
はてなアカウント基盤 State of the Union
cockscomb
1
1.2k
Honoでのサプライチェーン侵害対策 〜 3つのライブラリに学ぶ
yusukebe
7
1.7k
OS アップデート対応の取り組み方がもっと共有されてほしい
andpad
0
110
[2026年度第1回ORセミナー] 計画最適化ベンチャーと競技プログラミング人材
terryu16
0
280
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
810
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
230
Lessons from Spec-Driven Development
simas
PRO
0
240
Vite+ Unified Toolchain for the Web
naokihaba
0
410
Webフレームワークの ベンチマークについて
yusukebe
0
190
Featured
See All Featured
Technical Leadership for Architectural Decision Making
baasie
3
430
Six Lessons from altMBA
skipperchong
29
4.3k
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
400
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
aleyda
1
1.3k
Mozcon NYC 2025: Stop Losing SEO Traffic
samtorres
1
260
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
55k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
240
The Limits of Empathy - UXLibs8
cassininazir
1
380
Paper Plane
katiecoart
PRO
1
52k
Code Review Best Practice
trishagee
74
20k
Mind Mapping
helmedeiros
PRO
1
270
ラッコキーワード サービス紹介資料
rakko
1
3.8M
Transcript
JWT
“jot”
JSON Web Tokens
José Padilla
Flickr: Bryan Vincent
Co-founder at blimp.io
/jpadilla
jpadilla.com
Why?
Single Sign-on
Action Links
Webhooks
Token-based Auth
What?
“Compact URL-safe means of representing claims to be transferred between
two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
None
None
None
None
None
None
JOSE
JavaScript Object Signing and Encryption
JWA
JSON Web Algorithms
JWK
JSON Web Key
JWT
JSON Web Token
JWS
JSON Web Signature
JWE
JSON Web Encryption
Today it’s all about JWT
How?
Internet-Draft
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
{ "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
import json import hmac from hashlib import sha256 from base64
import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
{! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)
! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =
hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU
PyJWT
$ pip install PyJWT
import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}
! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)
/progrium/pyjwt
Django JWT Auth
username/password JWT Error /login
Authorization: Bearer <JWT> JWT Error /restricted
$ pip install django-jwt
import json ! from django.views.generic import View from django.http import
HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')
from django.conf.urls import patterns from .views import RestrictedView urlpatterns =
patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )
/jpadilla/django-jwt-auth
DRF JWT Auth
$ pip install djangorestframework-jwt
from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions
import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)
from django.conf.urls import patterns from .views import RestrictedView urlpatterns =
patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )
var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:
'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });
/GetBlimp/django-rest-framework-jwt
Recap • It’s a standard • It’s simple • Third
party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets
Django REST Framework Sprint
Thanks Questions? http:/ /bit.ly/djangocon-jwt