Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DjangoCon - JSON Web Tokens

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for José Padilla José Padilla
September 04, 2014
Programming
11k
15

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

Avatar for José Padilla

José Padilla

September 04, 2014

More Decks by José Padilla

See All by José Padilla
Python, Government, and Contracts
Avatar for José Padilla jpadilla
0
73
Python, Government, and Contracts
Avatar for José Padilla jpadilla
0
5.1k
Python Type Hints
Avatar for José Padilla jpadilla
0
610
Developer Ergonomics
Avatar for José Padilla jpadilla
0
2.1k
BFTW: The Backend
Avatar for José Padilla jpadilla
4
230
eventos
Avatar for José Padilla jpadilla
0
220
JWT
Avatar for José Padilla jpadilla
2
480
Ember.js + Django
Avatar for José Padilla jpadilla
3
2.2k
UPRB Basic Workshop
Avatar for José Padilla jpadilla
2
240

Other Decks in Programming

See All in Programming
Vite+ Unified Toolchain for the Web
Avatar for Naoki Haba naokihaba
0
260
決定論的オーケストレーションの設計と実装 / Design and Implementation of Deterministic Orchestration
Avatar for nrs nrslib
3
1.3k
Claspは野良GASの夢をみるか
Avatar for てらうちたかし takter00
0
180
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
Avatar for ioki ioki
0
190
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
Avatar for suikabar suikabar
2
560
Signal Forms: Beyond the Basics @ngBaguette 2026 in Paris
Avatar for Manfred Steyer manfredsteyer
PRO
0
240
jQueryをバージョンアップする前に使いたいjQuery Migrate
Avatar for Atsushi Matsuo matsuo_atsushi
0
200
Make SRE Operations Easier with Azure SRE Agent
Avatar for KAMEGAWA Kazushi kkamegawa
0
5.3k
セキュリティの専門家じゃなくてもできる。「セキュリティ意識」をアップデートして サプライチェーン攻撃への耐性を高めよう。
Avatar for tk3fftk tk3fftk
5
710
Java × distroless で 軽量なコンテナイメージを / Java on Distroless
Avatar for Daisuke Garaike contour_gara
0
530
Technical Debt: Understanding it Rightly, Engaging it Rightly #LaravelLiveJP
Avatar for shogogg shogogg
0
220
The Arts and Crafts of Work in the AI Era — Toward Mastery in Software Development
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
750

Featured

See All Featured
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
430
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
77
5.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
8
710
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.9k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.8k
A Soul's Torment
Avatar for Nat Ma seathinner
6
2.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
31
10k
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
390
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
7.6k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
3.5k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
128
17k

Transcript

  1. JWT

  2. “jot”

  3. JSON Web Tokens

  4. José Padilla

  5. Flickr: Bryan Vincent

  6. Co-founder at blimp.io

  7. /jpadilla

  8. jpadilla.com

  9. Why?

  10. Single Sign-on

  11. Action Links

  12. Webhooks

  13. Token-based Auth

  14. What?

  15. “Compact URL-safe means of representing claims to be transferred between

    two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None

  22. JOSE

  23. JavaScript Object Signing and Encryption

  24. JWA

  25. JSON Web Algorithms

  26. JWK

  27. JSON Web Key

  28. JWT

  29. JSON Web Token

  30. JWS

  31. JSON Web Signature

  32. JWE

  33. JSON Web Encryption

  34. Today it’s all about JWT

  35. How?

  36. Internet-Draft

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  39. { "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  40. import json import hmac from hashlib import sha256 from base64

    import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  42. {! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  43. payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)

    ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  45. SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =

    hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  47. PyJWT

  48. $ pip install PyJWT

  49. import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}

    ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

  50. /progrium/pyjwt

  51. Django JWT Auth

  52. username/password JWT Error /login

  53. Authorization: Bearer <JWT> JWT Error /restricted

  54. $ pip install django-jwt

  55. import json ! from django.views.generic import View from django.http import

    HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

  56. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  57. /jpadilla/django-jwt-auth

  58. DRF JWT Auth

  59. $ pip install djangorestframework-jwt

  60. from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions

    import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

  61. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  62. var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:

    'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

  63. /GetBlimp/django-rest-framework-jwt

  64. Recap • It’s a standard • It’s simple • Third

    party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

  65. Django REST
 Framework Sprint

  66. Thanks Questions? http:/ /bit.ly/djangocon-jwt