Django rest framework json web token logout function - django

First of all, I am still new to Django REST framework JWT, so please excuse my stupidity if I'm wrong.
I'm wondering how to create a logout function for JWT, as when users want to log out and switch accounts, they will need this function.
Based on what I have seen in many other logout posts,
- there is no need for a logout function, as the token isn't saved on the server side, so closing and opening will result in having to log in again.
- JWT uses an expiry time for this, so it will log out when the token has expired, provided the verify token setting is set to True.
But what I want is a "remember me" function where the user stays logged in when they close and open again; one of the suggestions is to turn the verify token setting to false or set the expiry time to weeks. But then how does the user log out if the token's expiry time hasn't been reached yet?
As I am using JWT and djoser, the logout function of djoser is for DRF only and not for JWT. Since I am also using the API for mobile devices, the user should stay logged in whenever they open the app (provided they did the first login), like Facebook and many other apps.
Please give me guidance on this. Thank you.

Ideally, you should be using JWT in a stateless manner, which means there is no session (the JWT token has an expiration time and will be invalid after that time; clients need to implement some mechanism to re-authenticate or extend the token). Given that, you don't need a logout at all.
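Where a product does need an explicit logout before the token expires (the asker's "switch account" case), the usual defender's answer is a server-side denylist of the token's jti claim that is kept only until that token's exp, so the store stays small and the token is otherwise still stateless. The following is an added example, not code from the question, the answer, Django or Simple JWT; it uses only the standard library, and SECRET, the jti values and the timestamps are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"   # constructed; keep real keys in settings/secret store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, jti: str, ttl: int, now: int) -> str:
    """Mint an HS256 JWT; the unique jti is what makes later revocation possible."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "jti": jti, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class Denylist:
    """Server-side revocation list keyed by jti; each entry lives only until its token's exp."""
    def __init__(self):
        self._revoked = {}  # jti -> exp

    def logout(self, token: str, now: int) -> None:
        claims = verify(token, self, now)   # only a currently valid token can be logged out
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str, now: int) -> bool:
        # drop entries whose token has expired anyway, so the list stays bounded
        for stale in [j for j, exp in self._revoked.items() if exp <= now]:
            del self._revoked[stale]
        return jti in self._revoked

def verify(token: str, denylist: Denylist, now: int) -> dict:
    """Check signature, expiry and revocation; raise ValueError on any failure."""
    header, payload, sig = token.split(".")   # ValueError if not exactly three parts
    # The alg header is deliberately ignored: we always compute HS256 with our own key,
    # so a token claiming "none" or another algorithm cannot bypass the check.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if denylist.is_revoked(claims["jti"], now):
        raise ValueError("revoked")
    return claims
```

In a Django deployment the Denylist would be a database table or cache keyed by jti, and the logout view would call its logout method with the presented token.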

Related

How does the Djoser JWT login flow work?

So I've been trying to use Djoser JWT and I don't know how to log in with it. As far as I know, you create a request with your login credentials to this URL, /jwt/create/, get the access and refresh tokens, and maybe get the user object from /users/me/. This is where I got stuck; where do I go from here?
You correctly understood the first step of the process. Basically, you can now:
- Add the access token in the header of your next requests.
  This will transparently authenticate the user thanks to the Simple JWT plugin, and you will be able to access them with the usual request.user in the views.
- Refresh the access token each time you get a 401 response.
  The access token is supposed to be short-lived for security concerns, and a 401 response from the server indicates that the one you are using has expired. So you have to get a new one by sending the refresh token to the token/refresh/ API and then make your request again.
You can read this article if you need more detailed explanations about this process or JWT.
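The client side of the flow just described, as an added example that is not code from the answer, Djoser or Simple JWT: the access token goes in the Authorization header, a 401 triggers exactly one refresh and retry, and a failed refresh forgets both tokens so the app falls back to a real login instead of looping. The transport is injected, so FakeApi (a constructed stand-in, not a Djoser server) lets it run offline; the paths follow the question's /jwt/create/ plus /jwt/refresh/, and "Bearer" is Simple JWT's default AUTH_HEADER_TYPES value, so both are assumptions to match against your own URL conf and settings.

```python
class JwtClient:  # client side of the flow above: send the access token, refresh once on 401
    def __init__(self, send):
        self.send = send  # injected transport: (method, path, headers, body) -> (status, body)
        self.access = self.refresh = None

    def login(self, username, password):
        status, body = self.send("POST", "/jwt/create/", {}, {"username": username, "password": password})
        if status != 200:
            raise PermissionError("login failed")
        self.access, self.refresh = body["access"], body["refresh"]

    def _refresh(self):
        status, body = self.send("POST", "/jwt/refresh/", {}, {"refresh": self.refresh})
        if status != 200:  # refresh token expired or revoked: forget both tokens, user must log in again
            self.access = self.refresh = None
            return False
        self.access = body["access"]
        return True

    def request(self, method, path, body=None):
        for attempt in range(2):  # at most one refresh per request, never an endless retry loop
            if self.access is None:
                raise PermissionError("re-authentication required")
            # "Bearer" is Simple JWT's default AUTH_HEADER_TYPES value; match your server's setting
            status, resp = self.send(method, path, {"Authorization": f"Bearer {self.access}"}, body)
            if status != 401 or attempt or not self._refresh():
                break
        if status == 401:
            raise PermissionError("re-authentication required")
        return status, resp

class FakeApi:  # constructed stand-in for the server (not Djoser): access good for 2 calls, refresh usable once
    def __init__(self):
        self.valid_access, self.uses_left, self.refreshes = None, 0, 0

    def send(self, method, path, headers, body=None):
        if path == "/jwt/create/":
            self.valid_access, self.uses_left = "acc-0", 2
            return 200, {"access": "acc-0", "refresh": "ref"}
        if path == "/jwt/refresh/":
            if body.get("refresh") != "ref" or self.refreshes >= 1:
                return 401, {"detail": "refresh token invalid or expired"}
            self.refreshes += 1
            self.valid_access, self.uses_left = f"acc-{self.refreshes}", 2
            return 200, {"access": self.valid_access}
        if headers.get("Authorization") != f"Bearer {self.valid_access}" or self.uses_left <= 0:
            return 401, {"detail": "access token invalid or expired"}
        self.uses_left -= 1
        return 200, {"username": "alice"}
```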

How to make REST API calls that need an auth_token?

I'm working on a Django REST application that contains APIs that work with a login mechanism.
I'm able to create API endpoints for login and logout.
Login takes a username and password and returns an auth_token, which is around 30 characters.
Logout takes the auth_token and destroys it.
In between these logins and logouts, there are a few API calls that make use of the auth_token.
How is it generally implemented? How are the requests made with the auth_token in general?
Where are those tokens stored? How does the backend validate it?
Can someone please explain to me how it is done, basically?
Store the token in browser storage, and remove the token from browser storage in the logout logic.
Make sure your DRF setting DEFAULT_AUTHENTICATION_CLASSES list contains the TokenAuthentication class before SessionAuthentication, and that rest_framework.authtoken is in your settings' INSTALLED_APPS.
For any API call, just attach the token like (Token your_token); I mean "Token", then a space, then your token, and attach it to the authentication header of the AJAX request.

Working with Django REST framework to authenticate a user with a new token for every login

I would like to use the django-rest-framework token to authenticate users. My workflow would be:
- The user requests a page.
  - If an auth token is present, respond with the requested data.
  - If an auth token is not present, redirect to the login page (with the requested page).
- Inside the login page, the user submits their credentials.
  - If the credentials were correctly authenticated, get or create a token for that user and redirect back to the requested page with the token.
  - Else, respond with an error.
- Lastly, when the user logs out, delete the token for that user.
So my question is, is it okay to delete and create a new token for every login if the user has already logged out? Also, I assume the token will be unique; am I correct? Your help and guidance are very much appreciated. Thank you.
A REST API should be stateless, which means that there should not be a "session", hence no login and no logout, and no redirections to a login page.
If the request doesn't have a token, then the API should (probably) return a 401 Unauthorized HTTP status code and not a redirection. You're making an API, so there won't be human interaction. Django REST framework offers a human-friendly interface that does have sessions and login/logout, and if that's all you need, then go for it; you can do whatever you want. But it'd be hard for another program to use your API.
Why not use tokens with expiration dates, or another well-known authentication method?? :P
Hope this helps :)

Django OAuth2 Toolkit: don't have to log in even after 1 year?

I am developing mobile apps with Ionic2 for the frontend, Django REST framework for the backend and Django OAuth2 Toolkit for authentication. When the mobile app user submits the email and password, the server returns the client_id, access_token and refresh_token, and the app saves them in the local storage of the mobile phone. Whenever the mobile app user opens the app, it makes a request with the access token and client ID so that it can automatically log the user in. And if this procedure fails, it requests again with the refresh token to get a new access token.
My question is whether the way I am doing it is right for mobile users to not have to log in anymore after the first time. And also, even if the mobile app user opens the app after a long time, for example 1 year, could it still be possible for the mobile app user to be logged in without logging in again?
I just want to be sure whether there is any time limit on the refresh token or some other possibilities. Thanks in advance, guys!
If you think that your mobile app can access it after a year, then you are wrong. You can't even access it after a certain period of time. And this period should be given by you: how much time you want to make your token live.
And it's a really weird solution to make a token for a lifetime.
I think this may help you:
OAuth2 and Google API: Access token expiration time?
Why do access tokens expire?

When adding Facebook integration to a web app, how do you handle OAuth token expiration and what user data should be saved?

I'm planning out adding Facebook integration to a web app I'm working on. For the most part, it's proceeding smoothly, but I am confused on the proper way to handle the OAuth token.
The sequence of events presented by Facebook here is:
- Ask the user to authorize your application, which sends them to a Facebook window.
- This will return an Authorization Code generated by Facebook.
- You then hit https://graph.facebook.com/oauth/access_token with your Authorization Code, which will give you a time-limited OAuth token.
- Using the OAuth token, you can make requests to access the user's Facebook profile.
Facebook's documentation has the following to say about token expiration:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
When they say to re-run the steps above, what steps need to be re-run to get a new OAuth token? What data (Facebook UID, Authorization Code, OAuth token) does it make sense to save to my local database?
I would like to be able to have the user continue to interact with my site, and in response to certain user actions, I would like to be able to prompt the user to ask if they want to post something to their Facebook wall.
The access token is time- and session-based and is unnecessary data to store; it has no use after the user has closed the session.
The Facebook UID is the only thing you need to identify the user.
Since the Facebook API is sometimes horribly slow, you could store the username as well.
But for identification, all you need is the UID.
The documentation that Facebook provides has been updated since you asked this question: https://developers.facebook.com/docs/authentication/.