Django JWT token deactivate - django

I'm creating an API for an Android application. I'm using Django REST framework JWT tokens for API authentication. In a particular case, I want to deactivate the token which is activated for a particular user.

JWT is stateless auth, which means it is not stored anywhere on the server. When you send a JWT token in the header of a request, your server just checks if the token is valid. Therefore you cannot deactivate the token - you can only delete it in your Android app. More on JWT here.
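The stateless check described above uses only the signature and the `exp` claim. As an added example (not part of the original answer or of any JWT package), this standard-library sketch shows that check, and the one piece of server-side state, a denylist keyed on a `jti` claim, that a service would have to keep to reject a token before it expires. The secret, the claim values and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # constructed value, stands in for the signing key
REVOKED_JTIS = set()                 # the only server-side state in this sketch

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(user, jti, ttl=300, now=None):
    """Sign a token; the server keeps no record of it."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "jti": jti, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def verify(token, now=None, check_denylist=False):
    """Return the claims if the token is accepted, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{payload}"), _unb64(sig)):
            return None  # forged or altered
        claims = json.loads(_unb64(payload))
    except (ValueError, AttributeError):
        return None      # malformed token
    if claims["exp"] <= now:
        return None      # expired: the only way a purely stateless token dies
    if check_denylist and claims["jti"] in REVOKED_JTIS:
        return None      # deactivated by the server before its expiry
    return claims

def revoke(token):
    """Deactivate one token by remembering its jti (keep it until exp passes)."""
    claims = verify(token)
    if claims is not None:
        REVOKED_JTIS.add(claims["jti"])
```

Entries only need to stay in the denylist until the token's own `exp`, so a short token lifetime keeps that set small.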

Related

Access Django Rest API using Azure access token and SimpleJWT access token

Need just hint, tried all possible ways.
Any approach is highly appreciated.
Problem statement: access a JWT-authenticated Django REST API using an Azure AD access token in Postman and a local app. The Django app is hosted on Azure App Service.
Challenge: pass two tokens with different header values in the authorisation header such that the Azure token is also read with the Django JWT token.
A. All possible authorisation in postman.
B. Different authorization keys and header values in django jwt settings
I've deployed my django application on azure app service.
I'm using JWT authentication for all rest API's.
I've an azure directory and service principal linked to azure web app.
In postman,
I can get access token from azure active directory(using clientID, Secret, resource, etc.) and use the same token to call django rest api.
I can easily access an unauthenticated API just by using the Azure access token in the authorization bearer header.
For JWT authenticated API, I'm not able to use them (crud operation) as none of my approach is working.
Azure access token header value : Bearer
Django JWT token header value: Bearer, Token, JWT.
---- EDIT ----
The Django application will serve as a backend to client applications. Thus client applications have to generate an Azure token and provide it while calling the Django app API. But the Django application APIs are also authenticated with JWTAuthentication, thus 2 tokens have to be provided.
Problem
Both tokens have to be provided in the 'Authorization' key to use with HTTP_AUTHORIZATION.
INFORMATION
JWT packages: simple_jwt
simple_jwt, django version: latest
client: react-js webapp, swift ios mobile app
resources: azure app service, azure active directory with service plan
django website is used as a backend for webapp and mobile app.
To elaborate, some images are added:
Need to use this architecture (api endpoint with jwt authentication):
Call an API with JWT authentication header value in (Bearer, Token, JWT), and have to provide the Azure access token with header value as (Bearer).
Both Tokens have to be provided in authorisation header.
[api endpoint with jwt authentication][1]
[1]: https://i.stack.imgur.com/y0Uvf.png
Called an API (without Django JWT authentication) using only the Azure access token and was able to get a response.
Correct me if I'm using some wrong approach.

Add another custom backend and verify your Azure token by its public key:
https://docs.djangoproject.com/en/4.1/topics/auth/customizing/
And add it next to your SimpleJWT auth backend.
In your settings.py file:
REST_FRAMEWORK = {
    ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        ...
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        # add your azure backend here
        'your_app.auth_azure_backend.AzureAuthentication',
    )
    ...
}

# your_app/auth_azure_backend.py
import jwt  # PyJWT
from django.contrib.auth.backends import BaseBackend

class AzureAuthentication(BaseBackend):
    def authenticate(self, request, token=None):
        # You can use custom headers or just use `Authorization` with a Bearer token.
        # Django will go through every backend to verify it.
        azure_token = request.headers.get('AzureToken')
        if azure_token is None:
            return None  # no Azure token on this request
        # public_key is the Azure AD signing key; load it as described in the link below
        decoded = jwt.decode(azure_token, public_key, algorithms=["RS256"])
        # return user instance based on decoded data from Azure
If you can decode without error that means your token is generated by Azure AD.
You can follow this question to get your public key https://learn.microsoft.com/en-us/answers/questions/793793/azure-ad-validate-access-token

So I found a solution; if it is wrong, please provide feedback.
I have created an authentication class inheriting from the JWTAuthentication class, and I am reading custom headers in request.headers. This way I can provide multiple tokens in a request.
Actually, my application is hosted on Azure App Service, so I have to authenticate there; the application also has some inbuilt authentication to manage user access, thus it needs a token for the same.

When to call gettoken, refresh token and verify token by user in jwt in DRF?

I have been using built in token authentication for my projects in Django rest framework. But now I am shifting to simple jwt. But I am confused on one thing.
In Token Authentication user if logged in from front end returns a token, but in jwt documentation I have seen three requests as follows:
from django.conf.urls import url
from rest_framework_jwt.views import obtain_jwt_token, refresh_jwt_token, verify_jwt_token

urlpatterns = [
    url(r'^auth-jwt/', obtain_jwt_token),
    url(r'^auth-jwt-refresh/', refresh_jwt_token),
    url(r'^auth-jwt-verify/', verify_jwt_token),
]
I don't quite understand these requests. As a normal user, when a user visits a site he doesn't ask to get token, refresh token and verify token, he simply logs in and uses the features of the site. So, I am asking when these requests are made?
I hope I have explained well.

The usual flow of JWT authentication goes like this:
The client will send a POST request with the authentication credentials, which need to be verified. If the credentials are valid the server needs to return JWT Token and a refresh token. This process is handled by the url(r'^auth-jwt/', obtain_jwt_token) URL.
The token returned after authentication is a short-lived token and to continue the user session, the client needs to get a new token using the refresh token.
This is done by url(r'^auth-jwt-refresh/', refresh_jwt_token) URL.
The third URL is not always required. You can use it to validate your JWT token in case it's required by your application.
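To show when a client actually hits each of the three URLs, here is an added example (not from the original answer or from the JWT package) of the bookkeeping a front end does behind the login form. The `obtain`, `refresh` and `verify` callables are hypothetical wrappers around the HTTP POSTs, the `JWT` header prefix and the 30-second leeway are assumptions, and the refresh call is assumed to be made with the current token before it expires.

```python
import base64
import json
import time

def token_expiry(token):
    """Read `exp` from the payload without verifying it (the client holds no key)."""
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(padded))["exp"])

class JwtSession:
    """Client-side bookkeeping for the obtain, refresh and verify endpoints."""

    def __init__(self, obtain, refresh, verify, leeway=30, clock=time.time):
        # obtain/refresh/verify are hypothetical callables wrapping the HTTP POSTs
        self._obtain, self._refresh, self._verify = obtain, refresh, verify
        self._leeway, self._clock = leeway, clock
        self.token = None
        self.calls = []  # which endpoints were hit, in order

    def login(self, username, password):
        """The user submits the login form: POST auth-jwt/."""
        self.token = self._obtain(username, password)
        self.calls.append("obtain")

    def restore(self, stored_token):
        """App restart with a saved token: POST auth-jwt-verify/ before trusting it."""
        self.calls.append("verify")
        self.token = stored_token if self._verify(stored_token) else None
        return self.token is not None

    def auth_header(self):
        """Header for the next API call; refreshes silently when close to expiry."""
        if self.token is None:
            raise RuntimeError("not logged in")
        remaining = token_expiry(self.token) - self._clock()
        if remaining <= 0:
            self.token = None  # too late to refresh, the user must log in again
            raise RuntimeError("session expired")
        if remaining <= self._leeway:
            self.token = self._refresh(self.token)  # POST auth-jwt-refresh/
            self.calls.append("refresh")
        return {"Authorization": "JWT " + self.token}
```

The user only ever sees `login`; the refresh and verify calls happen inside the client whenever it builds a request or starts up.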

Can DjangoRestFramework accept JWTs that have more than username/password in payload?

I have a Django application that uses the Django Rest Framework. At first I was just using Session, and Token authentication, but now want to implement JWT Token authentication. I downloaded a package called djangorestframework-jwt that allows you to use JWT for authentication in DRF. The crux of the problem is that my client side application is using Auth0 which can return a lot of different information, first name, last name, userid, etc. We are using Auth0 with gmail as an identity provider to log into our client side EmberJS application. For our data adapters to get data from Django though, we are using 1 consistent token that we configured in our Auth0 account that is tied to a user in Django. What I would like to accomplish is to use the JWT returned from Auth0, instead of this 1 token, to authenticate all our requests to Django. Can you authenticate yourself in Django without using a Django User object?

Handling django-rest-auth auth token on a client webapp developed using django

I have developed an API which is protected using token authentication. I'm able to fetch the token once when logging in to the webapp. The token is stored in a cookie. Every call to the API contains the token. But what after the token expires?
I've been unable to figure that out. How should I request a new one? I know I can request a new token using the login credentials. But what if the token expires every 300 seconds?
And what is the ideal duration before it expires?
Have I kept it too short-lived?
Any help is appreciated.

how to check access token validity in django oauth toolkit?

I am using Django-oauth-toolkit for social authentication. How to check if access token is expired so that I can send the request for a new access token by sending refresh token.