Using jwt as django auth backend? #151

Closed
littlehome-eugene opened this issue Aug 25, 2019 · 2 comments

Comments

@littlehome-eugene

It's related to #130.

I'm wondering if I could use a single JWT auth backend for DRF and Django views
(asked on SO as well: https://stackoverflow.com/questions/57646299/django-jwt-authentication-in-django-view-not-just-drf/57646409#57646409).

In our app, we have a webview, a native Android HTTP client, and React Native.
If we have to use a cookie session ID for Django views and a JWT token for DRF, we have to sync the cookie and the JWT token among webview/Android/React Native.

It would be much easier for us to just sync JWT tokens, but I'm not sure if it's possible or if it's something not advised?

@jberends

jberends commented Sep 30, 2019

Session authentication using session cookies is normally HttpOnly, so your JavaScript (i.e. React) cannot access that one. However, once you make Django give you a session cookie (session_id in your cookie store) on any view, it will be automatically transmitted to the server by a proper browser.

We experienced with simple_jwt that a session cookie is not provided, as you directly call a separate endpoint that does NOT seem to authenticate within Django using the function django.contrib.auth.login(). If you look at that function, you see the session is set up on successful authentication; hence a session cookie is returned.

In the case of simple_jwt, the authentication goes from rest_framework_simplejwt/serializers.py:43 to django.contrib.auth.authenticate(), which will cycle through the backends in your settings.AUTHENTICATION_BACKENDS. Normally django.contrib.auth.backends.ModelBackend will authenticate the user in the function django.contrib.auth.backends.ModelBackend.authenticate() and will simply call user.check_password(pw).

Most backends indeed check for a correct username/password and return the user if successfully authenticated; however, you need to alter the flow and set up the session (and the cookie there) by e.g. calling django.contrib.auth.login() in that path.

@Andrew-Chen-Wang
Member

There's a PR for SPAs at #157 which can help. I'm not for it because I'm still skeptical about security vulnerabilities (typically, if you want JWT tokens for desktop, go with the OAuth protocol too instead of only JWT).

There are plenty of articles that differentiate when to use only JWT tokens and when to use JWT tokens with the OAuth protocol.
