Django library that implements the authentification for OpenId SSO with JWT from oauth2.
Project description
Django jwt
Django library that implements the authentification for OpenID Connect with JWT. This authentification is compatible with django session workflow and the RestFramework library.
Installation
- Install the library with pip
pip install django-jwt-oidc
- Add the
django_jwt
package into yourINSTALLED_APPS
in your settings.py file
INSTALLED_APPS = [
...
'django_jwt',
...
]
- Add django-jwt-oidc urls to your urls.py. You can change the path to the one you prefer.
urlpatterns = [
...
path('openid/', include('django_jwt.urls')),
...
]
Set up client
The django-jwt-oidc
is a library that allows to implement a OIDC client in order to identify a user from a provider.
Middleware
- Add
JWTAuthenticationMiddleware
into your middleware afterSessionMiddleware
. You can optionally remove theAuthenticationMiddleware
if you are not using other ways to log in.
MIDDLEWARE = [
...
'django.contrib.sessions.middleware.SessionMiddleware',
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django_jwt.middleware.JWTAuthenticationMiddleware',
...
]
- If you removed the
AuthenticationMiddleware
, you will need to add this settings:
SILENCED_SYSTEM_CHECKS = ['admin.E408']
- Set the django setting
LOGOUT_REDIRECT_URL
in order to redirect after logout. - Add redirects to the
oidc_login
andoidc_logout
. To make it default you can setLOGIN_URL = 'oidc_login'
.
Usage
- Getting authenticated user from request:
request.user
. - Getting the ID token claims from the user:
request.user_claims
. - Getting the userinfo from the endpoint from the user:
request.userinfo
. - Getting a valid access token from the user:
request.get_access_token()
.
RestFramework [Optional]
This settings are for views inherits RestFramework library from Django.
- You will need to install RestFramework on your own to your app first
View setting
You can add this to your APIviews class by adding JWTTokenAuthentication
to authentification_classes
attribute.
In this example, the view requires that all requests must have ID Token JWT Bearer Authentication.
from rest_framework import permissions, views
from django_jwt import JWTTokenAuthentication
class ExampleAPIView(view.APIView):
authentication_classes = [JWTTokenAuthentication]
permission_classes = [permissions.IsAuthenticated]
Global setting
If all your application can work with JWT Bearer Authentication you can add the JWTTokenAuthentication
class to DEFAULT_AUTHENTICATION_CLASSES
setting on settings.py of your app.
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'django_jwt.rest_framework.JWTTokenAuthentication',
]
}
Settings
Settings
All settings from the django-jwt-oidc
library will be set inside a JWT_OIDC
dictionary on settings.py
.
JWT_OIDC = {
...
}
TYPE [Required]
Set this to client
.
JWT_OIDC = {
...
'TYPE': 'client',
...
}
DISCOVERY_ENDPOINT [Required]
Set this to the discovery endpoint of the provider.
JWT_OIDC = {
...
'DISCOVERY_ENDPOINT': 'https://domain/.well-known/openid-configuration',
...
}
CLIENT_ID [Required]
Set this to the client ID of your application in the provider.
JWT_OIDC = {
...
'CLIENT_ID': 'some_string',
...
}
RESPONSE_TYPE [Required]
Set this to the response type of your application in the provider. This determines the flow of your authentication.
JWT_OIDC = {
...
'RESPONSE_TYPE': 'code', # Recommended to use Authorization Code flow
...
}
CLIENT_SECRET
Set this to the client secret of your application in the provider. This setting is required if want to Hybrid flow or Authorization Code flow (Setting code
inside the RESPONSE_TYPE
)
JWT_OIDC = {
...
'CLIENT_SECRET': 'some_string',
...
}
SCOPE
Set this to set the scope of the authentication flow.
JWT_OIDC = {
...
'SCOPE': 'openid', # Default
...
}
IDENTIFICATION_CLAIM
Set this if you want to use some other claim as identifier for your user model. Default: 'sub'
JWT_OIDC = {
...
'IDENTIFICATION_CLAIM': 'sub', # default
...
}
ID_TOKEN_RENAME_ATTRIBUTES
Set this to change the claims names to be translated to your User model fields. {'claim_name': 'model_field_name'}
JWT_OIDC = {
...
'ID_TOKEN_RENAME_ATTRIBUTES': {}, # Default
...
}
CREATE_USER
Set this to True
if you want to create users that they not exist.
JWT_OIDC = {
...
'CREATE_USER': False, # Default
...
}
USER_DEFAULT_ATTRIBUTES
Set this to set defaults values to users that log in with the OIDC.
JWT_OIDC = {
...
'USER_DEFAULT_ATTRIBUTES': {}, # Default
...
}
PKCE_EXTENSION
Set this to activate the PKCE_EXTENSION. It is recommended.
JWT_OIDC = {
...
'PKCE_EXTENSION': False, # Default
...
}
CODE_CHALLENGE_METHOD
Set this for the PKCE_EXTENSION method. Only 'S256'
supported.
JWT_OIDC = {
...
'CODE_CHALLENGE_METHOD': 'S256', # Default
...
}
CLIENT_DISPLAY
Setting display for the authentication flow. Options: page, popup, touch and wap.
JWT_OIDC = {
...
'CLIENT_DISPLAY': '', # Default
...
}
CLIENT_PROMPT
Setting prompt for the authentication flow. Options: login, consent, select_account and none.
JWT_OIDC = {
...
'CLIENT_PROMPT': '', # Default
...
}
CLIENT_MAX_AGE
Setting max_age for the authentication flow. How many seconds the user has logged in the provider.
JWT_OIDC = {
...
'CLIENT_PROMPT': '', # Default
...
}
OTHER
Other settings for the authentication flow.
- CLIENT_UI_LOCALES
- CLIENT_CLAIMS_LOCALES
- CLIENT_ID_TOKEN_HINT
- CLIENT_LOGIN_HINT
- CLIENT_ACR_VALUES
Set up provider
This is an extra app of the django_jwt app that deploys a OpenID Connect provider with implicit flow (Not recommended), Hybrid flow, Authorization Code flow and Authorization Code flow with PKCE.
The JWTs are signed by RSA or ECC keys that are being regenerated to improve security.
Django JWT Server does not provide for a login view.
Installation
- Install django-cors-headers library into your app. Required in order to control the CORS policy from your apps. There is no need to add the domains one by one
- Install djangorestframework library into your app.
- Add
django_jwt.server
to your installed apps. - Migrate the database with
python manage.py migrate
. - Add your implemented Django log in into
LOGIN_URL
setting onsettings.py
. - Run your app in order to set up your hosts into the admin page.
Settings
All settings from the django-jwt-oidc
library will be set inside a JWT_OIDC
dictionary on settings.py
.
JWT_OIDC = {
...
}
TYPE [Required]
Set this to provider
.
JWT_OIDC = {
...
'TYPE': 'provider',
...
}
DISCOVERY_ENDPOINT [Required]
Set this to your discovery endpoint of the provider.
JWT_OIDC = {
...
'DISCOVERY_ENDPOINT': 'https://my-domain/.well-known/openid-configuration',
...
}
SIGNATURE_ALG
Set this to the algorithm used to sign tokens. ECC is recommended.
JWT_OIDC = {
...
'SIGNATURE_ALG': 'ES512', # Default
...
}
JWK_EXPIRATION_TIME
Expiration time (in seconds) of the RSA or ECC keys. They will be stopped to be used for signing after this time. They will be deleted after not needed again for validation.
JWT_OIDC = {
...
'JWK_EXPIRATION_TIME': 3600, # Default
...
}
JWT_ID_TOKEN_EXPIRATION_TIME
Expiration time (in seconds) of the ID tokens.
JWT_OIDC = {
...
'JWT_ID_TOKEN_EXPIRATION_TIME': 2700, # Default
...
}
JWT_ACCESS_TOKEN_EXPIRATION_TIME
Expiration time (in seconds) of the access tokens. Recommended to be low.
JWT_OIDC = {
...
'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 600, # Default
...
}
JWT_REFRESH_TOKEN_EXPIRATION_TIME
Expiration time (in seconds) of the refresh tokens. Must be higher than access tokens.
JWT_OIDC = {
...
'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 3600, # Default
...
}
MAX_REFRESH
Set this in order to only be able to refresh tokens x times.
JWT_OIDC = {
...
'MAX_REFRESH': 10, # Default
...
}
USERINFO_SERIALIZER
User model serializer.
JWT_OIDC = {
...
'USERINFO_SERIALIZER': 'django_jwt.server.serializers.UserSerializer', # Default
...
}
USERINFO_SERIALIZER_EXCLUDE
Exclude fields of the User model in the 'django_jwt.server.serializers.UserSerializer'
.
JWT_OIDC = {
...
'USERINFO_SERIALIZER_EXCLUDE': ['password'], # Default
...
}
Set up fake server for deployment
This is an extra functionality of the django_jwt
app that makes a OpenId server with oauth 2.0 with implicit flow with an input to "log in" as whatever sub value you want.
Not maintained to changes of the 1.0 version.
Installation
- Install django-cors-headers library into your app. Required in order to control the CORS policy from your frontend.
- Add your frontend domain into
CORS_ALLOWED_ORIGINS
. - Change the
JWT_OIDC['TYPE']
setting to'fake'
. - Set up the
JWT_OIDC['CLIENT_ID']
setting to the same client id your frontend is targeting. - Set up the
DEFAULT_DOMAIN
setting on your Django settings. Example:
DEFAULT_DOMAIN = 'https://localhost:8000'
- Set up your frontend url into the path that you included in
urls.py
.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file django-jwt-oidc-1.0.tar.gz
.
File metadata
- Download URL: django-jwt-oidc-1.0.tar.gz
- Upload date:
- Size: 26.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7309c6fab03a3fe84fd541ed56062838a7a3bd76bc38eff219aafb02adf11f8e |
|
MD5 | e9bd5585cb10e2bd0bdf63056dcb08bf |
|
BLAKE2b-256 | 649aa67f1d08add80d5ba0af27037596fee12b202d5fb18a8f6f62d216acb55a |
File details
Details for the file django_jwt_oidc-1.0-py3-none-any.whl
.
File metadata
- Download URL: django_jwt_oidc-1.0-py3-none-any.whl
- Upload date:
- Size: 31.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e9fe931fc931c3ac042f5f93f1e8fdcf0d3d6b7ddc155eafabf0ef17cb2fb617 |
|
MD5 | 7f1ff8f021bc1ef7b9040eec784af3f9 |
|
BLAKE2b-256 | fe10d37e2e36c7ca83f77a10f3fbc79ab9ec6b3c570289ecb980679f4118d23e |