Skip to main content

Django library that implements the authentification for OpenId SSO with JWT from oauth2.

Project description

Django jwt

Django library that implements the authentification for OpenID Connect with JWT. This authentification is compatible with django session workflow and the RestFramework library.

Installation

  • Install the library with pip
pip install django-jwt-oidc
  • Add the django_jwt package into your INSTALLED_APPS in your settings.py file
INSTALLED_APPS = [
    ...
    'django_jwt',
    ...
]
  • Add django-jwt-oidc urls to your urls.py. You can change the path to the one you prefer.
urlpatterns = [
    ...
    path('openid/', include('django_jwt.urls')),
    ...
]

Set up client


The django-jwt-oidc is a library that allows to implement a OIDC client in order to identify a user from a provider.

Middleware


  • Add JWTAuthenticationMiddleware into your middleware after SessionMiddleware. You can optionally remove the AuthenticationMiddleware if you are not using other ways to log in.
MIDDLEWARE = [
    ...
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_jwt.middleware.JWTAuthenticationMiddleware',
    ...
]
  • If you removed the AuthenticationMiddleware, you will need to add this settings:
SILENCED_SYSTEM_CHECKS = ['admin.E408']
  • Set the django setting LOGOUT_REDIRECT_URL in order to redirect after logout.
  • Add redirects to the oidc_login and oidc_logout. To make it default you can set LOGIN_URL = 'oidc_login'.

Usage

  • Getting authenticated user from request: request.user.
  • Getting the ID token claims from the user: request.user_claims.
  • Getting the userinfo from the endpoint from the user: request.userinfo.
  • Getting a valid access token from the user: request.get_access_token().

RestFramework [Optional]


This settings are for views inherits RestFramework library from Django.

View setting

You can add this to your APIviews class by adding JWTTokenAuthentication to authentification_classes attribute. In this example, the view requires that all requests must have ID Token JWT Bearer Authentication.

from rest_framework import permissions, views
from django_jwt import JWTTokenAuthentication


class ExampleAPIView(view.APIView):
    authentication_classes = [JWTTokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]

Global setting

If all your application can work with JWT Bearer Authentication you can add the JWTTokenAuthentication class to DEFAULT_AUTHENTICATION_CLASSES setting on settings.py of your app.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'django_jwt.rest_framework.JWTTokenAuthentication',
    ]
}

Settings


Settings

All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.

JWT_OIDC = {
    ...
}

TYPE [Required]

Set this to client.

JWT_OIDC = {
    ...
    'TYPE': 'client',
    ...
}

DISCOVERY_ENDPOINT [Required]

Set this to the discovery endpoint of the provider.

JWT_OIDC = {
    ...
    'DISCOVERY_ENDPOINT': 'https://domain/.well-known/openid-configuration',
    ...
}

CLIENT_ID [Required]

Set this to the client ID of your application in the provider.

JWT_OIDC = {
    ...
    'CLIENT_ID': 'some_string',
    ...
}

RESPONSE_TYPE [Required]

Set this to the response type of your application in the provider. This determines the flow of your authentication.

JWT_OIDC = {
    ...
    'RESPONSE_TYPE': 'code',  # Recommended to use Authorization Code flow
    ...
}

CLIENT_SECRET

Set this to the client secret of your application in the provider. This setting is required if want to Hybrid flow or Authorization Code flow (Setting code inside the RESPONSE_TYPE)

JWT_OIDC = {
    ...
    'CLIENT_SECRET': 'some_string',
    ...
}

SCOPE

Set this to set the scope of the authentication flow.

JWT_OIDC = {
    ...
    'SCOPE': 'openid',  # Default
    ...
}

IDENTIFICATION_CLAIM

Set this if you want to use some other claim as identifier for your user model. Default: 'sub'

JWT_OIDC = {
    ...
    'IDENTIFICATION_CLAIM': 'sub',  # default
    ...
}

ID_TOKEN_RENAME_ATTRIBUTES

Set this to change the claims names to be translated to your User model fields. {'claim_name': 'model_field_name'}

JWT_OIDC = {
    ...
    'ID_TOKEN_RENAME_ATTRIBUTES': {},  # Default
    ...
}

CREATE_USER

Set this to True if you want to create users that they not exist.

JWT_OIDC = {
    ...
    'CREATE_USER': False,  # Default
    ...
}

USER_DEFAULT_ATTRIBUTES

Set this to set defaults values to users that log in with the OIDC.

JWT_OIDC = {
    ...
    'USER_DEFAULT_ATTRIBUTES': {},  # Default
    ...
}

PKCE_EXTENSION

Set this to activate the PKCE_EXTENSION. It is recommended.

JWT_OIDC = {
    ...
    'PKCE_EXTENSION': False,  # Default
    ...
}

CODE_CHALLENGE_METHOD

Set this for the PKCE_EXTENSION method. Only 'S256' supported.

JWT_OIDC = {
    ...
    'CODE_CHALLENGE_METHOD': 'S256',  # Default
    ...
}

CLIENT_DISPLAY

Setting display for the authentication flow. Options: page, popup, touch and wap.

JWT_OIDC = {
    ...
    'CLIENT_DISPLAY': '',  # Default
    ...
}

CLIENT_PROMPT

Setting prompt for the authentication flow. Options: login, consent, select_account and none.

JWT_OIDC = {
    ...
    'CLIENT_PROMPT': '',  # Default
    ...
}

CLIENT_MAX_AGE

Setting max_age for the authentication flow. How many seconds the user has logged in the provider.

JWT_OIDC = {
    ...
    'CLIENT_PROMPT': '',  # Default
    ...
}

OTHER

Other settings for the authentication flow.

  • CLIENT_UI_LOCALES
  • CLIENT_CLAIMS_LOCALES
  • CLIENT_ID_TOKEN_HINT
  • CLIENT_LOGIN_HINT
  • CLIENT_ACR_VALUES

Set up provider


This is an extra app of the django_jwt app that deploys a OpenID Connect provider with implicit flow (Not recommended), Hybrid flow, Authorization Code flow and Authorization Code flow with PKCE. The JWTs are signed by RSA or ECC keys that are being regenerated to improve security.
Django JWT Server does not provide for a login view.

Installation

  • Install django-cors-headers library into your app. Required in order to control the CORS policy from your apps. There is no need to add the domains one by one
  • Install djangorestframework library into your app.
  • Add django_jwt.server to your installed apps.
  • Migrate the database with python manage.py migrate.
  • Add your implemented Django log in into LOGIN_URL setting on settings.py.
  • Run your app in order to set up your hosts into the admin page.

Settings


All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.

JWT_OIDC = {
    ...
}

TYPE [Required]

Set this to provider.

JWT_OIDC = {
    ...
    'TYPE': 'provider',
    ...
}

DISCOVERY_ENDPOINT [Required]

Set this to your discovery endpoint of the provider.

JWT_OIDC = {
    ...
    'DISCOVERY_ENDPOINT': 'https://my-domain/.well-known/openid-configuration',
    ...
}

SIGNATURE_ALG

Set this to the algorithm used to sign tokens. ECC is recommended.

JWT_OIDC = {
    ...
    'SIGNATURE_ALG': 'ES512',  # Default
    ...
}

JWK_EXPIRATION_TIME

Expiration time (in seconds) of the RSA or ECC keys. They will be stopped to be used for signing after this time. They will be deleted after not needed again for validation.

JWT_OIDC = {
    ...
    'JWK_EXPIRATION_TIME': 3600,  # Default
    ...
}

JWT_ID_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the ID tokens.

JWT_OIDC = {
    ...
    'JWT_ID_TOKEN_EXPIRATION_TIME': 2700,  # Default
    ...
}

JWT_ACCESS_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the access tokens. Recommended to be low.

JWT_OIDC = {
    ...
    'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 600,  # Default
    ...
}

JWT_REFRESH_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the refresh tokens. Must be higher than access tokens.

JWT_OIDC = {
    ...
    'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 3600,  # Default
    ...
}

MAX_REFRESH

Set this in order to only be able to refresh tokens x times.

JWT_OIDC = {
    ...
    'MAX_REFRESH': 10,  # Default
    ...
}

USERINFO_SERIALIZER

User model serializer.

JWT_OIDC = {
    ...
    'USERINFO_SERIALIZER': 'django_jwt.server.serializers.UserSerializer',  # Default
    ...
}

USERINFO_SERIALIZER_EXCLUDE

Exclude fields of the User model in the 'django_jwt.server.serializers.UserSerializer'.

JWT_OIDC = {
    ...
    'USERINFO_SERIALIZER_EXCLUDE': ['password'],  # Default
    ...
}

Set up fake server for deployment


This is an extra functionality of the django_jwt app that makes a OpenId server with oauth 2.0 with implicit flow with an input to "log in" as whatever sub value you want.

Not maintained to changes of the 1.0 version.

Installation

  • Install django-cors-headers library into your app. Required in order to control the CORS policy from your frontend.
  • Add your frontend domain into CORS_ALLOWED_ORIGINS.
  • Change the JWT_OIDC['TYPE'] setting to 'fake'.
  • Set up the JWT_OIDC['CLIENT_ID'] setting to the same client id your frontend is targeting.
  • Set up the DEFAULT_DOMAIN setting on your Django settings. Example:
DEFAULT_DOMAIN = 'https://localhost:8000'
  • Set up your frontend url into the path that you included in urls.py.
<style> details summary > * { display: inline; } details { margin-top: 25px; } </style>

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-jwt-oidc-1.0.5.tar.gz (26.5 kB view details)

Uploaded Source

Built Distribution

django_jwt_oidc-1.0.5-py3-none-any.whl (31.6 kB view details)

Uploaded Python 3

File details

Details for the file django-jwt-oidc-1.0.5.tar.gz.

File metadata

  • Download URL: django-jwt-oidc-1.0.5.tar.gz
  • Upload date:
  • Size: 26.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.16

File hashes

Hashes for django-jwt-oidc-1.0.5.tar.gz
Algorithm Hash digest
SHA256 3d83802e6a9c4af0d43b614afe16da5b816b9c0861f799e1c1156835c9ebc9a8
MD5 1dd9a76840d1b2d0c21c43d5f3e69803
BLAKE2b-256 1c6c23f8872db9a9d511864c9e0e3acaa737d12bbb93cb4d5342b4d67b587ffd

See more details on using hashes here.

File details

Details for the file django_jwt_oidc-1.0.5-py3-none-any.whl.

File metadata

File hashes

Hashes for django_jwt_oidc-1.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 6ba09cbb3d2bbd48bf67faa1e9659a27cc0aab234d1d4779de1f72cb6f38e36a
MD5 b82438f9cbf6ac1868d502c14e2e9126
BLAKE2b-256 31cc280578499ac5dc104d5871c7e10f4e18482963cba4761402e1f52d1d3db3

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page