Open JoelGoh92 opened 6 years ago
Yes I need to implement the viewsets.ModelViewSet with authentication_classes for specific action. For example update or create new instance.
Thanks in advance. Allan
So I don't use https://github.com/GetBlimp/django-rest-framework-jwt but I have to use django-rest-framework-simplejwt? Correct?
But is it possible for a specific action like update or create?
@JoelGoh92 But I have the JWT thanks to a keycloak
@Allan-Nava currently for our project, we're not using the rest-auth jwt setup defined in the docs. Instead, after setting up simple-jwt with the steps in the docs, and configuring the settings, we then wrote our own JWTSocialLoginView, JWTLoginView and JWTLogoutView, which were fairly simple, and used them in the required areas.
However I still feel that it is better if these changes were to be supported and maintained by rest-auth instead.
So it is not possible in ModelViewSets?
@Allan-Nava It may be possible, but I would not recommend the model viewsets though, because these defined view classes will be used in a similar way as to how the current LoginView/SocialLoginView/LogoutView provided by rest-auth are used, and we only need to override the rest-auth implementations' required methods for the JWT token response and usage flow.
The JWT views I mentioned previously are inheriting from the respective classes rest-auth provides, e.g.
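```python
from rest_auth.registration.views import SocialLoginView
from rest_framework.response import Response
from rest_framework_simplejwt.tokens import RefreshToken

class JWTSocialLoginView(SocialLoginView):
    def get_response(self):
        # override method(s) for JWT implementation:
        # get JWT token via the simple-jwt package
        refresh = RefreshToken.for_user(self.user)
        # return the generated token in the response
        return Response({"refresh": str(refresh), "access": str(refresh.access_token)})
```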
This is because such a class will be reused in a similar manner, e.g. the JWTSocialLoginView defined will be used similarly to how the SocialLoginView provided by rest-auth for OAuth apps is used, other than returning the JWT token(s) in the response.
Rather there are a few reasons why this issue is raised:
1) In most JWT implementations, an access token + a refresh token is returned. Otherwise the other option, if only a single token is desired, is the sliding token approach. With simple-jwt, the jwt can be configured to either of these implementations, whichever is required.
2) With the current django-rest-framework-jwt supported by rest-auth, the only approach available is similar to the sliding token approach, except that it has no way to blacklist a previously generated jwt token, e.g. by logout on user end. On the other hand, simple-jwt provides a way to perform this blacklisting of invalid tokens
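The access/refresh pair and logout blacklisting described in points 1) and 2) above, as an added example that is not code from this thread or from simplejwt: a standard-library HS256 model in which `SECRET`, `BLACKLIST`, the lifetimes and all function names are assumptions.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key"  # constructed sample key (assumption)
BLACKLIST = set()                 # jti values of revoked refresh tokens
ACCESS_TTL, REFRESH_TTL = 300, 86400  # seconds; assumed lifetimes

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body):
    # Always HMAC-SHA256: the algorithm is never taken from the token header
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def encode(user_id, token_type, now, ttl):
    claims = {"user_id": user_id, "token_type": token_type,
              "exp": now + ttl, "jti": uuid.uuid4().hex}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head, body))}"

def decode(token, expected_type, now):
    head, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(head, body), _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["token_type"] != expected_type:
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["jti"] in BLACKLIST:
        raise ValueError("token is blacklisted")
    return claims

def issue_pair(user_id, now):
    return {"access": encode(user_id, "access", now, ACCESS_TTL),
            "refresh": encode(user_id, "refresh", now, REFRESH_TTL)}

def refresh_access(refresh, now):
    # Only a valid, non-blacklisted refresh token yields a new access token
    claims = decode(refresh, "refresh", now)
    return encode(claims["user_id"], "access", now, ACCESS_TTL)

def logout(refresh, now):
    # Revoke by jti; the access token already issued is not affected
    BLACKLIST.add(decode(refresh, "refresh", now)["jti"])
```

Blacklisting here revokes only the refresh token: an access token issued before logout keeps verifying until its `exp`, which is why the access lifetime is kept short.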
But is it possible to use the permission class only for a specific action like update or delete?
@Allan-Nava I think the use of JWT here is more for authentication. With DRF, you can set it up pretty easily, e.g. as a default authentication class.
If you're looking to implement permissions control, I would advise you to look at DRF's docs on permissions control. This should not have anything to do with whether you're using jwt as an auth mechanism.
While django-rest-framework-simplejwt is a newer library with fewer contributors, it is more recently maintained, has higher code quality than django-rest-framework-jwt, allows for the more typical JWT implementation (refresh and access tokens are different) and has extras such as refresh token blacklisting built in.
It would be good to have django-rest-framework-simplejwt support.
It doesn't look like django-rest-framework-jwt is being actively maintained. Last commit was Oct, 2017.
Just throwing my support behind django-rest-framework-simplejwt. Would be a huge benefit and streamline the whole authentication workflow. Also simplejwt implements refresh and access tokens per Joel above unlike the seemingly aging regular jwt implementation.
+1 on this. Please add support to django-rest-framework-simplejwt
+1, I would also love to have support for simplejwt!
+1 for the support of simplejwt
+1 for the support of simplejwt
As per the latest status update on the django-rest-framework-jwt page, this repo is no longer being actively maintained.
https://github.com/jpadilla/django-rest-framework-jwt/issues/484
+1 for the support of simplejwt!
@JoelGoh92 can you please be more specific about the solution of the problem? I'm not so confident with all the LoginView/SocialLoginView/LogoutView overriding thing you suggested
This issue is more than a year old. Does someone have a PR for this or a suggestion on how to implement it? I just don't want to reinvent the wheel and can work on some other issue.
How to use django-rest-framework-simplejwt as auth backend for django-rest-auth. Note: your needs may differ slightly based on how you implemented rest-auth.
First off, make sure you set simplejwt as your auth provider in settings.py:
```python
REST_FRAMEWORK = {
    # ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
    # ...
}
```
Next, look at your urls.py for where you route the rest-auth endpoints:
```python
from django.conf.urls import include, url

urlpatterns = [
    # ...
    url(r'^rest-auth/', include('rest_auth.urls')),
    # ...
]
```
You need to override the /rest-auth/login/ path with the login view from django-rest-framework-simplejwt by including it before the rest-auth urls. Here's how:
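```python
from django.conf.urls import include, url
from rest_framework_simplejwt.views import TokenObtainPairView
# ...
urlpatterns = [
    # ...
    # Listed before the rest-auth include so this pattern matches first
    url(r'^rest-auth/login/$', TokenObtainPairView.as_view(), name='rest_login'),
    url(r'^rest-auth/', include('rest_auth.urls')),
    # ...
]
# ...
```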
This'll get you started but there may be other routes you may need to override/create (e.g. logout). If you want the token login response to have non-default data, then you can override TokenObtainPairView with a custom serializer. Finally, because you're migrating from drf-jwt, you may need to change the auth header in settings.py to:
```python
SIMPLE_JWT = {
    # ...
    'AUTH_HEADER_TYPES': ('JWT', 'Bearer'),
}
```
The above worked for me, but was specific to my use case.
Thanks @NidalM. This is helpful. However, I'm actually going to use Simple-JWT for both email login as well as social login and I was trying to avoid writing my own end points for all the features supported by this library. So if I override login by completely writing my own end point, wouldn't I need to write the end points for everything like Registration, Forgot Password, Social-Auth for every provider etc. I was hoping that there should be a way to hook in simple-jwt instead of drf-jwt by overriding a common method of JWT token generation and the rest could remain the same. I'm not sure if there's no way to do that and we have to either write all the end points or change the complete implementation of the JWT token part of this library.
plus 1 for simple_jwt! Commenting to follow this chain
As many others requested... Out of the box simplejwt support would make things so much easier. It's also the suggested JWT package by DRF.
+1 for simple JWT! It's an awesome library!
https://github.com/ankurpandeyvns/django-rest-auth/commit/794dac308da75537d2af15174b8644c0163a2b5a
This may be helpful for those who are looking only for JWT Logins using SimpleJWT.
+1 for the support of simplejwt
+1 please, this library is extremely useful however the Django token authentication is simply too insecure for my taste.
+1 please, this library is extremely useful however the Django token authentication is simply too insecure for my taste.
https://github.com/ankurpandeyvns/django-rest-auth/commit/794dac308da75537d2af15174b8644c0163a2b5a
Try this one
+1 for simple_JWT
+1
+1
+1 simple_JWT
+1 simpleJWT
+1 simpleJWT
+1 simpleJWT
+1 simpleJWT pls!
+1 for simpleJWT
Django-rest-auth was forked to dj-rest-auth. See #568 for some info. Let's hope this one becomes the new go-to, it seems promising so far.
For all the people requesting simpleJWT, there's a pull request (ready to merge) in the new repo to add simplejwt support. https://github.com/jazzband/dj-rest-auth/pull/3
+1 simple JWT
+1 simple JWT
+1 simple JWT
+1 simple JWT
+1 simple JWT
This works for me))
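```python
from allauth.socialaccount.providers.facebook.views import FacebookOAuth2Adapter
from rest_auth.registration.views import SocialLoginView
from rest_framework.response import Response
from rest_framework.status import HTTP_200_OK
from rest_framework_simplejwt.tokens import RefreshToken


class FacebookLogin(SocialLoginView):
    adapter_class = FacebookOAuth2Adapter

    def get_response(self):
        # Return a simplejwt refresh/access pair in the login response
        refresh = RefreshToken.for_user(self.user)
        data = {"refresh": str(refresh), "access": str(refresh.access_token)}
        response = Response(data, status=HTTP_200_OK)
        return response

    def login(self):
        # Set the authenticated user and log in; no other token is created here
        self.user = self.serializer.validated_data['user']
        self.process_login()
```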
+1 simpleJWT
According to issue #5838 on the DRF repository and a PR raised there, django-rest-framework-simplejwt provides an alternative approach over django-rest-framework-jwt, with regards to security and implementation of JWT as an authentication mechanism. Hence, I'm curious if you guys will be planning to include the simplejwt package as a supported JWT backend? Thanks