humanitec / django-oauth-toolkit-jwt

django-oauth-toolkit extension that adds JWT support
MIT License

Can't access API because of permission denied #9

Closed hqtoan94 closed 6 years ago

hqtoan94 commented 6 years ago

Hi, thanks for your hard work on this repo.

My work currently requires integrating JWT with OAuth2, so I came here and used your repo to solve my problem. But it looks like your authenticate method only works for AnonymousUser?

# Imports added to the excerpt for context; they are not part of the original
# snippet. `jwt` is PyJWT, which provides the exception classes caught below.
import jwt
from django.contrib.auth.models import AnonymousUser
from rest_framework import exceptions
from rest_framework.authentication import BaseAuthentication

# The library's own helper (module path assumed from the package layout).
from oauth2_provider_jwt.utils import decode_jwt


class JWTAuthentication(BaseAuthentication):
    """
    Token based authentication using the JSON Web Token standard.
    Clients should authenticate by passing the token key in the "Authorization"
    HTTP header, prepended with the string specified in the setting
    `JWT_AUTH_HEADER_PREFIX`. For example:
        Authorization: JWT eyJhbGciOiAiSFMyNTYiLCAidHlwIj
    """
    www_authenticate_realm = 'api'

    # _get_jwt_value() (extracts the token from the Authorization header) and
    # _add_session_details() (stores the claims on the request) are defined
    # elsewhere in this class and were omitted from the excerpt.

    def authenticate(self, request):
        """
        Returns a two-tuple of `User` and token if a valid signature has been
        supplied using JWT-based authentication.  Otherwise returns `None`.
        """
        jwt_value = self._get_jwt_value(request)
        if jwt_value is None:
            # No JWT in the request: let other authenticators run.
            return None

        try:
            payload = decode_jwt(jwt_value)
        except jwt.ExpiredSignatureError:
            msg = 'Signature has expired.'
            raise exceptions.AuthenticationFailed(msg)
        except jwt.DecodeError:
            msg = 'Error decoding signature.'
            raise exceptions.AuthenticationFailed(msg)
        except jwt.InvalidTokenError:
            raise exceptions.AuthenticationFailed()

        self._add_session_details(request, payload)
        # Note: no database lookup. The first tuple element is always an
        # AnonymousUser, whose is_authenticated is False, so DRF permission
        # classes such as IsAuthenticated will reject the request.
        return AnonymousUser(), payload

I followed this method and saw that you return an AnonymousUser instead of the current user who uses the token to access the API. Could you explain to me why you do that, and how I would add permissions for my views?

Thank you so much.

rafa-munoz commented 6 years ago

Yes, the current implementation does not authenticate against a User in the database. The reason is that we need JWT authentication in microservices which are not connected to the users' database. It would be nice if you could contribute and add authentication, make it the default, and add an option in settings to turn on anonymous-user auth (the current behaviour).
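The switch described in the reply above, as an added example written for this page; it is not the project's code and not the PR that followed. It stands in for Django and DRF with plain Python so it runs offline: `SETTINGS`, `JWT_AUTH_ANONYMOUS_USER`, `USER_DB`, `Principal` and `AuthenticationFailed` are constructed stand-ins (hypothetical names), and `decode_jwt`/`encode_jwt` are a minimal HS256 implementation written here rather than PyJWT or the library's helper. With the flag off, the token's `sub` claim is resolved to a user record and the returned principal has `is_authenticated == True`, which is what `IsAuthenticated`-style permission checks need; with the flag on, the microservice mode from the reply is kept and only the claims are exposed.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed settings standing in for django.conf.settings (hypothetical keys).
SETTINGS = {
    "JWT_SECRET": b"constructed-shared-secret-do-not-reuse",
    "JWT_AUTH_HEADER_PREFIX": "JWT",
    # True  -> behave like the issue's code: anonymous principal, claims only.
    # False -> resolve the token subject to a real user record.
    "JWT_AUTH_ANONYMOUS_USER": False,
}

# Constructed stand-in for the users table; only the identity service has this.
USER_DB = {
    "42": {"id": 42, "username": "alice", "is_active": True},
    "7": {"id": 7, "username": "mallory", "is_active": False},
}


class AuthenticationFailed(Exception):
    """Stands in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class Principal:
    user_id: Optional[int]
    username: str
    is_authenticated: bool  # what DRF's IsAuthenticated permission inspects


ANONYMOUS = Principal(None, "", False)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token, secret=SETTINGS["JWT_SECRET"], now=None):
    """Verify an HS256 JWT and return its claims, else raise AuthenticationFailed.
    The header 'alg' is checked against a fixed allow-list before the signature
    is verified, so a token claiming alg=none is rejected outright."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise AuthenticationFailed("Error decoding signature.")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AuthenticationFailed("Error decoding signature.")
    if header.get("alg") != "HS256":
        raise AuthenticationFailed("Unsupported algorithm.")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthenticationFailed("Error decoding signature.")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        raise AuthenticationFailed("Signature has expired.")
    return payload


def encode_jwt(payload, secret=SETTINGS["JWT_SECRET"]):
    """Mint an HS256 token; present only so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(o, separators=(",", ":")).encode())
             for o in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def get_jwt_value(headers):
    """Extract the token from 'Authorization: <prefix> <token>'; None if absent."""
    auth = headers.get("Authorization", "").split()
    prefix = SETTINGS["JWT_AUTH_HEADER_PREFIX"].lower()
    if len(auth) != 2 or auth[0].lower() != prefix:
        return None
    return auth[1]


def authenticate(headers, now=None):
    """Return (principal, claims) or None, mirroring DRF's authenticate()."""
    token = get_jwt_value(headers)
    if token is None:
        return None  # no JWT: let other authenticators run
    payload = decode_jwt(token, now=now)
    if SETTINGS["JWT_AUTH_ANONYMOUS_USER"]:
        return ANONYMOUS, payload
    user = USER_DB.get(str(payload.get("sub")))
    if user is None or not user["is_active"]:
        raise AuthenticationFailed("Unknown or inactive user.")
    return Principal(user["id"], user["username"], True), payload
```

The `now` parameter exists only to make expiry testable without waiting; in a real authenticator it would be the clock. The user lookup is keyed on the `sub` claim after signature and expiry verification, never before, so an unverified token can never trigger a database query.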

rafa-munoz commented 6 years ago

Done in PR: https://github.com/Humanitec/django-oauth-toolkit-jwt/pull/10