jpadilla / django-rest-framework-jwt

JSON Web Token Authentication support for Django REST Framework
http://jpadilla.github.io/django-rest-framework-jwt/
MIT License
3.19k stars, 649 forks

Multiserver implementation #316

Open JakeMana opened 7 years ago

JakeMana commented 7 years ago

Is there any way (or best practice) to implement this JWT for a multiserver (multi-app) system? For example: I want to have the auth server as a separate application. Then I have multiple servers (apps) like warehouse, CRM, ... in the ecosystem. The auth server should be responsible for issuing tokens, handling permissions and user settings; other apps should be able to validate those tokens. Has anyone ever tried this scenario?

goodmase commented 7 years ago

JWTs are stateless, so you shouldn't have any issues. On the auth server you would want your settings to look something like this:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
# Path is illustrative: load the RSA key pair as cryptography key objects
with open('/path/to/jwt_private.pem', 'rb') as f:
    PRIVATE_KEY = serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())

JWT_AUTH = {
    'JWT_PUBLIC_KEY': PRIVATE_KEY.public_key(),  # RSAPublicKey object
    'JWT_PRIVATE_KEY': PRIVATE_KEY,              # RSAPrivateKey object
    'JWT_ALGORITHM': 'RS512',
    'JWT_VERIFY': True,
}

other servers:

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
# Only the public key is deployed here (path is illustrative)
with open('/path/to/jwt_public.pem', 'rb') as f:
    PUBLIC_KEY = serialization.load_pem_public_key(f.read(), backend=default_backend())
JWT_AUTH = {
    'JWT_PUBLIC_KEY': PUBLIC_KEY,  # RSAPublicKey object
    'JWT_ALGORITHM': 'RS512',
    'JWT_VERIFY': True,
}

This will allow only the auth server to issue new JWTs and the other servers to verify them without exposing your private key. You will need to use the cryptography library to set JWT_PUBLIC_KEY and JWT_PRIVATE_KEY. Documentation can be found here, and there is an example in the tests.

If you're not super concerned with security, you can just keep the default settings and use 'HS256'. Both your auth server and the other servers will have to have the same JWT_SECRET_KEY in order for this setup to work.
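
The split described in the reply above, as an added, stand-alone example that is not code from this issue or from django-rest-framework-jwt: one party holds the RSA private key and mints RS512 tokens, every other service holds only the PEM public key and verifies. It uses the cryptography library directly and encodes the compact JWS form by hand instead of going through PyJWT, so the trust boundary is visible in a few lines. `AuthServer`, `ResourceServer`, the issuer name and the claim layout are assumptions made for the illustration, not library API.

```python
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

ALG = "RS512"           # RSASSA-PKCS1-v1_5 with SHA-512, the algorithm from the settings above
ISSUER = "auth-server"  # hypothetical issuer name placed in the "iss" claim


def _b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class AuthServer:
    """Hypothetical issuer: the only party holding the private key, hence the only one able to mint."""

    def __init__(self):
        self._private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048, backend=default_backend())

    def public_key_pem(self) -> bytes:
        # This PEM is what gets deployed to warehouse, crm, ... as their JWT_PUBLIC_KEY.
        return self._private_key.public_key().public_bytes(
            serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)

    def issue(self, username: str, permissions: list, ttl: int = 300, now=None) -> str:
        now = int(time.time()) if now is None else now
        header = {"alg": ALG, "typ": "JWT"}
        claims = {"iss": ISSUER, "sub": username, "perms": permissions, "iat": now, "exp": now + ttl}
        signing_input = b".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
        signature = self._private_key.sign(signing_input, padding.PKCS1v15(), hashes.SHA512())
        return (signing_input + b"." + _b64url(signature)).decode()


class ResourceServer:
    """Hypothetical warehouse/crm service: holds only the public key, can verify but never create."""

    def __init__(self, public_key_pem: bytes):
        self._public_key = serialization.load_pem_public_key(public_key_pem, backend=default_backend())

    def verify(self, token: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.encode().split(b".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, claims_b64, sig_b64 = parts
        # Pin the algorithm from our own config; the token's header never chooses how we verify.
        if json.loads(_b64url_decode(header_b64)).get("alg") != ALG:
            raise ValueError("unexpected alg")
        try:
            self._public_key.verify(_b64url_decode(sig_b64), header_b64 + b"." + claims_b64,
                                    padding.PKCS1v15(), hashes.SHA512())
        except InvalidSignature:
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        return claims


def demo() -> dict:
    """Round-trip a token through the three-server setup and collect each outcome."""
    auth = AuthServer()
    warehouse = ResourceServer(auth.public_key_pem())
    crm = ResourceServer(auth.public_key_pem())
    now = 1_700_000_000  # fixed clock so the example is deterministic
    token = auth.issue("alice", ["warehouse.read"], now=now)
    results = {"warehouse": warehouse.verify(token, now=now + 10)["sub"],
               "crm": crm.verify(token, now=now + 10)["perms"]}

    def failure(fn):
        try:
            fn()
        except ValueError as exc:
            return str(exc)
        return "accepted"

    # Past the 300 s lifetime the token must be refused.
    results["expired"] = failure(lambda: warehouse.verify(token, now=now + 301))
    # A rogue service with its own key pair cannot forge tokens the others accept.
    rogue_token = AuthServer().issue("mallory", ["*"], now=now)
    results["rogue"] = failure(lambda: warehouse.verify(rogue_token, now=now + 10))
    # Editing the claims (a privilege-escalation attempt) invalidates the signature.
    h, c, s = token.split(".")
    claims = json.loads(_b64url_decode(c.encode()))
    claims["perms"] = ["*"]
    forged = ".".join([h, _b64url(json.dumps(claims, separators=(",", ":")).encode()).decode(), s])
    results["tampered"] = failure(lambda: crm.verify(forged, now=now + 10))
    return results
```

Two design points carry over to the library configuration above: the verifier fixes the algorithm from its own settings (JWT_ALGORITHM) rather than reading it from the token, and it checks who issued the token and when it expires, not just that the signature is valid. With the shared-secret HS256 variant the same code runs, but every service holding JWT_SECRET_KEY can also mint tokens, which is exactly the trade-off the reply points out.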

jpadilla commented 7 years ago

I think there's an interesting blog post / example project to work on here.

JakeMana commented 7 years ago

@jpadilla Could you post a link to that blog post here (if you have it)? I'm really interested in this kind of implementation.