mcueto / djangorestframework-auth0

Library to simply use Auth0 token authentication in DRF within djangorestframework-jwt
MIT License

can not authenticate #13

Closed dbinetti closed 7 years ago

dbinetti commented 7 years ago

I'm hoping to make this library work; it's exactly what I need.

However, I'm getting an "Incorrect authentication credentials" error and don't have a clue how to debug it.

I think I'm missing something fundamental, because in the final analysis I am not understanding how DRF would know about Auth0 and thus how it can provide authorization.

Would love some ideas on where to start... thanks

mcueto commented 7 years ago

Hi @dbinetti, first of all, thanks for using this library :)

Note that if the JWT keyword is changed in your API call (for example, to Bearer or Token), this MUST be changed in the library config (JWT_AUTH_HEADER_PREFIX).

If all of the above is correct, this library should create the User automagically, so after the creation you can give permissions, control access to your API or whatever you want; this user is created based on the sub attribute of the decoded payload.

You can also verify your token at https://jwt.io/

I hope this answer is useful for you. Cheers, I'll be alert :)

dbinetti commented 7 years ago

Thank you for replying so quickly.

Yes, this passes all your constraints, and I've verified the token signature.

In the end I think there might be some incompatibilities: for instance, I use a UUID, have a custom user model, and use a third-party permissions system that doesn't include Groups, which are three fairly big deviations from the norm.

But I guess my question is more fundamental: how does DRF work with a third-party system like Auth0 under these circumstances? Is it assumed that there will be two User tables (one local and one Auth0) that maintain the same data? If the data is only in Auth0, then how do I do things like relate my existing users to other tables in Django? For instance, I have a permissions system that relies on other models; how do I connect them to the current user?

In short, I am mostly getting the authentication process, but the authorization process (specifically using DRF) is escaping me.

On Fri, Sep 2, 2016 at 11:16 PM, Marcelo Cueto notifications@github.com wrote:

Hi @dbinetti https://github.com/dbinetti, first of all, thanks for using this library :)

  • The main consideration when using Auth0 with djangorestframework is to have the same client_id and client_secret in both the client (usually written in JavaScript) and the DRF API
  • Having the same client_id and client_secret, we must check that the algorithm is the same one the Auth0 service provides (HS256)
  • Also you must verify that the API call includes in the header the token given by Auth0 after login (lock.js library); the format to include it is the following: Authorization: JWT <token>

Note that if the JWT keyword is changed in your API call (for example, to Bearer or Token), this MUST be changed in the library config (JWT_AUTH_HEADER_PREFIX).

  • Same client_id and client_secret in client and REST API?
  • Algorithm OK?
  • Authorization header present?
  • Is the Authorization header prefix in the API call the same as the one in our DRF config?

If all of the above is correct, this library should create the User automagically, so after the creation you can give permissions, control access to your API or whatever you want; this user is created based on the sub attribute of the decoded payload.

You can also verify your token at https://jwt.io/

I hope this answer is useful for you. Cheers, I'll be alert :)


ajbeach2 commented 7 years ago

The other way of doing the JWT auth with Django is http://django-rest-framework-jwt/ and overriding the JWT decode methods to include your Auth0 audience and ID:

import os
import base64
import jwt

def jwt_decode(token):
    # Auth0 client secrets are base64url text; PyJWT wants the raw key bytes,
    # so turn base64url into standard base64 and decode it.
    secret = base64.b64decode(
        os.environ["AUTH0_ID"].replace("_", "/").replace("-", "+")
    )
    return jwt.decode(
        token,
        secret,
        algorithms=["HS256"],  # pin the algorithm server-side; never let the token choose it
        audience=os.environ["AUTH0_AUD"],
    )

def jwt_get_nickname(payload):
    # Use the Auth0 "sub" claim as the Django username
    return payload.get('sub')

JWT_AUTH = {
    'JWT_DECODE_HANDLER': jwt_decode,
    'JWT_PAYLOAD_GET_USERNAME_HANDLER': jwt_get_nickname
}
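
The checks that both answers in this thread rely on (a shared HS256 secret, a pinned algorithm, the expected audience, the Authorization header prefix matching the configured one, and the sub claim becoming the username), written out as one self-contained verifier. This is an added example, not code from this issue, from djangorestframework-auth0, or from django-rest-framework-jwt; it uses only the Python standard library instead of PyJWT so the logic is visible. The secret, audience, claims and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any reason a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_from_auth0_secret(client_secret: str) -> bytes:
    # Same idea as the replace("_", "/").replace("-", "+") trick in the
    # override above: the client secret is base64url text and the HMAC key
    # is its decoded bytes. This version also tolerates missing padding.
    return b64url_decode(client_secret)


def sign_hs256(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes, audience: str, now: float = None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never trust the token's own "alg".
    # This is what rejects alg=none and key-confusion tokens.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise TokenError("token expired")
    return payload


def authenticate_request(headers: dict, key: bytes, audience: str,
                         prefix: str = "JWT", now: float = None) -> str:
    # The prefix must equal the configured header prefix (JWT_AUTH_HEADER_PREFIX
    # in the library config), exactly as the thread warns.
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0] != prefix:
        raise TokenError("missing Authorization header or wrong prefix")
    payload = verify_hs256(parts[1], key, audience, now)
    return payload["sub"]  # the value the local user record is keyed on


# --- constructed demo data; not real Auth0 credentials ---
CLIENT_SECRET = b64url_encode(b"constructed-demo-secret-not-a-real-one")
KEY = key_from_auth0_secret(CLIENT_SECRET)
AUDIENCE = "constructed-client-id"
NOW = 1_700_000_000
CLAIMS = {"sub": "auth0|demo-user", "aud": AUDIENCE, "exp": NOW + 3600}

GOOD_TOKEN = sign_hs256(CLAIMS, KEY)
WRONG_AUD_TOKEN = sign_hs256(dict(CLAIMS, aud="someone-else"), KEY)
EXPIRED_TOKEN = sign_hs256(dict(CLAIMS, exp=NOW - 1), KEY)
WRONG_KEY_TOKEN = sign_hs256(CLAIMS, b"a-different-secret")
# alg=none forgery: header and payload with an empty signature segment
NONE_ALG_TOKEN = ".".join([
    b64url_encode(b'{"alg":"none","typ":"JWT"}'),
    b64url_encode(json.dumps(CLAIMS, separators=(",", ":")).encode()),
    "",
])


def outcome(headers: dict, prefix: str = "JWT") -> str:
    """Username on success, or 'rejected: <reason>' (constructed demo helper)."""
    try:
        return authenticate_request(headers, KEY, AUDIENCE, prefix=prefix, now=NOW)
    except TokenError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for name, hdr in [("good", "JWT " + GOOD_TOKEN),
                      ("bearer prefix", "Bearer " + GOOD_TOKEN),
                      ("alg none", "JWT " + NONE_ALG_TOKEN),
                      ("wrong audience", "JWT " + WRONG_AUD_TOKEN),
                      ("expired", "JWT " + EXPIRED_TOKEN),
                      ("wrong key", "JWT " + WRONG_KEY_TOKEN)]:
        print(name, "->", outcome({"Authorization": hdr}))
```

Two of the rejections map directly onto the thread's checklist: a "Bearer" prefix is refused until the verifier is told to expect it, which is the JWT_AUTH_HEADER_PREFIX mismatch mcueto describes, and a token signed under a different secret fails the HMAC check, which is what a client_id/client_secret mismatch between the JavaScript client and the DRF API looks like. The alg=none case is why the decode override above passes algorithms=["HS256"] rather than letting the token pick.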
dbinetti commented 7 years ago

Thank you, you steered me in the right direction. I got it to work. Much appreciated.


mcueto commented 7 years ago

In the future I'll write some documentation for the process of integrating this API into your projects (right now I'm too busy). Thanks @ajbeach2 for helping fix @dbinetti's problem.

Have a nice weekend.