Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DjangoCon - JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=47 José Padilla
September 04, 2014
Programming
15
9.9k

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=128

José Padilla

September 04, 2014
Tweet

More Decks by José Padilla

See All by José Padilla
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
17
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
4.2k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
170
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
1.9k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
4
150
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
120
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
360
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
3
2.1k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
150

Other Decks in Programming

See All in Programming
80a3a3857a55f154d23acb705eff72cc?s=48 star_zero
2
4.2k
0e726052fdb28ba1c004aa90eccbe261?s=48 scenee
2
140
D8da26d8c2f31098cb33d5d6087e6668?s=48 shuheiyamada
0
520
Ee4cc84c4dedde009c013c6d5f1a2e84?s=48 tatchnicolas
2
2.4k
0ed400174f90a4bcee05f3455597932f?s=48 ohbarye
3
450
7a0892afffbcbd35fd84d46508b3a914?s=48 dropout009
2
800
Ae7cc81ee2744719c66282681a219110?s=48 lnicolet
0
130
B3b2139e4f2c0eca4efe2379fcebc1c5?s=48 afilina
PRO
1
670
D63b0683b8fdd02c71c802691f97c04c?s=48 jogannaoki
0
1.3k
7166bc2cbc462ab5fd1987a76d0fe709?s=48 takahirom
1
230
Cfbe23392787cb3ad4689c5f72463fcc?s=48 makicamel
3
780
64fb973c47087ece7fb9b45d5b8593a4?s=48 yag_ays
7
5.6k

Featured

See All Featured
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
277
17k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.7k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
204
10k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
13
1k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
75
3.8k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
633
49k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
85
8.2k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.8k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1021
400k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
256
17k
11c84dff30266b907714802088852677?s=48 jasonvnalue
87
8.4k

Transcript

  1. JWT

  2. “jot”

  3. JSON Web Tokens

  4. José Padilla

  5. Flickr: Bryan Vincent

  6. Co-founder at blimp.io

  7. /jpadilla

  8. jpadilla.com

  9. Why?

  10. Single Sign-on

  11. Action Links

  12. Webhooks

  13. Token-based Auth

  14. What?

  15. “Compact URL-safe means of representing claims to be transferred between

    two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None

  22. JOSE

  23. JavaScript Object Signing and Encryption

  24. JWA

  25. JSON Web Algorithms

  26. JWK

  27. JSON Web Key

  28. JWT

  29. JSON Web Token

  30. JWS

  31. JSON Web Signature

  32. JWE

  33. JSON Web Encryption

  34. Today it’s all about JWT

  35. How?

  36. Internet-Draft

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  39. { "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  40. import json import hmac from hashlib import sha256 from base64

    import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  42. {! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  43. payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)

    ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  45. SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =

    hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  47. PyJWT

  48. $ pip install PyJWT

  49. import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}

    ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

  50. /progrium/pyjwt

  51. Django JWT Auth

  52. username/password JWT Error /login

  53. Authorization: Bearer <JWT> JWT Error /restricted

  54. $ pip install django-jwt

  55. import json ! from django.views.generic import View from django.http import

    HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

  56. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  57. /jpadilla/django-jwt-auth

  58. DRF JWT Auth

  59. $ pip install djangorestframework-jwt

  60. from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions

    import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

  61. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  62. var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:

    'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

  63. /GetBlimp/django-rest-framework-jwt

  64. Recap • It’s a standard • It’s simple • Third

    party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

  65. Django REST
 Framework Sprint

  66. Thanks Questions? http:/ /bit.ly/djangocon-jwt