Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DjangoCon - JSON Web Tokens

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for José Padilla José Padilla
September 04, 2014
Programming
15
11k

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

Avatar for José Padilla

José Padilla

September 04, 2014
Tweet

More Decks by José Padilla

See All by José Padilla
Python, Government, and Contracts
Avatar for José Padilla jpadilla
0
58
Python, Government, and Contracts
Avatar for José Padilla jpadilla
0
5k
Python Type Hints
Avatar for José Padilla jpadilla
0
580
Developer Ergonomics
Avatar for José Padilla jpadilla
0
2.1k
BFTW: The Backend
Avatar for José Padilla jpadilla
4
220
eventos
Avatar for José Padilla jpadilla
0
200
JWT
Avatar for José Padilla jpadilla
2
460
Ember.js + Django
Avatar for José Padilla jpadilla
3
2.2k
UPRB Basic Workshop
Avatar for José Padilla jpadilla
2
230

Other Decks in Programming

See All in Programming
AIエージェント、”どう作るか”で差は出るか? / AI Agents: Does the "How" Make a Difference?
Avatar for r-kagaya rkaga
4
2k
CSC307 Lecture 06
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
690
CSC307 Lecture 05
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
500
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
Avatar for がむ gam0022
1
310
Package Management Learnings from Homebrew
Avatar for Mike McQuaid mikemcquaid
0
230
React 19でつくる「気持ちいいUI」- 楽観的UIのすすめ
Avatar for Hiroshi Morishige himorishige
11
7.4k
OCaml 5でモダンな並列プログラミングを Enjoyしよう!
Avatar for Haochen Kotoi-Xie haochenx
0
140
高速開発のためのコード整理術
Avatar for sutetotanuki sutetotanuki
1
400
Fluid Templating in TYPO3 14
Avatar for Simon Praetorius s2b
0
130
16年目のピクシブ百科事典を支える最新の技術基盤 / The Modern Tech Stack Powering Pixiv Encyclopedia in its 16th Year
Avatar for ahu ahuglajbclajep
5
1k
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
4
1.2k
Honoを使ったリモートMCPサーバでAIツールとの連携を加速させる!
Avatar for とすり tosuri13
1
180

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
sira's awesome portfolio website redesign presentation
Avatar for ElsiraPls elsirapls
0
150
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
240
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.3k
The #1 spot is gone: here's how to win anyway
Avatar for Tamara Novitovic tamaranovitovic
2
940
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
1
200
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
Avatar for Sara Fernández Carmona sarafernandez
0
120
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.7k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
750

Transcript

  1. JWT

  2. “jot”

  3. JSON Web Tokens

  4. José Padilla

  5. Flickr: Bryan Vincent

  6. Co-founder at blimp.io

  7. /jpadilla

  8. jpadilla.com

  9. Why?

  10. Single Sign-on

  11. Action Links

  12. Webhooks

  13. Token-based Auth

  14. What?

  15. “Compact URL-safe means of representing claims to be transferred between

    two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None

  22. JOSE

  23. JavaScript Object Signing and Encryption

  24. JWA

  25. JSON Web Algorithms

  26. JWK

  27. JSON Web Key

  28. JWT

  29. JSON Web Token

  30. JWS

  31. JSON Web Signature

  32. JWE

  33. JSON Web Encryption

  34. Today it’s all about JWT

  35. How?

  36. Internet-Draft

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  39. { "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  40. import json import hmac from hashlib import sha256 from base64

    import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  42. {! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  43. payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)

    ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  45. SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =

    hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  47. PyJWT

  48. $ pip install PyJWT

  49. import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}

    ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

  50. /progrium/pyjwt

  51. Django JWT Auth

  52. username/password JWT Error /login

  53. Authorization: Bearer <JWT> JWT Error /restricted

  54. $ pip install django-jwt

  55. import json ! from django.views.generic import View from django.http import

    HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

  56. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  57. /jpadilla/django-jwt-auth

  58. DRF JWT Auth

  59. $ pip install djangorestframework-jwt

  60. from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions

    import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

  61. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  62. var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:

    'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

  63. /GetBlimp/django-rest-framework-jwt

  64. Recap • It’s a standard • It’s simple • Third

    party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

  65. Django REST
 Framework Sprint

  66. Thanks Questions? http:/ /bit.ly/djangocon-jwt