DjangoCon - JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=47 José Padilla
September 04, 2014
Programming
15
9.2k

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=128

José Padilla

September 04, 2014
Tweet

More Decks by José Padilla

See All by José Padilla
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
9
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
3k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
130
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
1.9k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
4
150
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
120
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
320
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
3
2.1k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
150

Other Decks in Programming

See All in Programming
Db8efd836c9a09b71e3d8e1c60d6ea84?s=48 colinfay
0
130
A10e41b0a61d59f2258d7f6172c33479?s=48 kaityo256
0
440
F54b73a93fb75a12fa6c28b26ca0bb62?s=48 kawakawaryuryu
0
130
0a98ad166f9cdf8d27d92c37438c6e9d?s=48 matsumana
0
350
D9e4d5a4b36f83fbde1076815df1362f?s=48 bmack
0
180
F28abade40c3fa0565f578f7dbae6560?s=48 orumin
2
2.2k
D882856fd493248c73331872a516d1b5?s=48 exsoul
1
120
38a509643276213e62730e92ef220405?s=48 masatakamiki
0
200
Fc96157614ee73039c4a575906167979?s=48 fukumura
0
260
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
120
Acb6390b6c4b5192f40e10601b63dafc?s=48 twkiiim
0
1.2k
B7caf463b7dbc6c305ba290ec3c16521?s=48 eroispaziali
0
300

Featured

See All Featured
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
60
2.4k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
69
1.2k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
17
1.2k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
283
110k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
65
2.9k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
308
21k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
1
14
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
189
17k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
70
3.3k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
144
11k
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
249
19k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
353
62k

Transcript

  1. JWT

  2. “jot”

  3. JSON Web Tokens

  4. José Padilla

  5. Flickr: Bryan Vincent

  6. Co-founder at blimp.io

  7. /jpadilla

  8. jpadilla.com

  9. Why?

  10. Single Sign-on

  11. Action Links

  12. Webhooks

  13. Token-based Auth

  14. What?

  15. “Compact URL-safe means of representing claims to be transferred between

    two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None

  22. JOSE

  23. JavaScript Object Signing and Encryption

  24. JWA

  25. JSON Web Algorithms

  26. JWK

  27. JSON Web Key

  28. JWT

  29. JSON Web Token

  30. JWS

  31. JSON Web Signature

  32. JWE

  33. JSON Web Encryption

  34. Today it’s all about JWT

  35. How?

  36. Internet-Draft

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  39. { "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  40. import json import hmac from hashlib import sha256 from base64

    import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  42. {! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  43. payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)

    ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  45. SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =

    hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  47. PyJWT

  48. $ pip install PyJWT

  49. import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}

    ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

  50. /progrium/pyjwt

  51. Django JWT Auth

  52. username/password JWT Error /login

  53. Authorization: Bearer <JWT> JWT Error /restricted

  54. $ pip install django-jwt

  55. import json ! from django.views.generic import View from django.http import

    HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

  56. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  57. /jpadilla/django-jwt-auth

  58. DRF JWT Auth

  59. $ pip install djangorestframework-jwt

  60. from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions

    import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

  61. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  62. var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:

    'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

  63. /GetBlimp/django-rest-framework-jwt

  64. Recap • It’s a standard • It’s simple • Third

    party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

  65. Django REST
 Framework Sprint

  66. Thanks Questions? http:/ /bit.ly/djangocon-jwt