DjangoCon - JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=47 José Padilla
September 04, 2014
Programming
15
9.4k

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

Becd166a81dc51c0009f602d175d0cc8?s=128

José Padilla

September 04, 2014
Tweet

More Decks by José Padilla

See All by José Padilla
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
11
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
3.7k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
130
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
1.9k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
4
150
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
0
120
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
330
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
3
2.1k
Becd166a81dc51c0009f602d175d0cc8?s=48 jpadilla
2
150

Other Decks in Programming

See All in Programming
Ffc500baeba9a1024e2c8273203c9f90?s=48 raulh82vlc
3
1.2k
Cfbe23392787cb3ad4689c5f72463fcc?s=48 makicamel
1
740
66988ef2ff1307f07c7c8d829a6dc4fa?s=48 rosariopfernandes
2
120
Fccbd625997f63e7b251d9725cb905a5?s=48 futo23
2
580
023b04c98f39cc041293d780352432ff?s=48 koic
4
1.6k
0fb2ce77513181750c384115cd0bc937?s=48 ksukenobe
2
230
264b44c0c6d60336f8b6a0fbab118984?s=48 mmazour
0
140
A6ba8150ec3d9e5f2c675ef8bd652ff5?s=48 vailkako
0
170
44f37c1fe3a6a56376bb41a338741355?s=48 ahiru
3
290
0b26590a0a8b0f1da140ed5de9b68379?s=48 usamik26
0
160
5bd19ec9172dcb6dd3cb8033d88b262e?s=48 rom1000
1
170
8fb8810e5e06a997bc13831b9b51007f?s=48 keinuma
0
680

Featured

See All Featured
0c6fd6a08d0f898159cda7cafcacf07f?s=48 afnizarnur
175
14k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
11
3.9k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
356
62k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
6
730
245cee81a9c424266e5e401d844ea881?s=48 lara
13
2.4k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
3
360
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
61
7.5k
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
85
8.4k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
5
360
E13c31390e0369fcd5972292ce0e7b92?s=48 jnunemaker
PRO
40
4.4k

Transcript

  1. JWT

  2. “jot”

  3. JSON Web Tokens

  4. José Padilla

  5. Flickr: Bryan Vincent

  6. Co-founder at blimp.io

  7. /jpadilla

  8. jpadilla.com

  9. Why?

  10. Single Sign-on

  11. Action Links

  12. Webhooks

  13. Token-based Auth

  14. What?

  15. “Compact URL-safe means of representing claims to be transferred between

    two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.
  16. None
  17. None
  18. None
  19. None
  20. None
  21. None

  22. JOSE

  23. JavaScript Object Signing and Encryption

  24. JWA

  25. JSON Web Algorithms

  26. JWK

  27. JSON Web Key

  28. JWT

  29. JSON Web Token

  30. JWS

  31. JSON Web Signature

  32. JWE

  33. JSON Web Encryption

  34. Today it’s all about JWT

  35. How?

  36. Internet-Draft

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  39. { "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  40. import json import hmac from hashlib import sha256 from base64

    import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  42. {! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  43. payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload)

    ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  45. SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig =

    hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

  47. PyJWT

  48. $ pip install PyJWT

  49. import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1}

    ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

  50. /progrium/pyjwt

  51. Django JWT Auth

  52. username/password JWT Error /login

  53. Authorization: Bearer <JWT> JWT Error /restricted

  54. $ pip install django-jwt

  55. import json ! from django.views.generic import View from django.http import

    HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

  56. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  57. /jpadilla/django-jwt-auth

  58. DRF JWT Auth

  59. $ pip install djangorestframework-jwt

  60. from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions

    import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

  61. from django.conf.urls import patterns from .views import RestrictedView urlpatterns =

    patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

  62. var url = 'http://localhost:8000/login/', creds = { username: 'admin', password:

    'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

  63. /GetBlimp/django-rest-framework-jwt

  64. Recap • It’s a standard • It’s simple • Third

    party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

  65. Django REST
 Framework Sprint

  66. Thanks Questions? http:/ /bit.ly/djangocon-jwt