Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DjangoCon - JSON Web Tokens

José Padilla
September 04, 2014
Programming
15
11k

DjangoCon - JSON Web Tokens

DjangoCon US 2014 talk on JSON Web Tokens

José Padilla

September 04, 2014
Tweet

More Decks by José Padilla

See All by José Padilla
Python, Government, and Contracts
jpadilla
0
26
Python, Government, and Contracts
jpadilla
0
4.5k
Python Type Hints
jpadilla
0
260
Developer Ergonomics
jpadilla
0
1.9k
BFTW: The Backend
jpadilla
4
160
eventos
jpadilla
0
130
JWT
jpadilla
2
380
Ember.js + Django
jpadilla
3
2.1k
UPRB Basic Workshop
jpadilla
2
160

Other Decks in Programming

See All in Programming
NotionのURLをWorkersで綺麗にしよう!
totto2727
0
210
Compose로 Android&Desktop 멀티플랫폼 만들기
pangmoo
0
110
これだけは知っておきたいクラス設計の基礎知識
masuda220
PRO
7
3.9k
Kotlin Multiplatform Library 배포하기
fornewid
0
200
Hugo で作ったブログに閲覧数ランキングが欲しい!
track3jyo
PRO
2
430
KubeCon + CNCon Europe 2023 Recap Flux Beyond Git: Harnessing the Power of OCI
ksudate
0
260
サバンナ便り〜自動テストに関する連載で得られた知見のまとめ(2023年5月版)〜 / Automated Test Knowledge from Savanna 202305 edition
twada
PRO
15
4.9k
Firebase A/B TestingとRemote Config
を最大限に活用する方法
mukky620
1
340
オンボーディングのために 私はプロダクト考古学者になりました!
akitotsukahara
3
230
GitHub Copilotを使って ちょっと楽にUnitTestを書けるようになった
totokit4
2
1.8k
Yla's #Kaigieffect
little_rubyist
0
990
Swiftにおけるポリモーフィズム実現手段の検討
mot_techtalk
1
160

Featured

See All Featured
Building Applications with DynamoDB
mza
86
5.1k
A Tale of Four Properties
chriscoyier
149
21k
No one is an island. Learnings from fostering a developers community.
thoeni
13
1.7k
For a Future-Friendly Web
brad_frost
166
8k
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
Teambox: Starting and Learning
jrom
124
8k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Agile that works and the tools we love
rasmusluckow
322
20k
How STYLIGHT went responsive
nonsquared
89
4.3k
Practical Orchestrator
shlominoach
179
9.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.5k

Transcript

  1. JWT

    View Slide

  2. “jot”

    View Slide

  3. JSON Web Tokens

    View Slide

  4. José Padilla

    View Slide

  5. Flickr: Bryan Vincent

    View Slide

  6. Co-founder at
    blimp.io

    View Slide

  7. /jpadilla

    View Slide

  8. jpadilla.com

    View Slide

  9. Why?

    View Slide

  10. Single Sign-on

    View Slide

  11. Action Links

    View Slide

  12. Webhooks

    View Slide

  13. Token-based Auth

    View Slide

  14. What?

    View Slide

  15. “Compact URL-safe means of representing
    claims to be transferred between two parties. The
    claims in a JWT are encoded as a JSON object
    that is digitally signed using JSON Web
    Signature (JWS).” - IETF.

    View Slide

  16. View Slide

  17. View Slide

  18. View Slide

  19. View Slide

  20. View Slide

  21. View Slide

  22. JOSE

    View Slide

  23. JavaScript
    Object
    Signing and
    Encryption

    View Slide

  24. JWA

    View Slide

  25. JSON
    Web
    Algorithms

    View Slide

  26. JWK

    View Slide

  27. JSON
    Web
    Key

    View Slide

  28. JWT

    View Slide

  29. JSON
    Web
    Token

    View Slide

  30. JWS

    View Slide

  31. JSON
    Web
    Signature

    View Slide

  32. JWE

    View Slide

  33. JSON
    Web
    Encryption

    View Slide

  34. Today it’s
    all about
    JWT

    View Slide

  35. How?

    View Slide

  36. Internet-Draft

    View Slide

  37. eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  38. eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  39. {
    "typ": "JWT",
    "alg": "HS256"
    }
    eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  40. import json
    import hmac
    from hashlib import sha256
    from base64 import urlsafe_b64encode
    !
    segments = []
    !
    header_dict = {
    'typ':'JWT',
    'alg': 'HS256'
    }
    !
    json_header = json.dumps(header_dict)
    !
    header = urlsafe_b64encode(json_header).rstrip('=')
    segments.append(header)
    eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  41. eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  42. {!
    "user_id": 1!
    }
    eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  43. payload_dict = {
    'user_id': 1
    }
    !
    json_payload = json.dumps(payload)
    !
    payload = urlsafe_b64encode(json_payload).rstrip('=')
    segments.append(payload)
    eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  44. eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  45. SECRET = 'abc123'
    !
    signing_input = '.'.join(segments)
    !
    sig = hmac.new(SECRET, signing_input, sha256)
    signature = urlsafe_b64encode(sig.digest()).rstrip('=')
    segments.append(signature)
    !
    token = '.'.join(segments)
    eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  46. eyJ0eXAiOiJKV1QiLCJhbGciOi
    JIUzI1NiJ9.eyJ1c2VyX2lkIjo
    xfQ.xpCS8TTq1a53OIps1ByTdm
    6Sh-A1ZoCId3e2YYWjapU

    View Slide

  47. PyJWT

    View Slide

  48. $ pip install PyJWT

    View Slide

  49. import jwt
    !
    SECRET_KEY = "abc123"
    payload = {"user_id": 1}
    !
    jwt_token = jwt.encode(payload, SECRET_KEY)
    !
    payload = jwt.decode(jwt_token, SECRET_KEY)

    View Slide

  50. /progrium/pyjwt

    View Slide

  51. Django JWT Auth

    View Slide

  52. username/password
    JWT
    Error
    /login

    View Slide

  53. Authorization: Bearer
    JWT
    Error
    /restricted

    View Slide

  54. $ pip install django-jwt

    View Slide

  55. import json
    !
    from django.views.generic import View
    from django.http import HttpResponse
    !
    from jwt_auth.mixins import JSONWebTokenAuthMixin
    !
    !
    class RestrictedView(JSONWebTokenAuthMixin, View):
    def get(self, request):
    data = json.dumps({
    'foo': 'bar'
    })
    return HttpResponse(data, content_type='application/json')

    View Slide

  56. from django.conf.urls import patterns
    from .views import RestrictedView
    urlpatterns = patterns(
    '',
    !
    (r'^login/$', 'jwt_auth.views.obtain_jwt_token'),
    (r'^restricted/$', RestrictedView.as_view()),
    )

    View Slide

  57. /jpadilla/django-jwt-auth

    View Slide

  58. DRF JWT Auth

    View Slide

  59. $ pip install djangorestframework-jwt

    View Slide

  60. from rest_framework.views import APIView
    from rest_framework.response import Response
    from rest_framework.permissions import IsAuthenticated
    from rest_framework_jwt.authentication import JSONWebTokenAuthentication
    class RestrictedView(APIView):
    permission_classes = (IsAuthenticated, )
    authentication_classes = (JSONWebTokenAuthentication, )
    def get(self, request):
    data = {
    'foo': 'bar'
    }
    !
    return Response(data)

    View Slide

  61. from django.conf.urls import patterns
    from .views import RestrictedView
    urlpatterns = patterns(
    '',
    !
    (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'),
    (r'^restricted/$', RestrictedView.as_view()),
    )

    View Slide

  62. var url = 'http://localhost:8000/login/',
    creds = {
    username: 'admin',
    password: 'abc123'
    };
    $.post(url, creds, function(auth) {
    $.ajax({
    type: 'GET',
    url: 'http://localhost:8000/restricted/',
    beforeSend: function(xhr) {
    xhr.setRequestHeader("Authorization", "Bearer " + auth.token);
    },
    success: function(data){
    console.log(data);
    // {
    // foo: "bar"
    // }
    }
    });
    });

    View Slide

  63. /GetBlimp/django-rest-framework-jwt

    View Slide

  64. Recap
    • It’s a standard

    • It’s simple

    • Third party libraries

    • Single Sign-on

    • Action links
    • Authentication

    • CORS

    • Stateless

    • No CSRF

    • CDN

    • Mobile/WebSockets

    View Slide

  65. Django
    REST

    Framework
    Sprint

    View Slide

  66. Thanks
    Questions?
    http:/
    /bit.ly/djangocon-jwt

    View Slide