Slide 1

Slide 1 text

JWT

Slide 2

Slide 2 text

“jot”

Slide 3

Slide 3 text

JSON Web Tokens

Slide 4

Slide 4 text

José Padilla

Slide 5

Slide 5 text

Flickr: Bryan Vincent

Slide 6

Slide 6 text

Co-founder at blimp.io

Slide 7

Slide 7 text

/jpadilla

Slide 8

Slide 8 text

jpadilla.com

Slide 9

Slide 9 text

Why?

Slide 10

Slide 10 text

Single Sign-on

Slide 11

Slide 11 text

Action Links

Slide 12

Slide 12 text

Webhooks

Slide 13

Slide 13 text

Token-based Auth

Slide 14

Slide 14 text

What?

Slide 15

Slide 15 text

“Compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).” - IETF.

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

JOSE

Slide 23

Slide 23 text

JavaScript Object Signing and Encryption

Slide 24

Slide 24 text

JWA

Slide 25

Slide 25 text

JSON Web Algorithms

Slide 26

Slide 26 text

JWK

Slide 27

Slide 27 text

JSON Web Key

Slide 28

Slide 28 text

JWT

Slide 29

Slide 29 text

JSON Web Token

Slide 30

Slide 30 text

JWS

Slide 31

Slide 31 text

JSON Web Signature

Slide 32

Slide 32 text

JWE

Slide 33

Slide 33 text

JSON Web Encryption

Slide 34

Slide 34 text

Today it’s all about JWT

Slide 35

Slide 35 text

How?

Slide 36

Slide 36 text

Internet-Draft

Slide 37

Slide 37 text

eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 38

Slide 38 text

eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 39

Slide 39 text

{ "typ": "JWT", "alg": "HS256" } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 40

Slide 40 text

import json import hmac from hashlib import sha256 from base64 import urlsafe_b64encode ! segments = [] ! header_dict = { 'typ':'JWT', 'alg': 'HS256' } ! json_header = json.dumps(header_dict) ! header = urlsafe_b64encode(json_header).rstrip('=') segments.append(header) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 41

Slide 41 text

eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 42

Slide 42 text

{! "user_id": 1! } eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 43

Slide 43 text

payload_dict = { 'user_id': 1 } ! json_payload = json.dumps(payload) ! payload = urlsafe_b64encode(json_payload).rstrip('=') segments.append(payload) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 44

Slide 44 text

eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 45

Slide 45 text

SECRET = 'abc123' ! signing_input = '.'.join(segments) ! sig = hmac.new(SECRET, signing_input, sha256) signature = urlsafe_b64encode(sig.digest()).rstrip('=') segments.append(signature) ! token = '.'.join(segments) eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 46

Slide 46 text

eyJ0eXAiOiJKV1QiLCJhbGciOi JIUzI1NiJ9.eyJ1c2VyX2lkIjo xfQ.xpCS8TTq1a53OIps1ByTdm 6Sh-A1ZoCId3e2YYWjapU

Slide 47

Slide 47 text

PyJWT

Slide 48

Slide 48 text

$ pip install PyJWT

Slide 49

Slide 49 text

import jwt ! SECRET_KEY = "abc123" payload = {"user_id": 1} ! jwt_token = jwt.encode(payload, SECRET_KEY) ! payload = jwt.decode(jwt_token, SECRET_KEY)

Slide 50

Slide 50 text

/progrium/pyjwt

Slide 51

Slide 51 text

Django JWT Auth

Slide 52

Slide 52 text

username/password JWT Error /login

Slide 53

Slide 53 text

Authorization: Bearer JWT Error /restricted

Slide 54

Slide 54 text

$ pip install django-jwt

Slide 55

Slide 55 text

import json ! from django.views.generic import View from django.http import HttpResponse ! from jwt_auth.mixins import JSONWebTokenAuthMixin ! ! class RestrictedView(JSONWebTokenAuthMixin, View): def get(self, request): data = json.dumps({ 'foo': 'bar' }) return HttpResponse(data, content_type='application/json')

Slide 56

Slide 56 text

from django.conf.urls import patterns from .views import RestrictedView urlpatterns = patterns( '', ! (r'^login/$', 'jwt_auth.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

Slide 57

Slide 57 text

/jpadilla/django-jwt-auth

Slide 58

Slide 58 text

DRF JWT Auth

Slide 59

Slide 59 text

$ pip install djangorestframework-jwt

Slide 60

Slide 60 text

from rest_framework.views import APIView from rest_framework.response import Response from rest_framework.permissions import IsAuthenticated from rest_framework_jwt.authentication import JSONWebTokenAuthentication class RestrictedView(APIView): permission_classes = (IsAuthenticated, ) authentication_classes = (JSONWebTokenAuthentication, ) def get(self, request): data = { 'foo': 'bar' } ! return Response(data)

Slide 61

Slide 61 text

from django.conf.urls import patterns from .views import RestrictedView urlpatterns = patterns( '', ! (r'^login/', 'rest_framework_jwt.views.obtain_jwt_token'), (r'^restricted/$', RestrictedView.as_view()), )

Slide 62

Slide 62 text

var url = 'http://localhost:8000/login/', creds = { username: 'admin', password: 'abc123' }; $.post(url, creds, function(auth) { $.ajax({ type: 'GET', url: 'http://localhost:8000/restricted/', beforeSend: function(xhr) { xhr.setRequestHeader("Authorization", "Bearer " + auth.token); }, success: function(data){ console.log(data); // { // foo: "bar" // } } }); });

Slide 63

Slide 63 text

/GetBlimp/django-rest-framework-jwt

Slide 64

Slide 64 text

Recap • It’s a standard • It’s simple • Third party libraries • Single Sign-on • Action links • Authentication • CORS • Stateless • No CSRF • CDN • Mobile/WebSockets

Slide 65

Slide 65 text

Django REST
 Framework Sprint

Slide 66

Slide 66 text

Thanks Questions? http:/ /bit.ly/djangocon-jwt