Django library that implements the authentification for OpenID Connect with JWT. This authentification is compatible with django session workflow and the RestFramework library.
- Install the library with pip
pip install django-jwt-oidc- Add the
django_jwtpackage into yourINSTALLED_APPSin your settings.py file
INSTALLED_APPS = [
...
'django_jwt',
...
]- Add django-jwt-oidc urls to your urls.py. You can change the path to the one you prefer.
urlpatterns = [
...
path('openid/', include('django_jwt.urls')),
...
]The django-jwt-oidc is a library that allows to implement a OIDC client in order to identify a user from a provider.
- Add
JWTAuthenticationMiddlewareinto your middleware afterSessionMiddleware. You can optionally remove theAuthenticationMiddlewareif you are not using other ways to log in.
MIDDLEWARE = [
...
'django.contrib.sessions.middleware.SessionMiddleware',
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django_jwt.middleware.JWTAuthenticationMiddleware',
...
]- If you removed the
AuthenticationMiddleware, you will need to add this settings:
SILENCED_SYSTEM_CHECKS = ['admin.E408']- Set the django setting
LOGOUT_REDIRECT_URLin order to redirect after logout. - Add redirects to the
oidc_loginandoidc_logout. To make it default you can setLOGIN_URL = 'oidc_login'.
- Getting authenticated user from request:
request.user. - Getting the ID token claims from the user:
request.user_claims. - Getting the userinfo from the endpoint from the user:
request.userinfo. - Getting a valid access token from the user:
request.get_access_token().
This settings are for views inherits RestFramework library from Django.
- You will need to install RestFramework on your own to your app first
You can add this to your APIviews class by adding JWTTokenAuthentication to authentification_classes attribute.
In this example, the view requires that all requests must have ID Token JWT Bearer Authentication.
from rest_framework import permissions, views
from django_jwt import JWTTokenAuthentication
class ExampleAPIView(view.APIView):
authentication_classes = [JWTTokenAuthentication]
permission_classes = [permissions.IsAuthenticated]If all your application can work with JWT Bearer Authentication you can add the JWTTokenAuthentication class to DEFAULT_AUTHENTICATION_CLASSES setting on settings.py of your app.
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'django_jwt.rest_framework.JWTTokenAuthentication',
]
}All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.
JWT_OIDC = {
...
}Set this to client.
JWT_OIDC = {
...
'TYPE': 'client',
...
}Set this to the discovery endpoint of the provider.
JWT_OIDC = {
...
'DISCOVERY_ENDPOINT': 'https://domain/.well-known/openid-configuration',
...
}Set this to the client ID of your application in the provider.
JWT_OIDC = {
...
'CLIENT_ID': 'some_string',
...
}Set this to the response type of your application in the provider. This determines the flow of your authentication.
JWT_OIDC = {
...
'RESPONSE_TYPE': 'code', # Recommended to use Authorization Code flow
...
}Set this to the client secret of your application in the provider. This setting is required if want to Hybrid flow or Authorization Code flow (Setting code inside the RESPONSE_TYPE)
JWT_OIDC = {
...
'CLIENT_SECRET': 'some_string',
...
}Set this to set the scope of the authentication flow.
JWT_OIDC = {
...
'SCOPE': 'openid', # Default
...
}Set this if you want to use some other claim as identifier for your user model. Default: 'sub'
JWT_OIDC = {
...
'IDENTIFICATION_CLAIM': 'sub', # default
...
}Set this to change the claims names to be translated to your User model fields. {'claim_name': 'model_field_name'}
JWT_OIDC = {
...
'ID_TOKEN_RENAME_ATTRIBUTES': {}, # Default
...
}Set this to True if you want to create users that they not exist.
JWT_OIDC = {
...
'CREATE_USER': False, # Default
...
}Set this to set defaults values to users that log in with the OIDC.
JWT_OIDC = {
...
'USER_DEFAULT_ATTRIBUTES': {}, # Default
...
}Set this to activate the PKCE_EXTENSION. It is recommended.
JWT_OIDC = {
...
'PKCE_EXTENSION': False, # Default
...
}Set this for the PKCE_EXTENSION method. Only 'S256' supported.
JWT_OIDC = {
...
'CODE_CHALLENGE_METHOD': 'S256', # Default
...
}Setting display for the authentication flow. Options: page, popup, touch and wap.
JWT_OIDC = {
...
'CLIENT_DISPLAY': '', # Default
...
}Setting prompt for the authentication flow. Options: login, consent, select_account and none.
JWT_OIDC = {
...
'CLIENT_PROMPT': '', # Default
...
}Setting max_age for the authentication flow. How many seconds the user has logged in the provider.
JWT_OIDC = {
...
'CLIENT_PROMPT': '', # Default
...
}Other settings for the authentication flow.
- CLIENT_UI_LOCALES
- CLIENT_CLAIMS_LOCALES
- CLIENT_ID_TOKEN_HINT
- CLIENT_LOGIN_HINT
- CLIENT_ACR_VALUES
This is an extra app of the django_jwt app that deploys a OpenID Connect provider with implicit flow (Not recommended), Hybrid flow, Authorization Code flow and Authorization Code flow with PKCE.
The JWTs are signed by RSA or ECC keys that are being regenerated to improve security.
Django JWT Server does not provide for a login view.
- Install django-cors-headers library into your app. Required in order to control the CORS policy from your apps. There is no need to add the domains one by one
- Install djangorestframework library into your app.
- Add
django_jwt.serverto your installed apps. - Migrate the database with
python manage.py migrate. - Add your implemented Django log in into
LOGIN_URLsetting onsettings.py. - Run your app in order to set up your hosts into the admin page.
All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.
JWT_OIDC = {
...
}Set this to provider.
JWT_OIDC = {
...
'TYPE': 'provider',
...
}Set this to your discovery endpoint of the provider.
JWT_OIDC = {
...
'DISCOVERY_ENDPOINT': 'https://my-domain/.well-known/openid-configuration',
...
}Set this to the algorithm used to sign tokens. ECC is recommended.
JWT_OIDC = {
...
'SIGNATURE_ALG': 'ES512', # Default
...
}Expiration time (in seconds) of the RSA or ECC keys. They will be stopped to be used for signing after this time. They will be deleted after not needed again for validation.
JWT_OIDC = {
...
'JWK_EXPIRATION_TIME': 3600, # Default
...
}Expiration time (in seconds) of the ID tokens.
JWT_OIDC = {
...
'JWT_ID_TOKEN_EXPIRATION_TIME': 2700, # Default
...
}Expiration time (in seconds) of the access tokens. Recommended to be low.
JWT_OIDC = {
...
'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 600, # Default
...
}Expiration time (in seconds) of the refresh tokens. Must be higher than access tokens.
JWT_OIDC = {
...
'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 3600, # Default
...
}Set this in order to only be able to refresh tokens x times.
JWT_OIDC = {
...
'MAX_REFRESH': 10, # Default
...
}User model serializer.
JWT_OIDC = {
...
'USERINFO_SERIALIZER': 'django_jwt.server.serializers.UserSerializer', # Default
...
}Exclude fields of the User model in the 'django_jwt.server.serializers.UserSerializer'.
JWT_OIDC = {
...
'USERINFO_SERIALIZER_EXCLUDE': ['password'], # Default
...
}This is an extra functionality of the django_jwt app that makes a OpenId server with oauth 2.0 with implicit flow with an input to "log in" as whatever sub value you want.
Not maintained to changes of the 1.0 version.
- Install django-cors-headers library into your app. Required in order to control the CORS policy from your frontend.
- Add your frontend domain into
CORS_ALLOWED_ORIGINS. - Change the
JWT_OIDC['TYPE']setting to'fake'. - Set up the
JWT_OIDC['CLIENT_ID']setting to the same client id your frontend is targeting. - Set up the
DEFAULT_DOMAINsetting on your Django settings. Example:
DEFAULT_DOMAIN = 'https://localhost:8000'- Set up your frontend url into the path that you included in
urls.py.