Review recommendation for JWT Authentication #5838
I tested out https://github.com/GetBlimp/django-rest-framework-jwt based on reading through http://www.django-rest-framework.org/api-guide/authentication/.
It doesn't seem to be well supported. It implements some sort of sliding token by default without blacklisting. It uses the 'access' token as the 'refresh' token. It's not a workflow I've found with tokens in any standards, which makes me fear that it hasn't been very well vetted for security.
To see some more typical flows for token/claim based auth read up on the specs for OpenID Connect, SAML, or Kerberos. They all use different types of tokens, but the procedures and workflows for handling tokens are well vetted.
I did a review of https://github.com/davesque/django-rest-framework-simplejwt. It appears actively supported. The workflow uses separate access and refresh tokens. It does have a sliding token option, and the docs mention it is a less secure albeit convenient approach. It also provides a blacklisting
I think it would be good to remove mentions of https://github.com/GetBlimp/django-rest-framework-jwt, until the maintainers can start addressing issues in the queue and improve their documentation. I think it presents a security risk to new developers who aren't really familiar with JWTs or token/claims based authentication workflows and the risks that come with them.
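To make the distinction the issue draws concrete, here is an added example that is not code from this thread, from django-rest-framework, or from either JWT package discussed. It sketches, with only the Python standard library, the workflow the issue recommends: a short-lived access token and a separate long-lived refresh token, a `token_type` claim so an access token can never be presented as a refresh token, single-use refresh tokens whose `jti` goes onto a blacklist when rotated or on logout, and an `alg` check so a forged header cannot bypass verification. The HS256 encoder, the claim names and the `TokenService` class are assumptions made for illustration and are not any library's API.

```python
"""Added example: access/refresh token pair with jti blacklisting, stdlib only.

Claim names (sub, exp, jti, token_type) are the illustrative convention used
here; the HS256 JWT encoding is written by hand so the example runs offline.
Not taken from django-rest-framework-jwt or djangorestframework-simplejwt.
"""
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_LIFETIME = 5 * 60          # seconds: short-lived, sent with every request
REFRESH_LIFETIME = 24 * 60 * 60   # seconds: long-lived, only used to mint new pairs


class TokenError(Exception):
    """Raised when a token is malformed, forged, expired, mistyped or revoked."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature (base64url)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def decode(token: str, key: bytes, now: float) -> dict:
    """Verify alg, signature and expiry, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject alg=none and algorithm confusion
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


class TokenService:
    """Issues access/refresh pairs and enforces token_type and the jti blacklist."""

    def __init__(self, key: bytes):
        self.key = key
        self.blacklist = set()   # jti values of refresh tokens already used or revoked

    def issue_pair(self, user_id: int, now: float):
        access = encode({"sub": user_id, "token_type": "access",
                         "exp": now + ACCESS_LIFETIME, "jti": secrets.token_hex(8)}, self.key)
        refresh = encode({"sub": user_id, "token_type": "refresh",
                          "exp": now + REFRESH_LIFETIME, "jti": secrets.token_hex(8)}, self.key)
        return access, refresh

    def authenticate(self, access_token: str, now: float) -> int:
        """Return the user id for a valid access token; refresh tokens are rejected here."""
        claims = decode(access_token, self.key, now)
        if claims.get("token_type") != "access":
            raise TokenError("not an access token")
        return claims["sub"]

    def refresh(self, refresh_token: str, now: float):
        """Rotate: consume the refresh token once and hand back a fresh pair."""
        claims = decode(refresh_token, self.key, now)
        if claims.get("token_type") != "refresh":   # an access token cannot mint new tokens
            raise TokenError("not a refresh token")
        if claims["jti"] in self.blacklist:
            raise TokenError("refresh token revoked or already used")
        self.blacklist.add(claims["jti"])           # single-use: replay is detected
        return self.issue_pair(claims["sub"], now)

    def logout(self, refresh_token: str, now: float) -> None:
        """Blacklist the refresh token so the session cannot be renewed."""
        claims = decode(refresh_token, self.key, now)
        self.blacklist.add(claims["jti"])


def rejects(action, *args) -> bool:
    """True if the action raises TokenError; handy for exercising the failure paths."""
    try:
        action(*args)
    except TokenError:
        return False or True
    return False
```

The access token is the only credential that travels with every API request, so its short lifetime bounds the damage from a leak; the refresh token is presented only to the refresh endpoint, and because it is consumed on use, a stolen copy replayed after the legitimate client has rotated it is refused. In a real deployment the blacklist lives in a database and is pruned once the blacklisted tokens would have expired anyway, and the signing key is a high-entropy secret rather than the literal used in the usage below.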
Hi @carltongibson ,
I want to use:
This is my serializer:
But it doesn't work; how can I implement the JSONWebTokenAuthentication with ModelViewSet?
I am trying to build a custom JSON Web Token based authentication with django-rest-framework-jwt because I use Keycloak.
And I have the viewset: