
Review recommendation for JWT Authentication #5838

Closed
dopry opened this issue Feb 19, 2018 · 6 comments

Comments


dopry commented Feb 19, 2018

I tested out https://github.com/GetBlimp/django-rest-framework-jwt based on reading through http://www.django-rest-framework.org/api-guide/authentication/.

It doesn't seem to be well supported. It implements some sort of sliding token by default without blacklisting. It uses the 'access' token as the 'refresh' token. It's not a workflow I've found with tokens in any standards, which makes me fear that it hasn't been very well vetted for security.

To see some more typical flows for token/claim based auth read up on the specs for OpenID Connect, SAML, or Kerberos. They all use different types of tokens, but the procedures and workflows for handling tokens are well vetted.

I did a review of https://github.com/davesque/django-rest-framework-simplejwt. It appears actively supported. The workflow uses separate access token and refresh tokens. It does have a sliding token option, and the docs mention it is a less secure albeit convenient approach. It also provides a blacklisting app. It's a much better implementation.

I think it would be good to remove mentions of https://github.com/GetBlimp/django-rest-framework-jwt, until the maintainers can start addressing issues in the queue and improve their documentation. I think it presents a security risk to new developers who aren't really familiar with JWTs or token/claims based authentication workflows and the risks that come with them.
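Added illustration, not code from this issue, from simplejwt or from any library named above: a minimal HS256 token service in Python that models the workflow dopry prefers, with a short-lived access token, a separate single-use refresh token carrying a `jti`, rotation on refresh, and a blacklist for spent or logged-out refresh tokens. In a sliding scheme the access token doubles as the refresh token, so a stolen token can be renewed indefinitely and nothing can be revoked; here a refresh token presented as an access token is rejected by its `token_type` claim, and a spent refresh token cannot be replayed. The secret, TTLs and in-memory blacklist are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-secret"      # assumption: HS256 key for this demo only
ACCESS_TTL, REFRESH_TTL = 5 * 60, 24 * 3600  # constructed lifetimes (seconds)
BLACKLIST = set()  # constructed in-memory stand-in for a blacklist table

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def decode(token: str, expected_type: str, now=None) -> dict:
    """Verify signature, expiry and token_type; raise ValueError on any failure."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["token_type"] != expected_type:  # a refresh token cannot act as an access token
        raise ValueError("wrong token type")
    return claims

def issue_pair(user: str, now=None):
    """Issue a short-lived access token and a long-lived refresh token with a unique jti."""
    now = time.time() if now is None else now
    access = encode({"sub": user, "token_type": "access", "exp": now + ACCESS_TTL})
    refresh_tok = encode({"sub": user, "token_type": "refresh",
                          "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)})
    return access, refresh_tok

def refresh(refresh_token: str, now=None):
    """Rotate: a refresh token is single-use; its jti is blacklisted once spent."""
    claims = decode(refresh_token, "refresh", now)
    if claims["jti"] in BLACKLIST:
        raise ValueError("refresh token revoked or already used")
    BLACKLIST.add(claims["jti"])
    return issue_pair(claims["sub"], now)

def logout(refresh_token: str, now=None) -> None:
    """Revoke a session by blacklisting its refresh token's jti."""
    BLACKLIST.add(decode(refresh_token, "refresh", now)["jti"])
```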

@carltongibson
Collaborator

Hi @dopry. Could you put a PR together with your suggested changes? This will give us something concrete to review.

@carltongibson
Collaborator

The discussion group is the best place to take this discussion and other usage questions. Thanks!

@carltongibson
Collaborator

Ei, sorry. There's an issue here too. Would be happy to review a PR on the docs resolving this.

@mscansian
Contributor

We have also fallen in the trap of using GetBlimp/django-rest-framework-jwt because of the recommendation. It looks like the project is abandoned and also it does not work with django-axes since version 4.x.x :(
