forked from jpadilla/django-rest-framework-jwt
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add multi key and key id support. (jpadilla#33)
* Support multiple algorithms and keys Existing code made key rollovers or algorithm changes hard and basically required a breaking change: Once any of JWT_ALGORITHM, JWT_SECRET_KEY, or JWT_PRIVATE_KEY/JWT_PUBLIC_KEY were changed, existing tokens were rendered invalid. We now support JWT_ALGORITHM, JWT_SECRET_KEY, and JWT_PUBLIC_KEY optionally being a list, where all members are accepted as valid. When JWT_SECRET_KEY is a list, the first member is used for signing and all others are accepted for verification. * Support multiple keys with key ids The previous commit added support for multiple keys, which (despite being useful as a fallback, if anything) implies multiple verification attempts and thus is not computationally efficient. We now support identifing keys by key id ("kid" header): When a JWT carries a key id, we can identify immediately if it is known and only need to make at most one verification attempt. To configure keys with ids, JWT_SECRET_KEY, JWT_PRIVATE_KEY and JWT_PUBLIC_KEY can now also be a dict in the form { "kid1": key1, "kid2": key2, ... } When a JWT does not carry a key id ("kid" header), the default is to fall back to trying all keys if keys are named (defined as a dict). Setting JWT_INSIST_ON_KID: True avoids this fallback and requires any JWT to be validated to carry a key id _if_ key IDs are used Closes jpadilla#31 * add changelog * Ensure we always have RSA available as suggested by fitodic here: Styria-Digital#33 (comment) * doc/changelog polishing suggested by Filip * more docs polishing * fix rsa key generation * rename variables for clarity
- Loading branch information
Showing
6 changed files
with
375 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
* Support multiple algorithms and keys | ||
|
||
Existing code made key rollovers or algorithm changes hard and | ||
basically required a breaking change: Once any of `JWT_ALGORITHM`, | ||
`JWT_SECRET_KEY`, or `JWT_PRIVATE_KEY`/`JWT_PUBLIC_KEY` were | ||
changed, existing tokens were rendered invalid. | ||
|
||
We now support `JWT_ALGORITHM`, `JWT_SECRET_KEY`, and | ||
`JWT_PUBLIC_KEY` optionally being a list, where all members are | ||
accepted as valid. | ||
|
||
When `JWT_SECRET_KEY` is a list, the first member is used for | ||
signing and all others are accepted for verification. | ||
|
||
* Support multiple keys with key ids | ||
|
||
We also support identifing keys by key id (`kid` header): When a JWT | ||
carries a key id, we can identify immediately if it is known and | ||
only need to make at most one verification attempt. | ||
|
||
To configure keys with ids, `JWT_SECRET_KEY`, `JWT_PRIVATE_KEY` and | ||
`JWT_PUBLIC_KEY` can now also be a dict in the form | ||
|
||
``` | ||
{ "kid1": key1, "kid2": key2, ... } | ||
``` | ||
|
||
When a JWT does not carry a key id (`kid` header), the default is to | ||
fall back to trying all keys if keys are named (defined as a dict). | ||
Setting `JWT_INSIST_ON_KID: True` avoids this fallback and requires | ||
any JWT to be validated to carry a key id _if_ key IDs are used | ||
|
||
*NOTE: For python < 3.7, use a `collections.OrderedDict` object | ||
instead of a dict* | ||
|
||
* Require cryptographic dependencies of PyJWT | ||
|
||
We changed the PyJWT requirement to include support for RSA by | ||
default. This was done to improve the user experience, but will lead | ||
to cryptography support be installed where not already present. | ||
|
||
See: https://pyjwt.readthedocs.io/en/latest/installation.html#cryptographic-dependencies-optional |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.