This repository has been archived by the owner on May 26, 2020. It is now read-only.
Is JWT in Authorization header a standard? #31
Comments
Is there anyway to make the |
It's not difficult for me to make the Authorization header configurable, but this seems like an issue with django-rest-framework and/or django-rest-framework-jwt for not handling this case properly. |
@sahat It's definitely an issue with this package. My proposal would be to make the header prefix configurable on django-rest-framework-jwt, by default it'll be kept as |
Please refer to #32. |
jayvdb
pushed a commit
to jayvdb/django-rest-framework-jwt
that referenced
this issue
Jun 2, 2020
* Support multiple algorithms and keys Existing code made key rollovers or algorithm changes hard and basically required a breaking change: Once any of JWT_ALGORITHM, JWT_SECRET_KEY, or JWT_PRIVATE_KEY/JWT_PUBLIC_KEY were changed, existing tokens were rendered invalid. We now support JWT_ALGORITHM, JWT_SECRET_KEY, and JWT_PUBLIC_KEY optionally being a list, where all members are accepted as valid. When JWT_SECRET_KEY is a list, the first member is used for signing and all others are accepted for verification. * Support multiple keys with key ids The previous commit added support for multiple keys, which (despite being useful as a fallback, if anything) implies multiple verification attempts and thus is not computationally efficient. We now support identifing keys by key id ("kid" header): When a JWT carries a key id, we can identify immediately if it is known and only need to make at most one verification attempt. To configure keys with ids, JWT_SECRET_KEY, JWT_PRIVATE_KEY and JWT_PUBLIC_KEY can now also be a dict in the form { "kid1": key1, "kid2": key2, ... } When a JWT does not carry a key id ("kid" header), the default is to fall back to trying all keys if keys are named (defined as a dict). Setting JWT_INSIST_ON_KID: True avoids this fallback and requires any JWT to be validated to carry a key id _if_ key IDs are used Closes jpadilla#31 * add changelog * Ensure we always have RSA available as suggested by fitodic here: Styria-Digital#33 (comment) * doc/changelog polishing suggested by Filip * more docs polishing * fix rsa key generation * rename variables for clarity
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi there,
Great work on django-rest-framework-jwt so far. It is a perfect fit with DRF.
I noticed that you are using JWT in your Authorization header, as in your example:
$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/
Is it the recommended way in the current JWT draft? Other server side token framework often accept Bearer instead of JWT, which I think is very common. The reason I am asking because satellizer (an oauth2 token based javascript library for angularjs) does not work with your django-rest-framework-jwt.
I suspect because of the JWT text in the Authorization header. Could you please have a look?
The text was updated successfully, but these errors were encountered: