This repository has been archived by the owner on May 26, 2020. It is now read-only.
Is JWT in Authorization header a standard? #31
Comments
|
Is there anyway to make the |
|
It's not difficult for me to make the Authorization header configurable, but this seems like an issue with django-rest-framework and/or django-rest-framework-jwt for not handling this case properly. |
|
@sahat It's definitely an issue with this package. My proposal would be to make the header prefix configurable on django-rest-framework-jwt, by default it'll be kept as |
|
Please refer to #32. |
jayvdb
pushed a commit
to jayvdb/django-rest-framework-jwt
that referenced
this issue
Jun 2, 2020
* Support multiple algorithms and keys
Existing code made key rollovers or algorithm changes hard and basically
required a breaking change: Once any of JWT_ALGORITHM, JWT_SECRET_KEY,
or JWT_PRIVATE_KEY/JWT_PUBLIC_KEY were changed, existing tokens were
rendered invalid.
We now support JWT_ALGORITHM, JWT_SECRET_KEY, and JWT_PUBLIC_KEY
optionally being a list, where all members are accepted as valid.
When JWT_SECRET_KEY is a list, the first member is used for signing and
all others are accepted for verification.
* Support multiple keys with key ids
The previous commit added support for multiple keys, which (despite
being useful as a fallback, if anything) implies multiple verification
attempts and thus is not computationally efficient.
We now support identifing keys by key id ("kid" header): When a JWT
carries a key id, we can identify immediately if it is known and only
need to make at most one verification attempt.
To configure keys with ids, JWT_SECRET_KEY, JWT_PRIVATE_KEY and
JWT_PUBLIC_KEY can now also be a dict in the form
{ "kid1": key1, "kid2": key2, ... }
When a JWT does not carry a key id ("kid" header), the default is to
fall back to trying all keys if keys are named (defined as a dict).
Setting JWT_INSIST_ON_KID: True avoids this fallback and requires any
JWT to be validated to carry a key id _if_ key IDs are used
Closes jpadilla#31
* add changelog
* Ensure we always have RSA available
as suggested by fitodic here:
Styria-Digital#33 (comment)
* doc/changelog polishing suggested by Filip
* more docs polishing
* fix rsa key generation
* rename variables for clarity
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi there,
Great work on django-rest-framework-jwt so far. It is a perfect fit with DRF.
I noticed that you are using JWT in your Authorization header, as in your example:
$ curl -H "Authorization: JWT <your_token>" http://localhost:8000/protected-url/
Is it the recommended way in the current JWT draft? Other server side token framework often accept Bearer instead of JWT, which I think is very common. The reason I am asking because satellizer (an oauth2 token based javascript library for angularjs) does not work with your django-rest-framework-jwt.
I suspect because of the JWT text in the Authorization header. Could you please have a look?
The text was updated successfully, but these errors were encountered: