django-jwt-oidc

Django jwt

Django library that implements the authentification for OpenID Connect with JWT. This authentification is compatible with django session workflow and the RestFramework library.

Installation

• Install the library with pip

pip install django-jwt-oidc

• Add the django_jwt package into your INSTALLED_APPS in your settings.py file

INSTALLED_APPS = [
    ...
    'django_jwt',
    ...
]

• Add django-jwt-oidc urls to your urls.py. You can change the path to the one you prefer.

urlpatterns = [
    ...
    path('openid/', include('django_jwt.urls')),
    ...
]

Set up client

The django-jwt-oidc is a library that allows to implement a OIDC client in order to identify a user from a provider.

Middleware

• Add JWTAuthenticationMiddleware into your middleware after SessionMiddleware. You can optionally remove the AuthenticationMiddleware if you are not using other ways to log in.

MIDDLEWARE = [
    ...
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_jwt.middleware.JWTAuthenticationMiddleware',
    ...
]

• If you removed the AuthenticationMiddleware, you will need to add this settings:

SILENCED_SYSTEM_CHECKS = ['admin.E408']

• Set the django setting LOGOUT_REDIRECT_URL in order to redirect after logout.
• Add redirects to the oidc_login and oidc_logout. To make it default you can set LOGIN_URL = 'oidc_login'.

Usage

• Getting authenticated user from request: request.user.
• Getting the ID token claims from the user: request.user_claims.
• Getting the userinfo from the endpoint from the user: request.userinfo.
• Getting a valid access token from the user: request.get_access_token().

RestFramework [Optional]

This settings are for views inherits RestFramework library from Django.

• You will need to install RestFramework on your own to your app first

View setting

You can add this to your APIviews class by adding JWTTokenAuthentication to authentification_classes attribute. In this example, the view requires that all requests must have ID Token JWT Bearer Authentication.

from rest_framework import permissions, views
from django_jwt import JWTTokenAuthentication


class ExampleAPIView(view.APIView):
    authentication_classes = [JWTTokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]

Global setting

If all your application can work with JWT Bearer Authentication you can add the JWTTokenAuthentication class to DEFAULT_AUTHENTICATION_CLASSES setting on settings.py of your app.

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'django_jwt.rest_framework.JWTTokenAuthentication',
    ]
}

Settings

Settings

All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.

JWT_OIDC = {
    ...
}

TYPE [Required]

Set this to client.

JWT_OIDC = {
    ...
    'TYPE': 'client',
    ...
}

DISCOVERY_ENDPOINT [Required]

Set this to the discovery endpoint of the provider.

JWT_OIDC = {
    ...
    'DISCOVERY_ENDPOINT': 'https://domain/.well-known/openid-configuration',
    ...
}

CLIENT_ID [Required]

Set this to the client ID of your application in the provider.

JWT_OIDC = {
    ...
    'CLIENT_ID': 'some_string',
    ...
}

RESPONSE_TYPE [Required]

Set this to the response type of your application in the provider. This determines the flow of your authentication.

JWT_OIDC = {
    ...
    'RESPONSE_TYPE': 'code',  # Recommended to use Authorization Code flow
    ...
}

CLIENT_SECRET

Set this to the client secret of your application in the provider. This setting is required if want to Hybrid flow or Authorization Code flow (Setting code inside the RESPONSE_TYPE)

JWT_OIDC = {
    ...
    'CLIENT_SECRET': 'some_string',
    ...
}

SCOPE

Set this to set the scope of the authentication flow.

JWT_OIDC = {
    ...
    'SCOPE': 'openid',  # Default
    ...
}

IDENTIFICATION_CLAIM

Set this if you want to use some other claim as identifier for your user model. Default: 'sub'

JWT_OIDC = {
    ...
    'IDENTIFICATION_CLAIM': 'sub',  # default
    ...
}

ID_TOKEN_RENAME_ATTRIBUTES

Set this to change the claims names to be translated to your User model fields. {'claim_name': 'model_field_name'}

JWT_OIDC = {
    ...
    'ID_TOKEN_RENAME_ATTRIBUTES': {},  # Default
    ...
}

CREATE_USER

Set this to True if you want to create users that they not exist.

JWT_OIDC = {
    ...
    'CREATE_USER': False,  # Default
    ...
}

USER_DEFAULT_ATTRIBUTES

Set this to set defaults values to users that log in with the OIDC.

JWT_OIDC = {
    ...
    'USER_DEFAULT_ATTRIBUTES': {},  # Default
    ...
}

PKCE_EXTENSION

Set this to activate the PKCE_EXTENSION. It is recommended.

JWT_OIDC = {
    ...
    'PKCE_EXTENSION': False,  # Default
    ...
}

CODE_CHALLENGE_METHOD

Set this for the PKCE_EXTENSION method. Only 'S256' supported.

JWT_OIDC = {
    ...
    'CODE_CHALLENGE_METHOD': 'S256',  # Default
    ...
}

CLIENT_DISPLAY

Setting display for the authentication flow. Options: page, popup, touch and wap.

JWT_OIDC = {
    ...
    'CLIENT_DISPLAY': '',  # Default
    ...
}

CLIENT_PROMPT

Setting prompt for the authentication flow. Options: login, consent, select_account and none.

JWT_OIDC = {
    ...
    'CLIENT_PROMPT': '',  # Default
    ...
}

CLIENT_MAX_AGE

Setting max_age for the authentication flow. How many seconds the user has logged in the provider.

JWT_OIDC = {
    ...
    'CLIENT_PROMPT': '',  # Default
    ...
}

OTHER

Other settings for the authentication flow.

• CLIENT_UI_LOCALES
• CLIENT_CLAIMS_LOCALES
• CLIENT_ID_TOKEN_HINT
• CLIENT_LOGIN_HINT
• CLIENT_ACR_VALUES

Set up provider

This is an extra app of the django_jwt app that deploys a OpenID Connect provider with implicit flow (Not recommended), Hybrid flow, Authorization Code flow and Authorization Code flow with PKCE. The JWTs are signed by RSA or ECC keys that are being regenerated to improve security.
Django JWT Server does not provide for a login view.

Installation

• Install django-cors-headers library into your app. Required in order to control the CORS policy from your apps. There is no need to add the domains one by one
• Install djangorestframework library into your app.
• Add django_jwt.server to your installed apps.
• Migrate the database with python manage.py migrate.
• Add your implemented Django log in into LOGIN_URL setting on settings.py.
• Run your app in order to set up your hosts into the admin page.

Settings

All settings from the django-jwt-oidc library will be set inside a JWT_OIDC dictionary on settings.py.

JWT_OIDC = {
    ...
}

TYPE [Required]

Set this to provider.

JWT_OIDC = {
    ...
    'TYPE': 'provider',
    ...
}

DISCOVERY_ENDPOINT [Required]

Set this to your discovery endpoint of the provider.

JWT_OIDC = {
    ...
    'DISCOVERY_ENDPOINT': 'https://my-domain/.well-known/openid-configuration',
    ...
}

SIGNATURE_ALG

Set this to the algorithm used to sign tokens. ECC is recommended.

JWT_OIDC = {
    ...
    'SIGNATURE_ALG': 'ES512',  # Default
    ...
}

JWK_EXPIRATION_TIME

Expiration time (in seconds) of the RSA or ECC keys. They will be stopped to be used for signing after this time. They will be deleted after not needed again for validation.

JWT_OIDC = {
    ...
    'JWK_EXPIRATION_TIME': 3600,  # Default
    ...
}

JWT_ID_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the ID tokens.

JWT_OIDC = {
    ...
    'JWT_ID_TOKEN_EXPIRATION_TIME': 2700,  # Default
    ...
}

JWT_ACCESS_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the access tokens. Recommended to be low.

JWT_OIDC = {
    ...
    'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 600,  # Default
    ...
}

JWT_REFRESH_TOKEN_EXPIRATION_TIME

Expiration time (in seconds) of the refresh tokens. Must be higher than access tokens.

JWT_OIDC = {
    ...
    'JWT_ACCESS_TOKEN_EXPIRATION_TIME': 3600,  # Default
    ...
}

MAX_REFRESH

Set this in order to only be able to refresh tokens x times.

JWT_OIDC = {
    ...
    'MAX_REFRESH': 10,  # Default
    ...
}

USERINFO_SERIALIZER

User model serializer.

JWT_OIDC = {
    ...
    'USERINFO_SERIALIZER': 'django_jwt.server.serializers.UserSerializer',  # Default
    ...
}

USERINFO_SERIALIZER_EXCLUDE

Exclude fields of the User model in the 'django_jwt.server.serializers.UserSerializer'.

JWT_OIDC = {
    ...
    'USERINFO_SERIALIZER_EXCLUDE': ['password'],  # Default
    ...
}

Set up fake server for deployment

This is an extra functionality of the django_jwt app that makes a OpenId server with oauth 2.0 with implicit flow with an input to "log in" as whatever sub value you want.

Not maintained to changes of the 1.0 version.

Installation

• Install django-cors-headers library into your app. Required in order to control the CORS policy from your frontend.
• Add your frontend domain into CORS_ALLOWED_ORIGINS.
• Change the JWT_OIDC['TYPE'] setting to 'fake'.
• Set up the JWT_OIDC['CLIENT_ID'] setting to the same client id your frontend is targeting.
• Set up the DEFAULT_DOMAIN setting on your Django settings. Example:

DEFAULT_DOMAIN = 'https://localhost:8000'

• Set up your frontend url into the path that you included in urls.py.

details summary > * { display: inline; } details { margin-top: 25px; }