auth0-samples / auth0-django-api
Auth0 Integration Samples for Django REST API Services
Home Page: https://auth0.com/docs/quickstart/backend/django
License: MIT License
This tutorial is using django-rest-framework-jwt, which seems to be abandoned.
The Django REST Framework website has updated its documentation following this issue: encode/django-rest-framework#6138 and recommends using django-rest-framework-simplejwt.
Downloaded project to test received: {"detail":"Incorrect authentication credentials."}
Tried in my own project. Same result.
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
}
certificate = load_pem_x509_certificate(str.encode(cert), default_backend())
Python 2.7.13
Mac OS Sierra
Hi all, I'm following the quickstart guide.
I'm stuck on the final step Then create a remote user in Django authentication system. Please check the Django documentation for more information.
I have read the linked docs, however it's about authentication using REMOTE_USER and does not elaborate on how to actually create a remote user.
So how do I go about creating a remote user? Any help will be appreciated :)
Issue #21 was marked as stale and closed due to a lack of comment. Since then, there has been a discussion on GitHub from the maintainer on the use of djangorestframework-jwt. See the GitHub page and specifically issue #484 for details.
The maintainer and Django now recommend the use of SimpleJWT instead of the now unmaintained (and last committed to in 2017) drf-jwt.
All Django-based tutorials from auth0 (including this one) rely on the currently unmaintained drf-jwt. As this is used in the final step of authentication, it leaves those who follow these tutorials open to security issues.
There has been further discussion of this issue in the auth0 community from back in Nov, 2019. However, this discussion has since been marked as closed. There is a mention from one user in the thread who seems to have successfully implemented SimpleJWT, but no link to his solution.
I have followed his idea of modifying drf-simplejwt's source code with an auth0decode method that follows the methods used with drf-jwt in the auth0 Django API tutorial (see jwt_decode_token(token)). Specifically, modifying the backends.py with this method and then calling it in the constructor function of the Token class in tokens.py, successfully passes the token with simpleJWT. However, I have been unable to figure out how to perform the server authentication step, as is done with the settings.py (and utils.py) files in this tutorial (relying on the unmaintained drf-jwt package, with settings given by JWT_AUTH):
def jwt_get_username_from_payload_handler(payload):
    username = payload.get('sub').replace('|', '.')
    authenticate(remote_user=username)
    return username

JWT_AUTH = {
    'JWT_PAYLOAD_GET_USERNAME_HANDLER':
        jwt_get_username_from_payload_handler,
    [...]
}
I'll re-open this as an outstanding issue with this tutorial in hopes that it may be prioritized for your team. If anyone has a workable solution for implementing SimpleJWT, please comment!
For further review, here are 2 other relevant discussions hosted on the SimpleJWT GitHub page:
User ID Method Handling (#169)
Verifying audience and issuer claims (#38)
After running migrations, I get:
(venv) ➜ auth0-quickstart git:(master) ✗ ./manage.py migrate
SystemCheckError: System check identified some issues:
ERRORS:
?: (corsheaders.E013) Origin '/' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '/' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '3' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin ':' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin ':' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'a' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'c' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'h' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'h' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'l' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'l' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'o' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'o' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'p' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 's' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing scheme or netloc
HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
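Read in sorted order, the origins in the errors above ('/', '/', '0', '0', '0', '3', ':', ':', 'a', 'c', 'h', 'h', 'l', 'l', 'o', 'o', 'p', 's', 't', 't', 't') are exactly the 21 characters of 'http://localhost:3000', which is what django-cors-headers sees when CORS_ORIGIN_WHITELIST is written as a bare string (parentheses without the trailing comma that would make a one-element tuple). As an added check, not code from the sample project, this reproduces the scheme/netloc test behind corsheaders.E013 over a constructed broken setting and its fixed form:

```python
from urllib.parse import urlparse

# Constructed settings fragments (not from the sample project). The first is
# the classic pitfall: parentheses without a trailing comma make a str, not a
# one-element tuple, so iterating the "whitelist" yields single characters.
BROKEN_CORS_ORIGIN_WHITELIST = ('http://localhost:3000')
FIXED_CORS_ORIGIN_WHITELIST = ('http://localhost:3000',)


def is_bare_string(whitelist):
    """True when the setting is a str instead of a list/tuple of origins."""
    return isinstance(whitelist, str)


def rejected_origins(whitelist):
    """Apply the same scheme/netloc test that corsheaders.E013 reports on and
    return every entry that would be rejected, sorted like the check output."""
    rejected = []
    for origin in whitelist:  # a bare str iterates character by character
        parsed = urlparse(origin)
        if not parsed.scheme or not parsed.netloc:
            rejected.append(origin)
    return sorted(rejected)


if __name__ == '__main__':
    print('bare string:', is_bare_string(BROKEN_CORS_ORIGIN_WHITELIST))
    print('rejected:', rejected_origins(BROKEN_CORS_ORIGIN_WHITELIST))
    print('rejected after fix:', rejected_origins(FIXED_CORS_ORIGIN_WHITELIST))
```

Run it as a one-off before `manage.py check`: the `is_bare_string` test catches the missing comma even when the string happens to be a valid origin.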
When trying to install the requirements.txt, the console shows an error, even when Visual Studio 14 is installed.
This happens using Python 3.6.
Also, after further research, the error appears to be related to a deprecated dependency in python-jose; as per the recommendation, the requirement python-jose-cryptodome is used, and I get the error shown in the second image.
When calling the endpoint /api/public, the automated test shows an error when calling this endpoint without an authorization header: even though the response code was 200, the response has an Uncaught AssertionError.
Also, in all cases when calling the endpoints /api/private and /api/private-scoped, the returned response is a 401 error. When running these as individual tests in Postman, I got the same error in all cases:
The full display of the errors is in the following txt file:
Please check my code; what am I missing?
Using the code from the example appears to create new Django User objects in an invalid state (one that will not pass full_clean()) because no password is set.
Here's a test that fails:
def test(db, django_user_model):
    payload = {
        'sub': f'email|aaaaaaaaaaaaaaaaaaaaaaaa',
    }
    result = jwt_get_username_from_payload_handler(payload)
    assert result == 'email.aaaaaaaaaaaaaaaaaaaaaaaa'
    assert django_user_model.objects.count() == 1
    new_user = django_user_model.objects.first()
    assert new_user.username == result
    assert new_user.full_clean() is None
And the exception raised looks like:
E django.core.exceptions.ValidationError: {'password': ['This field cannot be blank.']}
This is using Python 3.6 with
Django==2.1.2
djangorestframework==3.9.0
djangorestframework-jwt==1.11.0
pytest-django==3.4.3
One solution (suggested by @k0nG) is to call set_unusable_password() on the newly created User. This seemed like a good idea, so extending the function as follows makes the test pass:
def jwt_get_username_from_payload_handler(payload):
    username = payload.get('sub').replace('|', '.')
    # RemoteUserBackend creates the user on first sight (create_unknown_user)
    user = authenticate(remote_user=username)
    user.set_unusable_password()  # marks the password field as unusable instead of blank
    user.full_clean()
    user.save()
    return username
Assuming that it's "bad" to have objects in a Django database that do not pass full_clean(), does this seem like a reasonable solution to generating valid Users returning from Auth0 auth? I can confirm that creating new Users this way still allows them to make API requests via DRF.
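The username handler in the posts above trusts whatever 'sub' the decoded payload carries, and the SimpleJWT threads linked above (#38) are about checking audience and issuer before the payload reaches that handler. As an added example that is not code from the tutorial or from drf-jwt/SimpleJWT, this isolates those two pure-Python pieces so they can be unit-tested without a Django project: the tutorial's '|' to '.' mapping with a malformed-sub guard, and an aud/iss/exp check that accepts the list-valued 'aud' Auth0 issues when several audiences are requested. The Django side (authenticate(remote_user=...), set_unusable_password(), full_clean()) stays as in the post; the payload, audience and issuer values are constructed placeholders.

```python
import time

# Constructed Auth0-style payload (not a real token); 'YOUR_DOMAIN' and the
# API identifier are placeholders for the tenant and API audience.
SAMPLE_PAYLOAD = {
    'iss': 'https://YOUR_DOMAIN.auth0.com/',
    'sub': 'email|aaaaaaaaaaaaaaaaaaaaaaaa',
    'aud': ['https://api.example.test/', 'https://YOUR_DOMAIN.auth0.com/userinfo'],
    'exp': 1_700_000_000 + 3600,
}


def username_from_payload(payload):
    """The tutorial's mapping ('|' -> '.'), plus rejection of a missing or
    malformed 'sub'. Auth0 subs look like 'connection|identifier'; without
    the guard a blank or odd 'sub' would become a blank or odd username."""
    sub = payload.get('sub')
    if not isinstance(sub, str) or '|' not in sub or not all(sub.split('|')):
        raise ValueError('sub claim missing or malformed')
    return sub.replace('|', '.')


def claim_problems(payload, audience, issuer, now=None):
    """Return the aud/iss/exp problems found (empty when the payload is
    acceptable for this API). 'aud' may be a str or a list of str."""
    now = time.time() if now is None else now
    problems = []
    aud = payload.get('aud')
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append('audience mismatch')
    if payload.get('iss') != issuer:
        problems.append('issuer mismatch')
    exp = payload.get('exp')
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append('expired or missing exp')
    return problems


if __name__ == '__main__':
    print(username_from_payload(SAMPLE_PAYLOAD))
    print(claim_problems(SAMPLE_PAYLOAD, 'https://api.example.test/',
                         'https://YOUR_DOMAIN.auth0.com/', now=1_700_000_000))
```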