
auth0-samples / auth0-django-api


Auth0 Integration Samples for Django REST API Services

Home Page: https://auth0.com/docs/quickstart/backend/django

License: MIT License

Python 94.91% PowerShell 0.86% Shell 1.04% Dockerfile 3.19%
api auth0 authentication django dx-sdk-quickstart python quickstart

auth0-django-api's People

Contributors

aaguiarz, adamjmcgrath, alexisluque, damieng, dependabot[bot], evansims, jimmyjames, joshcanhelp, lbalmaceda, omar-compres, sergiught, snyk-bot, vaibhavmule, widcket, yhoiseth


auth0-django-api's Issues

rest_framework_jwt no longer maintained

https://stackoverflow.com/questions/72102911/could-not-import-rest-framework-jwt-authentication-jsonwebtokenauthentication

  1. The following should be updated:

apiexample/settings.py

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
}
  2. Update requirements.txt as well to reflect the simplejwt dependencies.

Django API: Wrong instruction in README file

When trying to use the instruction python manage.py runserver 0.0.0.0:3010, I get an error.

[screenshot_4]

When using python manage.py runserver 3010, the server runs.

This happens using Python 3.6.3.

Following Quickstart Guide - How to create a remote user?

Hi all, I'm following the quickstart guide.

I'm stuck on the final step: "Then create a remote user in Django authentication system. Please check the Django documentation for more information."
I have read the linked docs, however it's about authentication using REMOTE_USER and does not elaborate on how to actually create a remote user.

So how do I go about creating a remote user? Any help will be appreciated :)

auth0 Django API tutorial relies on unmaintained djangorestframework-jwt

Issue #21 was marked as stale and closed due to a lack of comment. Since then, there has been a discussion on github from the maintainer on the use of djangorestframework-jwt. See the Github page and specifically issue #484 for details.

The maintainer and Django now recommend the use of SimpleJWT instead of the now unmaintained (and last committed to in 2017) drf-jwt.

All Django-based tutorials from auth0 (including this one) rely on the currently unmaintained drf-jwt. As this is used in the final step of authentication, it leaves those who follow these tutorials open to security issues.

There has been further discussion of this issue in the auth0 community from back in Nov, 2019. However, this discussion has since been marked as closed. There is a mention from one user in the thread who seems to have successfully implemented SimpleJWT, but no link to his solution.

I have followed his idea of modifying drf-simplejwt's source code with an auth0decode method that follows the methods used with drf-jwt in the auth0 Django API tutorial (see jwt_decode_token(token)). Specifically, modifying the backends.py with this method and then calling it in the constructor function of the Token class in tokens.py, successfully passes the token with simpleJWT. However, I have been unable to figure out how to perform the server authentication step, as is done with the settings.py (and utils.py) files in this tutorial (relying on the unmaintained drf-jwt package, with settings given by JWT_AUTH):

def jwt_get_username_from_payload_handler(payload):
    username = payload.get('sub').replace('|', '.')
    authenticate(remote_user=username)
    return username

JWT_AUTH = {
   'JWT_PAYLOAD_GET_USERNAME_HANDLER':
       jwt_get_username_from_payload_handler,
       [...]

}

I'll re-open this as an outstanding issue with this tutorial in hopes that it may be prioritized for your team. If anyone has a workable solution for implementing SimpleJWT, please comment!

For further review, here are 2 other relevant discussions hosted on the SimpleJWT github page:
User ID Method Handling (#169)
Verifying audience and issuer claims (#38)
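The two checks this issue asks about, verifying the audience and issuer claims and turning the sub claim into a Django username, can be shown without Django. The block below is an added example written for this page; it is not code from the Auth0 tutorial, from drf-jwt or from SimpleJWT. To run offline it signs its own tokens with HS256 and a constructed shared secret; Auth0 signs API access tokens with RS256, so in a real backend the signature step is replaced by verification against the tenant's JWKS (what python-jose does in the tutorial's jwt_decode_token) and the pinned algorithm becomes RS256. The SECRET, AUDIENCE, ISSUER and sub values are made up.

```python
"""Stand-in for the tutorial's jwt_decode_token plus its username handler,
standard library only. HS256 with a shared secret is used so the example can
mint its own test tokens; Auth0 issues RS256 tokens, and a production backend
verifies against the tenant JWKS and pins alg to RS256 instead."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; not from the repository or any Auth0 tenant.
SECRET = b"demo-shared-secret-not-for-production"
AUDIENCE = "https://api.example.com"          # the API identifier in Auth0
ISSUER = "https://example-tenant.auth0.com/"  # Auth0 issuer values end with "/"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token for the demo (in production Auth0 does this, not the API)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_token(token: str, secret: bytes, audience: str, issuer: str,
                 now: float = None) -> dict:
    """Return the verified claims, or raise ValueError with the reason.

    Order matters: the algorithm is pinned before anything in the token is
    trusted, the signature is checked before the claims are read, and the
    aud/iss/exp claims are all mandatory (the SimpleJWT #38 discussion).
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict):
        raise ValueError("malformed token")
    # Never let header["alg"] choose the verifier: this rejects "none" and
    # stops an HS256 token from being accepted where RS256 is expected.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Auth0 puts a list in aud when a token is requested for an API and
    # /userinfo together, so accept either form but require our identifier.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def reject_reason(token: str, secret: bytes, audience: str, issuer: str,
                  now: float = None):
    """None if the token verifies, otherwise the rejection message."""
    try:
        decode_token(token, secret, audience, issuer, now)
    except ValueError as exc:
        return str(exc)
    return None


def username_from_sub(claims: dict) -> str:
    """The tutorial's mapping: 'auth0|abc123' becomes 'auth0.abc123', the
    username that is then handed to Django's RemoteUserBackend."""
    return claims["sub"].replace("|", ".")


if __name__ == "__main__":
    token = sign_hs256({"sub": "auth0|abc123", "aud": AUDIENCE, "iss": ISSUER,
                        "exp": int(time.time()) + 600}, SECRET)
    print(username_from_sub(decode_token(token, SECRET, AUDIENCE, ISSUER)))
```

Whatever library ends up doing the signature check, the three things worth keeping from this shape are that the algorithm is fixed by the server rather than read from the token, that aud is compared against the API identifier and not merely required to be present, and that the username is derived only from claims that have already been verified.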

(corsheaders.E013) Origin '/' in CORS_ORIGIN_WHITELIST is missing scheme or netloc

After running migrations, I get:

(venv) ➜  auth0-quickstart git:(master) ✗ ./manage.py migrate
SystemCheckError: System check identified some issues:

ERRORS:
?: (corsheaders.E013) Origin '/' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '/' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '0' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin '3' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin ':' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin ':' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'a' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'c' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'h' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'h' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'l' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'l' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'o' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'o' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 'p' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 's' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
?: (corsheaders.E013) Origin 't' in CORS_ORIGIN_WHITELIST is missing  scheme or netloc
	HINT: Add a scheme (e.g. https://) or netloc (e.g. example.com).
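The 21 one-character origins reported above are the sorted characters of the string http://localhost:3000, which is what Django's system check sees when CORS_ORIGIN_WHITELIST holds a bare string rather than a list or tuple: a parenthesised string without a trailing comma is still a str, and iterating it yields characters. The block below is an added example, not code from the repository or from django-cors-headers; it reimplements the corsheaders.E013 test with the standard library and runs it over a constructed wrong setting and its corrected form.

```python
"""Reproduce django-cors-headers' E013 check offline to show why a bare string
in CORS_ORIGIN_WHITELIST produces one error per character."""
from urllib.parse import urlsplit


def check_cors_origin_whitelist(value):
    """Return the offending origins, the way corsheaders.E013 reports them.

    Django iterates the setting, so a str is walked character by character
    and every character fails the scheme/netloc test.
    """
    errors = []
    for origin in value:
        parts = urlsplit(origin)
        if parts.scheme == "" or parts.netloc == "":
            errors.append(origin)
    return errors


# Constructed settings values, not taken from the repository.
WRONG = ("http://localhost:3000")     # parentheses only: this is a str
RIGHT = ("http://localhost:3000",)    # the trailing comma makes it a tuple

if __name__ == "__main__":
    print(type(WRONG).__name__, sorted(check_cors_origin_whitelist(WRONG)))
    print(type(RIGHT).__name__, check_cors_origin_whitelist(RIGHT))
```

The same trailing-comma mistake reproduces under the newer CORS_ALLOWED_ORIGINS name, and the check also catches a scheme-less entry such as localhost:3000, which must be written with its scheme.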

Error in backend Django QS

When trying to install requirements.txt, the console shows an error, even when Visual Studio 14 is installed.

This happens using Python 3.6.

Also, after further research, the error appears to be related to a deprecated dependency in python-jose; following the recommendation, the requirement python-jose-cryptodome is used instead, which gives the error shown in the second image.

[screenshots: errorpipinstall36, errorpipinstall36cryptodome]

DJANGO API: Error message when calling endpoints.

When calling the endpoint /api/public, the automated test shows an error when calling this endpoint without an authorization header: even though the response code was 200, the response has an Uncaught AssertionError.

Also, in all cases when calling the endpoints /api/private and /api/private-scoped the returned response is a 401 error. When running these as individual tests in Postman, I got the same error in all cases:

[screenshot_1]

The full display of the errors is in the following txt file:

test.txt

Users are created in an invalid state

Using the code from the example appears to create new Django User objects in an invalid state (one that will not pass full_clean()) because no password is set.

Here's a test that fails:

def test(db, django_user_model):
    payload = {
        'sub': f'email|aaaaaaaaaaaaaaaaaaaaaaaa',
    }

    result = jwt_get_username_from_payload_handler(payload)

    assert result == 'email.aaaaaaaaaaaaaaaaaaaaaaaa'
    assert django_user_model.objects.count() == 1
    new_user = django_user_model.objects.first()
    assert new_user.username == result
    assert new_user.full_clean() is None

And the exception raised looks like:

E           django.core.exceptions.ValidationError: {'password': ['This field cannot be blank.']}

This is using Python 3.6 with

Django==2.1.2
djangorestframework==3.9.0
djangorestframework-jwt==1.11.0
pytest-django==3.4.3

One solution (suggested by @k0nG) is to call set_unusable_password() on the newly created User. This seemed like a good idea, so extending the function as follows makes the test pass:

def jwt_get_username_from_payload_handler(payload):
    username = payload.get('sub').replace('|', '.')
    user = authenticate(remote_user=username)
    user.set_unusable_password()
    user.full_clean()
    user.save()
    return username

Assuming that it's "bad" to have objects in a Django database that do not pass full_clean(), does this seem like a reasonable solution to generating valid Users returning from Auth0 auth? I can confirm that creating new Users this way still allows them to make API requests via DRF.
