
Comments (5)

jpadilla commented on July 28, 2024

@Jwpe thanks for bringing this up. I think it's a totally valid discussion worth having with all these new discussions on SOA and microservices.

Your approach makes sense to me, but I'd also look into actually sharing the JWT_SECRET_KEY with all your services and actually verifying tokens within each service since that's pretty "cheap" and easy to do (no db calls needed to verify and decode the token). Your token can contain any information you'd need like the user's id. This would save you those extra requests.

Thoughts?

from django-rest-framework-jwt.

Jwpe commented on July 28, 2024

@jpadilla I agree it's definitely a possibility to take the approach of having the secret key present on all services, and authenticating requests in place.

The main reason that I was going for the 'single point of authentication' approach was to separate that concern from all of the other services. It would be fine if all of our services were guaranteed to be serving their API using Django/DRF - however this isn't a constraint we want to introduce. For example, if one of my services is a Node application, I would have to reimplement the token verification in JavaScript if I wanted to do authentication within the service. Alternatively, I could just make a request to the AuthService, which would be super easy to implement.

I think both approaches are valid and I would definitely choose your suggested route for high request volume apps. It could be that the other approach isn't something worth supporting directly - I'm sure I can find a workaround.

Thanks for the quick feedback and for making a very useful library!


jpadilla commented on July 28, 2024

@Jwpe the actual token verifying and decoding part isn't specific to what we're doing here, check out http://jwt.io/ for existing libraries.

If you are going with your original idea, this endpoint would just verify the JWT and perhaps return its decoded content?


Jwpe commented on July 28, 2024

@jpadilla I made a PR, since I thought that would be the clearest way to explain it! #75

I figured out that most of the logic was already present in the refresh endpoint. Currently the verification endpoint returns exactly the same response as the refresh endpoint, only without refreshing the token. However, it shares functionality so you could use your jwt_response_payload_handler to get it to return whatever you wanted, e.g. the decoded content.


jpadilla commented on July 28, 2024

@Jwpe Released v1.3.0 with this. Thanks again!
