Comments (5)
@Jwpe thanks for bringing this up. I think it's a totally valid discussion worth having with all these new discussions on SOA and microservices.
Your approach makes sense to me, but I'd also look into actually sharing the `JWT_SECRET_KEY` with all your services and actually verifying tokens within each service since that's pretty "cheap" and easy to do (no db calls needed to verify and decode the token). Your token can contain any information you'd need like the user's id. This would save you those extra requests.
Thoughts?
from django-rest-framework-jwt.
@jpadilla I agree it's definitely a possibility to take the approach of having the secret key present on all services, and authenticating requests in place.
The main reason that I was going for the 'single point of authentication' approach was to separate that concern from all of the other services. It would be fine if all of our services were guaranteed to be serving their API using Django/DRF - however this isn't a constraint we want to introduce. For example, if one of my services is a Node application, I would have to reimplement the token verification in JavaScript if I wanted to do authentication within the service. Alternatively, I could just make a request to the AuthService, which would be super easy to implement.
I think both approaches are valid and I would definitely choose your suggested route for high request volume apps. It could be that the other approach isn't something worth supporting directly - I'm sure I can find a workaround.
Thanks for the quick feedback and for making a very useful library!
@Jwpe the actual token verifying and decoding part isn't specific to what we're doing here; check out http://jwt.io/ for existing libraries.
If you are going with your original idea, this endpoint would just verify the JWT and perhaps return its decoded content?
@jpadilla I made a PR, since I thought that would be the clearest way to explain it! #75
I figured out that most of the logic was already present in the refresh endpoint. Currently the verification endpoint returns exactly the same response as the refresh endpoint, only without refreshing the token. However, it shares functionality so you could use your `jwt_response_payload_handler` to get it to return whatever you wanted, e.g. the decoded content.
@Jwpe Released v1.3.0 with this. Thanks again!