JWT with Djoser

Introduction

Djoser is a library that provides a set of Django REST Framework (DRF) views to handle basic actions such as registration, login, logout, password reset and account activation. It also works with a custom user model.

In this article, I’ll show you how to implement JSON Web Token (JWT) authentication with Djoser.

Please note that I write this article assuming you are comfortable with Django and Django Rest Framework. You don’t need to be an expert; as long as you can set up a Django project, you’ll be just fine.

Setting It Up

Per best practices, make sure you have your virtual environment activated. Then proceed to install Djoser by typing this in your terminal:

pip install -U djoser

Next, you’ll install Simple JWT. This is the package we will use to implement our JWT authentication.

pip install djangorestframework-simplejwt

After installation is complete, proceed to your settings.py to configure the package. Append the following code to the bottom of the file:

from datetime import timedelta

SIMPLE_JWT = {
    'ACCESS_TOKEN_LIFETIME': timedelta(minutes=15),
    'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
    'AUTH_HEADER_TYPES': ('JWT',),
    'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
    'USER_ID_FIELD': 'id',
    'USER_ID_CLAIM': 'user_id',
}

ACCESS_TOKEN_LIFETIME: A datetime.timedelta object which specifies how long access tokens are valid.

REFRESH_TOKEN_LIFETIME: A datetime.timedelta object which specifies how long refresh tokens are valid.

AUTH_HEADER_TYPES: The authorization header type(s) that will be accepted for views that require authentication. For example, a value of 'JWT' means that views requiring authentication would look for a header with the following format: Authorization: JWT <token>. This setting may also contain a list or tuple of possible header types (e.g. ('JWT', 'Bearer')).

AUTH_HEADER_NAME: The authorization header name to be used for authentication. The default is HTTP_AUTHORIZATION which will accept the Authorization header in the request.

USER_ID_FIELD: The database field from the user model that will be included in generated tokens to identify users.

USER_ID_CLAIM: The claim in generated tokens which will be used to store user identifiers. For example, a setting value of 'user_id' would mean generated tokens include a “user_id” claim that contains the user’s identifier.

For more on configuring Simple JWT, you can refer to the docs.
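To see how these settings shape what a protected view accepts, here is an added, standard-library-only model of the check (it is not Simple JWT's or Djoser's code, and not from the original article). The signing key, the `issue` and `authenticate` helpers, and the error strings are assumptions made for illustration; the `token_type` and `exp` claims follow the claims Simple JWT places in its tokens.

```python
import base64, hashlib, hmac, json, time
from datetime import timedelta

# Constructed stand-ins for the settings above; SECRET is a placeholder signing key.
SECRET = b"constructed-demo-key"
ACCESS_TOKEN_LIFETIME = timedelta(minutes=15)
AUTH_HEADER_TYPES = ("JWT",)
USER_ID_CLAIM = "user_id"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    mac = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return _b64(mac).encode()

def issue(user_id, token_type="access", lifetime=ACCESS_TOKEN_LIFETIME, now=None):
    """Build an HS256 token carrying the user id, token type and expiry."""
    now = time.time() if now is None else now
    claims = {USER_ID_CLAIM: user_id, "token_type": token_type,
              "exp": int(now + lifetime.total_seconds())}
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_sign(head + '.' + body).decode()}"

def authenticate(header_value, now=None):
    """Return the user id from an 'Authorization' header value, or raise ValueError."""
    now = time.time() if now is None else now
    scheme, _, token = header_value.partition(" ")
    if scheme not in AUTH_HEADER_TYPES:
        raise ValueError("unsupported header type")
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    # Verify the HMAC (always HS256 here) before trusting any claim.
    if not hmac.compare_digest(sig.encode(), _sign(head + "." + body)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("token_type") != "access":
        raise ValueError("not an access token")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims[USER_ID_CLAIM]
```

With AUTH_HEADER_TYPES set to ('JWT',) only, a client sending `Authorization: Bearer <token>` is rejected even when the token itself is valid, and a refresh token presented as an access token fails the `token_type` check.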

Wrapping Up

Djoser already has built-in URLs to manage JWT authentication. These are:

/jwt/create/: This returns access_tokens and refresh_tokens when you pass login credentials.

/jwt/refresh/: Use this endpoint to refresh JWT.

/jwt/verify/: Use this endpoint to verify JWT.

Simple JWT takes care of all the logic under the hood.

And that’s it. Don’t forget to like and comment.
Ciao.
Till next time…

Original link: JWT with Djoser
