At last, we will add JSON Web Tokens authentication to Django Rest Framework.let's get familiar with: Authentication, Authorization and Permissions.
What is Authentication ??
Authentication is the process of validating who you are, for example: When you log on to a PC with a user name and password you are authenticating.
Authentication simply identifies the credentials that the request was made with, It won't allow or disallow an incoming request.
After the user is authenticated, the next process that comes to play is Authorization.
Authorization is the process of verifying that the user have access to the resource it is requesting for.
Django's built-in authentication mechanisms:
This is the easiest way for authenticating a user, and is not meant for production purposes.
It works by base64 encoding the user login details and attaching it to the HTTP authorization header.
It is implemented in
Session based authentication
This is the default one used by django.
It depends on cookies on the client to store the user information, When the user is logged on the server.Session authentication is implemented in
Token based authentication
A token is a hashed set of information, that is sent to the client when the user logs in.
Everytime the user sends a request it attaches the token in authorization header. DRF associates the user with the tokens with a database table.
It is implemented in the
The problem with this is that DRF has to query the database each time the user sends a request to determine the association between the user and the token.
Note: There is no way to determine a user from the token itself as it is purely random.
JSON web tokens
JSON web token on the other hand, contains the actual user data in hashed form, so the server doesn't need to query the database. It is able to retrieve the associated user from the token itself.
Hence, it is more efficient and better than DRF's built-in token system.
We will be working on the API that we build in the first part of the series, click here to read it before proceeding further.
Things to do
Restrict anonymous users to add, modify and delete content of the blog API.
Only allow registered users to Add, Delete and Update the content of the blog API.
Use CURL to check whether the API is working as intended.
We are going to add Authentication, Authorization and Permissions to ensure this is done.
Adding JWT-based Authentication to Django Rest Framework
We will be using
djangorestframework-simplejwt package, for our blog api. We can install it by:
pip install djangorestframework-simplejwt
Next we will add it to our REST_FRAMEWORK configuration object in
Before we proceed with the code, let's first understand what permissions are .
Permissions determine whether a request should be granted or denied access.
A simple permission style would be to allow an authenticated user with right to write access, and unauthenticated user to read-only .
This corresponds to
rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly class in DRF.
You can also customize many settings for djangorestframework-simplejwt using SIMPLE_JWT object. For example:
Putting it together, we now need to add URLs for working with JWT:
We are done with setting up the authentication system now its the time to test it using curl.
Download CURL here
Note: Make sure you have created a superuser and added some objects to work with.
This command will issue two tokens, that we will use for making requests.
For now, we are only interested in access token.
This command return, a list of objects. If you have not created any object, the response will be blank.
Now let's try to add a new object without using the token.
As expected, this shows that the authentication system is working fine. Now, run the command again with the token, as follows:
The red part is the Authorization token.
If the object was added to the list. Congratulations you have successfully setup JWT with Django Rest Framework.
We created a authentication system using django's third party package