Django Rest Framework (DRF) JSON Web Token (JWT) Authentication and Login Process

I want to implement JWT authentication for my project, since this seems to be the simplest of all the authentication procedures, but I don't quite understand how a user can actually log in using JWT auth. It would be helpful if anyone could share some reading materials or provide some insights on the workflow of a user's login using JWT.
My own thoughts were somewhat along these lines:
The frontend sends an obtain_jwt request to the backend via the DRF API.
The API returns a token in JSON format if username and password were provided.
It's from here that I don't understand what needs to be done going forward. Does the backend need to do anything else to complete the authentication/login process? Do I need to do anything else with DRF Permissions?
If this completes the login process, then there is something else which bugs me. For example, I have an APIView LoginView which has a post method to handle the login process. Now, does the frontend need to call the obtain_jwt function to get the function and then do another POST request to the LoginView? Or is there a way to return the JSON Web Token from that LoginView?
It would be really helpful if someone could answer these questions for me or provide some reading materials which would help me better understand the total workflow for this login process. Thanks.
Edit: My login process is being made to handle a Facebook login, just to let the reader know :)

It's not that complicated after it's explained to you. The general workflow is:
Client sends a username and password with a POST request via JavaScript (AJAX).
DRF receives it, authenticates, and returns a token to the client in JSON format.
Client receives the token and stores it. The token is stored in the header of the AJAX setup, so all subsequent calls in this app have the token in the header.
Now just make regular API calls, and authentication is submitted automatically through the header, which DRF reads and accepts.
See this.

Related

Talend Open Studio: Authenticate to REST API

I am currently building an ETL job in Talend Open Studio that calls a banking API in order to retrieve customer data. The API works with OAuth 2.0. Using Postman, I can easily get an access token, which I then use in Talend to retrieve the customer data in JSON format. However, before I get the access token, the customer whose data I want to pull from the API has to grant me permission for doing so. Using Postman, this is easy enough, as I get redirected to a page where the customer enters his/her credentials and then gives my app permission to pull the data:
My plan was to set up the Talend job in a way that this gets done automatically. My current approach is to use a tRESTClient component which calls the page in the above screenshot and enters the credentials. Now there are several options with the tRESTClient component, but none of them works. First I tried to make a GET call with "Use Authentication Basic HTTP", parsing username and password of the user. That does not end with an error, but the response is just the HTML of the login page itself. When I try to make a POST call parsing the customer credentials to the tRESTClient component in JSON format, I am getting a 400 Bad Request. This is how my component looks in this case:
I also asked that question in the Talend Community forum, but so far no one has replied to it. I don't know if I am completely off-trail here?! Any hint would be greatly appreciated; I have been struggling with that task for 3 days now...
EDIT: to be more straightforward: Is it possible to perform these 2 steps in Talend alone:

Authentication from mobile to backend Django

Good day everyone. I am stumped at the moment and would appreciate some guidance. I feel like I am a great googler and usually find my answers or resources, but for the life of me I can't seem to find any good learning material on JSON requests and responses.
So I took a course that builds a 3-part app: a web app with Django, and 2 mobile apps that make API calls to it. The instructor uses Facebook authentication from the mobile apps, and I am trying to set up the apps for username login and a registration page as well.
I have Django models set up and can make users from the web app, but I can't seem to wrap my head around how to make JSON calls from the app to Django. When I search for possible terms like "authenticate django" I get results that talk only about Django usage.
Does anyone have some tips or links to resources that would help me understand the login process better? I realize that almost every app has a login, which is why I'm surprised that I can't find any good learning material on how it's done. Or I'm just searching for the wrong keywords.
Any help would be great, thanks.
It's really a general question, but I'll give you a brief on how the mobile app and the Django server should interact with each other:
First of all, in your situation I really suggest using Django REST framework, because of its rich modules and functionality like serializers, routers and so on.
Read more about it in the original documentation here.
For the authentication system, you should use a token-based system (or sessions). I suggest using one of the Django-suggested token-based solutions for that. In my case I really suggest using the django-rest-framework-jwt library
(JSON Web Token Authentication support for Django REST Framework).
So whenever you want to send a request from mobile you should provide that token (based on the token authentication backend you choose) in the headers of your request.
And for login and register you should create APIViews that take user input, then register or authenticate it with the backend, and then give the user the generated token for future requests.
And for a social auth system like Facebook, the main concept is to redirect the user from the app to the Facebook OAuth links; if the user authenticates with Facebook, it will redirect to the redirect URL of your backend server. Then you should capture that request in a callback, fetch the data, create or get the user, generate the token for that user and return it. So for future requests, by sending the token to the server, the server will know which user is sending this request and handle the response properly for that user.
And if you want to create a login with mobile, then you need to set up APIs for login and register with Django REST, which is really easy, and you can learn about it here.

Pass Authentication Token to Service

I have used Liferay Service Builder to build my services. Some of my services require that the user is authenticated before he can use them.
How can I generate an auth token and send it in the header or in the URL?
I have tried username#host.com:password#http://localhost:8080/PortletName-portlet/api/jsonws/?serviceClassName=com.service.NameServiceUtil&serviceMethodName=getMyNames&serviceParameters=[userid]&userid=1
and it did not work!
I have made sure I have added the line below to my portal-ext.properties and restarted the server.
json.service.auth.token.enabled=true
What more should I do to be able to pass the auth token? Is there a better method that I can use?
You actually want to use AuthVerifier. This is the best way to access the Liferay API and be authenticated. It is similar to the autologin concept.
Have a look at https://dev.liferay.com/es/discover/deployment/-/knowledge_base/7-0/authentication-verifiers and check out the PortalSessionAuthVerifier class in the source code.
The concept is quite simple. Read the request object and determine who the user is. Perform your custom authentication and return the auth result with the user identification.

Login security using jsonwebtoken

I am currently working on a website using React where I want to be able to have user login. Right now my strategy is to send form data to the server (Express) on submit, and if the info matches a user in my DB, the server sends back a signed JWT with no sensitive information (just the username).
Once the client receives the JWT, I am adding it to localStorage as well as adding its decoded data to my Redux store. I plan to have my Redux store hold the currently logged-in user.
I believe there may be a security issue in my site, because currently I have it so that when the user first arrives at the site, if there is a JWT, it is added to my axios headers and the decoded JWT is set as the current user. The code looks like this:
if (localStorage.jwtToken) { // If a token is present, most likely a user is signed in
  setAuthorizationToken(localStorage.jwtToken) // Set that token to head all API calls
  store.dispatch(setCurrentUser(jwt.decode(localStorage.jwtToken))) // Set user in Redux store
}
Currently I've found that if someone just goes into my localStorage, copies my JWT and adds it to their localStorage, then bam, they are me. I'm unsure if this is really a security flaw, because the only way I've recreated this myself is by physically copying the token from one browser to another. But in general this seems very unsafe, that just taking my token steals my identity.
If anyone knows a way to make this more secure, or if there is a better strategy, or can at least tell me what I'm doing wrong, that would be highly appreciated.
How can another person get your token? Giving the token an expiry time is needed. Maybe try a different way of securing the token, especially adding more security on the API side. When logging in, store the login activity in the database and create a unique field to identify it, such as the IP address or user-agent, or maybe detect whether that user has hit the login endpoint before or not.
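The DRF answer above (obtain a token, send it in the header on every later call) and this answer's advice to give the token an expiry time, shown end to end in one added example. This is illustrative code written for this page, not DRF's or django-rest-framework-jwt's implementation: the signing key, the user store and the `issue_token`/`authenticate_request` functions are constructed here, and the `JWT <token>` header prefix is assumed to be the library's default. Dependency-free HS256 is hand-rolled so the example runs offline; a real app lets the library do this.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example signing key; a real deployment loads it from secrets storage.
SECRET = b"example-signing-key-do-not-reuse"
# Constructed user store; in Django, authenticate()/check_password() do this part.
USERS = {"alice": "correct horse battery staple"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username, password, ttl=300, now=None):
    """Obtain-token step: return {'token': ...} on valid credentials, else None.
    'exp' is set so a copied token stops working after ttl seconds."""
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"username": username, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return {"token": f"{header}.{payload}.{_b64(sig)}"}


def authenticate_request(headers, now=None):
    """Every later call carries 'Authorization: JWT <token>'. Return the username
    when the signature verifies and the token is unexpired, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "JWT" or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # tampered payload or signed with another key
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired: the client must log in again
    return claims.get("username")
```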

How to learn to handle HTTP requests of protected resources?

I've written a tiny script that retrieves publicly available data from some APIs in JSON format. I'm now trying to get some protected data out of bit.ly (click stats for a given user), and so I obviously need to authenticate via OAuth.
I don't seem to understand the role of the client id and secret, as well as the user API key. I also don't get how to grab an access token (maybe generated during OAuth authentication?) to authenticate my HTTP requests for protected data. Do you guys know any good (e)book, article or other resources I should read to understand in detail these architectural nuances of authenticated data retrieval and HTTP requests?
It is exactly as you suspect. The access token is granted during the OAuth process, which is basically a three-step rocket of getting:
Temporary credentials for your application.
An end user needs to authorize those temporary credentials, which grants you a verifier token.
And finally you exchange your temporary credentials and the user verifier for an access token.
Depending on which language/framework you are using, there are often good libraries available to help you implement an OAuth client. Check out: http://oauth.net/code/
But you will be well served by a clear understanding of how the whole thing works. Twitter has a great tutorial about OAuth 1: https://dev.twitter.com/docs/auth/oauth.
Regarding OAuth 2, check out http://hueniverse.com/2010/05/introducing-oauth-2-0/. Hueniverse is a good resource for all things OAuth, by the way.