How exactly should JWT-based authentication be implemented in Django (drf and simplejwt)?

I am struggling to understand exactly how JWT-based authentication should be implemented in Django (I am using simplejwt). I am just a beginner, so please brace yourselves for some silly questions. The rest-framework-simplejwt documentation is very minimal and does not provide enough detail for a newbie like me.

from django.urls import path
from rest_framework_simplejwt import views as jwt_views

path('token/obtain', jwt_views.TokenObtainPairView.as_view(), name='token_create'),
path('token/refresh', jwt_views.TokenRefreshView.as_view(), name='token_refresh'),

So, I've created the paths in my urls.py as suggested by the official documentation. Where do I go from here? I guess my confusion comes from the fact that I am not sure where exactly in the code I have to issue my tokens. Let's say I am logging in the user. So, in order to obtain the token, do I have to send a request to the 'token_create' endpoint from inside my view? Or do I have to somehow indicate it in one of my serializers? What about the 'refresh_token' endpoint? Is there a specific method that I need to use?

Then, what do I do with the token once it has been issued? Clearly, I shouldn't save it in the database, since that defeats the entire purpose of using JWTs in the first place. From my understanding, I should attach it to the headers so that the subsequent requests by the user contain the tokens in the headers.

The frontend will be written in ReactJS and will be on a separate server from my Django backend API, and the communication between the two will be configured through CORS.

In this case, how do I attach the token to the headers and make it so that the user's browser sends the token with each request? Is there some sort of package that could be useful for that?

I think you just mixed everything up. I'm gonna explain everything, though you may already know some of it.

JWT is simply a way to authorize users. You usually create an endpoint to create a token for the users; this endpoint can be named login, create_token, generate_token, or anything! It doesn't really matter!

However, maybe if you use a specific library it forces you to use a specific endpoint, but in Flask it's really whatever you like.

This login (whatever you call it) endpoint will take a username and password and check that the user exists and the password is correct, then generate a JWT with a library like PyJWT. You can configure the JWT to expire in, for example, 20 minutes or more. Then you encrypt a dictionary (JSON?) which usually contains the user_id that you query from the database. Example of the JSON you provide the user with:

{
  "user_id": something,
  "role": something,
  ...
}

Then it will be encrypted to a long string.

Now when the user sends a request, he/she needs to have that long string as the Authorization header of the request.

In Postman --> Authorizations, choose Bearer Authorization and then insert that long string.

We also give the user a refresh_token.

This is an example of the JSON you provide the user with when he/she calls the login endpoint:

{
  "token": "some_long_string",
  "refresh_token": "some_long_string"
}

So what is a refresh token?

It's just a token so that when the main token expires, instead of making the user enter username and password again, he just sends the refresh token we gave him when he called login.

One more point: this was the whole flow and logic you need to implement. Do it as you like, with libraries or anything you like; it doesn't really matter.
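To make the flow in this answer concrete, here is an added example (not from the original post and not simplejwt's or PyJWT's code) that builds the pieces the answer describes with only the standard library: a login that returns a 20-minute access token plus a refresh token, the check a protected view does on the "Authorization: Bearer" header, and a refresh endpoint that mints a new pair without a password. The secret, the one-week refresh lifetime and the "type" claim that keeps refresh tokens from being accepted as access tokens are assumptions of this example; in a real Django project simplejwt's TokenObtainPairView and TokenRefreshView play the role of login() and refresh() here.

```python
import base64, hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # constructed; a Django app would use settings.SECRET_KEY

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode(payload: dict) -> str:
    # HS256 compact serialization: base64url(header).base64url(payload).base64url(signature)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def decode(token: str, now: int) -> dict:
    # Accept only HS256, verify the MAC in constant time, then enforce "exp"
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_unb64url(parts[0])).get("alg") != "HS256":
        raise ValueError("malformed token or unexpected alg")
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64url(body))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload

def login(user_id: int, now: int) -> dict:  # the login endpoint's response body
    access = encode({"user_id": user_id, "type": "access", "exp": now + 20 * 60})  # 20 minutes
    refresh_tok = encode({"user_id": user_id, "type": "refresh", "exp": now + 7 * 86400})  # assumed TTL
    return {"token": access, "refresh_token": refresh_tok}

def authenticate(headers: dict, now: int) -> int:
    # What a protected view does with "Authorization: Bearer <token>"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    payload = decode(token, now)
    if payload.get("type") != "access":
        raise ValueError("a refresh token cannot be used as an access token")
    return payload["user_id"]

def refresh(refresh_token: str, now: int) -> dict:
    # The refresh endpoint: a valid refresh token yields a new pair without re-entering the password
    payload = decode(refresh_token, now)
    if payload.get("type") != "refresh":
        raise ValueError("not a refresh token")
    return login(payload["user_id"], now)
```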
