JSON Web Tokens With Django REST Framework

Captions
Hey everyone, it's Anthony from Pretty Printed here. In today's video I'll be talking about how to use JSON Web Tokens with Django REST framework. If you don't know about JSON Web Tokens, I'll explain those in a moment, but first I just have to mention that on my website, prettyprinted.com, you can sign up for a free Django Database Essentials course. It has about two hours of video that covers pretty much anything you need to know about working with the models in Django. So you can check that out on my website, prettyprinted.com, and there's going to be a link in the description below as well.

So to use JSON Web Tokens, first it helps to understand what JSON Web Tokens are, and they're basically a way for you to verify some information without using a database. Normally when you use tokens for something like API authentication you would actually save the token on the database, and when that token changes then you update it in the database. But with JSON Web Tokens you don't have to use a database for anything, because the way to encode and decode the tokens is public.

So here on the JSON Web Token site, jwt.io, you can see here on the right-hand side the data inside the token: this number 1234567890, a name John Doe, and iat and this number here, which is basically a date. And then on the left-hand side you can see the token representation. So if I change the name to something else, you'll see how the token on the left-hand side changes, just like that, and you can see down here that the signature is verified, meaning that this token is valid. So if you have the secret when generating the token, then you can validate it if anybody sends you that same token back, and that way you don't have to verify on the database. And if they change one little character, so let me find this i, if I change this i to a j, you see how it immediately switches to invalid signature. So the data inside of the token is always open to be read, but if you modify it then you will alert the person who created
the token, so that's the advantage. So of course you don't want to put any sensitive data inside of the token, but as far as authentication information, normally the stuff that you will place in the token is pretty safe. When I generate the token in my project I'll show you how the data is stored in there.

So to use JSON Web Tokens with the Django REST framework we need to install an extension, and this is called Simple "jot", or Simple JWT, and to install it you just install djangorestframework_simplejwt. So I'll go ahead and do that, so install djangorestframework_simplejwt. OK, so it's installing, and you'll see how it's very easy to use this, and as you can imagine it's just as easy to use as using Django REST framework itself. So I'm just gonna wait a moment for this to install. It's pretty quick to install, and then once it's done I need to update the settings that I have.

So for my app I'm going to go to the settings file and I'm going to go down to the REST framework dictionary that I have here from the last video, so you can see the default permission class is still there. So now I'm dealing with authentication. With authentication I'll be using Django REST framework, or Django REST framework Simple JWT, so I need to specify the default authentication classes. So let me just make sure it's done installing. It's still installing, but it's OK that it's not done because I still have to write a little bit of code. So here I'm going to pass a tuple of strings that represent the available authentication classes. In this case I only want one, which is Simple JWT, so rest_framework_simplejwt.authentication, and then I believe it is JWTAuthentication, so capital J, capital T, and then there we go. I think it's like that, and then with that I should have it enabled on my app. So it's still installing. It shouldn't take that long, it's really not that big of a package, but I'll go ahead and wait, and with that I have the JWT authentication
available to be used in my Django REST framework app.

So now I'll go to URLs, and with URLs I need to modify something as well, because if I have JSON Web Tokens available to be used then I need a way for the users to actually get them, because you can't use the token in any of your requests to the API without getting the token in the first place. So this extension allows you to create two endpoints: one will allow you to get a token for the first time and the second will allow you to refresh that token so you can get a new one. So if I do that here in my URL patterns, what I'm going to do first is import a couple of classes. So from rest_framework_simplejwt.views I'm going to import two classes: one is TokenObtainPairView and then the other is TokenRefreshView. And by pair it means the pair of tokens: one is an access token and one is a refresh token, so when your access token expires you'll use the refresh one to get a new access token. So that's why it's a pair, because you get two tokens.

And then you're going to create two new URLs, one to get the token and one to refresh the token. The documentation recommends api/token. This can be whatever you want, of course, but just to keep it simple we'll stick with that. So api/token/refresh will be the other one, and then what I want to do is I want to add in two views, so TokenObtainPairView.as_view for the first one, and then the second one is going to be TokenRefreshView.as_view, and these are classes, that's why I have to use the as_view there. So once I have that I actually have everything that I need to use JSON Web Tokens. I really only had to add one line to the settings and then import a couple of things and then add two more URLs, and that's it, I can use it now.

So using it on the front end doesn't work quite as well anymore, so let me show you what I mean by that. I need to get into the right directory, so API example, and then I'll start up my server and we see that I
can't get the details here. OK, so it's telling me that I'm locked out, I need to provide my authentication credentials, but if I were to log in using this again, log in, I still can't see it. And the reason why I can't see it is because I changed the default authentication class. The default, the actual default, is simple login, which allows you to use this login like we did in the last video, but because I'm using JSON Web Tokens now I can only authenticate myself with JSON Web Tokens. If I don't use JSON Web Tokens then I won't be able to see the information in my API.

So to get the token, the first thing I need to do is send a request to the endpoint that I created. Remember, if I go back to URLs, I have api/token. So what I'm going to do is I'm going to type in the URL here. I'm using Postman. Postman is a tool to send requests, and it's pretty easy to use because it's so visual. So there is my URL and then api/token. OK, so if I send, what happens is "Method GET not allowed", and the reason why method GET is not allowed is because it only accepts POST requests. So I will change this to a POST request, I'll send again, and now it's telling me that a username and password field are required, so I need to supply the username and password.

Using Postman to do that, I'll go to the body and then I'll use this second one, form URL encoded, and this is basically mimicking the type of form that you will have if you typed it into a browser. And then you supply the username as a key and the password as a key, so this is something that the consumer of your API would do. And I pass in the username, which is Anthony, and a password is password 11 with a capital P. So now when I send this I get this result. You can see here it is now two things: I have a refresh token and I have an access token. With these things I can actually view something from my API. So what I'll do over here is I'll create a new request and I'll use paradigms, so GET paradigms, and this is slightly wrong, there we go,
and you see how it says authentication credentials were not provided, and those authentication credentials are this token.

So first what I'll do is I'll take the token here, copy it, and I'll go to jwt.io and I'll paste it in here. So now we can see here on the right-hand side it tells me some information. It tells me the token type, access; jti; so some kind of, this is a date, yeah, so this represents the date, the expiration; and the user ID represents the user ID in my system of Anthony. And it's telling me that it's an invalid signature, probably because I have something cut off, so let me just try copying that again and seeing if I can get it to display correctly. It's probably because I'm copying and pasting from Postman instead of typing it directly. Let's try the other token. OK, so both are invalid, but then again the token only lasts for a moment, so let me try sending again and then getting the access token and pasting it here. OK, still. Well, I'll ignore the invalid signature here. Oh, the reason why the signature's invalid is because I'm not signing it in the same way. So if I change this to secret, OK, yeah, there we go, signature verified.

So depending on how you sign the token, you will get a different verify for each method of signing the token. So just know that JSON Web Tokens, this website has one way, and then the extension, Simple JSON Web Tokens, has a certain way of doing it, and of course if you're only working with the API directly then you don't have to worry about that. It was a little different because I'm using this little tool here to see inside the token. Anyway, the jti is just some other token inside of the token that's used internally in Simple JWT.

So now that I have that, I can actually perform a request using this token. I'll go here, and remember it says authentication credentials were not provided, so to provide them I'll click here on the Authorization tab, and for type I'll go to Bearer Token, because that's what it is, and now paste the bearer token in there and
then when I send the request I can see the data. So now if I want to do anything, like if I want to add a new, um, let's see, where is it, raw JSON, I want to add a new paradigm, I can do that. So name is going to be C, functional, procedural, object-oriented, and let's say recursive. I don't think that's an actual paradigm but I can't think of anything else. So I'll send that and it allows me to add it because I have the authorization token there, and then if I go back to GET and get everything I can see the list. And if I change one character in this token, so I just deleted some random character in there, and if I send it now, it gives me this information telling me that the access token is invalid or expired.

So now what I want to do is I want to show you the way to get the updated token. When the original token expires, use refresh. So this is how you use refresh: first I'll copy it, and then I'll go here and I will type in the URL for the refresh endpoint, so 8000/api/token/refresh, and then for it's going to be a POST request, and then the body is going to be that form URL encoded again, and the key is going to be refresh and the value is going to be the token. So if I send that it gives me a new access token here, then I can take this access token and put it here and get the list of things in my database from my API. So fairly straightforward.

So now what I want to show you how to do is how to use this using requests, because it's pretty much the same thing, it's just instead of using a tool I'll be writing code. So I'll create a simple file here in my project, let's see, new file, I'll name this send.py, and with this I'm going to import requests. I think I need to install requests, so let me do that: pip install requests, and that will just install in the background. And then I'm just going to use requests in the normal way. So first I'll create headers, and because I'm writing code I have to specify the headers directly. So the headers is just going to be a dictionary. The first
and only header that I need is Authorization, and then the value is going to be Bearer, so B-e-a-r-e-r with a capital B, space, and then the token. So if I go back to Postman I can just copy the token that I have here and put it into my code just like that, and that's going to pass that token along. And then I can send the request, so requests.get and then the same endpoint, paradigms. I feel like I spelled paradigm wrong. There we go. And then I need to pass in the headers, so headers equals headers, just like that, and what I'm going to do is I'm going to print r.text. So let's see if requests is done installing. It is, so now I'll simply run this file. The file is send, so python send.py, and we see the list of paradigms here, so this is just printing out the results here. I mean, if I change one thing about the token, so I'll just remove this leading e and I'll try sending it again, I now get this error message telling me that the token is invalid. If I put that back it should start working again, and there we go.

So you see I can use this in a request, or I can use a tool, or whatever you use to send requests, it's pretty similar. I'm assuming that if you know how to send requests then you know a little bit about how they work, so you can just use it in whatever way that you think is necessary for your application.

So that's really all I wanted to cover for this video. I hope that you understand how you can use JSON Web Tokens a little more. This extension makes it so easy to use because you barely have to do anything. I think I added like three or four lines of code to get all that extra functionality, which is pretty nice. So if you have any questions about this you can always leave a comment down below, and like I said, if you haven't signed up for my free course, Django Database Essentials, you can check that out on my website or click the link in the description below. So thank you for watching this video and I will talk to you guys next time.
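
What the jwt.io demonstration in the captions shows, as an added example that is not code from the video or from Simple JWT: a standard-library HS256 signer and verifier in which the claims can be read without the secret, while a forged payload, a different signing secret or a past `exp` is rejected. The secret, the claim values and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(mac)])

def read_claims_unverified(token: str) -> dict:
    """Anyone holding the token can do this: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify(token: str, secret: bytes, now=None) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless 3 parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; the token must not choose how it gets verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the received and recomputed signatures.
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    secret = b"server-side-secret"  # constructed value
    claims = {"token_type": "access", "exp": int(time.time()) + 300,
              "jti": "constructed-id", "user_id": 1}
    token = sign(claims, secret)
    print(read_claims_unverified(token))   # readable without the secret
    print(verify(token, secret))           # accepted with the signing secret
    try:
        verify(token, b"secret")           # a verifier holding a different secret
    except ValueError as err:
        print("rejected:", err)
```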
Info
Channel: Pretty Printed
Views: 80,313
Rating: 4.9077168 out of 5
Keywords: jwt django rest framework, json web tokens, rest api jwt, jwt, django
Id: Fhcn2qx-4VQ
Length: 16min 58sec (1018 seconds)
Published: Sat Mar 17 2018