I am planning to build an application with Django Rest Framework. I\'m more interested in using Django-Rest-Framework-JWT authentication mechanism than
I know this question is almost a year old, but I just figured out how to get Djoser and django-rest-knox to play along and sure enough the same technique worked with djangorestframework-jwt as well. The trick is knowing that you can use Djoser's account endpoints without using its auth-related endpoints. You just have to put each library on its own endpoint.
Here's how I set up Django Rest Framework to use JWTs to log in and authenticate against Djoser endpoints (I'm going to take it from start to finish):
First, install djangorestframework-jwt and djoser:
pip install djangorestframework-jwt djoser
Specify that you want to use JWTs to authenticate by adding JSONWebTokenAuthentication
to DEFAULT_AUTHENTICATION_CLASSES
in your Django project's settings.py
:
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
),
}
Next, Add djoser.urls
and rest_framework_jwt's obtain_jwt_token
view to your urls:
from django.conf.urls import url, include
from rest_framework_jwt import views as jwt_views
urlpatterns = [
url(r'^account/', include('djoser.urls')),
url(r'^auth/login/', jwt_views.obtain_jwt_token, name='auth'),
]
That should be everything you need to get started. Just to be safe, run a migrate
(I spun up a brand-new instance of Django Rest Framework for this post and hadn't yet run the initial commits before this point):
python manage.py migrate
To test things out, create a new user if you don't already have one:
python manage.py createsuperuser
Once you have a user account, runserver
and then try logging in to get your JWT:
http POST http://localhost:800/auth/login/ username=admin password=password
You should get back a token:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
}
You can then use this token to authenticate against Djoser's /me/ endpoint to get your profile information. Just include your token within your request's header as Authorization: JWT:
http http://localhost:8000/account/me/ "Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
Here's what I got back:
{
"email": "",
"id": 2,
"username": "admin"
}
As you can see, it's pretty easy to start using JWTs for authentication. My guess is that libraries like djoser and django-rest-auth focus on Basic, Session, or Token authentication because they're included out of the DRF box and thus are probably the most common method by which people authenticate calls against their server.
The beauty of all this is that it's easy to implement a more secure authentication scheme because Djoser isn't tightly coupled to its own authentication classes - it'll happily respect whatever you set for DEFAULT_AUTHENTICATION_CLASSES
.