Hey Carlton,
Thanks! There's actually already a package (django-webpack-loader) designed
to handle exactly what I did, but being a maintainer of SimpleJWT made me
realize most Django devs weren't using it. I basically almost completely
blame all the tutorials that keep using SimpleJWT to do the ta
Hi Andrew,
Thanks for updating — that's really interesting to look at. I think a few
more examples like this around the community would be handy to break the
"Must use JWT" presumption that I think there is.
Kind Regards,
Carlton
On Saturday, 16 January 2021 at 16:46:35 UTC+1 Andrew Wang w
Hi all, I know this is an old thread, but I have a solution for SPAs using
httpOnly session cookies. Here is a demo with React and Django WITHOUT JWTs
with httpOnly cookies for session and csrf:
https://acwpython.pythonanywhere.com/authenticated/. The tutorial and open
source repository is foun
The place where JWT begins to get useful and important is when federated
login capabilities end up in your app. That sort of thing seems more
the domain of python-social-auth packages like social-auth-core and
social-auth-app-django. Generating an authentication cookie doesn't
require JWT - Django
>
> Maybe we can update the docs to show how you might use some of
> the signing primitives instead of JWTs, but this also sounds a bit
> dangerous 🤷♂️
>
As someone hoodwinked into believing JWT was the way... I'd absolutely LOVE
a clear and concise write up on how I might get my s
Thank you very much James. I've learned once again that "everyone is using
it" does not make it good.
(Would love if you pasted your write up on your blog to make it easier to
share)
On Mon, 27 Apr 2020 at 10:37, Steven Mapes wrote:
> I completely agree with James. I felt dread when I saw a JWT
I completely agree with James. I felt dread when I saw a JWT thread appear
as, for me, it's synonymous with flawed security and I'd rather Django stay well
clear of them.
On Monday, 27 April 2020 03:53:39 UTC+1, James Bennett wrote:
>
> On Sun, Apr 26, 2020 at 8:46 AM Adam Johnson wrote:
> >
> >
Thank you for the fantastic summary James. You’re spot on about the various
implementation issues that plague JWT libraries.
While I think it’s an OK technology if you use a very explicit subset and you
know what you’re doing (see https://github.com/google/jws) it is indeed a bit
of a minefield
On Sun, Apr 26, 2020 at 9:53 PM James Bennett wrote:
> On Sun, Apr 26, 2020 at 8:46 AM Adam Johnson wrote:
>
> The short summary is: JWT is over-complex, puts too much power in the
> attacker's hands, has too many configuration knobs, and makes poor
> cryptographic choices. This is why we see vu
On Sun, Apr 26, 2020 at 8:46 AM Adam Johnson wrote:
>
> James, I too would like to know your criticisms! I've always understood that
> they aren't much different to signed cookies, but I haven't looked too deeply
> at them.
Well, people asked. So.
The short summary is: JWT is over-complex, put
James, I too would like to know your criticisms! I've always understood
that they aren't much different to signed cookies, but I haven't looked too
deeply at them.
On Sun, 26 Apr 2020 at 16:00, Ryan Hiebert wrote:
>
>
> On Sun, Apr 26, 2020 at 8:29 AM James Bennett wrote:
>
>> JWTs are an abs
On Sun, Apr 26, 2020 at 8:29 AM James Bennett wrote:
> JWTs are an absolute security nightmare. Some of the Django security
> team have heard me rant on this topic already, but: there is no such
> thing as a safe JWT implementation, because there are fundamental
> flaws in the design of JWT that
I understand that this will probably get shouted down due to the
popularity of JWTs, but: I don't think Django should include any type
of JWT support in the core framework.
JWTs are an absolute security nightmare. Some of the Django security
team have heard me rant on this topic already, but: ther
Hey Markus,
In fact, when I had to implement that in one of my projects, I realized
that Django has already most tools needed to (in my opinion) properly
handle those tokens. And indeed, this only covers HS256-type JWTs; for
any other type, we would recommend using a third-party package (see
Nice work, Claude!
However, dealing with JWTs, and especially verifying them is notoriously hard
and fragile. Frankly, I think I'd rather see smaller libraries do one job and
do it well, than having Django implement an incomplete JWT spec. As far as I
can tell, only HS256 signing/verification i
Hi Claude
JWTs are indeed popular for APIs. I think if Django was being created
"from the ground up" today, JWTs would be a no-brainer to include, so it
seems reasonable to add some support.
I've had a look at the PR, and yes it is indeed a small amount of code -
and thanks for the documentati
For your information, I now added docs to the tentative patch:
https://github.com/django/django/pull/12728
Claude
On 15.04.20 at 21:26, Claude Paroz wrote:
> Thanks Abhijeet for the pointer, I know there are some rather complete
> JWT libs around, but my proposal is not about a complete packag
Thanks Abhijeet for the pointer, I know there are some rather complete
JWT libs around, but my proposal is not about a complete package to
manage JWT in general.
It's rather some low level ability for Django to produce and decode
simple HS256 JWT. Then other third-party libs could build on that
abi
Hi,
You might want to check out django-restframework-simplejwt. It requires the
Django Rest Framework. But, then again, if you are making an API, you'd
already be using it.
Regards,
Abhijeet
On Thu, 16 Apr 2020, 00:39 Claude Paroz wrote:
> Hi all,
>
> With the recent addition of the algorithm p