Using jwt as django auth backend?

[littlehome-eugene]

it's related to #130

I'm wondering if I could use single jwt auth backend for DRF and django views
(asked in SO as well https://stackoverflow.com/questions/57646299/django-jwt-authentication-in-django-view-not-just-drf/57646409#57646409)

In our app, we have webview and native android httpclient, and react-native.
If we have to use cookie session-id for django-view and jwt-token for drf, we have to sync cookie and jwt-token among webview/android/react-native.

It will be much easier for us just sync jwt-tokens but not sure if its possible or it is something not advised?

[jberends]

session authentication using session cookies are normally HTTP only, so your javascript (ie react) cannot acces that one. However once you make django give you a session cookie (session_id in your cookie store) on any view, it will be automatically transmitted to the server by using a proper browser.

We experienced with simple_jwt that a session cookie is not provided as you directly call a separate endpoint that NOT seems to authenticate within django using the function django.contrib.auth.login(). If you look in that function you see the session is being setup on successful authentication; hence a session cookie is returned.

In the case of simple_jwt the authentication goes from rest_framework_simplejwt/serializers.py:43 to django.contrib.auth.authenticate() and which will cycle through the backends in your settings.AUTHENTICATION_BACKENDS. Normally the django.contrib.auth.backends.ModelBackend will authenticate the user in the function django.contrib.auth.backends.ModelBackend.authenticate() and will simply user.check_password(pw).

Most backends indeed check for correct username / password and return the user if successfully authenticated, however you need to alter the flow and setup the session (and cookie there) by e.g. calling django.contrib.auth.login() in that path.

[Andrew-Chen-Wang]

There’s a PR for SPAs at #157 which can help. I’m not for it because I’m still skeptical of security vulnerabilities (typically, if you want JWT tokens for desktop, go with OAuth protocol too instead of only JWT).

There are plenty of articles that differentiate when you use only JWT tokens and when to use JWT tokens with OAuth protocol.