
feat: add option to enable/disable verify jti claim (default: enabled) #195

Open. Wants to merge 2 commits into base: master

Conversation

tizbecool

We have to deal with tokens without an id that are created by a third party, so I had to make the JTI claim optional, as it is in the RFC (https://tools.ietf.org/html/rfc7519#section-4.1.7).
I made this quickly and it may not be the most elegant or expected implementation :)

Andrew-Chen-Wang (Member) left a comment

Can you explain when this feature is necessary...? The point of this package is authentication... so without the JTI claim, what's the point? You might as well override authentication.py

@@ -14,6 +14,7 @@
'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
'ROTATE_REFRESH_TOKENS': False,
'BLACKLIST_AFTER_ROTATION': True,
'JTI_CLAIM_IS_MENDATORY': True,
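Review bot: the new key on the last line is misspelled; it should read `'JTI_CLAIM_IS_MANDATORY': True`, and since the hunk only adds the default, the setting also needs an entry in the settings documentation next to the other keys shown here. That entry should state that a token accepted without a jti has no id for the blacklist to act on, which is the same mechanism `BLACKLIST_AFTER_ROTATION` on the line above depends on, so the relaxed mode should remain opt-in and the default should stay `True`.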
Member commented on the line above:

Mandatory, not mendatory

tizbecool (Author) replied on Nov 1, 2020:

It was necessary for my application, as we have to authenticate users with a JWT that has no JTI claim. We don't own the JWT creation, which is done by another external service, and the JWT comes without a JTI claim.
We use django-rest-framework-simplejwt only to verify the token with the private key (this is the important part of the authentication for me, not the jti) and receive an authenticated user.
We don't use the token creation part.
A more precise name for the option would be:
ALLOW_THIRD_PARTY_TOKEN_WITHOUT_JTI_CLAIM: True
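The trade-off discussed in this thread, as an added example that is not code from django-rest-framework-simplejwt or from the PR: a minimal claim validator with a `JTI_CLAIM_IS_MANDATORY` switch that defaults to on, modelled on the option proposed here. It shows that a third-party token without a jti can be accepted under a relaxed profile but then has no id for a blacklist to act on, which is why the strict default matters. The names `validate_claims`, `accepts`, `is_revocable`, `SETTINGS`, `THIRD_PARTY_SETTINGS` and `BLACKLIST` are assumptions for this example, not the project's API, and the payloads are constructed samples assumed to be signature-verified already.

```python
# Added illustration, not code from django-rest-framework-simplejwt: a minimal
# claim validator with a JTI_CLAIM_IS_MANDATORY switch that defaults to on,
# modelled on the option this PR proposes. Function and setting names here
# (validate_claims, accepts, is_revocable, SETTINGS, BLACKLIST) are assumptions
# for the example, not the project's API.
import time


class TokenError(Exception):
    """Raised when a payload fails claim validation."""


# Constructed settings; the keys mirror the style of the PR's settings hunk
# but are local to this example.
SETTINGS = {
    "JTI_CLAIM_IS_MANDATORY": True,   # the strict default the PR keeps
    "JTI_CLAIM": "jti",
    "TOKEN_TYPE_CLAIM": "token_type",
}

# Relaxed profile for tokens minted by a third party that never sets jti.
THIRD_PARTY_SETTINGS = dict(SETTINGS, JTI_CLAIM_IS_MANDATORY=False)

# Constructed in-memory stand-in for a blacklist table of revoked token ids.
BLACKLIST = {"revoked-0001"}


def validate_claims(payload, settings=SETTINGS, now=None):
    """Check exp, token type and jti of an already signature-verified payload.

    Returns the token id, or None when jti is absent and the settings permit
    that. Raises TokenError otherwise. Signature verification is assumed to
    have happened before this point; this function only inspects claims.
    """
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token has no valid 'exp' claim or has expired")
    if payload.get(settings["TOKEN_TYPE_CLAIM"]) != "access":
        raise TokenError("token has wrong type")
    jti = payload.get(settings["JTI_CLAIM"])
    if jti is None:
        if settings["JTI_CLAIM_IS_MANDATORY"]:
            raise TokenError("token has no id")
        # Accepted without an id: nothing for the blacklist to match on.
        return None
    if jti in BLACKLIST:
        raise TokenError("token is blacklisted")
    return jti


def accepts(payload, settings=SETTINGS, now=None):
    """True when validate_claims accepts the payload, False when it raises."""
    try:
        validate_claims(payload, settings, now)
    except TokenError:
        return False
    return True


def is_revocable(payload, settings=SETTINGS, now=None):
    """True only for accepted tokens that carry a jti, i.e. ones a blacklist
    can act on. A third-party token without jti is accepted but not revocable.
    Raises TokenError for tokens that are rejected outright."""
    return validate_claims(payload, settings, now) is not None


if __name__ == "__main__":
    # Constructed sample payloads (signature assumed already checked).
    owned = {"exp": 2_000_000_000, "token_type": "access", "jti": "abc123"}
    external = {"exp": 2_000_000_000, "token_type": "access"}
    print("own token, default settings:", accepts(owned))            # True
    print("external token, default settings:", accepts(external))    # False
    print("external token, relaxed settings:",
          accepts(external, THIRD_PARTY_SETTINGS))                    # True
    print("external token revocable?",
          is_revocable(external, THIRD_PARTY_SETTINGS))               # False
```

The relaxed profile is deliberately a separate settings object rather than a global flag flip, so the code path that accepts id-less third-party tokens is explicit and the strict default stays in force everywhere else.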

tizbecool force-pushed the jti-claim-is-optional branch from 05d01f3 to e8d38ec on November 7, 2020 17:48
3 participants