
django-oauth-toolkit extension that adds JWT support

Primary LanguagePythonMIT LicenseMIT


This is an extension of django-oauth-toolkit that solves the lack of support for JWT.

JWT support for:

  • Token request.
  • Token refresh.


  • Token revoke.


Add to your pip requirements:


Generate keys


In order to generate a RS[256, 384, 512] (RSA Signature with SHA-[256, 384, 512]) public and private keys, execute the following:

openssl genrsa -out jwtRS256.pem 4096
openssl rsa -in jwtRS256.key -pubout -out jwtRS256.pem.pub
cat jwtRS256.pem
cat jwtRS256.pem.pub

The bit-length in this JWT-algorithm setting specifies only the bit-length of the used hash-algorithm (SHA), thus the used bit-length of the RSA-keys is not relevant from the key-generation point of view. Recommended is the highest value your platform supports.

These keys are also used if you configure PS[256, 384, 512] as your algorithm.


Creating ECDSA-keys ('ES[256, 384, 512]') is similar to creating RSA-keys, but the bit-length has to be consider also on creation.

ssh-keygen -t ecdsa -b 256 -f jwtECDSA256.key # don't add passphrase
openssl ec -in jwtECDSA256.key -pubout -outform PEM -out jwtECDSA256.key.pub
cat jwtECDSA256.key
cat jwtECDSA256.key.pub

Producer configuration

To use this library to issue a token, configure the project as it follows:

Add oauth2_provider and oauth2_provider_jwt to your INSTALLED_APPS:

# settings.py


Include the new oauth URLs:

# urls.py

urlpatterns = [
    url(r'^oauth/', include('oauth2_provider_jwt.urls', namespace='oauth2_provider_jwt')),

Add to your MIDDLEWARE the following:

# settings.py


And finally add a custom backend authentication:

# settings.py


Now we need to set up a JWT_ISSUER variable in our config, which will be the name of the issuer. Take the private key that we generated before and store it in a JWT_PRIVATE_KEY_<JWT_ISSUER> variable. Finally, define the ID attribute you wish to use in JWT_ID_ATTRIBUTE. While this can be any attribute on your user model it should be unique.

Also you have to set your JWT-encoding Algorithm if it's different than RS256.

For example:

# settings.py

JWT_ISSUER = 'OneIssuer'

* Note that storing hardcoded secrets in the settings is a bad practice and can lead to severe security breaches in your code. We recommend using environment variables for this purpose.

** Note that you can configure only one JWT-Encoding Algorithm in JWT_ENC_ALGORITHM. But you can set multiple allowed decoding(verifying) Algorithms in JWT_JWS_ALGORITHMS as an array of Strings. It is only useful if the JWT is from a 3rd Party and you don't know which Algorithm is used.

The payload of messages will be by default something like:

    "iss": "OneIssuer",
    "exp": 1234567890,
    "iat": 1234567789

But there is the possibility to add extra data to it. Just create a function that will enrich the payload and set the location to it in the JWT_PAYLOAD_ENRICHER variable:

# settings.py

JWT_PAYLOAD_ENRICHER = 'myapp.jwt_utils.payload_enricher'

# myproject/myapp/jwt_utils.py

def payload_enricher(request):
    return {
        'sub': 'mysubject',

Consumer configuration

In order to let users authenticate using JWT header and token we need to add the following configuration:

# settings.py

Also, you will need to add to the settings every public key of all the possible token issuers, if configured, using a variable JWT_PUBLIC_KEY_<JWT_ISSUER>:

# settings.py
-----END PUBLIC KEY-----

By default authentication will be enabled, use JWT_AUTH_DISABLED setting variable to disable that feature:

# settings.py

Local development

Have Docker and docker-compose installed as a first step.

docker-compose build

To run the tests on latest Python-version:

docker-compose run dot_jwt

To run the tests only for Python 3.6:

docker-compose run dot_jwt_36

There are tests configured for all currently supported Python-Versions. Just exchange the suffix of the docker-compose service tag with your major-minor combination.