Does django-oauth-toolkit support JWT Tokens? If it does, how should it be configured? If it doesn't, what are the alternatives?
Closed this issue · 0 comments
I am using Django (django-oauth-toolkit) as an OAuth2 server, with the following configuration:
```python
import os  # settings.py normally imports os; BASE_DIR is the project root defined above this block

OAUTH2_PROVIDER = {
    'ACCESS_TOKEN_EXPIRE_SECONDS': 36000,
    'REFRESH_TOKEN_EXPIRE_SECONDS': 360000,
    'ROTATE_REFRESH_TOKEN': True,
    'OIDC_JWKS_MAX_AGE_SECONDS': 36000,
    'OIDC_ENABLED': True,
    'SCOPES': {
        'read': 'Read scope',
        'write': 'Write scope',
        'userinfo': 'User info scope',
        'openid': 'openid scope',
    },
    'OIDC_ISS_ENDPOINT': "http://127.0.0.1:8000/o",
    'DEFAULT_SCOPES': ['read', 'write', 'userinfo', 'openid'],
    # RSA key pair used to sign OIDC ID tokens and published at /o/.well-known/jwks.json
    'OIDC_RSA_PRIVATE_KEY': open(os.path.join(BASE_DIR, 'test/private_key.pem')).read(),
    'OIDC_RSA_PUBLIC_KEY': open(os.path.join(BASE_DIR, 'test/public_key.pem')).read(),
    'ALLOWED_REDIRECT_URI_SCHEMES': ['http', 'https'],
}
```
Then I use a Spring Boot application as the OAuth2 client and Resource Server, using the spring-security-oauth2 client module, with the following configuration:
```yaml
security:
  oauth2:
    client:
      registration:
        django:
          client-id: ........
          client-secret: ..................
          authorization-grant-type: authorization_code
          redirect-uri: "${local.baseUrl}/login/oauth2/code/{registrationId}"
          # redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
          scope: read, write, userinfo, openid
      provider:
        django:
          authorization-uri: ${local.url}/o/authorize/
          token-uri: ${local.url}/o/token/
          user-info-uri: ${local.url}/o/userinfo/
          jwk-set-uri: ${local.url}/o/.well-known/jwks.json
    resourceserver:
      jwt:
        issuer-uri: http://10.20.3.15:8080/o
        jwk-set-uri: ${local.url}/o/.well-known/jwks.json
```
Then I obtain the token through the following code, but the token format is not in JWT format; instead, it is a string. I want the token to be in JWT format. How should I configure this?
```java
import java.security.Principal;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;

// Security configuration (in a @Configuration class). jwkSetUri is a field
// bound from the application properties above.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http, CustomRequestMatcher customRequestMatcher) throws Exception {
    http.csrf(csrfCustomizer -> csrfCustomizer.ignoringRequestMatchers(customRequestMatcher))
        .authorizeHttpRequests(authorizeRequests ->
            authorizeRequests
                // .requestMatchers("/m/**","/assets/**","/logo.svg","/favicon.ico", "/api/m/**").permitAll()
                // .requestMatchers(new AntPathRequestMatcher(UriEnum.API.getAntMatcher()), customRequestMatcher).permitAll()
                .anyRequest().authenticated()
        )
        // Resource server: bearer tokens are validated as JWTs against the JWK set
        .oauth2ResourceServer(outh -> outh.jwt(jwt -> jwt.jwkSetUri(jwkSetUri)))
        .oauth2Login(Customizer.withDefaults());
    return http.build();
}

// Controller endpoint (in a @Controller class). authorizedClientService is an
// injected OAuth2AuthorizedClientService; log is the class logger.
@GetMapping("/hejlogin")
public String hejlogin(Principal principal) {
    OAuth2AuthorizedClient authorizedClient = authorizedClientService.loadAuthorizedClient(
            "django", principal.getName());
    log.info("Authorized Client: {}", authorizedClient);
    OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
    String tokenValue = accessToken.getTokenValue();
    log.info("Access Token: {}", tokenValue);
    return "redirect:http://127.0.0.1:5173/?token=" + tokenValue;
}
```
The result of `tokenValue` is `9AIimWuozpKJrwQs5V1xNDbdaLp0BK`. This is not a JWT token.
When I call it via JavaScript, the server of the Spring Boot app tells me that the token is not in JWT format.
I want to know:
- Does django-oauth-toolkit support JWT Tokens? If it does, how can it be configured? How can I obtain a JWT Token through Spring Boot or directly through the Django Server? How can I authenticate using JWT in Spring Boot?
- If it doesn't support JWT Tokens, are there any other solutions available in Django?
I am a beginner, so I hope you can guide me. Thank you very much!
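The check that the Spring Boot resource server is effectively performing on the token value quoted in the issue can be shown in a few lines. The following is an added example, not code from the issue, from django-oauth-toolkit or from Spring Security: it tells an opaque bearer token (no dot-separated header.payload.signature structure) from a compact JWT, and for the JWT case verifies the signature, `alg`, `iss` and `exp` before returning any claims. The key, claims and the HS256 algorithm are constructed for the demonstration (a real issuer such as django-oauth-toolkit's OIDC ID token uses RS256 with the published JWK set); the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: classify a bearer token as opaque vs. JWT, then verify
# the JWT case. Nothing here is django-oauth-toolkit or Spring Security code.


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> dict:
    """Return {'kind': 'jwt', 'header': ..., 'claims': ...} for a structurally
    valid compact JWT, or {'kind': 'opaque'} for anything else.
    No signature check happens here: a parsed JWT is still untrusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return {"kind": "opaque"}
    if not isinstance(header, dict) or "alg" not in header or not isinstance(claims, dict):
        return {"kind": "opaque"}
    return {"kind": "jwt", "header": header, "claims": claims}


def verify_hs256(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Verify signature, 'alg', 'iss' and 'exp' of an HS256 JWT and return its
    claims. Raises ValueError on any failure so callers can never act on
    unverified claims."""
    info = classify_token(token)
    if info["kind"] != "jwt":
        raise ValueError("not a JWT (opaque access token?)")
    # Pin the expected algorithm instead of trusting whatever the header says.
    if info["header"].get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = info["claims"]
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed helper that mints a signed test token (stands in for the issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    # The value quoted in the issue has no header.payload.signature structure.
    print(classify_token("9AIimWuozpKJrwQs5V1xNDbdaLp0BK"))
    key = b"constructed-demo-key"
    tok = make_hs256_token({"iss": "http://127.0.0.1:8000/o", "sub": "42", "exp": 2000000000}, key)
    print(classify_token(tok)["kind"], verify_hs256(tok, key, "http://127.0.0.1:8000/o"))
```

Run as a script it prints `{'kind': 'opaque'}` for the issue's token and the verified claims for the constructed one. A JWT-based resource server has only the structural check plus signature verification to go on, which is why an opaque token from the token endpoint is rejected outright rather than looked up.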