Django API: Authorization

View on Github

Django API: Authorization

Gravatar for andres.aguiar@auth0.com
By Andres Aguiar
Auth0

This tutorial demonstrates how to add authorization to a Django REST Framework API. We recommend you to Log in to follow this quickstart with examples configured for your account.

I want to explore a sample app

2 minutes

Get a sample configured with your account settings or check it on Github.

View on Github
System requirements: Python 2.7, 3.3 and up | Django 1.8 and up | djangorestframework 3.0 and up | djangorestframework-jwt 1.11.0 | python-jose 1.3.2 | cryptography 2.0.3

New to Auth? Learn How Auth0 works and read about API authorization.

Configure Auth0 APIs

Create an API

In the APIs section of the Auth0 dashboard, click Create API. Provide a name and an identifier for your API, for example https://quickstarts/api. You will use the identifier as an audience later, when you are configuring the Access Token verification. For Signing Algorithm, select RS256.

Create API

By default, your API uses RS256 as the algorithm for signing tokens. Since RS256 uses a private/public keypair, it verifies the tokens against the public key for your Auth0 account. The public key is in the JSON Web Key Set (JWKS) format, and can be accessed here.

Define scopes

Scopes let you define which resources can be accessed by the user with a given Access Token. For example, you might choose to grant read access to the messages resource if users have the manager access level, and a write access to that resource if they have the administrator access level.

You can add the required scopes in the Scopes tab of the Auth0 Dashboard's APIs section.

Configure Scopes

This example uses the read:messages scope.

This example demonstrates:

  • How to check for a JSON Web Token (JWT) in the Authorization header of an incoming HTTP request.

  • How to check if the token is valid, using the JSON Web Key Set (JWKS) for your Auth0 account. To learn more about validating Access Tokens, read the Verify Access Tokens tutorial.

Setup the Django Application

Install dependencies

Add the following dependencies to your requirements.txt and run pip install -r requirements.txt.

django
djangorestframework
djangorestframework-jwt
cryptography
pyjwt
python-dotenv

Create a Django project

This guide assumes you already have a Django application set up. If that is not the case, follow the steps in the Django Tutorial.

The sample project was created with the following commands:

$ django-admin startproject apiexample
$ cd apiexample
$ python manage.py startapp auth0authorization

Add a Django remote user

You need to define a way to map the username from the Access Token payload to the Django authentication system user.

Add RemoteUserMiddleware middleware component after AuthenticationMiddleware to middleware list.

# apiexample/settings.py

MIDDLEWARE = [
    # ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
]

Add ModelBackend and RemoteUserBackend to the Authentication Backends.

# apiexample/settings.py

AUTHENTICATION_BACKENDS = [
    'django.contrib.auth.backends.ModelBackend',
    'django.contrib.auth.backends.RemoteUserBackend',
]

Create user.py file in your application's folder and define a function that maps the sub field from the access_token to the username.

# auth0authorization/user.py

from django.contrib.auth import authenticate

def jwt_get_username_from_payload_handler(payload):
    username = payload.get('sub').replace('|', '.')
    authenticate(remote_user=username)
    return username

Then create a remote user in Django authentication system. Please check the Django documentation for more information.

Validate Access Tokens

The settings.py file contains the configuration of the Django project.

Add the following imports in settings.py file.

# apiexample/settings.py

import json
from six.moves.urllib import request

from cryptography.x509 import load_pem_x509_certificate
from cryptography.hazmat.backends import default_backend

Add rest_framework app to the INSTALLED_APPS entry.

# apiexample/settings.py

INSTALLED_APPS = [
    # ...
    'rest_framework'
]

Add JSONWebTokenAuthentication to Django REST framework's DEFAULT_AUTHENTICATION_CLASSES.

# apiexample/settings.py

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.BasicAuthentication',
    ),
}

Add code to download the JWKS for your Auth0 domain and create a public key variable with it:

# apiexample/settings.py

jsonurl = request.urlopen("https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json")
jwks = json.loads(jsonurl.read())
cert = '-----BEGIN CERTIFICATE-----\n' + jwks['keys'][0]['x5c'][0] + '\n-----END CERTIFICATE-----'

certificate = load_pem_x509_certificate(str.encode(cert), default_backend())
publickey = certificate.public_key()

Configure the Django REST Framework JWK by setting the JWT_AUTH variable.

Set the JWT_AUDIENCE to your API identifier and the JWT_ISSUER to your Auth0 domain. By default those values will be retrieved from the .env file.

# apiexample/settings.py

JWT_AUTH = {
    'JWT_PAYLOAD_GET_USERNAME_HANDLER':
        'auth0authorization.user.jwt_get_username_from_payload_handler',
    'JWT_PUBLIC_KEY': publickey,
    'JWT_ALGORITHM': 'RS256',
    'JWT_AUDIENCE': 'YOUR_API_IDENTIFIER',
    'JWT_ISSUER': 'YOUR_AUTH0_DOMAIN',
    'JWT_AUTH_HEADER_PREFIX': 'Bearer',
}

Validate scopes

Add the following methods to the views.py file to create a decorator that will check the granted scopes from the access_token.

# auth0authorization/views.py

def get_token_auth_header(request):
    """Obtains the Access Token from the Authorization Header
    """
    auth = request.META.get("HTTP_AUTHORIZATION", None)
    parts = auth.split()
    token = parts[1]

    return token

def requires_scope(required_scope):
    """Determines if the required scope is present in the Access Token
    Args:
        required_scope (str): The scope required to access the resource
    """
    def require_scope(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            token = get_token_auth_header(args[0])
            unverified_claims = jwt.get_unverified_claims(token)
            token_scopes = unverified_claims["scope"].split()
            for token_scope in token_scopes:
                if token_scope == required_scope:
                    return f(*args, **kwargs)
            response = JsonResponse({'message': 'You don\'t have access to this resource'})
            response.status_code = 403
            return response
        return decorated
    return require_scope

Protect API Endpoints

The routes shown below are available for the following requests:

  • GET /api/public: available for non-authenticated requests
  • GET /api/private: available for authenticated requests containing an Access Token with no additional scopes
  • GET /api/private-scoped: available for authenticated requests containing an Access Token with the read:messages scope granted

In the file views.py add public and private endpoints. Add the @api_view decorator to the private endpoint to indicate that the method requires authentication.

# auth0authorization/views.py

from functools import wraps

from rest_framework.decorators import api_view
from django.http import JsonResponse
from jose import jwt

def public(request):
    return JsonResponse({'message': 'Hello from a public endpoint! You don\'t need to be authenticated to see this.'})


@api_view(['GET'])
def private(request):
    return JsonResponse({'message': 'Hello from a private endpoint! You need to be authenticated to see this.'})

Use the requires_scope decorator in the methods that require specific scopes granted. The method below requires the read:messages scope granted.

# auth0authorization/views.py

@api_view(['GET'])
@requires_scope('read:messages')
def private_scoped(request):
    return JsonResponse("Hello from a private endpoint! You need to be authenticated and have a scope of read:messages to see this.")

Add URL mappings

In previous steps we added methods to the views.py file. We need to map those methods to URLs.

Django has a URL dispatcher that lets you map URL patterns to views.

Create the file urls.py in your application folder. Add the URL patterns.

# auth0authorization/urls.py

from django.conf.urls import url

from . import views

urlpatterns = [
    url(r'^api/public$', views.public),
    url(r'^api/private$', views.private),
    url(r'^api/private-scoped$', views.private_scoped),
]

The Django project also has a urls.py file. Add a reference to your application's urls.py file.

# apiexample/urls.py

from django.conf.urls import url, include
from django.contrib import admin

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^', include('auth0authorization.urls'))
]
Use Auth0 for FREE