API

Keys

class asymmetric_jwt_auth.keys.PublicKey(*args, **kwds)
    Represents a public key

    property allowed_algorithms
        Return a list of allowed JWT algorithms for this key, in order of most to least preferred.

    property as_jwk
        Return the public key in JWK format

    property as_pem
        Get the public key as a PEM-formatted byte string

    property fingerprint
        Get a SHA-256 fingerprint of the key.

    classmethod load_openssh(key: bytes) → Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey]
        Load an OpenSSH-format public key

    classmethod load_pem(pem: bytes) → Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey]
        Load a PEM-format public key

    classmethod load_serialized_public_key(key: bytes) → Tuple[Optional[Exception], Optional[Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey]]]
        Load a PEM or OpenSSH format public key
class
asymmetric_jwt_auth.keys.
RSAPublicKey
(key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey)[source]¶ Represents an RSA public key
-
property
allowed_algorithms
¶ Return a list of allowed JWT algorithms for this key, in order of most to least preferred.
-
property
as_jwk
¶ Return the public key in JWK format
-
property
-
class
asymmetric_jwt_auth.keys.
Ed25519PublicKey
(key: cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey)[source]¶ Represents an Ed25519 public key
-
property
allowed_algorithms
¶ Return a list of allowed JWT algorithms for this key, in order of most to least preferred.
-
property
-
class
asymmetric_jwt_auth.keys.
PrivateKey
(*args, **kwds)[source]¶ Represents a private key
-
classmethod
load_pem
(pem: bytes, password: Optional[bytes] = None) → Union[asymmetric_jwt_auth.keys.RSAPrivateKey, asymmetric_jwt_auth.keys.Ed25519PrivateKey][source]¶ Load a PEM-format private key
-
classmethod
load_pem_from_file
(filepath: os.PathLike, password: Optional[bytes] = None) → Union[asymmetric_jwt_auth.keys.RSAPrivateKey, asymmetric_jwt_auth.keys.Ed25519PrivateKey][source]¶ Load a PEM-format private key from disk.
-
classmethod
-
class
asymmetric_jwt_auth.keys.
RSAPrivateKey
(key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey)[source]¶ Represents an RSA private key
-
classmethod
generate
(size: int = 2048, public_exponent: int = 65537) → asymmetric_jwt_auth.keys.RSAPrivateKey[source]¶ Generate an RSA private key.
-
pubkey_cls
¶
-
classmethod
Middleware

class asymmetric_jwt_auth.middleware.JWTAuthMiddleware(get_response: Callable[[django.http.request.HttpRequest], django.http.response.HttpResponse])
    Django middleware class for authenticating users using JWT Authentication headers

    Process a Django request and authenticate users.

    If a JWT authentication header is detected and it is determined to be valid, the user is set as request.user and CSRF protection is disabled (request._dont_enforce_csrf_checks = True) on the request.

    Parameters
        request – Django Request instance

Models

class asymmetric_jwt_auth.models.PublicKey(*args, **kwargs)
    Store a public key and associate it to a particular user.

    Implements the same concept as the OpenSSH ~/.ssh/authorized_keys file on a Unix system.

    exception DoesNotExist

    exception MultipleObjectsReturned

    comment
        Comment describing the key. Use this to note what system is authenticating with the key, when it was last rotated, etc.

    key
        Key text in either PEM or OpenSSH format.

    last_used_on
        Date and time that key was last used for authenticating a request.

    save(*args, **kwargs) → None
        Save the current instance. Override this in a subclass if you want to control the saving process.

        The ‘force_insert’ and ‘force_update’ parameters can be used to insist that the “save” must be an SQL insert or update (or equivalent for non-SQL backends), respectively. Normally, they should not be set.

    user
        Foreign key to the Django User model. Related name: public_keys.
class
asymmetric_jwt_auth.models.
JWKSEndpointTrust
(*args, **kwargs)[source]¶ Associate a JSON Web Key Set (JWKS) URL with a Django User.
This accomplishes the same purpose of the PublicKey model, in a more automated fashion. Instead of manually assigning a public key to a user, the system will load a list of public keys from this URL.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
jwks_url
¶ URL of the JSON Web Key Set (JWKS)
-
user
¶ Foreign key to the Django User model. Related name:
public_keys
.
-
exception
Tokens

class asymmetric_jwt_auth.tokens.Token(username: str, timestamp: Optional[int] = None)
    Represents a JWT that’s either been constructed by our code or has been verified to be valid.

    create_auth_header(private_key: asymmetric_jwt_auth.keys.PrivateKey) → str
        Create an HTTP Authorization header

    sign(private_key: asymmetric_jwt_auth.keys.PrivateKey) → str
        Create and return signed authentication JWT
class
asymmetric_jwt_auth.tokens.
UntrustedToken
(token: str)[source]¶ Represents a JWT received from user input (and not yet trusted)
-
get_claimed_username
() → Union[None, str][source]¶ Given a JWT, get the username that it is claiming to be without verifying that the signature is valid.
- Parameters
token – JWT claim
- Returns
Username
-
verify
(public_key: asymmetric_jwt_auth.keys.PublicKey) → Union[None, asymmetric_jwt_auth.tokens.Token][source]¶ Verify the validity of the given JWT using the given public key.
-
Nonces

class asymmetric_jwt_auth.nonce.django.DjangoCacheNonceBackend
    Nonce backend which uses Django’s cache system.

    Simple, but not great. Prone to race conditions.

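Why a nonce store built on a separate lookup and write is prone to races, shown as an added example that is not the project's code. ToyCache, both accept functions and the barrier that holds two requests inside the race window are constructed for illustration and make no claim about how DjangoCacheNonceBackend is implemented.

```python
import threading


class ToyCache:
    """Constructed in-memory stand-in for a cache (not Django's cache API)."""
    def __init__(self):
        self._data, self._lock = {}, threading.Lock()

    def get(self, key):
        return self._data.get(key)

    def set(self, key, value):
        self._data[key] = value

    def add(self, key, value):
        """Store value only if key is absent, as one atomic step."""
        with self._lock:
            if key in self._data:
                return False
            self._data[key] = value
            return True


def accept_check_then_set(cache, nonce, gate=None):
    """Racy: 'have we seen it?' and 'remember it' are two separate steps."""
    if cache.get(nonce) is not None:
        return False                 # replay detected
    if gate is not None:
        gate.wait()                  # both requests are now past the check
    cache.set(nonce, True)
    return True


def accept_atomic(cache, nonce, gate=None):
    """Add-if-absent in a single step: only one caller can win."""
    if gate is not None:
        gate.wait()
    return cache.add(nonce, True)


def replay_concurrently(accept, nonce="constructed-nonce-1"):
    """Present one nonce from two threads; return how many were accepted."""
    cache, gate, results = ToyCache(), threading.Barrier(2), []
    threads = [threading.Thread(
        target=lambda: results.append(accept(cache, nonce, gate)))
        for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With the check-then-set variant both concurrent presentations of the same nonce are accepted, while the atomic variant accepts exactly one.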
Model Repositories

class asymmetric_jwt_auth.repos.django.DjangoPublicKeyListRepository
    attempt_to_verify_token(user: django.contrib.auth.models.User, untrusted_token: asymmetric_jwt_auth.tokens.UntrustedToken) → Optional[asymmetric_jwt_auth.tokens.Token]
        Attempt to verify a JWT for the given user using public keys from the PublicKey model.

class asymmetric_jwt_auth.repos.django.DjangoJWKSRepository
    attempt_to_verify_token(user: django.contrib.auth.models.User, untrusted_token: asymmetric_jwt_auth.tokens.UntrustedToken) → Optional[asymmetric_jwt_auth.tokens.Token]
        Attempt to verify a JWT for the given user using public keys from the user’s JWKS endpoint.