API¶

Keys¶

class asymmetric_jwt_auth.keys.PublicKey(*args, **kwds)[source]¶

Represents a public key

property allowed_algorithms¶: Return a list of allowed JWT algorithms for this key, in order of most to least preferred.

property as_jwk¶: Return the public key in JWK format

property as_pem¶: Get the public key as a PEM-formatted byte string

property fingerprint¶: Get a sha256 fingerprint of the key.

classmethod load_openssh(key: bytes) → Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey][source]¶: Load a openssh-format public key

classmethod load_pem(pem: bytes) → Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey][source]¶: Load a PEM-format public key

classmethod load_serialized_public_key(key: bytes) → Tuple[Optional[Exception], Optional[Union[asymmetric_jwt_auth.keys.RSAPublicKey, asymmetric_jwt_auth.keys.Ed25519PublicKey]]][source]¶: Load a PEM or openssh format public key

class asymmetric_jwt_auth.keys.RSAPublicKey(key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey)[source]¶

Represents an RSA public key

property allowed_algorithms¶: Return a list of allowed JWT algorithms for this key, in order of most to least preferred.

property as_jwk¶: Return the public key in JWK format

class asymmetric_jwt_auth.keys.Ed25519PublicKey(key: cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey)[source]¶

Represents an Ed25519 public key

property allowed_algorithms¶: Return a list of allowed JWT algorithms for this key, in order of most to least preferred.

class asymmetric_jwt_auth.keys.PrivateKey(*args, **kwds)[source]¶

Represents a private key

classmethod load_pem(pem: bytes, password: Optional[bytes] = None) → Union[asymmetric_jwt_auth.keys.RSAPrivateKey, asymmetric_jwt_auth.keys.Ed25519PrivateKey][source]¶: Load a PEM-format private key

classmethod load_pem_from_file(filepath: os.PathLike, password: Optional[bytes] = None) → Union[asymmetric_jwt_auth.keys.RSAPrivateKey, asymmetric_jwt_auth.keys.Ed25519PrivateKey][source]¶: Load a PEM-format private key from disk.

class asymmetric_jwt_auth.keys.RSAPrivateKey(key: cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey)[source]¶

Represents an RSA private key

classmethod generate(size: int = 2048, public_exponent: int = 65537) → asymmetric_jwt_auth.keys.RSAPrivateKey [source]¶: Generate an RSA private key.

pubkey_cls¶: alias of asymmetric_jwt_auth.keys.RSAPublicKey

class asymmetric_jwt_auth.keys.Ed25519PrivateKey(key: cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey)[source]¶

Represents an Ed25519 private key

classmethod generate() → asymmetric_jwt_auth.keys.Ed25519PrivateKey [source]¶: Generate an Ed25519 private key.

pubkey_cls¶: alias of asymmetric_jwt_auth.keys.Ed25519PublicKey

Middleware¶

class asymmetric_jwt_auth.middleware.JWTAuthMiddleware(get_response: Callable[[django.http.request.HttpRequest], django.http.response.HttpResponse])[source]¶

Django middleware class for authenticating users using JWT Authentication headers

authorize_request(request: django.http.request.HttpRequest) → django.http.request.HttpRequest[source]¶

Process a Django request and authenticate users.

If a JWT authentication header is detected and it is determined to be valid, the user is set as request.user and CSRF protection is disabled (request._dont_enforce_csrf_checks = True) on the request.

Parameters: request – Django Request instance

Models¶

class asymmetric_jwt_auth.models.PublicKey(*args, **kwargs)[source]¶

Store a public key and associate it to a particular user.

Implements the same concept as the OpenSSH ~/.ssh/authorized_keys file on a Unix system.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

comment¶: Comment describing the key. Use this to note what system is authenticating with the key, when it was last rotated, etc.

key¶: Key text in either PEM or OpenSSH format.

last_used_on¶: Date and time that key was last used for authenticating a request.

save(*args, **kwargs) → None[source]¶

Save the current instance. Override this in a subclass if you want to control the saving process.

The ‘force_insert’ and ‘force_update’ parameters can be used to insist that the “save” must be an SQL insert or update (or equivalent for non-SQL backends), respectively. Normally, they should not be set.

user¶: Foreign key to the Django User model. Related name: public_keys.

class asymmetric_jwt_auth.models.JWKSEndpointTrust(*args, **kwargs)[source]¶

Associate a JSON Web Key Set (JWKS) URL with a Django User.

This accomplishes the same purpose of the PublicKey model, in a more automated fashion. Instead of manually assigning a public key to a user, the system will load a list of public keys from this URL.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

jwks_url¶: URL of the JSON Web Key Set (JWKS)

user¶: Foreign key to the Django User model. Related name: public_keys.

Tokens¶

class asymmetric_jwt_auth.tokens.Token(username: str, timestamp: Optional[int] = None)[source]¶

Represents a JWT that’s either been constructed by our code or has been verified to be valid.

create_auth_header(private_key: asymmetric_jwt_auth.keys.PrivateKey) → str[source]¶: Create an HTTP Authorization header

sign(private_key: asymmetric_jwt_auth.keys.PrivateKey) → str[source]¶: Create and return signed authentication JWT

class asymmetric_jwt_auth.tokens.UntrustedToken(token: str)[source]¶

Represents a JWT received from user input (and not yet trusted)

get_claimed_username() → Union[None, str][source]¶

Given a JWT, get the username that it is claiming to be without verifying that the signature is valid.

Parameters: token – JWT claim
Returns: Username

verify(public_key: asymmetric_jwt_auth.keys.PublicKey) → Union[None, asymmetric_jwt_auth.tokens.Token][source]¶: Verify the validity of the given JWT using the given public key.

Nonces¶

class asymmetric_jwt_auth.nonce.base.BaseNonceBackend[source]¶

class asymmetric_jwt_auth.nonce.django.DjangoCacheNonceBackend[source]¶

Nonce backend which uses DJango’s cache system.

Simple, but not great. Prone to race conditions.

log_used_nonce(username: str, timestamp: int, nonce: str) → None[source]¶: Log a nonce as being used, and therefore henceforth invalid.

validate_nonce(username: str, timestamp: int, nonce: str) → bool[source]¶: Confirm that the given nonce hasn’t already been used.

class asymmetric_jwt_auth.nonce.null.NullNonceBackend[source]¶

Nonce backend which doesn’t actually do anything

log_used_nonce(username: str, timestamp: int, nonce: str) → None[source]¶: Log a nonce as being used, and therefore henceforth invalid.

validate_nonce(username: str, timestamp: int, nonce: str) → bool[source]¶: Confirm that the given nonce hasn’t already been used.

Model Repositories¶

class asymmetric_jwt_auth.repos.base.BaseUserRepository[source]¶

class asymmetric_jwt_auth.repos.base.BasePublicKeyRepository[source]¶

class asymmetric_jwt_auth.repos.django.DjangoUserRepository[source]¶

get_user(username: str) → Union[None, django.contrib.auth.models.User][source]¶: Get a Django user by username

class asymmetric_jwt_auth.repos.django.DjangoPublicKeyListRepository[source]¶

attempt_to_verify_token(user: django.contrib.auth.models.User, untrusted_token: asymmetric_jwt_auth.tokens.UntrustedToken) → Optional[asymmetric_jwt_auth.tokens.Token][source]¶: Attempt to verify a JWT for the given user using public keys from the PublicKey model.

class asymmetric_jwt_auth.repos.django.DjangoJWKSRepository[source]¶

attempt_to_verify_token(user: django.contrib.auth.models.User, untrusted_token: asymmetric_jwt_auth.tokens.UntrustedToken) → Optional[asymmetric_jwt_auth.tokens.Token][source]¶: Attempt to verify a JWT for the given user using public keys the user’s JWKS endpoint.