Problem description
I am planning to build an application with Django Rest Framework. I'm more interested in using the Django-Rest-Framework-JWT authentication mechanism than the Session or Token authentication mechanisms.
But all the other packages like Django-Rest-Auth and Djoser (which help with the registration process) use the Session and Token authentication systems.
How do I override the Token authentication mechanism in Djoser or Django-Rest-Auth with Django-Rest-Framework-JWT?
Recommended answer
I know this question is almost a year old, but I just figured out how to get Djoser and django-rest-knox to play along and sure enough the same technique worked with djangorestframework-jwt as well. The trick is knowing that you can use Djoser's account endpoints without using its auth-related endpoints. You just have to put each library on its own endpoint.
Here's how I set up Django Rest Framework to use JWTs to log in and authenticate against Djoser endpoints (I'm going to take it from start to finish):
First, install djangorestframework-jwt and djoser:
pip install djangorestframework-jwt djoser
Specify that you want to use JWTs to authenticate by adding JSONWebTokenAuthentication to DEFAULT_AUTHENTICATION_CLASSES in your Django project's settings.py:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
    ),
}
Next, add djoser.urls and rest_framework_jwt's obtain_jwt_token view to your urls:
from django.conf.urls import url, include
from rest_framework_jwt import views as jwt_views

urlpatterns = [
    url(r'^account/', include('djoser.urls')),
    url(r'^auth/login/', jwt_views.obtain_jwt_token, name='auth'),
]
That should be everything you need to get started. Just to be safe, run a migrate (I spun up a brand-new instance of Django Rest Framework for this post and hadn't yet run the initial commits before this point):
python manage.py migrate
To test things out, create a new user if you don't already have one:
python manage.py createsuperuser
Once you have a user account, runserver and then try logging in to get your JWT:
http POST http://localhost:8000/auth/login/ username=admin password=password
You should get a token back:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
}
You can then use this token to authenticate against Djoser's /me/ endpoint to get your profile information. Just include your token within your request's header as Authorization: JWT:
http http://localhost:8000/account/me/ "Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
Here's the result I got:
{
"email": "",
"id": 2,
"username": "admin"
}
As you can see, it's pretty easy to start using JWTs for authentication. My guess is that libraries like djoser and django-rest-auth focus on Basic, Session, or Token authentication because they're included out of the DRF box and thus are probably the most common method by which people authenticate calls against their server.
The beauty of all this is that it's easy to implement a more secure authentication scheme because Djoser isn't tightly coupled to its own authentication classes - it'll happily respect whatever you set for DEFAULT_AUTHENTICATION_CLASSES.
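What a server has to check when it receives the `Authorization: JWT ...` header shown in the answer, as an added example (not part of the original answer and not djangorestframework-jwt's own code): the token's claims are readable without any key, so authenticity rests on the pinned algorithm, the HMAC check and the `exp` claim. The function names and any signing key passed in are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Token copied from the login response in the answer above.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9."
    "JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
)

def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_claims_unverified(token):
    """Return (header, payload) with no key: segments are encoded, not encrypted."""
    head, body, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(body))

def sign_hs256(payload, key):  # hypothetical helper, only builds sample tokens
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, key, now=None):
    """Return the payload if the token is HS256, correctly signed and unexpired."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        given = b64url_decode(sig)
    except (ValueError, AttributeError):
        raise ValueError("malformed token")
    # Pin the algorithm server-side; never let the token header choose it.
    if alg != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload
```

Because `read_claims_unverified(PAGE_TOKEN)` recovers the username, email and user id with no secret, nothing sensitive belongs in the payload, and a token missing `exp` is treated here as expired.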