Accept ready-made JWTs in API #2483

lunkwill42 · 2022-10-26T07:49:39Z

A sort of MVP for JWT tokens in NAV would be to have the API simply accept valid JWT tokens as authorization:

The API must require JWTs to be cryptographically signed by a trusted key (RS256).
The API must require JWTs to have an expiry date claim.
The API must require JWTs to have a not-before date claim.

SimpleJWT is a potential candidate for library to use here - BUT, SimpleJWT seems to have a dependency on the Django user model that NAV does not support. API endpoints in NAV do not perform operations on behalf of specific users, so the user model is irrelevant for NAV API atm. We might want to fork some of SimpleJWT's code to complete this MVP.

This functionality can be tested by manually constructing and signing a JWT token, submitting this to any API endpoint in NAV for authorization.

This MVP does not need to consider access claims at all. These can be defined later.

lunkwill42 mentioned this issue Oct 26, 2022

Replace current API token implemention with a JWT implementation #2481

Open

5 tasks

lunkwill42 added enhancement api labels Oct 26, 2022

lunkwill42 assigned stveit Oct 26, 2022

stveit mentioned this issue Nov 2, 2022

Authenticate API with JWT tokens #2485

Closed

stveit mentioned this issue Jan 16, 2023

Support JWT token authentication #2511

Merged

lunkwill42 closed this as completed in #2511 Jan 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Accept ready-made JWTs in API #2483

Accept ready-made JWTs in API #2483

lunkwill42 commented Oct 26, 2022 •

edited

Loading

Accept ready-made JWTs in API #2483

Accept ready-made JWTs in API #2483

Comments

lunkwill42 commented Oct 26, 2022 • edited Loading

lunkwill42 commented Oct 26, 2022 •

edited

Loading