mirror of
https://github.com/fastapi-users/fastapi-users.git
synced 2025-08-15 03:04:27 +08:00

* Implement RS256 for JWT auth
* Update docs with RS256 example
* Added ES256 tests
* Format with isort and black
* Removed example RSA key pair (so as not to tempt people to use it)
* Added pyjwt[crypto] to requirements
* Removed pycryptodome by hardcoding example keys
* Removed unnecessary Tuple import from typing
# JWT
JSON Web Token (JWT) is an internet standard for creating access tokens based on JSON. They don't need to be stored in a database: the data is self-contained inside and cryptographically signed.
## Configuration

```python
from fastapi_users.authentication import JWTStrategy

SECRET = "SECRET"


def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)
```
As you can see, instantiation is quite simple. It accepts the following arguments:

* `secret` (`Union[str, pydantic.SecretStr]`): A constant secret which is used to sign the token. **Use a strong passphrase and keep it secure.**
* `lifetime_seconds` (`Optional[int]`): The lifetime of the token in seconds. Can be set to `None`, but in this case the token will be valid **forever**, which may raise serious security concerns.
* `token_audience` (`Optional[List[str]]`): A list of valid audiences for the JWT token. Defaults to `["fastapi-users:auth"]`.
* `algorithm` (`Optional[str]`): The JWT signing algorithm. See RFC 7519, section 8. Defaults to `"HS256"`.
* `public_key` (`Optional[Union[str, pydantic.SecretStr]]`): If the signing algorithm uses a key pair instead of a shared secret (as RS256 does), the public key used to **verify** the JWT's signature may be provided here. The `secret` parameter is always the key used to **sign** the JWT.
!!! tip "Why is it inside a function?"
    To allow strategies to be instantiated dynamically with other dependencies, they have to be provided as a callable to the authentication backend.

    For `JWTStrategy`, since it doesn't require dependencies, it can be as simple as the function above.
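To make the parameters above concrete, here is an added, standard-library-only example (not fastapi-users code) that mirrors what an HS256 `JWTStrategy` does with `secret`, `lifetime_seconds` and `token_audience`: it signs a compact JWS and then verifies signature, audience and expiry. The `sub` claim and the `now` parameter are assumptions for the illustration; passing `lifetime_seconds=None` shows why a token without an `exp` claim keeps being accepted indefinitely.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

AUDIENCE = ["fastapi-users:auth"]  # the page's default token_audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(secret: str, sub: str, lifetime_seconds: Optional[int],
                 audience: List[str] = AUDIENCE, now: Optional[int] = None) -> str:
    """Build header.payload.signature; 'sub' and 'now' are assumed for illustration."""
    now = int(time.time()) if now is None else now
    payload: Dict[str, Any] = {"sub": sub, "aud": audience}
    if lifetime_seconds is not None:  # lifetime_seconds=None -> no exp claim at all
        payload["exp"] = now + lifetime_seconds
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_hs256(secret: str, token: str, audience: List[str] = AUDIENCE,
                 now: Optional[int] = None) -> Optional[Dict[str, Any]]:
    """Return the payload if signature, audience and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Accept only the configured algorithm, and compare in constant time.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))  # parse claims only after the signature is good
    except ValueError:  # malformed structure, base64 or JSON
        return None
    aud = payload.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(audience):
        return None
    # Without an exp claim there is nothing to check: the token never stops being accepted.
    if "exp" in payload and payload["exp"] <= now:
        return None
    return payload
```

Nothing here is stored server-side; the verifier only needs the secret, the token and the clock, which is also why a logout cannot revoke a token before it expires.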
## RS256 example

```python
from fastapi_users.authentication import JWTStrategy

PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
# Your RSA public key in PEM format goes here
-----END PUBLIC KEY-----"""

PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
# Your RSA private key in PEM format goes here
-----END RSA PRIVATE KEY-----"""


def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(
        secret=PRIVATE_KEY,
        lifetime_seconds=3600,
        algorithm="RS256",
        public_key=PUBLIC_KEY,
    )
```
## Logout
On logout, this strategy won't do anything. Indeed, a JWT can't be invalidated on the server-side: it's valid until it expires.