python/fastapi-users
1
0
Fork 0
mirror of https://github.com/fastapi-users/fastapi-users.git synced 2025-08-16 11:53:40 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
fastapi-users/docs/configuration/authentication/strategies/jwt.md
Joe Taylor b054383fbf Enable RS256/ES256 and other algorithms for JWT strategy (#943) 
* Implement RS256 for JWT auth

* Update docs with RS256 example

* Added ES256 tests

* Format with isort and black

* Removed example RSA key pair (so as not to tempt people to use it)

* Added pyjwt[crypto] to requirements

* Removed pycryptodome by hardcoding example keys

* Removed unnecessary Tuple import from typing
2022-03-22 10:28:00 +01:00

54 lines
2.3 KiB
Markdown
Raw Blame History

# JWT
[JSON Web Token (JWT)](https://jwt.io/introduction) is an internet standard for creating access tokens based on JSON. They don't need to be stored in a database: the data is self-contained inside and cryptographically signed.
## Configuration
```py
from fastapi_users.authentication import JWTStrategy
SECRET = "SECRET"
def get_jwt_strategy() -> JWTStrategy:
return JWTStrategy(secret=SECRET, lifetime_seconds=3600)
```
As you can see, instantiation is quite simple. It accepts the following arguments:
- `secret` (`Union[str, pydantic.SecretStr]`): A constant secret which is used to encode the token. **Use a strong passphrase and keep it secure.**
- `lifetime_seconds` (`Optional[int]`): The lifetime of the token in seconds. Can be set to `None` but in this case the token will be valid **forever**; which may raise serious security concerns.
- `token_audience` (`Optional[List[str]]`): A list of valid audiences for the JWT token. Defaults to `["fastapi-users:auth"]`.
- `algorithm` (`Optional[str]`): The JWT encryption algorithm. See [RFC 7519, section 8](https://datatracker.ietf.org/doc/html/rfc7519#section-8). Defaults to `"HS256"`.
- `public_key` (`Optional[Union[str, pydantic.SecretStr]]`): If the JWT encryption algorithm requires a key pair instead of a simple secret, the key to **decrypt** the JWT may be provided here. The `secret` parameter will always be used to **encrypt** the JWT.
!!! tip "Why it's inside a function?"
To allow strategies to be instantiated dynamically with other dependencies, they have to be provided as a callable to the authentication backend.
For `JWTStrategy`, since it doesn't require dependencies, it can be as simple as the function above.
## RS256 example
```py
from fastapi_users.authentication import JWTStrategy
PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
# Your RSA public key in PEM format goes here
-----END PUBLIC KEY-----"""
PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
# Your RSA private key in PEM format goes here
-----END RSA PRIVATE KEY-----"""
def get_jwt_strategy() -> JWTStrategy:
return JWTStrategy(
secret=PRIVATE_KEY,
lifetime_seconds=3600,
algorithm="RS256",
public_key=PUBLIC_KEY,
)
```
## Logout
On logout, this strategy **won't do anything**. Indeed, a JWT can't be invalidated on the server-side: it's valid until it expires.
Reference in New Issue View Git Blame Copy Permalink