* 📝 Update JWT docs with python-jose
* 📝 Update format and use python-jose in docs
* ➕ Add Python-jose to dependencies
Co-authored-by: Sebastián Ramírez <[email protected]>
@ -56,7 +56,7 @@ They are normally used to declare specific security permissions, for example:
First, let's quickly see the parts that change from the examples in the main **Tutorial - User Guide** for [OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}. Now using OAuth2 scopes:
@ -68,7 +68,7 @@ The first change is that now we are declaring the OAuth2 security scheme with tw
The `scopes` parameter receives a `dict` with each scope as a key and the description as the value:
```Python hl_lines="63 64 65 66"
```Python hl_lines="62 63 64 65"
{!../../../docs_src/security/tutorial005.py!}
```
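Review bot: the new `hl_lines="62 63 64 65"` values cannot be checked from this diff because `docs_src/security/tutorial005.py` is not among the shown hunks; please confirm the shifted range still covers the `scopes` dict that the sentence above describes, since a one-line shift caused by the changed imports is easy to get off by one after the `python-jose` swap. Including the `docs_src` change in the same PR would let the highlight numbers and the file be reviewed together.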
@ -93,7 +93,7 @@ And we return the scopes as part of the JWT token.
But in your application, for security, you should make sure you only add the scopes that the user is actually able to have, or the ones you have predefined.
```Python hl_lines="155"
```Python hl_lines="153"
{!../../../docs_src/security/tutorial005.py!}
```
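Review bot: this highlight moves by two lines (155 to 153) while the neighbouring hunks move theirs by one (63-66 to 62-65, 5/140/167 to 4/139/166), so either the token-creation code in `tutorial005.py` moved for a second reason or one of the numbers is off; please double-check that 153 lands on the line that adds the scopes to the JWT, which is what the context line ("we return the scopes as part of the JWT token") is meant to point at.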
@ -118,7 +118,7 @@ In this case, it requires the scope `me` (it could require more than one scope).
We are doing it here to demonstrate how **FastAPI** handles scopes declared at different levels.
```Python hl_lines="5 140 167"
```Python hl_lines="4 139 166"
{!../../../docs_src/security/tutorial005.py!}
```
@ -143,7 +143,7 @@ We also declare a special parameter of type `SecurityScopes`, imported from `fas
This `SecurityScopes` class is similar to `Request` (`Request` was used to get the request object directly).
```Python hl_lines="9 106"
```Python hl_lines="8 105"
{!../../../docs_src/security/tutorial005.py!}
```
@ -159,7 +159,7 @@ We create an `HTTPException` that we can re-use (`raise`) later at several point
In this exception, we include the scopes required (if any) as a string separated by spaces (using `scope_str`). We put that string containing the scopes in in the `WWW-Authenticate` header (this is part of the spec).
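Review bot: the context line contains a doubled word, "in in the `WWW-Authenticate` header"; since this file is being edited anyway, drop the extra "in". It would also help readers if "(this is part of the spec)" named the spec, i.e. the Bearer token specification (RFC 6750), which is where the space-separated `scope` attribute of the challenge is defined.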
@ -26,20 +26,29 @@ And after a week, the token will be expired and the user will not be authorized
If you want to play with JWT tokens and see how they work, check <ahref="https://jwt.io/"class="external-link"target="_blank">https://jwt.io</a>.
## Install `PyJWT`
## Install `python-jose`
We need to install `PyJWT` to generate and verify the JWT tokens in Python:
We need to install `python-jose` to generate and verify the JWT tokens in Python:
<divclass="termy">
```console
$ pip install pyjwt
$ pip install python-jose[cryptography]
---> 100%
```
</div>
<ahref="https://github.com/mpdavis/python-jose"class="external-link"target="_blank">Python-jose</a> requires a cryptographic backend as an extra.
Here we are using the recommended one: <ahref="http://cryptography.io/"class="external-link"target="_blank">pyca/cryptography</a>.
!!! tip
This tutorial previously used <ahref="https://pyjwt.readthedocs.io/"class="external-link"target="_blank">PyJWT</a>.
But it was updated to use Python-jose instead as it provides all the features from PyJWT plus some extras that you might need later when building integrations with other tools.
## Password hashing
"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.
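Review bot: the install command `pip install python-jose[cryptography]` fails in zsh (and any shell that expands `[...]` as a glob) with "no matches found"; quote it as `pip install "python-jose[cryptography]"` so the extras spec survives in every shell the reader might be using. Two smaller points in the same hunk: the backend link is plain `http://cryptography.io/` and should be `https://cryptography.io/`, particularly since this is the cryptographic backend the docs recommend, and the tip's "some extras that you might need later" would be more useful if it named them (python-jose adds JWS, JWE and JWK handling on top of plain JWT encode/decode).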
@ -100,7 +109,7 @@ And another utility to verify if a received password matches the hash stored.
And another one to authenticate and return a user.
@ -167,13 +176,13 @@ The JWT specification says that there's a key `sub`, with the subject of the tok
It's optional to use it, but that's where you would put the user's identification, so we are using it here.
JWT might be used for other things apart from identifying a user and allowing him to perform operations directly on your API.
JWT might be used for other things apart from identifying a user and allowing them to perform operations directly on your API.
For example, you could identify a "car" or a "blog post".
Then you could add permissions about that entity, like "drive" (for the car) or "edit" (for the blog).
And then, you could give that JWT token to a user (or bot), and he could use it to perform those actions (drive the car, or edit the blog post) without even needing to have an account, just with the JWT token your API generated for that.
And then, you could give that JWT token to a user (or bot), and they could use it to perform those actions (drive the car, or edit the blog post) without even needing to have an account, just with the JWT token your API generated for that.
Using these ideas, JWT can be used for way more sophisticated scenarios.
@ -247,7 +256,7 @@ Many packages that simplify it a lot have to make many compromises with the data
It gives you all the flexibility to choose the ones that fit your project the best.
And you can use directly many well maintained and widely used packages like `passlib` and `pyjwt`, because **FastAPI** doesn't require any complex mechanisms to integrate external packages.
And you can use directly many well maintained and widely used packages like `passlib` and `python-jose`, because **FastAPI** doesn't require any complex mechanisms to integrate external packages.
But it provides you the tools to simplify the process as much as possible without compromising flexibility, robustness, or security.