
DRF: how to integrate django-rest-framework-jwt to Djoser

I am planning to build an application with Django Rest Framework. I'm more interested in using the Django-Rest-Framework-JWT authentication mechanism than the Session or Token authentication mechanisms.

But all the other packages like Django-Rest-Auth and Djoser (which help with the registration process) use the Session and Token authentication systems.

How do I override the Token authentication mechanism in Djoser or Django-Rest-Auth with Django-Rest-Framework-JWT?

nabeel asked Apr 29 '15 09:04



1 Answer

I know this question is almost a year old, but I just figured out how to get Djoser and django-rest-knox to play along and sure enough the same technique worked with djangorestframework-jwt as well. The trick is knowing that you can use Djoser's account endpoints without using its auth-related endpoints. You just have to put each library on its own endpoint.

Here's how I set up Django Rest Framework to use JWTs to log in and authenticate against Djoser endpoints (I'm going to take it from start to finish):

First, install djangorestframework-jwt and djoser:

pip install djangorestframework-jwt djoser

Specify that you want to use JWTs to authenticate by adding JSONWebTokenAuthentication to DEFAULT_AUTHENTICATION_CLASSES in your Django project's settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
    ),
}

Next, add djoser.urls and rest_framework_jwt's obtain_jwt_token view to your urls:

from django.conf.urls import url, include
from rest_framework_jwt import views as jwt_views

urlpatterns = [
    url(r'^account/', include('djoser.urls')),
    url(r'^auth/login/', jwt_views.obtain_jwt_token, name='auth'),
]

That should be everything you need to get started. Just to be safe, run a migrate (I spun up a brand-new instance of Django Rest Framework for this post and hadn't yet run the initial commits before this point):

python manage.py migrate

To test things out, create a new user if you don't already have one:

python manage.py createsuperuser

Once you have a user account, runserver and then try logging in to get your JWT:

http POST http://localhost:8000/auth/login/ username=admin password=password

You should get back a token:

{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"
}

You can then use this token to authenticate against Djoser's /me/ endpoint to get your profile information. Just include your token within your request's header as Authorization: JWT:

http http://localhost:8000/account/me/ "Authorization: JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9.JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM"

Here's what I got back:

{
    "email": "",
    "id": 2,
    "username": "admin"
}

As you can see, it's pretty easy to start using JWTs for authentication. My guess is that libraries like djoser and django-rest-auth focus on Basic, Session, or Token authentication because they're included out of the DRF box and thus are probably the most common method by which people authenticate calls against their server.

The beauty of all this is that it's easy to implement a more secure authentication scheme because Djoser isn't tightly coupled to its own authentication classes - it'll happily respect whatever you set for DEFAULT_AUTHENTICATION_CLASSES.

IAmKale answered Oct 25 '22 22:10
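
What the token returned by the login endpoint above actually carries, and what a server has to check before trusting it, shown as an added example that is not part of the answer or of djangorestframework-jwt's own code. It uses only the Python standard library; the function names and the secret used with them are constructed for illustration, and the library performs the equivalent verification for you on every request.

```python
import base64, hashlib, hmac, json, time

# Token copied from the login response in the answer above.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJleHAiOjE0NTg2ODI3MzYsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6IiIsInVzZXJfaWQiOjJ9."
              "JDoVCpfiE0uGhsv9OQfPgPc-wxjjQtcEjwAI6bTLWRM")

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_claims(token):
    """Decode header and payload WITHOUT verifying anything.
    The payload is only encoded, not encrypted: any holder can read it."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(payload, secret):
    """Build an HS256 token (hypothetical helper, used to make test input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_hs256(token, secret, now=None):
    """Return the claims only if alg, signature and exp all check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Pin the algorithm server-side; never let the token choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    print(read_claims(PAGE_TOKEN))  # readable without knowing any secret
```

Because the claims are readable by anyone who sees the token, keep sensitive data out of the payload and send the Authorization header only over TLS.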