Introduction
JSON Web Tokens (JWT) have become a popular method for handling authentication in web and mobile applications. Their compact, self-contained format allows securely transmitting identity data between parties.
In this comprehensive guide, you’ll learn how to work with JWT authentication in Python. We’ll cover:
- How JWTs work
- Generating tokens
- Validating tokens
- Refreshing tokens
- Best practices for production
We’ll also look at several Python libraries that simplify working with JWTs. By the end, you’ll have all the knowledge needed to implement token-based authentication in your Python projects.
JWT Authentication in Python
How JWT Works for Authentication
JWTs contain encoded JSON objects that are cryptographically signed and transmitted between clients and servers:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o
This payload contains the header, claims like user ID and name, and the signature.
The signature is generated by combining the header and claims with a secret key using a hashing algorithm like HMAC SHA-256. This allows verifying the message is authentic and not tampered.
The backend services use the same key to validate tokens received from the client. The tokens are compact and can be easily transmitted via HTTP headers or URL parameters.
Generating JWTs in Python using PyJWT library
The PyJWT library makes generating signed JWT tokens easy in Python.
Install it:
pip install pyjwtThen generate a signed token:
import jwt
payload = {
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
secret = 'mysecret'
token = jwt.encode(payload, secret, algorithm='HS256')The JWT is now ready to send back to the client.
We specify the hashing algorithm HS256 for HMAC-SHA256. Other supported algorithms are listed in PyJWT library docs.
The payload typically contains user ID, issued at timestamp, expiration time, and any other claims required. We sign this with the secret key to prevent tampering.
Validating JWT in Python
To validate a token, we simply decode it using the same secret key:
import jwt
token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0N...'
try:
payload = jwt.decode(token, 'mysecret', algorithms=['HS256'])
print(f"Valid token for user {payload['name']}")
except jwt.InvalidTokenError:
print("Invalid token")This will raise an error if the token is expired, malformed, or signature invalid.
We can also decode without verification to inspect the payload for debugging.
Refreshing JWT Tokens
JWTs should have short expiry times for security. The client can refresh the token by re-authenticating when it expires.
Set two claims – iat for issued at time and exp for expiration time.
The server can check exp and if expired, force the client to re-authenticate to get a new valid token.
JWT Best Practices for Production
When using JWT authentication in production, follow these practices:
- Use short expiry times (under 15 minutes)
- Transmit over HTTPS to encrypt in transit
- Store secret keys securely – never in code
- Revoke tokens on the server if feasible
- Encode only necessary user data to minimize exposure
This minimizes the attack surface. Proper key management is also critical for protecting signing keys.
Python Libraries for Working with JWT
Besides PyJWT, here are some other good Python libraries for JWT:
- python-jose – Supports JOSE standards like JWT and JWE for encryption.
- Authlib – Extensive framework with JWT support via python-jose.
- django-jwt – Helper for JWT auth in Django framework.
Each provides helper functions for token generation, signing, validation and more. Pick one suitable for your stack.
Conclusion
JWT provides a secure and lightweight approach to handle authentication in Python apps and APIs. By following the best practices outlined here, you can implement token-based auth that is production-ready.
Start using the many excellent Python JWT libraries to add robust authentication to your projects!
Frequently Asked Questions
Q: What’s the difference between symmetric (HMAC) and asymmetric (RSA) signing?
A: HMAC uses one secret key. RSA uses a public/private key pair allowing more security. But RSA is slower and has key management overhead.
Q: Where should the server secret keys be stored?
A: Never store secrets in code or repos. Use secure key management systems like AWS KMS, Hashicorp Vault, or environment variables.
Q: Is there a standard for where to transmit JWTs?
A: Not strictly, but Authorization header and cookies are recommended. URL query parameters should be avoided.
Q: Can JWT sessions be extended after issuing token?
A: No, that would break the integrity. The client must obtain a new refreshed token if they need longer validity.
Q: What’s a good JWT expiration time for security?
A: Experts recommend under 15 minutes. Issues can arise past 20-30 minutes. But adjust based on your threat model.
Q: Which hashing algorithms are considered secure?
A: HS256, HS512, RS256 and RS512 are considered secure. Avoid none and HS384.
Q: Are JWTs only for APIs?
A: JWT is useful for any application needing token auth between decoupled systems. But they excel for stateless API authentication.