Djangorestframework-simplejwt: no validation for Customizing token claims

Created on 23 May 2019  Â·  8Comments  Â·  Source: jazzband/djangorestframework-simplejwt

no need of Serializer for the custome token claims

class MyTokenObtainPairView(TokenObtainPairView): # serializer_class = MyTokenObtainPairSerializer print('check')
when i just call the view i got the acess token and refresh token,there is no need of security,
also i cant add any custom claim in Serializer.
class MyTokenObtainPairSerializer(TokenObtainPairSerializer): @classmethod def get_token(cls, user): token = super().get_token(user) token['name'] = user.first_name return token
it just return the token ,nothing my custom claim

Most helpful comment

Im found a solution, example on mainpage is wrong.

class TokenObtainSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        data = super().validate(attrs)

        refresh = self.get_token(self.user)

        data["refresh"] = str(refresh)
        data["access"] = str(refresh.access_token)

        data["ololo"] = "this is my custom data"

        return data

All 8 comments

Im found a solution, example on mainpage is wrong.

class TokenObtainSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        data = super().validate(attrs)

        refresh = self.get_token(self.user)

        data["refresh"] = str(refresh)
        data["access"] = str(refresh.access_token)

        data["ololo"] = "this is my custom data"

        return data

@psv-git it works,thanks bro.
@psv-git is it possible to authenticate user from another table.

@psv-git is it possible to authenticate user from another table.

You may override default user class like this:

class User(AbstractBaseUser, PermissionsMixin):

    username = models.CharField(_("username"), max_length=150, unique=True)
    password = models.CharField(_("password"), max_length=128, unique=False)
    ...

    objects = UserManager()

    USERNAME_FIELD = "username"
    REQUIRED_FIELDS = []

    class Meta:
        verbose_name = _("user")
        verbose_name_plural = _("users")
        db_table = "user"
        get_latest_by = "joined_date"

But it not full example. Detailed description you may found in google by "custom user django" keyword.

TokenObtainSerializer

Im found a solution, example on mainpage is wrong.

class TokenObtainSerializer(TokenObtainPairSerializer):

    def validate(self, attrs):
        data = super().validate(attrs)

        refresh = self.get_token(self.user)

        data["refresh"] = str(refresh)
        data["access"] = str(refresh.access_token)

        data["ololo"] = "this is my custom data"

        return data

Hi there, sorry to be dense, but I was working on extending the claims myself, and was only getting back the original access/refresh response, as you described.

Are you suggesting a code modification for the built-in TokenObtainSerializer class, or adding in your own subclass which inherits the above?

@jhouse-solvd

Hi there, sorry to be dense, but I was working on extending the claims myself, and was only getting back the original access/refresh response, as you described.

Are you suggesting a code modification for the built-in TokenObtainSerializer class, or adding in your own subclass which inherits the above?

If I understand your question correctly, I just inherite my own class by TokenObtainPairSerializer and override his "validate" method.

In this example I add only one string:

data["ololo"] = "this is my custom data"

Other code its a just copy-paste from original method.

Cool, thank you for the response and clarification.

With gratitude,
Jesse House · *Head of Products and Services*
E: [email protected] | M: 415.374.9562
slvd.io | Twitter https://twitter.com/slvdio

On Mon, Jun 24, 2019 at 2:51 PM PSV notifications@github.com wrote:

Hi there, sorry to be dense, but I was working on extending the claims
myself, and was only getting back the original access/refresh response, as
you described.

Are you suggesting a code modification for the built-in
TokenObtainSerializer class, or adding in your own subclass which inherits
the above?

If I understand your question correctly, I just inherite my own class by
TokenObtainPairSerializer and override his "validate" method.

In this example I add only one string:

data["ololo"] = "this is my custom data"

Other code its a just copy-paste from original method.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/davesque/django-rest-framework-simplejwt/issues/121?email_source=notifications&email_token=ALFI2ZCGGG7IRCH6FJM537TP4E6WPA5CNFSM4HO2UHB2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYOKY3Q#issuecomment-505195630,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ALFI2ZFHAONXC2WYMLIMIWLP4E6WPANCNFSM4HO2UHBQ
.

Man... this reaaally shoud be changed in the documentation. I wasted too much time trying to make the example in the docs works.

@psv-git Thank you!

The title is misleading as OP did not understand what a token claim is. What OP has shown is how to edit the returned data (i.e. add data to the JSON that is given to the user). A token claim is part of the payload of the token itself which only the server can edit in order to be properly decoded/encoded.

Just to show a little bit of education, visit the Wikipedia: https://en.wikipedia.org/wiki/JSON_Web_Token

A JWT is made up of a header, payload, and signature. The payload contains the token claims.

Was this page helpful?
0 / 5 - 0 ratings