Introduction

Prerequisites

To follow this course, a learner should be familiar with the basics of the Python programming language, Django, and the Django REST framework.

Course goals

In this course, we’ll learn how to:

  • Register custom users using the Django REST API framework.
  • Send user activation emails after user registration.
  • Log in users using the Django REST API framework and Simple JWT.
  • Reset user passwords using the Django REST framework.

JSON web token

The JSON Web Token (JWT) is an authorization token that users provide when making requests to protected resources. It verifies that a user is who they say they are. In our case, we’ll use it to secure some of our endpoints. JWT has two types of tokens:

  • Access tokens: Used when making requests to protected views (views that require the user to be authenticated in order to access them).
  • Refresh tokens: Used to request a new access token.

Here is a sample JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjU1MjA3OTQ0LCJpYXQiOjE2NTUyMDc2NDQsImp0aSI6IjQxYjQ4ZGI2YTQ0ZTRhN2I4OTQ3ZjA2MTczMzFhMTM3IiwidXNlcl9pZCI6Mjl9.AVK8C2Qv9YZHcYMKsfcCAQjyhEz2I7Y_7Ebxq8pwE30

Both the access and refresh tokens have the same structure. They consist of three parts separated by dots.

As we can see from the token above:

  • The first part, also known as the header, stores the algorithm used to sign the token and the type of token.
  • The second part, also called the payload, holds the data carried in the token. In this case, we’ll use it to store the token_type, its expiration time, its time of issue, its unique identifier, and the ID of the user to whom it was issued.
  • The last part, the signature, is computed over the encoded header and the encoded payload, using a secret and the algorithm specified in the header.

JWT authentication flow

Once we’ve created a new user in Django, we’ll log them in. After that, they get an access token and a refresh token. This is similar to when an existing user logs in with the correct credentials. The access token has a relatively short lifespan (five minutes) compared to the refresh token, which lasts for 24 hours. Both lifespans can be adjusted.

When users try to access protected views (views that require the user to be authenticated in order to access them), they are required to provide the access token. If it has already expired, they can obtain a new access token using the refresh token, and then use it to access the protected views. This way, we keep our protected views safe.

In this course, we’ll use Simple JWT to accomplish this, which is a Django package that helps us integrate JWT authentication with our Django REST APIs.
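The following is an added example, not code from the course or from Simple JWT, that ties together the token structure described above and the authentication flow in this section. It decodes the sample token from the lesson (note that the header and payload are only base64url-encoded, so anyone holding a token can read them; only the signature protects them from modification), and then simulates login, access-token expiry and refresh with a minimal HS256 signer built on the Python standard library. The secret, the user ID and the timestamps are constructed values for illustration; the five-minute and 24-hour lifetimes are the ones stated in the lesson.

```python
# Added example (not the course's or Simple JWT's code): decode the lesson's
# sample JWT and simulate the access/refresh flow with a stdlib HS256 signer.
import base64
import hashlib
import hmac
import json
import uuid
from typing import Optional

# The sample token shown in the lesson text.
SAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNjU1MjA3OTQ0LCJpYXQiOjE2NTUyMDc2NDQs"
    "Imp0aSI6IjQxYjQ4ZGI2YTQ0ZTRhN2I4OTQ3ZjA2MTczMzFhMTM3IiwidXNlcl9pZCI6Mjl9."
    "AVK8C2Qv9YZHcYMKsfcCAQjyhEz2I7Y_7Ebxq8pwE30"
)

SECRET = b"constructed-demo-signing-key"  # constructed; a real app uses a long random secret
ACCESS_LIFETIME = 5 * 60          # five minutes, as stated in the lesson
REFRESH_LIFETIME = 24 * 60 * 60   # 24 hours, as stated in the lesson


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(token: str) -> dict:
    """Read header and payload WITHOUT verifying: they are encoded, not encrypted."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature_bytes": len(b64url_decode(signature_b64)),  # 32 for HMAC-SHA256
    }


def sign(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256 over the two encoded parts."""
    header = {"typ": "JWT", "alg": "HS256"}
    encoded = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(encoded)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, secret: bytes, expected_type: str, now: int) -> Optional[dict]:
    """Return the claims if the signature, token type and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("token_type") != expected_type or claims.get("exp", 0) <= now:
        return None
    return claims


def issue_pair(user_id: int, secret: bytes, now: int) -> dict:
    """What a successful login returns: a short-lived access and a long-lived refresh token."""
    def make(token_type: str, lifetime: int) -> str:
        claims = {"token_type": token_type, "exp": now + lifetime, "iat": now,
                  "jti": uuid.uuid4().hex, "user_id": user_id}
        return sign(claims, secret)
    return {"access": make("access", ACCESS_LIFETIME), "refresh": make("refresh", REFRESH_LIFETIME)}


def refresh_access(refresh_token: str, secret: bytes, now: int) -> Optional[str]:
    """Exchange a valid refresh token for a new access token."""
    claims = verify(refresh_token, secret, "refresh", now)
    return None if claims is None else issue_pair(claims["user_id"], secret, now)["access"]


def demo_flow(secret: bytes, login_time: int) -> bool:
    """Login -> access works -> access expires -> refresh -> new access works."""
    pair = issue_pair(29, secret, login_time)
    checks = [verify(pair["access"], secret, "access", login_time + 60) is not None]
    expired_at = login_time + ACCESS_LIFETIME + 1
    checks.append(verify(pair["access"], secret, "access", expired_at) is None)   # expired
    new_access = refresh_access(pair["refresh"], secret, expired_at)
    checks.append(new_access is not None and verify(new_access, secret, "access", expired_at)["user_id"] == 29)
    checks.append(verify(pair["refresh"], secret, "access", login_time) is None)  # wrong token type
    h, p, s = pair["access"].split(".")                                            # edited payload, old signature
    forged = json.loads(b64url_decode(p))
    forged["user_id"] = 1
    forged_p = b64url_encode(json.dumps(forged, separators=(",", ":")).encode())
    checks.append(verify(f"{h}.{forged_p}.{s}", secret, "access", login_time) is None)
    return all(checks)


if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_JWT), indent=2))
    print("flow ok:", demo_flow(SECRET, 1_700_000_000))
```

Running the script prints the sample token's header and payload in the clear (the exp and iat claims are 300 seconds apart, matching the five-minute access lifetime) and confirms that an expired or edited access token is rejected while a valid refresh token yields a new one. Simple JWT performs these same checks for you; the point here is to see what each of the three parts contributes.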

Advantages of using JWT over session-based authentication

  • Scalability: Unlike sessions, which are stored on the server, JWTs are stored on the client’s side, so the server does not have to keep and look up session state for every user, and many users can be served without delay.

  • Multiple device access: A single JWT can be used to access multiple servers, unlike sessions, where a session created on one server might not be available on the others.

Teaching methodology

Throughout the course, we have provided code samples followed by detailed explanations and code playgrounds to practice what we learn in each lesson. What we practice in the playgrounds will help us meet the objectives of each chapter.