
auth0 Django API tutorial relies on unmaintained djangorestframework-jwt #28

Closed
jrsmartyn opened this issue Jul 24, 2020 · 3 comments
Labels
closed:stale Issue or PR has not seen activity recently

Comments

@jrsmartyn

jrsmartyn commented Jul 24, 2020

Issue #21 was marked as stale and closed due to a lack of comment. Since then, there has been a discussion on GitHub from the maintainer on the use of djangorestframework-jwt. See the GitHub page and specifically issue #484 for details.

The maintainer and Django now recommend the use of SimpleJWT instead of the now unmaintained (and last committed to in 2017) drf-jwt.

All Django-based tutorials from auth0 (including this one) rely on the currently unmaintained drf-jwt. As this is used in the final step of authentication, it leaves those who follow these tutorials open to security issues.

There has been further discussion of this issue in the auth0 community from back in Nov, 2019. However, this discussion has since been marked as closed. There is a mention from one user in the thread who seems to have successfully implemented SimpleJWT, but no link to his solution.

I have followed his idea of modifying drf-simplejwt's source code with an auth0decode method that follows the methods used with drf-jwt in the auth0 Django API tutorial (see jwt_decode_token(token)). Specifically, modifying the backends.py with this method and then calling it in the constructor function of the Token class in tokens.py successfully passes the token with SimpleJWT. However, I have been unable to figure out how to perform the server authentication step, as is done with the settings.py (and utils.py) files in this tutorial (relying on the unmaintained drf-jwt package, with settings given by JWT_AUTH):

from django.contrib.auth import authenticate


def jwt_get_username_from_payload_handler(payload):
    # Auth0 subjects look like "auth0|<id>"; '|' is not a valid Django username
    # character, so it is mapped to '.' before the user is looked up.
    username = payload.get('sub').replace('|', '.')
    # With RemoteUserBackend configured, this creates the Django user on first login.
    authenticate(remote_user=username)
    return username


JWT_AUTH = {
    'JWT_PAYLOAD_GET_USERNAME_HANDLER':
        jwt_get_username_from_payload_handler,
    [...]
}

I'll re-open this as an outstanding issue with this tutorial in hopes that it may be prioritized for your team. If anyone has a workable solution for implementing SimpleJWT, please comment!

For further review, here are 2 other relevant discussions hosted on the SimpleJWT GitHub page:
User ID Method Handling (#169)
Verifying audience and issuer claims (#38)
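A stdlib-only illustration of the server-side claim checks that belong in front of the tutorial's username handler, whichever JWT library verifies the signature (added example, not the tutorial's or SimpleJWT's code; issuer and audience values are placeholders, sample claims are constructed):

```python
import time

# Placeholders; the real values come from the Auth0 tenant and API settings.
AUTH0_ISSUER = "https://example-tenant.auth0.com/"
API_AUDIENCE = "https://api.example.com"


class ClaimError(ValueError):
    """Raised when a signature-verified token's claims do not fit this API."""


def username_from_claims(claims, issuer=AUTH0_ISSUER, audience=API_AUDIENCE,
                         now=None, leeway=0):
    """Return the Django username for an Auth0 access token's claims.

    Assumes the signature has already been verified by the JWT library.
    A valid signature alone does not prove the token was issued by our
    tenant, for this API, or is still within its validity window.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ClaimError("wrong issuer")
    # RFC 7519: 'aud' may be a single string or a list of strings.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        raise ClaimError("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ClaimError("token expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise ClaimError("token not yet valid")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ClaimError("missing subject")
    # Same mapping as the tutorial handler: "auth0|abc" -> "auth0.abc",
    # because '|' is not accepted in Django usernames.
    return sub.replace("|", ".")


# Constructed sample claims in the shape Auth0 puts in an access token.
SAMPLE_CLAIMS = {
    "iss": AUTH0_ISSUER,
    "sub": "auth0|5f1a2b3c4d5e6f",
    "aud": [API_AUDIENCE, AUTH0_ISSUER + "userinfo"],
    "iat": 1_595_548_800,
    "exp": 1_595_635_200,
}
```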

@stale

stale bot commented Oct 22, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale Issue or PR has not seen activity recently label Oct 22, 2020
@stale stale bot closed this as completed Oct 29, 2020
@naquiroz

Hi, I'm looking into this, but I haven't found any proper solution. Did you manage to implement auth0 using this library?

@andylamp

andylamp commented Dec 8, 2021

Why is this issue closed...? As far as I understand, this has not been resolved...
