Greetings,
In this tutorial, we are going to learn and write a JWT (JSON Web Token) Provider microservice with Django REST Framework.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. ~jwt.io

Project Setup

We have created a Django project named JWT_Wala_Service
The app name is jwt_wala.

First, add the app name jwt_wala in INSTALLED_APPS in settings.py. Don't forget to add rest_framework also

Creating the Access Token View

Now we need to create a view to provide an access token. We will use ViewSet for this project.
 

from rest_framework.viewsets import ViewSet
from rest_framework.response import Response
from rest_framework import status
from jwt_wala.utils import GenerateAccessTokenUtil


class AccessTokenView(ViewSet):
    def create(self, request):
        print("data = ", request.data)

        data = {
            "user_uuid": request.data["user_uuid"],
            "user_type": request.data["user_type"]
        }

        access_token = GenerateAccessTokenUtil\
        .access_token_generator(data)

        api_response = {
            "error": False,
            "message": "Access token",
            "access_token": access_token
        }

        return Response(
            api_response, 
            status=status.HTTP_200_OK
        )

We have a utility class to generate the token. You can see the GenerateAccessTokenUtil class.

Access Token Utility Class

Here is the Utility class:

import os
import jwt
import datetime
import json
from django.conf import settings


class GenerateAccessTokenUtil:
    @staticmethod
    def access_token_generator(data):

        access_token_payload = {
            "user_uuid": data['user_uuid'],
            "user_type": data['user_type'],
            "exp": datetime.datetime.utcnow() \
            + datetime.timedelta(days=5, minutes=10),
            "iat": datetime.datetime.utcnow()
        }

        access_token = jwt.encode(
            access_token_payload,
            settings.SECRET_KEY,
            algorithm="HS256"
        )

        return access_token

In the class, we have a function access_token_generator that takes the parameter data.

From the view you can see we have passed the data dictionary with user_uuid and user_type

The access_token_payload variable holds the data from data variable and exp and iat keys. The exp is the token expiration time and iat is the time of issued at. We have assigned the token expiration time for 5 days and 10 minutes from the issued time.

Now let's generate an access token by encoding the payload data.

Here we are going to use the HS256 Algorithm. You can also use other algorithms, such as RSA, ECDSA, etc.

After encoding the payload, we will get an access token and return that.
Now add this view to your urls.py and let's try with Postman.

Now we can get a response with access token. You can try to decode that token on jwt.io

Refresh Token Implementation

We can add another view and utility class for the refresh token.

The View class is the same as the access token class, but you just need to call the refresh token utility class method. Here is the utility class:

import os
import json
import jwt
import datetime
from django.conf import settings


class GenerateRefreshTokenUtil:
    @staticmethod
    def refresh_token_generator(data):

        payload = {
            "user_uuid": data["user_uuid"],
            "user_type": data["user_type"],
            "iat": datetime.datetime.utcnow(),
            "nbf": datetime.datetime.utcnow() \
            + datetime.timedelta(minutes=5),
            "exp": datetime.datetime.utcnow() \
            + datetime.timedelta(days=3, minutes=5)
        }

        refresh_token = jwt.encode(
            payload,
            settings.REFRESH_TOKEN_SECRET,
            algorithm="HS256"

        )
        return refresh_token

Here nbf stands for "not before". That is, the refresh token will not work before 5 minutes from the time it is created.

We used REFRESH_TOKEN_SECRET with the same value as Django SECRET_KEY in settings.py. You can use your own secret key or secret key pair if you need.

BONUS SECTION: Docker Containerization

We will containerize the project on Docker.

In this tutorial, we have written how to deploy this API to Docker.