Django GraphQL JWT Documentation

Release 0.3.1

mongkok

Apr 04, 2020

 Contents

1 Quickstart 3
1.1 Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Authentication 5
2.1 HTTP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Per-cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2.1 Delete Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Per-argument . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.3 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Decorators 9
3.1 @login_required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 @user_passes_test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 @permission_required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.4 @staff_member_required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.5 @superuser_required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Refresh token 13
4.1 Single token refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1.2 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 Long running refresh tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.1 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2.2 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2.3 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2.4 Per-cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.5 Unlimited refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.6 One time only use refresh token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.7 Clear refresh tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5 Customizing 17

i
6 Relay 19
6.1 Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.2 Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.2.1 Single token refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.2.2 Long running refresh tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.2.3 Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.3 Customizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

7 Signals 23
7.1 token_issued . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.2 token_refreshed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.3 refresh_token_rotated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.4 refresh_token_revoked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

8 Writing tests 25

9 Settings 27
9.1 PyJWT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.1.1 JWT_ALGORITHM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.1.2 JWT_AUDIENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.1.3 JWT_ISSUER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9.1.4 JWT_LEEWAY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.5 JWT_SECRET_KEY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.6 JWT_PUBLIC_KEY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.7 JWT_PRIVATE_KEY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.8 JWT_VERIFY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.9 JWT_ENCODE_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.10 JWT_DECODE_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.11 JWT_PAYLOAD_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
9.1.12 JWT_PAYLOAD_GET_USERNAME_HANDLER . . . . . . . . . . . . . . . . . . . . . . 29
9.1.13 JWT_GET_USER_BY_NATURAL_KEY_HANDLER . . . . . . . . . . . . . . . . . . . . 29
9.2 Token expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.2.1 JWT_VERIFY_EXPIRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.2.2 JWT_EXPIRATION_DELTA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.3 Refresh token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.3.1 JWT_ALLOW_REFRESH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.3.2 JWT_REFRESH_EXPIRATION_DELTA . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
9.3.3 JWT_LONG_RUNNING_REFRESH_TOKEN . . . . . . . . . . . . . . . . . . . . . . . . 29
9.3.4 JWT_REFRESH_TOKEN_MODEL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3.5 JWT_REFRESH_TOKEN_N_BYTES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3.6 JWT_REUSE_REFRESH_TOKENS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3.7 JWT_REFRESH_EXPIRED_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.3.8 JWT_GET_REFRESH_TOKEN_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.4 Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.4.1 JWT_ALLOW_ANY_HANDLER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.4.2 JWT_ALLOW_ANY_CLASSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
9.5 HTTP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.5.1 JWT_AUTH_HEADER_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.5.2 JWT_AUTH_HEADER_PREFIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.6 Per-argument . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.6.1 JWT_ALLOW_ARGUMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.6.2 JWT_ARGUMENT_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.7 Cookie authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.7.1 JWT_COOKIE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

ii
 9.7.2 JWT_REFRESH_TOKEN_COOKIE_NAME . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.7.3 JWT_COOKIE_SECURE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
9.7.4 JWT_COOKIE_PATH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
9.7.5 JWT_COOKIE_DOMAIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
9.7.6 JWT_HIDE_TOKEN_FIELDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
9.8 CSRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
9.8.1 JWT_CSRF_ROTATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

10 Changelog 33
10.1 0.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
10.2 0.3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
10.3 0.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
10.4 0.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
10.5 0.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
10.6 0.2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
10.7 0.1.14 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
10.8 0.1.13 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.9 0.1.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.10 0.1.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.11 0.1.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.12 0.1.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.13 0.1.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.14 0.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
10.15 0.1.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.16 0.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.17 0.1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.18 0.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.19 0.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.20 0.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.21 0.1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.22 0.0.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
10.23 0.0.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

11 Contributors 39
11.1 Credits and thanks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Index 41

iii
iv
 Django GraphQL JWT Documentation, Release 0.3.1

JSON Web Token authentication for Django GraphQL

Contents 1
Django GraphQL JWT Documentation, Release 0.3.1

2 Contents
 CHAPTER 1

Quickstart

1.1 Dependencies

• Python 3.4
• Django 1.11

1.2 Installation

Install last stable version v0.3.1 from Pypi:

pip install django-graphql-jwt

Add AuthenticationMiddleware middleware to your MIDDLEWARE settings:

MIDDLEWARE = [
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
...
]

Add JSONWebTokenMiddleware middleware to your GRAPHENE settings:

GRAPHENE = {
'SCHEMA': 'mysite.myschema.schema',
'MIDDLEWARE': [
'graphql_jwt.middleware.JSONWebTokenMiddleware',
],
}

Add JSONWebTokenBackend backend to your AUTHENTICATION_BACKENDS:

3
Django GraphQL JWT Documentation, Release 0.3.1

AUTHENTICATION_BACKENDS = [
'graphql_jwt.backends.JSONWebTokenBackend',
'django.contrib.auth.backends.ModelBackend',
]

1.3 Schema

Add mutations to the root schema:

import graphene
import graphql_jwt

class Mutation(graphene.ObjectType):
token_auth = graphql_jwt.ObtainJSONWebToken.Field()
verify_token = graphql_jwt.Verify.Field()
refresh_token = graphql_jwt.Refresh.Field()

schema = graphene.Schema(mutation=Mutation)

1.4 Queries

• tokenAuth to authenticate the user and obtain a JSON Web Token.

The mutation uses your User’s model USERNAME_FIELD, which by default is username:

mutation TokenAuth($username: String!, $password: String!) {

tokenAuth(username: $username, password: $password) {
token
payload
refreshExpiresIn
}
}

• verifyToken to validate the token and obtain the token payload:

mutation VerifyToken($token: String!) {

verifyToken(token: $token) {
payload
}
}

• refreshToken to obtain a brand new token with renewed expiration time:

Configure your refresh token scenario and set to True the JWT_VERIFY_EXPIRATION setting.

4 Chapter 1. Quickstart
 CHAPTER 2

Authentication

Django-graphql-jwt uses a Graphene middleware to hook the authenticated user into context object. The simple, raw
way to limit access to data is to check info.context.user.is_authenticated:

import graphene

class Query(graphene.ObjectType):
viewer = graphene.Field(UserType)

def resolve_viewer(self, info, **kwargs):

user = info.context.user
if not user.is_authenticated:
raise Exception('Authentication credentials were not provided')
return user

As a shortcut, you can use decorators for your resolvers and mutations.

2.1 HTTP header

Now in order to access protected API you must include the Authorization HTTP header:

POST / HTTP/1.1
Host: domake.io
Authorization: JWT <token>
Content-Type: application/json;

2.2 Per-cookie

When a token is requested and jwt_cookie decorator is set, the response will set the given cookie with the token
string:

5
Django GraphQL JWT Documentation, Release 0.3.1

from django.urls import path

from graphene_django.views import GraphQLView

from graphql_jwt.decorators import jwt_cookie

urlpatterns = [
path('graphql/', jwt_cookie(GraphQLView.as_view())),
]

If the jwt_cookie decorator is set, consider adding CSRF middleware 'django.middleware.csrf.

CsrfViewMiddleware' to provide protection against Cross Site Request Forgeries.
A cookie-based authentication does not require sending the tokens as a mutation input argument.

2.2.1 Delete Cookies

In order to prevent XSS (cross-site scripting) attacks, cookies have the HttpOnly flag set, so you cannot delete them
on the client-side. This package includes some mutations to delete the cookies on the server-side.
Add mutations to the root schema:
import graphene
import graphql_jwt

class Mutation(graphene.ObjectType):
delete_token_cookie = graphql_jwt.DeleteJSONWebTokenCookie.Field()

# Long running refresh tokens

delete_refresh_token_cookie = \
graphql_jwt.refresh_token.DeleteRefreshTokenCookie.Field()

schema = graphene.Schema(mutation=Mutation)

• deleteTokenCookie to delete the JWT cookie:

mutation {
deleteTokenCookie {
deleted
}
}

• deleteRefreshTokenCookie to delete JWT-refresh-token cookie for long running refresh tokens.

mutation {
deleteRefreshTokenCookie {
deleted
}
}

2.3 Per-argument

Another option to send the token is using an argument within the GraphQL query, being able to send a batch of queries
authenticated with different credentials.

6 Chapter 2. Authentication
 Django GraphQL JWT Documentation, Release 0.3.1

Django-graphql-jwt looks for the token in the list of arguments sent and if it does not exists, it looks for the token in
the HTTP header.

2.3.1 Settings

Enable the argument authentication in your settings:

GRAPHQL_JWT = {
'JWT_ALLOW_ARGUMENT': True,
}

2.3.2 Schema

Add the token argument in any of your fields using the same name defined in JWT_ARGUMENT_NAME setting:

import graphene
from graphql_jwt.decorators import login_required

class Query(graphene.ObjectType):
viewer = graphene.Field(UserType, token=graphene.String(required=True))

@login_required
def resolve_viewer(self, info, **kwargs):
return info.context.user

2.3.3 Queries

Send the token as another variable within the query:

query GetViewer($token: String!) {

viewer(token: $token) {
username
email
}
}

Authenticate using multiple credentials:

query GetUsers($tokenA: String!, $tokenB: String!) {

viewerA: viewer(token: $tokenA) {
username
email
}
viewerB: viewer(token: $tokenB) {
username
email
}
}

2.3. Per-argument 7
Django GraphQL JWT Documentation, Release 0.3.1

8 Chapter 2. Authentication
 CHAPTER 3

Decorators

3.1 @login_required

login_required = <function user_passes_test.<locals>.decorator>

As a shortcut, you can use the login_required() decorator:
import graphene
from graphql_jwt.decorators import login_required

class Query(graphene.ObjectType):
viewer = graphene.Field(UserType)

@login_required
def resolve_viewer(self, info, **kwargs):
return info.context.user

• If the user isn’t logged in, raise PermissionDenied exception.

• If the user is logged in, execute the function normally.

3.2 @user_passes_test

user_passes_test(test_func, exc=<class ’graphql_jwt.exceptions.PermissionDenied’>)

As a shortcut, you can use the convenient user_passes_test() decorator which raises a PermissionDenied
exception when the callable returns False:
from django.contrib.auth import get_user_model

import graphene
from graphql_jwt.decorators import user_passes_test
(continues on next page)

9
Django GraphQL JWT Documentation, Release 0.3.1

(continued from previous page)

class Query(graphene.ObjectType):
users = graphene.List(UserType)

@user_passes_test(lambda user: user.email.contains('@staff'))

def resolve_users(self, info, **kwargs):
return get_user_model().objects.all()

user_passes_test() takes a required argument: a callable that takes a User object and returns True if the user
is allowed to perform the action. Note that user_passes_test() does not automatically check that the User is
not anonymous.

3.3 @permission_required

permission_required(perm)
Decorator to check whether a user has a particular permission.
Just like the has_perm() method, permission names take the form:

<app-label>.<permission-codename>

The decorator may also take an iterable of permissions, in which case the user must have all of the permissions in
order to access the resolver or mutation:

import graphene
from graphql_jwt.decorators import permission_required

class UpdateUser(graphene.Mutation):

class Arguments:
user_id = graphene.Int()

@classmethod
@permission_required('auth.change_user')
def mutate(cls, root, info, user_id):
...

3.4 @staff_member_required

staff_member_required = <function user_passes_test.<locals>.decorator>

A resolver or mutation decorated with this function will having the following behavior:
If the user is a staff member (User.is_staff=True), execute the function normally.
Otherwise, the PermissionDenied exception will be raised:

from django.contrib.auth import get_user_model

import graphene
from graphql_jwt.decorators import staff_member_required
(continues on next page)

10 Chapter 3. Decorators
 Django GraphQL JWT Documentation, Release 0.3.1

(continued from previous page)

class Query(graphene.ObjectType):
users = graphene.List(UserType)

@staff_member_required
def resolve_users(self, info, **kwargs):
return get_user_model().objects.all()

3.5 @superuser_required

superuser_required = <function user_passes_test.<locals>.decorator>

A resolver or mutation decorated with this function will having the following behavior:
If the user is superuser (User.is_superuser=True), execute the function normally.
Otherwise, the PermissionDenied exception will be raised:

import graphene
from graphql_jwt.decorators import superuser_required

class DeleteUser(graphene.Mutation):

class Arguments:
user_id = graphene.Int()

@classmethod
@superuser_required
def mutate(cls, root, info, user_id):
...

3.5. @superuser_required 11
Django GraphQL JWT Documentation, Release 0.3.1

12 Chapter 3. Decorators
 CHAPTER 4

Refresh token

This package supports two refresh methods:

• Single token refresh (by default)
• Long running refresh tokens

4.1 Single token refresh

4.1.1 Settings

GRAPHQL_JWT = {
'JWT_VERIFY_EXPIRATION': True,
'JWT_EXPIRATION_DELTA': timedelta(minutes=5),
'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=7),
}

It means that you need to refresh every 5 mins (payload.exp) and even you keep on refreshing token every 5 mins,
you will still be logout in 7 days after the first token has been issued (refreshExpiresIn).

4.1.2 Queries

• refreshToken to obtain a brand new token with renewed expiration time for non-expired tokens:

mutation RefreshToken($token: String!) {

refreshToken(token: $token) {
token
payload
refreshExpiresIn
}
}

13
Django GraphQL JWT Documentation, Release 0.3.1

Refresh and keeping tokens alive

Refresh after 4 minutes. . .

1. Token issued

exp = orig_iat + JWT_EXPIRATION_DELTA (payload.exp)

refreshToken (t): exp = t + JWT_EXPIRATION_DELTA

2. Signature expiration (login is required)

when: t = exp
exp = refresh_at + JWT_EXPIRATION_DELTA
verifyToken (t): error! if JWT_VERIFY_EXPIRATION=true

3. Refresh expiration

when: t = orig_iat + JWT_REFRESH_EXPIRATION_DELTA (refreshExpiresIn)

refreshToken (t): error!

4.2 Long running refresh tokens

Refresh tokens stored on database.

Add graphql_jwt.refresh_token to your INSTALLED_APPS:

INSTALLED_APPS = [
...
'graphql_jwt.refresh_token.apps.RefreshTokenConfig',
...
]

14 Chapter 4. Refresh token

 Django GraphQL JWT Documentation, Release 0.3.1

4.2.1 Settings

GRAPHQL_JWT = {
'JWT_VERIFY_EXPIRATION': True,
'JWT_LONG_RUNNING_REFRESH_TOKEN': True,
'JWT_EXPIRATION_DELTA': timedelta(minutes=5),
'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=7),
}

It means that you need to refresh every 5 mins (payload.exp) and you need to replace your refresh token in 7 days
after it has been issued (refreshExpiresIn).

4.2.2 Schema

Add mutations to the root schema:

import graphene
import graphql_jwt

class Mutation(graphene.ObjectType):
token_auth = graphql_jwt.ObtainJSONWebToken.Field()
verify_token = graphql_jwt.Verify.Field()
refresh_token = graphql_jwt.Refresh.Field()
revoke_token = graphql_jwt.Revoke.Field()

schema = graphene.Schema(mutation=Mutation)

4.2.3 Queries

• tokenAuth to authenticate the user and obtain a JSON Web Token and Refresh Token:

mutation TokenAuth($username: String!, $password: String!) {

tokenAuth(username: $username, password: $password) {
token
payload
refreshToken
refreshExpiresIn
}
}

• refreshToken to refresh your token, using the refreshToken you already got during authorization:

mutation RefreshToken($refreshToken: String!) {

refreshToken(refreshToken: $refreshToken) {
token
payload
refreshToken
refreshExpiresIn
}
}

• revokeToken to revoke a valid refreshToken. The invalidation takes place immediately, and the
refreshToken cannot be used again after the revocation:

4.2. Long running refresh tokens 15

Django GraphQL JWT Documentation, Release 0.3.1

mutation RevokeToken($refreshToken: String!) {

revokeToken(refreshToken: $refreshToken) {
revoked
}
}

4.2.4 Per-cookie

When a refresh token is requested and jwt_cookie decorator is set, the response will set the given cookie with the
refresh token string.

4.2.5 Unlimited refresh

Configure the JWT_REFRESH_EXPIRED_HANDLER setting that checks if the refresh token is expired:

GRAPHQL_JWT = {
'JWT_VERIFY_EXPIRATION': True,
'JWT_LONG_RUNNING_REFRESH_TOKEN': True,
'JWT_REFRESH_EXPIRED_HANDLER': lambda orig_iat, context: False,
}

4.2.6 One time only use refresh token

Automatically revoke a refresh token after it has been used:

from django.dispatch import receiver

from graphql_jwt.refresh_token.signals import refresh_token_rotated

@receiver(refresh_token_rotated)
def revoke_refresh_token(sender, request, refresh_token, **kwargs):
refresh_token.revoke(request)

4.2.7 Clear refresh tokens

Command.handle(expired, *args, **options)

The actual logic of the command. Subclasses must implement this method.
Delete revoked refresh tokens with cleartokens command.

$ python manage.py cleartokens --help

usage: cleartokens [--expired]

optional arguments:
--expired Clears expired tokens

The --expired argument allows the user to remove those refresh tokens whose lifetime is greater than the amount
specified by JWT_REFRESH_EXPIRATION_DELTA setting.

16 Chapter 4. Refresh token

 CHAPTER 5

Customizing

If you want to customize the ObtainJSONWebToken behavior, you’ll need to customize the resolve() method
on a subclass of:
class JSONWebTokenMutation(*args, **kwargs)

import graphene
import graphql_jwt

class ObtainJSONWebToken(graphql_jwt.JSONWebTokenMutation):
user = graphene.Field(UserType)

@classmethod
def resolve(cls, root, info, **kwargs):
return cls(user=info.context.user)

Authenticate the user and obtain a JSON Web Token and the user id:

mutation TokenAuth($username: String!, $password: String!) {

tokenAuth(username: $username, password: $password) {
token
payload
user {
id
}
}
}

17
Django GraphQL JWT Documentation, Release 0.3.1

18 Chapter 5. Customizing
 CHAPTER 6

Relay

Complete support for Relay.

6.1 Schema

Add mutations to the root schema:

import graphene
import graphql_jwt

class Mutation(graphene.ObjectType):
token_auth = graphql_jwt.relay.ObtainJSONWebToken.Field()
verify_token = graphql_jwt.relay.Verify.Field()
refresh_token = graphql_jwt.relay.Refresh.Field()
delete_token_cookie = graphql_jwt.relay.DeleteJSONWebTokenCookie.Field()

# Long running refresh tokens

revoke_token = graphql_jwt.relay.Revoke.Field()

delete_refresh_token_cookie = \
graphql_jwt.refresh_token.relay.DeleteRefreshTokenCookie.Field()

schema = graphene.Schema(mutation=Mutation)

6.2 Queries

Relay mutations only accepts one argument named input.

• tokenAuth to authenticate the user and obtain a JSON Web Token:

19
Django GraphQL JWT Documentation, Release 0.3.1

mutation TokenAuth($username: String!, $password: String!) {

tokenAuth(input: {username: $username, password: $password}) {
token
payload
refreshExpiresIn
}
}

• verifyToken to validate the token and obtain the token payload:

mutation VerifyToken($token: String!) {

verifyToken(input: {token: $token}) {
payload
}
}

6.2.1 Single token refresh

• refreshToken to obtain a brand new token with renewed expiration time for non-expired tokens:

mutation RefreshToken($token: String!) {

refreshToken(input: {token: $token}) {
token
payload
refreshExpiresIn
}
}

6.2.2 Long running refresh tokens

• refreshToken to refresh your token, using the refreshToken you already got during authorization:

mutation RefreshToken($refreshToken: String!) {

refreshToken(input: {refreshToken: $refreshToken}) {
token
payload
refreshToken
refreshExpiresIn
}
}

• revokeToken to revoke a valid refreshToken. The invalidation takes place immediately, and the
refreshToken cannot be used again after the revocation:

mutation RevokeToken($refreshToken: String!) {

revokeToken(input: {refreshToken: $refreshToken}) {
revoked
}
}

6.2.3 Cookies

• deleteTokenCookie to delete the JWT cookie:

20 Chapter 6. Relay
 Django GraphQL JWT Documentation, Release 0.3.1

mutation {
deleteTokenCookie(input: {}) {
deleted
}
}

• deleteRefreshTokenCookie to delete JWT-refresh-token cookie for long running refresh tokens.

mutation {
deleteRefreshTokenCookie(input: {}) {
deleted
}
}

6.3 Customizing

If you want to customize the ObtainJSONWebToken behavior, you’ll need to customize the resolve() method
on a subclass of:
class JSONWebTokenMutation(*args, **kwargs)

import graphene
import graphql_jwt

class ObtainJSONWebToken(graphql_jwt.relay.JSONWebTokenMutation):
user = graphene.Field(UserType)

@classmethod
def resolve(cls, root, info, **kwargs):
return cls(user=info.context.user)

Authenticate the user and obtain a JSON Web Token and the user id:

mutation TokenAuth($username: String!, $password: String!) {

tokenAuth(input: {username: $username, password: $password}) {
token
payload
refreshExpiresIn
user {
id
}
}
}

6.3. Customizing 21
Django GraphQL JWT Documentation, Release 0.3.1

22 Chapter 6. Relay
 CHAPTER 7

Signals

django-graphql-jwt uses the following signals:

7.1 token_issued

Sent when a user authenticates successfully.

Arguments sent with this signal:
• sender: The class of the Graphene’s mutation.
• request: The current HttpRequest instance.
• user: The user instance that just authenticated.

7.2 token_refreshed

Sent when a single token has been refreshed.

Arguments sent with this signal:
• sender: The class of the Graphene’s mutation.
• request: The current HttpRequest instance.
• user: The user instance that just refreshed a single token.

7.3 refresh_token_rotated

Sent when a long running refresh token has been rotated.

Arguments sent with this signal:

23
Django GraphQL JWT Documentation, Release 0.3.1

• sender: The class of the refresh_token that just rotated.

• request: The current HttpRequest instance.
• refresh_token: The old RefreshToken instance that just rotated.
• refresh_token_issued: The new RefreshToken instance issued.

7.4 refresh_token_revoked

Sent when a long running refresh token has been revoked.

Arguments sent with this signal:
• sender: The class of the refresh_token that just revoked.
• request: The current HttpRequest instance.
• refresh_token: The RefreshToken instance that just revoked.

24 Chapter 7. Signals
 CHAPTER 8

Writing tests

class JSONWebTokenTestCase(methodName=’runTest’)
This package includes a subclass of unittest.TestCase and improve support for making GraphQL queries using JSON
Web Token authentication:

from django.contrib.auth import get_user_model

from graphql_jwt.testcases import JSONWebTokenTestCase

class UsersTests(JSONWebTokenTestCase):

def setUp(self):
self.user = get_user_model().objects.create(username='test')
self.client.authenticate(self.user)

def test_get_user(self):
query = '''
query GetUser($username: String!) {
user(username: $username) {
id
}
}'''

variables = {
'username': self.user.username,
}

self.client.execute(query, variables)

25
Django GraphQL JWT Documentation, Release 0.3.1

26 Chapter 8. Writing tests

 CHAPTER 9

Settings

Django-graphql-jwt reads your configuration from a single Django setting named GRAPHQL_JWT:

GRAPHQL_JWT = {
'JWT_VERIFY_EXPIRATION': True,
'JWT_EXPIRATION_DELTA': timedelta(minutes=10),
}

Here’s a list of settings available in django-graphql-jwt and their default values:

9.1 PyJWT

9.1.1 JWT_ALGORITHM

Algorithm for cryptographic signing

Default: 'HS256'

9.1.2 JWT_AUDIENCE

Identifies the recipients that the JWT is intended for

Default: None

9.1.3 JWT_ISSUER

Identifies the principal that issued the JWT

Default: None

27
Django GraphQL JWT Documentation, Release 0.3.1

9.1.4 JWT_LEEWAY

Validate an expiration time which is in the past but not very far
Default: timedelta(seconds=0)

9.1.5 JWT_SECRET_KEY

The secret key used to sign the JWT

Default: settings.SECRET_KEY

9.1.6 JWT_PUBLIC_KEY

The RSA public key for RS256, RS384 or RS512 asymmetric algorithms. JWT_SECRET_KEY setting
will be ignored
Default: None

9.1.7 JWT_PRIVATE_KEY

The RSA private key for RS256, RS384 or RS512 asymmetric algorithms. JWT_SECRET_KEY setting
will be ignored
Default: None

9.1.8 JWT_VERIFY

Secret key verification

Default: True

9.1.9 JWT_ENCODE_HANDLER

A custom function to encode the token

jwt_encode(payload, context=None)

9.1.10 JWT_DECODE_HANDLER

A custom function to decode the token

jwt_decode(token, context=None)

9.1.11 JWT_PAYLOAD_HANDLER

A custom function to generate the token payload

jwt_payload(user, context=None)

28 Chapter 9. Settings
 Django GraphQL JWT Documentation, Release 0.3.1

9.1.12 JWT_PAYLOAD_GET_USERNAME_HANDLER

A custom function to obtain the username:

lambda payload: payload.get(get_user_model().USERNAME_FIELD)

9.1.13 JWT_GET_USER_BY_NATURAL_KEY_HANDLER

A custom function to get User object from username

get_user_by_natural_key(username)

9.2 Token expiration

9.2.1 JWT_VERIFY_EXPIRATION

Expiration time verification

Default: False

9.2.2 JWT_EXPIRATION_DELTA

Timedelta added to utcnow() to set the expiration time

Default: timedelta(minutes=5)

9.3 Refresh token

9.3.1 JWT_ALLOW_REFRESH

Enable token refresh

Default: True

9.3.2 JWT_REFRESH_EXPIRATION_DELTA

Limit on token refresh

Default: timedelta(days=7)

9.3.3 JWT_LONG_RUNNING_REFRESH_TOKEN

Enable long time running refresh token

Default: False

9.2. Token expiration 29

Django GraphQL JWT Documentation, Release 0.3.1

9.3.4 JWT_REFRESH_TOKEN_MODEL

The model to use to represent a refresh token

class RefreshToken(*args, **kwargs)
RefreshToken default model

9.3.5 JWT_REFRESH_TOKEN_N_BYTES

Long running refresh token number of bytes

Default: 20

9.3.6 JWT_REUSE_REFRESH_TOKENS

Reuse the long running refreshed token instead of generating a new one
Default: False

9.3.7 JWT_REFRESH_EXPIRED_HANDLER

A custom function to determine if refresh has expired

refresh_has_expired(orig_iat, context=None)

9.3.8 JWT_GET_REFRESH_TOKEN_HANDLER

A custom function to retrieve a long time refresh token instance

get_refresh_token_by_model(refresh_token_model, token, context=None)

9.4 Permissions

9.4.1 JWT_ALLOW_ANY_HANDLER

A custom function to determine the non-authentication per-field

allow_any(info, **kwargs)

9.4.2 JWT_ALLOW_ANY_CLASSES

A list or tuple of Graphene classes that do not need authentication

Default: ()

30 Chapter 9. Settings
 Django GraphQL JWT Documentation, Release 0.3.1

9.5 HTTP header

9.5.1 JWT_AUTH_HEADER_NAME

Authorization header name

Default: 'HTTP_AUTHORIZATION'

9.5.2 JWT_AUTH_HEADER_PREFIX

Authorization header prefix

Default: 'JWT'

9.6 Per-argument

9.6.1 JWT_ALLOW_ARGUMENT

Allow per-argument authentication system

Default: False

9.6.2 JWT_ARGUMENT_NAME

Argument name for per-argument authentication system

Default: 'token'

9.7 Cookie authentication

9.7.1 JWT_COOKIE_NAME

The name of the cookie when HTTP cookies are used as a valid transport for the token
Default: 'JWT'

9.7.2 JWT_REFRESH_TOKEN_COOKIE_NAME

The name of the cookie when HTTP cookies are used as a valid transport for the refresh token
Default: 'JWT-refresh-token'

9.7.3 JWT_COOKIE_SECURE

Whether to use a secure cookie for the JWT cookie. If this is set to True, the cookie will be marked as
“secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection
Default: False

9.5. HTTP header 31

Django GraphQL JWT Documentation, Release 0.3.1

9.7.4 JWT_COOKIE_PATH

Document location for the cookie

Default: '/'

9.7.5 JWT_COOKIE_DOMAIN

Use domain if you want to set a cross-domain cookie

Default: None

9.7.6 JWT_HIDE_TOKEN_FIELDS

For cookie-based authentications, remove the token fields from the GraphQL schema in order to prevent
XSS exploitation
Default: False

9.8 CSRF

9.8.1 JWT_CSRF_ROTATION

Rotate CSRF tokens each time a token or refresh token is issued

Default: False

32 Chapter 9. Settings
 CHAPTER 10

Changelog

10.1 0.3.1

• Set JWT-refresh-token cookie on tokenAuth mutation

• Read token/refresh-token from cookies (TokenAuth, Refresh, Verify and Revoke mutations)
• Add refreshExpiredIn field
• Add token payload to tokenAuth mutation
• Add DeleteJSONWebTokenCookie and DeleteRefreshTokenCookie mutations
• Add JWT_REUSE_REFRESH_TOKENS setting in order to reuse the refresh token instances
• Add JWT_HIDE_TOKEN_FIELDS setting (prevent XSS exploitation)
• Add JWT_CSRF_ROTATION setting
• Add JWT_COOKIE_PATH and JWT_COOKIE_DOMAIN settings
• Removed ugettext in favor of gettext

10.2 0.3.0

• Added Django 3.0 support

• Removed Python 2.7 support

10.3 0.2.3

• Fixed refresh_token cookie

• Added middleware method to SchemaRequestFactory

33
Django GraphQL JWT Documentation, Release 0.3.1

• Added arabic, french and portuguese translations

10.4 0.2.2

• Removed DjangoMiddleware
• Added dutch and french locales
• Added JWT Refresh token cookie
• Added signals
• Added JWT_GET_USER_BY_NATURAL_KEY_HANDLER

10.5 0.2.1

• Added JWT cookie authentication

• Added refresh_token_lazy
• Fixed RefreshToken related name
• WARNING: Added kwargs argument to JSONWebTokenMutation.resolve()
• Fixed @context decorator to determine the info argument
• Added _cached_token to refresh token instances to allow hashed tokens
• Added JWT_GET_REFRESH_TOKEN_HANDLER setting variable
• Improved argument authentication using multiple credentials
• Added execute method to SchemaTestCase
• Added graphql_jwt classes to JWT_ALLOW_ANY_CLASSES
• Added @superuser_required decorator

10.6 0.2.0

• Added Graphene middleware

• Added JWT_ALLOW_ANY_HANDLER setting
• Added Per-argument authentication
• Added JSONWebTokenExpired exception
• Included Sphinx documentation
• Renamed JWT_AUTH_HEADER to JWT_AUTH_HEADER_NAME

10.7 0.1.14

• Added long running refresh tokens

• Renamed orig_iat to origIat

34 Chapter 10. Changelog

 Django GraphQL JWT Documentation, Release 0.3.1

• Added request argument to get_user_by_token

10.8 0.1.13

• Added unittest subclasses for writing tests

• Renamed GraphQLJWTError to JSONWebTokenError

10.9 0.1.12

• Fixed context.META attribute

10.10 0.1.11

• Removed environment settings variables

• Added JWT_AUTH_HEADER setting
• Added JWT_PAYLOAD_GET_USERNAME_HANDLER setting
• Fixed TokenAuth mutation when user is already authenticated

10.11 0.1.10

• Added JWTSettings
• Added jwt-handlers to settings
• Added context argument to jwt-handlers

10.12 0.1.9

• Included auth decorators

10.13 0.1.8

• Added old style middleware support

10.14 0.1.7

• Added anonymous-hyperlink

10.8. 0.1.13 35
Django GraphQL JWT Documentation, Release 0.3.1

10.15 0.1.6

• Added Python 2.7 support

10.16 0.1.5

• Removed login() usage

• Renamed do_auth() to resolve()

10.17 0.1.4

• Renamed JWTMiddleware to JSONWebTokenMiddleware

• Renamed JWTBackend to JSONWebTokenBackend
• ObtainJSONWebToken mutation
• Customizing, JSONWebTokenMutation abstract class

10.18 0.1.3

• Complete support for Relay

10.19 0.1.2

• Shortcuts, get_token
• Modified Refresh output fields
• Updated README, don’t include the token as a UserType field

10.20 0.1.1

• Fixed rst paragraphs blocks

10.21 0.1.0

• Fixed ‘es’ locale directory

• Removed JWT_VERIFY_REFRESH_EXPIRATION
• JWT_LEEWAY timedelta type
• 100% coverage
• A pretty README
• Support Python 3.7

36 Chapter 10. Changelog

 Django GraphQL JWT Documentation, Release 0.3.1

10.22 0.0.2

• Fixed auth backend missing token

10.23 0.0.1

• xin chào!

10.22. 0.0.2 37
Django GraphQL JWT Documentation, Release 0.3.1

38 Chapter 10. Changelog

 CHAPTER 11

Contributors

• Dani, @mongkok
• Lennart Kerkvliet, @lennartkerkvliet
• Abdullah Hilson, @abumalick
• Vaibhav Shelke, @vshelke
• Kleber Soares, @klebercode
• @jxltom
• Sultan Iman, @imanhodjaev
• Øyvind Saltvik, @fivethreeo
• William Mai, @wmai
• Víðir Valberg Guðmundsson, @valberg
• Patryk, @patryk-tech
• Christian González, @nerdoc
• @mr-asher
• Florian Schade, @fschade
• Aaron Boman @frenchtoast747
• Colton Hicks @coltonbh
• Jarosław Wygoda, @jwygoda
• Kamil Rykowski, @vintage
• @mtszsobczak
• Lasse Steffen @lassesteffen
• @TitanFighter

39
Django GraphQL JWT Documentation, Release 0.3.1

11.1 Credits and thanks

• @jpadilla / django-rest-framework-jwt
• @jonatasbaldin / howtographql

40 Chapter 11. Contributors

 Index

A superuser_required (in module

allow_any() (in module graphql_jwt.middleware), 30 graphql_jwt.decorators), 11

G U
get_refresh_token_by_model() (in module user_passes_test() (in module
graphql_jwt.refresh_token.utils), 30 graphql_jwt.decorators), 9
get_user_by_natural_key() (in module
graphql_jwt.utils), 29

H
handle() (Command method), 16

J
JSONWebTokenMutation (class in graphql_jwt), 17
JSONWebTokenMutation (class in
graphql_jwt.relay), 21
JSONWebTokenTestCase (class in
graphql_jwt.testcases), 25
jwt_decode() (in module graphql_jwt.utils), 28
jwt_encode() (in module graphql_jwt.utils), 28
jwt_payload() (in module graphql_jwt.utils), 28

L
login_required (in module
graphql_jwt.decorators), 9

P
permission_required() (in module
graphql_jwt.decorators), 10

R
refresh_has_expired() (in module
graphql_jwt.utils), 30
RefreshToken (class in
graphql_jwt.refresh_token.models), 30

S
staff_member_required (in module
graphql_jwt.decorators), 10

41