Great video - please keep this kind of content coming. As someone trying to learn more advanced concepts in Python this kind of content is very welcome - even if I don't have a project where I need this exact technology right now. Subscribed and liked.
Very nicely explained... Great Content!!! Can you let me know if we use Django framework then in which of it's file should this jwt token be written, i mean in middleware or any custom file that is created??
Hi Ankita thank you so much for your kind words! The natural place for JWT validation is the middleware, so in Django I'd create a JWT validation middleware. That middleware would validate the JWT token, extract information from it (user ID, claims, etc.), and enrich the request object with this information so that your view functions/methods can use it to validate access to resources and so on. I have a video in which I explain how to do this for FastAPI (ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-C92mjEKUfNQ.html) but the approach in Django would be the same. Hope it helps!
Thanks for your question Luis (and btw apologies for answering so late to all your question!). The answer to this is a bit elaborate, but here's the basics: in a REST API you use the contents of the PEM file's public key. Typically, an authorization server has a collection of keys which it uses to sign the tokens. The keys are frequently rotated for security, and they're available to your API under a /.jwks (i.e. JSON Web Keys) endpoint. Each access token has a header with a kid property which is the ID of the key that was used to sign the token. Your API uses the kid to identify the key from the /.jwks endpoint that needs to be used to verify the token's signature. The /.jwks endpoint contains a raw url-encoded representation of each key, which you can load with Python's cryptography library. I hope the explanation helped? I talk about this in my book "Microservice APIs" and I'm planning to write a few posts on this topic and release more videos.
Hi Shyam thanks for your question! When you're validating a JWT, the sub property will be available directly in the validated payload. If you're generating a JWT yourself, the value for sub should be an identifier for the user - typically the user ID from your database. For security, you can encrypt that value to avoid exposing it
