marmo
marmo2mo ago

passing jwt secrets between django app and windmill via api

Hey all, I am trying to securely pass bearer tokens between my Django app and Windmill to authenticate API calls and create a hashed payload for data exchange. In my Django app I am using python-jwt (import jwt). This doesn't seem to be compatible within Windmill. Since jwt doesn't seem to be supported in Windmill, I tried creating a custom encode_jwt function in Windmill using hmac, hashlib, and base64 to match Django's HS256 encoded JWTs. Despite this, the tokens still aren't matching up as expected. I know in the documentation there are specifics that need to be passed from the Windmill side in the payload; I do have those listed as part of the payload, referencing this doc. Is there a better way to do this? I can do it in params if needed... After narrowing down, I think this might have to do with my middleware and how it's authorizing the callback from Windmill to my Django app. Maybe something to do with listing the user in Windmill to then be authenticated as it comes into Django. This would mean potentially setting up a Windmill user model in my Django database in order to be authenticated properly, I believe. I just cannot seem to bypass the "unauthorized header" piece that is set in my Windmill script. Wondering if I'm just going about this incorrectly.
7 Replies
rubenf
rubenf2mo ago
Hi @marmo, we support external jwt_auth on EE, yes. Are you using self-hosted EE or cloud?
marmo
marmoOP2mo ago
Right now we are on the "Team plan (usage-based)", from what I can see in our workspace settings. But I do also see "Windmill EE v1.416.0" in user settings.
rubenf
rubenf2mo ago
Yes, that should work. Actually no, it shouldn't: we would need, at the instance level, to trust your own public key, which we do not, obviously, otherwise you could log in as anyone. You can however create a string payload, pass it as an arg and decode it in your script.
marmo
marmoOP2mo ago
So instead of creating a payload as an object, construct it as a string, and use the secret we're storing within Windmill and Doppler to decode it? Would this still require all payload fields being asked on the Windmill side, like username, email, is_admin, etc.?
rubenf
rubenf2mo ago
Because it's not your own instance, you can't use JWT for auth at the Windmill level, so you're just passing an arg that you "trust". You might as well just pass the payload of the data directly. The auth that guarantees that the request is coming from a trusted emitter is that you need a webhook-specific token to auth to Windmill anyway. You might however just pass the JWT token as a convenience, since it's a single string.
marmo
marmoOP2mo ago
Okay, I'll give that a try! Thank you 🙏 Hey @rubenf, the problem that I'm actually running into is within Windmill: generating a JWT token that can be authenticated by my Django app. In Django I'm using the Jose package to verify and sign tokens. Is there an equivalent I can use in the Windmill script as an alternative to manually generating my own tokens in Windmill?
rubenf
rubenf2mo ago
wmill.getIdToken ?
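For the hand-rolled HS256 approach discussed in the original question and in the last reply, here is an added example (not code from the thread, Windmill or Django) of an encode/verify pair built only from the standard library, so it runs in a Windmill Python script with no extra package. The usual reason a custom token fails to match a python-jose or PyJWT one is whitespace in the JSON segments or '=' padding in the base64url encoding; both are handled here, and the verifier pins the algorithm to HS256 and checks `exp`. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that _b64url removed before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, secret: str) -> str:
    # Compact JSON (no spaces after ',' or ':') is what python-jose and PyJWT
    # emit; the exact bytes matter because the signature covers them.
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url(signature)])


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> dict:
    # Returns the claims if the signature is valid and the token has not expired,
    # otherwise raises ValueError. Only HS256 is accepted, so a token whose header
    # says "alg":"none" or names an asymmetric algorithm is rejected outright.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a wrong signature leaks no timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Keep the secret in a Windmill resource or variable rather than in the script body, and note that this exchange only proves the caller holds the shared secret; the webhook token still gates who may invoke the script.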