
Do both SPAs and mobile applications hit the same endpoint for Authentication in case of JWTs?

I am making a REST server which will have both web clients in the form of a Single Page Application and native mobile applications. I was studying the use of JWTs to make the server stateless. So far, what I understand is:

  1. The authentication endpoint returns two tokens, i.e., an access and a refresh token, after the correct credentials are provided.
  2. These tokens should be stored in an 'httpOnly' cookie in a browser for security reasons.

As far as I know, native mobile applications don't have a cookie store and hence use some other datastore for the application, such as a database. So, do I need to implement two different endpoints for these different applications? What I am thinking of doing is:

  1. Endpoint 1 (for the Single Page Application): accepts user credentials in JSON and returns the JWT inside cookies.
  2. Endpoint 2 (for native mobile applications): accepts user credentials in JSON and returns the JWT in the raw JSON body.

Is the above approach right, or should there be a single endpoint for both of them? Also, please help with how to achieve this with django-rest-framework-simplejwt.

Solution

  • You shouldn't need to create two different authentication views for SPAs and mobile apps. On mobile, you'll just need to store both the refresh and access tokens on the device somehow, whether it's in memory, on disk, or whatever. But you'll get the tokens from the same view either way. And then you'll need to include them in the Authorization header with any requests to your API that require authorization, as described in the docs here: https://github.com/davesque/django-rest-framework-simplejwt#usage
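The single-endpoint design from the answer, sketched as an added example that is not part of the question, the answer, or the django-rest-framework-simplejwt project. Token issuing is one function shared by both client types; only the delivery differs (HttpOnly cookies for the browser, JSON body for the native app), and resource endpoints accept the access token from either carrier. It runs offline with a hand-rolled HS256 JWT from the standard library in place of simplejwt, and the `X-Client-Type` header, the signing secret, the user table and the token lifetimes are assumptions made for the example.

```python
"""One /api/token/ endpoint serving both an SPA and a native mobile client.

Illustrative example (not the project's code). The JWT encoder, the
X-Client-Type header, SECRET and USERS are all assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"   # assumption: server-side signing key
USERS = {"alice": "correct horse battery staple"}     # constructed user table for the demo


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(payload: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature, all base64url, no padding."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature verifies and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):   # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= (now or time.time()):
        return None
    return payload


def issue_tokens(username: str, now: float) -> dict:
    """The part both client types share: mint an access/refresh pair."""
    return {
        "access": encode_jwt({"sub": username, "type": "access", "exp": now + 300}),
        "refresh": encode_jwt({"sub": username, "type": "refresh", "exp": now + 86400}),
    }


def token_view(request: dict, now: Optional[float] = None) -> dict:
    """One endpoint for everyone; only the delivery of the tokens differs."""
    now = now or time.time()
    body = json.loads(request["body"])
    if USERS.get(body.get("username")) != body.get("password"):
        return {"status": 401, "headers": {}, "body": json.dumps({"detail": "bad credentials"})}
    tokens = issue_tokens(body["username"], now)
    if request["headers"].get("X-Client-Type") == "spa":
        # Browser client: tokens go into HttpOnly/Secure cookies, unreadable from page scripts.
        jar = SimpleCookie()
        for name, value in tokens.items():
            jar[name] = value
            jar[name]["httponly"] = True
            jar[name]["secure"] = True
            jar[name]["samesite"] = "Strict"
            jar[name]["path"] = "/api/"
        headers = {"Set-Cookie": [m.OutputString() for m in jar.values()]}
        return {"status": 200, "headers": headers, "body": "{}"}
    # Native client: tokens in the JSON body, to be kept in the app's own secure storage.
    return {"status": 200, "headers": {}, "body": json.dumps(tokens)}


def access_subject(request: dict, now: Optional[float] = None) -> Optional[str]:
    """Resource endpoints read the access token from the Authorization header or the cookie."""
    auth = request["headers"].get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token is None and "Cookie" in request["headers"]:
        jar = SimpleCookie()
        jar.load(request["headers"]["Cookie"])
        token = jar["access"].value if "access" in jar else None
    payload = decode_jwt(token, now) if token else None
    # A refresh token presented as an access token is rejected, as is an expired one.
    return payload["sub"] if payload and payload.get("type") == "access" else None
```

With simplejwt the shared step is `TokenObtainPairView`; the cookie branch above corresponds to a view that copies the serializer's output into `response.set_cookie(..., httponly=True, secure=True, samesite="Strict")`, and the cookie-reading branch to a custom authentication class that falls back to the cookie when no `Authorization` header is present.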