Passwordless JWT generation from DRF

I am developing a Django web application. I have used the built-in user authentication of Django. In this app it uses the user_auth table for authentication. The user_auth table contains entries for our end users (customers). A given end user logs in to the Django app using the built-in authentication with a user name and password. I have created a customer-facing mobile app that uses a JWT token for API calls from the mobile app. The JWT token is created using Django REST framework, which uses the username and password to issue the JWT token.

Additionally, I have another table that holds information about our vendors. This is a separate model in our Django app so far. I don’t want to make any major changes to our DB schema (for now not going into a Base User and then Student-type user and Teacher-type user setup). We have to generate a simple mobile app for our vendors. I wanted to use passwordless authentication using OTP (after validating the vendor’s email, DOB and mobile number entered during login to the mobile app). The idea is to validate in the Django app, then generate a JWT token and then subsequently use it in the rest of my vendor mobile app for further API calls from the mobile app to the Django web app.

Let me know if what I want to do is possible or not and, if possible, can you provide any assistance on how to approach this. I started looking into creating a class CustomTokenObtainPairView(TokenObtainPairView) and its custom serialiser class CustomTokenObtainPairSerializer(TokenObtainPairSerializer) but am not getting much further. Can you provide further assistance as to how to proceed, or just confirm this is not possible as a user name and password is a must?

I can go as far as to confirm that what you want to do is possible.

Django has a separate authentication process, independent of pretty much everything else. The basic function of this process is to allow whatever middleware you’re using for authentication to assign a user to the request object.

It doesn’t matter whether you’re passing credentials with every request, or a session cookie, or a token: something that you’re sending with each request is going to be used by the corresponding middleware to assign a user to that request.

Note that the actual authentication doesn’t need to even be done within Django itself. Django can be configured to accept a username from an external source, where that source is responsible for validating the credentials. (See How to authenticate using REMOTE_USER.)

So the question of “Can this be done” is a definite yes.

Whether or not it should be done in the manner you describe is a different issue. Only you can decide if this process you’re intending to implement is sufficiently secure for the system you’re creating and the environment in which it’s going to be used.
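To make the answer's point concrete, here is an added example (not code from the thread, the asker or the Django project) of the passwordless flow the question describes: verify the vendor's email, DOB and mobile number, hand out a short-lived one-time code, and only when that code is presented mint a JWT for the vendor row. It runs stand-alone: the vendor table is a constructed in-memory dict standing in for the separate Vendor model, the OTP store is a module-level dict, and the token is HS256-signed with the standard library rather than with rest_framework_simplejwt. The names `VENDORS`, `SIGNING_KEY`, `start_login`, `verify_otp`, `issue_token` and `verify_token` are all assumptions for illustration. In a DRF project the same checks would sit in the custom serializer's `validate()` and the `verify_token` half in a custom authentication class, which is the piece that attaches the vendor to `request.user`.

```python
"""Passwordless OTP -> JWT issuance for a vendor table that is not auth_user.

Added example, not code from the original thread. The vendor rows are
constructed sample data and SIGNING_KEY is a demo value; in Django these
would be the Vendor model and settings.SECRET_KEY (assumptions).
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample vendor rows (assumption: stands in for the Vendor model).
VENDORS = {
    "v-100": {"email": "alice@vendor.example", "dob": "1980-01-31", "mobile": "+15555550100"},
    "v-200": {"email": "bob@vendor.example", "dob": "1975-06-15", "mobile": "+15555550200"},
}

SIGNING_KEY = b"demo-only-replace-with-settings.SECRET_KEY"  # assumption: demo key
OTP_TTL = 300          # seconds an OTP stays valid
OTP_MAX_ATTEMPTS = 5   # wrong guesses before the OTP is burned
TOKEN_TTL = 3600       # seconds the access token stays valid

# vendor_id -> {"hash": sha256(otp), "expires": epoch seconds, "attempts": int}
_pending_otps = {}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(email, dob, mobile, now=None):
    """Check all three identifiers; on success mint a one-time OTP for that vendor.

    Returns (vendor_id, otp) or None. The caller delivers the OTP out of band
    (SMS / e-mail); only its hash is kept server-side. A single None for any
    mismatch avoids confirming which identifier was wrong.
    """
    now = time.time() if now is None else now
    given = {"email": email, "dob": dob, "mobile": mobile}
    match = None
    for vendor_id, row in VENDORS.items():
        # compare_digest on all three fields; a list keeps every check evaluated
        checks = [hmac.compare_digest(row[k].encode(), given[k].encode()) for k in given]
        if all(checks):
            match = vendor_id
    if match is None:
        return None
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[match] = {
        "hash": hashlib.sha256(otp.encode()).hexdigest(),
        "expires": now + OTP_TTL,
        "attempts": 0,
    }
    return match, otp


def issue_token(vendor_id, now, ttl=TOKEN_TTL):
    """Mint an HS256 JWT; 'kind' keeps vendor tokens distinct from customer tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": vendor_id, "kind": "vendor", "iat": int(now), "exp": int(now) + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_otp(vendor_id, otp, now=None):
    """Consume the OTP; return a signed JWT for the vendor, or None."""
    now = time.time() if now is None else now
    entry = _pending_otps.get(vendor_id)
    if entry is None:
        return None
    if now > entry["expires"] or entry["attempts"] >= OTP_MAX_ATTEMPTS:
        _pending_otps.pop(vendor_id, None)      # expired or locked: burn it
        return None
    entry["attempts"] += 1
    given = hashlib.sha256(otp.encode()).hexdigest()
    if not hmac.compare_digest(given, entry["hash"]):
        return None
    _pending_otps.pop(vendor_id, None)          # one-time: success burns the code
    return issue_token(vendor_id, now)


def verify_token(token, now=None):
    """Return the claims if signature, type and expiry check out, else None.

    This is the check a custom DRF authentication class would run before
    attaching the Vendor row to request.user.
    """
    now = time.time() if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256":        # only accept the algorithm we issue
            return None
        expected = hmac.new(SIGNING_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("kind") != "vendor" or now >= claims.get("exp", 0):
        return None
    return claims
```

The `kind` claim matters once two populations share one signing key: without it a customer token and a vendor token are indistinguishable to the API, so the vendor endpoints must check it (or a dedicated key per population must be used). The OTP is bound to the vendor id it was generated for, expires, is hashed at rest, and is rejected after a handful of wrong guesses; those are the properties to carry over when this moves into a real serializer and a database-backed OTP table.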