I'm implementing OAuth2 provider with Django Rest Framework and Django OAuth Toolkit.
Django OAuth Toolkit already has a set of views for managing OAuth Applications. This views let third-party application developer to do basic CRUD on an Application model. There's also a sample view for a resource owner to authorize the third-party app.
However I can't figure out a proper way for the resource owner to revoke the third-party app authorization. There's a revoke-token endpoint but if I get it right it serves a different job.
Essentially I try to build a view similar to the GitHub's "Authorized applications" page:
It looks like the RefreshToken model is the one I should use to list the connections. But works not as expected when the user reauthorizes the app. The RefreshToken instance is created after each successful authorization prompts and the connection list grows with duplicates.
Has anyone successfuly implemented a similar view with Django OAuth Toolkit?
Related
I have one DRF project called users where I will handle authentication and I have setup oauth2 and my API URL is
http://localhost:8000/auth/login
and this running fine
and I have one more DRF project called products and I have a URL
http:localhost:8001/products/getProduct/1
but I am not able to get the solution on how to access the user model from
users project
into
products project
I am trying to implement the central authentication system(CAS) for my microservice-based project
Trying to import users in your products project is against the principle of a microservice architecture.
You should handle authentication with an auth server where the user can log in and obtain something that identifies the user (typically a token).
And then the microservice (or some proxy/API gateway) has to validate this token againt the auth server
You can look at JWT for django rest framework for example to implement your solution.
I have to set up the API part of an application.
To summarize, there is a private oauth provider, a front-end angular app, and a django rest framework resource API.
The Angular app is unaccessible if not logged, and redirect to the oauth provider. The user have to login there and is redirected to the front-end.
So far so good, the provider give the front-end a JWT access token.
Then the front ask for resources to the DRF API providing the JWT.
That's where I'm stuck, all the tutorials I find on google explain how to create your own provider.
But I just want to get the token, check with the oauth provider that it's valid, login the user, provide the resources, and then logout the user until the next request.
If someone can give me some usefull tuto/doc/library?
Thanks.
So, I ended up creating my own custom authentication class extending BaseAuthentication (and custom user, user manager, ...) as I did not found any existing library.
If someone in interested in details, you can check the DRF documentation and many resources on the internet.
P.S. don't forget to extend authenticate_header is you want to return 401 with "raise AuthenticationFailed" and not 403 (for some reason).
I'm building an API using Django Rest Framework. Later this API is supposed to be consumed by iOS and Android devices. I want to allow my users to sign-up with oauth2-providers like Facebook and Google. In this case, they shouldn't have to create an account with my platform at all. But users should also be able to sign-up when not having a Facebook/Google account, for which I'm using django-oauth-toolkit, so I have my own oauth2-provider.
For external providers I'm using python-social-auth, which works fine and automatically creates the user objects.
I want the clients to authenticate by using bearer tokens, which works fine for users that signed up with my provider (django-oauth-toolkit provides authentication scheme and permission classes for Django REST Framework).
However, python-social-auth only implements session based authentication, so there is no straightforward way to make authenticated API requests on behalf of users that registered by an external oauth2 provider.
If I use an access_token that has been generated by django-oauth-toolkit, doing a request like this works:
curl -v -H "Authorization: Bearer <token_generated_by_django-oauth-toolkit>" http://localhost:8000/api/
However, the following doesn't work since there is no corresponding authentication scheme for Django REST Framework and the AUTHENTICATION_BACKENDS provided by python-social-auth only work for session-based authentication:
curl -v -H "Authorization: Bearer <token_stored_by_python-social-auth>" http://localhost:8000/api/
Using the browseable API provided by Django REST Framework after authenticating with python-social-auth works just fine, only API calls without a session cookie don't work.
I'm wondering what the best approach is for this problem. The way I see it, I have basically two options:
A: When a user signs up with an external oauth2 provider (handled by python-social-auth), hook into the process to create an oauth2_provider.models.AccessToken and continue to use 'oauth2_provider.ext.rest_framework.OAuth2Authentication', now authenticating also users that registered with an external provider. This approach is suggested here:
https://groups.google.com/d/msg/django-rest-framework/ACKx1kY7kZM/YPWFA2DP9LwJ
B: Use python-social-auth for API request authentication. I could get my own users into python-social-auth by writing a custom backend and using register_by_access_token. However, since API calls cannot utilize Django sessions this would mean I would have to write an authentication scheme for Django Rest Framework that utilizes the data stored by python-social-auth. Some pointers on how to do this can be found here:
http://psa.matiasaguirre.net/docs/use_cases.html#signup-by-oauth-access-token
http://blog.wizer.fr/2013/11/angularjs-facebook-with-a-django-rest-api/
http://cbdev.blogspot.it/2014/02/facebook-login-with-angularjs-django.html
However, the way I understand it python-social-auth only verifies the token when doing a login and relies on the Django session afterwards. This would mean I would have to find a way to prevent python-social-auth from doing the whole oauth2-flow for each stateless API request and rather check against the data stored in the DB, which isn't really optimized for querying since it's stored as JSON (I could use UserSocialAuth.objects.get(extra_data__contains=) though).
I would also have to take care of verifying the scopes of an access token and use them to check permissions, something django-oauth-toolkit already does (TokenHasScope, required_scopes etc).
At the moment, I'm leaning towards using option A, since django-oauth-toolkit provides good integration with Django Rest Framework and I get everything I need out of the box. The only drawback is that I have to "inject" the access_tokens retrieved by python-social-auth into the AccessToken model of django-oauth-toolkit, which feels wrong somehow, but would probably be by far the easiest approach.
Does anybody have any objections on doing that or has maybe tackled the same problem in a different way? Am I missing something obvious and making my life harder than necessary?
If anybody has already integrated django-oauth-toolkit with python-social-auth and external oauth2 providers I would be very thankful for some pointers or opinions.
A lot of the difficulty in implementing OAuth comes down to understanding how the authorization flow is supposed to work. This is mostly because this is the "starting point" for logging in, and when working with a third-party backend (using something like Python Social Auth) you are actually doing this twice: once for your API and once for the third-party API.
Authorizing requests using your API and a third-party backend
The authentication process that you need is go through is:
Mobile App -> Your API : Authorization redirect
Your API -> Django Login : Displays login page
Django Login -> Facebook : User signs in
Facebook -> Django Login : User authorizes your API
Django Login -> Your API : User signs in
Your API -> Mobile App : User authorizes mobile app
I'm using "Facebook" as the third-party backend here, but the process is the same for any backend.
From the perspective of your mobile app, you are only redirecting to the /authorize url provided by Django OAuth Toolkit. From there, the mobile app waits until the callback url is reached, just like in the standard OAuth authorization flow. Almost everything else (Django login, social login, etc.) is handled by either Django OAuth Toolkit or Python Social Auth in the background.
This will also be compatible with pretty much any OAuth libraries that you use, and the authorization flow will work the same no matter what third party backend is used. It will even handle the (common) case where you need to be able to support Django's authentication backend (email/username and password) as well as a third-party login.
Mobile App -> Your API : Authorization redirect
Your API -> Django Login : Displays login page
Django Login -> Your API : User signs in
Your API -> Mobile App : User authorizes mobile app
What's also important to note here is that the mobile app (which could be any OAuth client) never receives the Facebook/third-party OAuth tokens. This is incredibly important, as it makes sure your API acts as an intermediary between the OAuth client and you user's social accounts.
Mobile App -> Your API : Authorization redirect
Your API -> Mobile App : Receives OAuth token
Mobile App -> Your API : Requests the display name
Your API -> Facebook : Requests the full name
Facebook -> Your API : Sends back the full name
Your API -> Mobile App : Send back a display name
Otherwise, the OAuth client would be able to bypass your API and make requests on your behalf to the third-party APIs.
Mobile App -> Your API : Authorization redirect
Your API -> Mobile App : Receives Facebook token
Mobile App -> Facebook : Requests all of the followers
Facebook -> Mobile App : Sends any requested data
You'll notice that at this point you would have lost all control over the third-party tokens. This is especially dangerous because most tokens can access a wide range of data, which opens the door to abuse and eventually goes down under your name. Most likely, those logging into your API/website did not intend on sharing their social information with the OAuth client, and were instead expecting you to keep that information private (as much as possible), but instead you are exposing that information to everyone.
Authenticating requests to your API
When the mobile application then uses your OAuth token to make requests to your API, all of the authentication happens through Django OAuth Toolkit (or your OAuth provider) in the background. All you see is that there is a User associated with your request.
Mobile App -> Your API : Sends request with OAuth token
Your API -> Django OAuth Toolkit : Verifies the token
Django OAuth Toolkit -> Your API : Returns the user who is authenticated
Your API -> Mobile App : Sends requested data back
This is important, because after the authorization stage it shouldn't make a difference if the user is coming from Facebook or Django's authentication system. Your API just needs a User to work with, and your OAuth provider should be able to handle the authentication and verification of the token.
This isn't much different from how Django REST framework authenticates the user when using session-backed authentication.
Web Browser -> Your API : Sends session cookie
Your API -> Django : Verifies session token
Django -> Your API : Returns session data
Your API -> Django : Verifies the user session
Django -> Your API : Returns the logged in user
Your API -> Web Browser : Returns the requested data
Again, all of this is handled by Django OAuth Toolkit and does not require extra work to implement.
Working with a native SDK
In most cases, you are going to be authenticating the user through your own website and using Python Social Auth to handle everything. But the one notable exception is when using a native SDK, as authentication and authorization is handled through the native system, which means you are bypassing your API entirely. This is great for applications which need to sign in with a third party, or applications which don't use your API at all, but it's a nightmare when both come together.
This is because your server can't validate the login and is forced to assume that the login is valid and genuine, which means it bypasses any and all security that Python Social Auth gives you.
Mobile App -> Facebook SDK : Opens the authorization prompt
Facebook SDK -> Mobile App : Gets the Facebook token
Mobile App -> Your API : Sends the Facebook token for authorization
Your API -> Django Login : Tries to validate the token
Django Login -> Your API : Returns a matching user
Your API -> Mobile App : Sends back an OAuth token for the user
You'll notice that this skips over your API during the authentication phase, and then forces your API to make assumptions about the token that is passed in. But there are definitely cases where this risk may be worth it, so you should evaluate that before throwing it out. It's a trade off between quick and native logins for your user and potentially handling bad or malicious tokens.
I solved it by using your A. option.
What I do is registering users that use a third party to sign up by their third party access token.
url(r'^register-by-token/(?P<backend>[^/]+)/$',
views.register_by_access_token),
This way, I can issue a GET request like this one:
GET http://localhost:8000/register-by-token/facebook/?access_token=123456
And register_by_access_token gets called. request.backend.do_auth will query the provider for the user info from the token and magically register a user account with the info or sign in the user if he's already registered.
Then, I create a token manually and return it as JSON for letting the client query my API.
from oauthlib.common import generate_token
...
#psa('social:complete')
def register_by_access_token(request, backend):
# This view expects an access_token GET parameter, if it's needed,
# request.backend and request.strategy will be loaded with the current
# backend and strategy.
third_party_token = request.GET.get('access_token')
user = request.backend.do_auth(third_party_token)
if user:
login(request, user)
# We get our app!
app = Application.objects.get(name="myapp")
# We delete the old token
try:
old = AccessToken.objects.get(user=user, application=app)
except:
pass
else:
old.delete()
# We create a new one
my_token = generate_token()
# We create the access token
# (we could create a refresh token too the same way)
AccessToken.objects.create(user=user,
application=app,
expires=now() + timedelta(days=365),
token=my_token)
return "OK" # you can return your token as JSON here
else:
return "ERROR"
I'm just not sure about the way I generate the token, is this good practice? Well, in the mean time, it works!!
Maybe django-rest-framework-social-oauth2 is what you're looking for. This package depends on python-social-auth and django-oauth-toolkit, which you already use. I quickly scanned through the documentation, and it seems to implement just what you are trying to do.
I was doing React Native with expo and Django with Django REST framework. This blogpost ended being the way I solved registration (signup) with facebook https://medium.com/#gabriel_gamil/react-native-expo-django-facebook-authentication-sign-in-83625c49da7
tldr; use django-rest-auth https://django-rest-auth.readthedocs.io/en/latest/index.html
use Django-allauth https://django-allauth.readthedocs.io/en/latest/
I'm writing a Django app that uses django-allauth for Facebook integration, and uses django-tastypie for a backend for an iOS app. The iOS app will use the native Facebook iOS SDK. I'd like to be able to sign up and verify both Facebook and non-Facebook users from the iOS app, in addition to the website.
The issue is that django-allauth doesn't seem to have an API that can be accessed externally. The only clean way to plugin to allauth's functionality seems to be via Django template tags. Is there a way I can expose this functionality to be used with tastypie?
Django-allauth is all open source, so I've tried to parse through the code. My initial idea is to authenticate users on the iOS side using the native Facebook SDK, and then manually fill in information for SocialAccount, SocialToken, and add the SocialAccount to SocialApp (those are all django-allauth models). However, that seems to be quite a hacky solution. I'd love a way to cleanly create all those models given a Facebook ID, or something similar.
Update:
There's been some discussion concerning this issue on the GitHub. Basically, there's no built-in functionality yet. I'm going to whip up a custom solution that only deals with Facebook (because that's all I'm using in my application). I'll post what I did here later if it works.
Quick look into django-allauth shows that they are using SocialAccount model to hold data on specific method of authentication and type of social account.
You need to create an API endpoint based on SocialAccount model. You need to pass there variables like: account type (facebook, local, twitter etc), additional auth variables needed by social auth providers. Then, in your code you can create SocialAccount model instances, feed with data received from API endpoint call and trigger corresponding auth call via django-allauth. Finally you should return result of your auth call.
I don't see a big reason to use django-allauth for local/facebook auth only, with some small effort you can have whole range of social auth providers.
I used requests library to deal with facebook API and it works great, I think no social login plugin for Django works for others but the author, if you want to do something seriously.
PS. I used django-rest-framework to build the rest backend for mobile apps, also including local account login and social site login.
I have created a Django application. The app has a login functionality.
Can somebody help to find a way to make it possible to login using Facebook credential or point me some tutorials to implement it ?
Summary;
https://github.com/mlavin/django-all-access
https://github.com/pennersr/django-allauth
https://github.com/omab/django-social-auth
https://github.com/uswaretech/Django-Socialauth
https://github.com/hiidef/oauth2app
https://github.com/timetric/django-oauth
https://github.com/daaku/django-oauth-consumer
https://github.com/eldarion/django-oauth-access
https://github.com/dgouldin/python-oauth2
https://github.com/henriklied/django-twitter-oauth
https://launchpad.net/django-openid-auth
https://www.djangopackages.com/grids/g/oauth/
http://peterhudec.github.io/authomatic/
django-all-access
django-all-access is a reusable application for user registration and authentication from OAuth 1.0 and OAuth 2.0 providers such as Twitter and Facebook.
The goal of this project is to make it easy to create your own workflows for authenticating with these remote APIs. django-all-access will provide the simple views with sane defaults along with hooks to override the default behavior.
There is a simple demo application running on at http://allaccess-mlavin.dotcloud.com/ The full source of this application is include in the repository.
django-allauth
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.
Supported Flows
Signup of both local and social accounts
Connecting more than one social account to a local account
Disconnecting a social account -- requires setting a password if only the local account remains
Optional instant-signup for social accounts -- no questions asked
E-mail address management (multiple e-mail addresses, setting a primary)
Password forgotten flow
E-mail address verification flow
Supported Providers
Dropbox (OAuth)
Facebook (both OAuth2 and JS SDK)
Github
Google (OAuth2)
LinkedIn
OpenId
Persona
SoundCloud (OAuth2)
Stack Exchange (OAuth2)
Twitch (OAuth2)
Twitter
Weibo (OAuth2)
Django Social Auth
Django Social Auth is an easy way to setup social authentication/authorization mechanism for Django projects.
Crafted using base code from django-twitter-oauth and django-openid-auth, it implements a common interface to define new authentication providers from third parties.
Supported Providers
Google OpenID
Google OAuth
Google OAuth2
Yahoo OpenID
OpenId like myOpenID
Twitter OAuth
Facebook OAuth
Django-Socialauth
What it does
Allow logging in via various providers.
Import contacts from various third party sites, to find out which of your
friends already use our service.
Logging In
This is a application to enable authentication via various third party sites.
In particular it allows logging in via
Twitter
Gmail
Facebook
Yahoo(Essentially openid)
OpenId
oauth2app
The oauth2app module helps Django site operators provide an OAuth 2.0 interface. The module is registered as an application.
django-oauth
This is a forked version of David Larlet's django-oauth.
One very important difference is that this version requires that you be running a real cache behind Django's caching framework.
django-oauth-access
Supported Providers
Twitter
LinkedIn
Yahoo
Facebook (using OAuth 2.0 — it is functional, but needs more work)
Likely any OAuth 1.0a compliant site
django-oauth-consumer
A django application providing infrastructure for consuming OAuth services. It is not for providing OAuth services.
Also useful:
http://developers.facebook.com/docs/guides/web/#login
http://developers.facebook.com/docs/guides/canvas/#auth
https://github.com/dgouldin/python-oauth2
https://github.com/henriklied/django-twitter-oauth
https://launchpad.net/django-openid-auth
https://www.djangopackages.com/grids/g/oauth/
http://peterhudec.github.io/authomatic/examples/django-simple.html
I highly recommend using django-social-auth. The README is very complete, and it also includes information for authenticating against other OAuth sources such as twitter, and against OpenID sources like Google and Yahoo. Of course, if you just wanted Facebook authentication, you can just use it for that.
There's also an included example application, which gives you some sample code to play with.
FOR MOBILE APPLICATION, if you are developing an application for ios/android with django in the backend, what you can do is login to facebook in the frontend using the facebook ios/android api. But this is not the final login for your app. Upon facebook-login, facebook gives you an access token which you can then send to your django backend along with your facebook username/email. In the back, django can use something like facebook python sdk to verify the username-access token pair by communicating with facebook. If verified, you can finally log in the user for your app.
Using the python sdk is easy, just read the tutorial and you will be communicating with facebook in seconds.
The new way of doing that is by using python-social-auth, as django-social-auth was deprecated in favor of python-social-auth and now supports other frameworks than Django such as Flask, Pyramid, Web.py and Tornado.
It also supports other major auth providers such as Microsoft, Google, Twitter, Amazon, GitHub and many more.
Here is a quick get-started way to configure it on Django:
How to sign in with the Google+ API using Django?
I can totally recommend django-allauth.
It just works!