
Django OAuth 2 client settings - client does not recognize the token

Updated: 2022-10-15 14:23:02



    I'm attempting to use the Django OAuth Toolkit in a project I'm working on. I've set up two servers - one as the OAuth provider and another as a client service that is accessed only by authenticated users.

    The OAuth provider seems to be working just fine. I'm able to create a link on the client service that directs to the OAuth provider. The user then logs in, and is prompted whether to allow/deny the application. If the user allows the application, the user is then redirected back to the client service, and the URI contains the access token. Because this service needs to be accessible from both a website and a mobile client, I'm using an implicit grant, and following this way of doing things: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps.

    Everything with the provider seems to work as expected, but I'm having issues with the client service app, which is also a Django application. It doesn't appear to recognize the token in the redirect URI, and as a result I'm unable to make any authenticated requests against the service.

    I've made the following changes to the client service's settings.py:

    I've added the AUTHENTICATION_BACKENDS section, as follows:

    AUTHENTICATION_BACKENDS = (
      'django.contrib.auth.backends.ModelBackend',
      'oauth2_provider.backends.OAuth2Backend', 
    )
    

    I've added oauth2_provider.middleware.OAuth2TokenMiddleware to the MIDDLEWARE_CLASSES section.

    I've added oauth2_provider to the INSTALLED_APPS.

    The REST_FRAMEWORK section now looks like:

    REST_FRAMEWORK = {
      'DEFAULT_MODEL_SERIALIZER_CLASS':
        'rest_framework.serializers.HyperlinkedModelSerializer',
    
      'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.ext.rest_framework.OAuth2Authentication',
      ),
    
      'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
      ),
    }
    

    I've also added the OAUTH2_PROVIDER section:

    OAUTH2_PROVIDER = {
      # this is the list of available scopes 
      'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}
    }
    

    As near as I can figure, there must be something else that I'm missing in my settings.py that will tell Django to look for the token, but I'm at a bit of a loss on what this might be.

    Can someone point me in the right direction on what I might be missing here?

    EDIT: I should clarify the results I'm getting when attempting to call something on the client service. When I make a curl request to the client service, like so (except with real values plugged in):

        curl -H "Authorization: Bearer token_goes_here" https://service.com/api/some_api/call
    

    I get a result of:

    {"detail": "Authentication credentials were not provided."}
    

    It's as if the client service isn't looking in the right place for the credentials, which makes me think that something isn't set up quite right.

    DEFAULT_PERMISSION_CLASSES IsAuthenticated for REST_FRAMEWORK blocks non-authenticated requests.

    If you plan to use JavaScript to access your REST API, see https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/tests/test_implicit.py

    For the "Implicit Grant Flow" you must:

    1. log in via ModelBackend with user login and password.
    2. create an oauth2 application ( /o/applications/ ) or from the Django console; see the test.
    3. get the auth token from the "/o/authorize/" URL with the logged-in user.
    4. then you must add the token to the "'HTTP_AUTHORIZATION': 'Bearer ' + access_token," header to access API resources.

    And, I think, in this workflow we do not need auth_backends and middleware because we have DEFAULT_AUTHENTICATION_CLASSES in REST_FRAMEWORK.

    You can see all grant types in DOT; it is based on the lib https://oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html

    Or you can use the simpler "Resource owner password-based" grant, as described in the DOT documentation...
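The following is an added example, not code from the question, the answer, django-oauth-toolkit or Django REST framework. It is a small Python stand-in for the resource-server side of step 4 of the answer, and it also reproduces the curl symptom from the question. It shows three things a practitioner would want to check: the implicit-grant redirect carries the token in the URI fragment, which browsers never send to the server, so the Django app behind the redirect URI cannot "see" it and the browser-side script has to put it in the Authorization header; how that header arrives in the WSGI environ as HTTP_AUTHORIZATION; and why an unknown, expired, or foreign token yields the same "Authentication credentials were not provided." response as no token at all, since DOT's authenticator returns nothing rather than raising and then IsAuthenticated rejects the request. DOT validates tokens against its own database, so a token issued by a separate provider server is unknown to a client service with its own database. The token store, user names, redirect URL, token strings and the scope error text are constructed for the example.

```python
"""Added example, not from the original post, django-oauth-toolkit or DRF:
a stand-in for the resource server's bearer-token check (step 4 above).
The token store, user names, redirect URL and the scope error text are
constructed for the example."""
import hashlib
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# DRF's NotAuthenticated detail, returned when no authenticator claims the request.
NOT_PROVIDED = "Authentication credentials were not provided."
# Example's own message for a valid token that lacks the required scope.
INSUFFICIENT_SCOPE = "Insufficient scope for this resource."


def parse_implicit_redirect(url):
    """Return the implicit-grant parameters carried by a redirect URI.

    RFC 6749 section 4.2.2 places them in the URI fragment, and browsers do
    not send the fragment to the server, so the Django app behind the
    redirect URI never sees the token: the browser-side script must read
    it and send it in the Authorization header itself.
    """
    fragment = urlsplit(url).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}


@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset
    expires_at: float


class TokenStore:
    """In-memory stand-in for the resource server's access-token table.

    A real DOT resource server looks tokens up in its own database, which
    is why a token issued by a separate provider server is unknown here.
    Only the SHA-256 of each token is kept (an example choice, not DOT's),
    so a dump of the store does not yield usable bearer tokens.
    """

    def __init__(self):
        self._by_hash = {}

    @staticmethod
    def _key(raw_token):
        return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

    def issue(self, raw_token, user, scopes, ttl, now=None):
        now = time.time() if now is None else now
        self._by_hash[self._key(raw_token)] = AccessToken(user, frozenset(scopes), now + ttl)

    def lookup(self, raw_token):
        return self._by_hash.get(self._key(raw_token))


def bearer_token_from_environ(environ):
    """Return the raw token from the WSGI environ, or None if absent.

    Django exposes "Authorization: Bearer <token>" as
    environ["HTTP_AUTHORIZATION"]; any other scheme is ignored.
    """
    parts = environ.get("HTTP_AUTHORIZATION", "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def authenticate_request(environ, store, required_scope, now=None):
    """Reproduce the outcome of DRF plus a bearer authenticator for one request.

    Returns (user, None) on success, otherwise (None, detail). As with DOT's
    OAuth2Authentication, an unknown or expired token makes the authenticator
    return nothing instead of raising, so IsAuthenticated then answers with
    NOT_PROVIDED: the same message as the curl call in the question, whether
    the header is missing or carries a token this server has never issued.
    """
    now = time.time() if now is None else now
    raw_token = bearer_token_from_environ(environ)
    token = store.lookup(raw_token) if raw_token else None
    if token is None or token.expires_at <= now:
        return None, NOT_PROVIDED
    if required_scope not in token.scopes:
        return None, INSUFFICIENT_SCOPE
    return token.user, None


if __name__ == "__main__":
    store = TokenStore()
    store.issue("tok-issued-by-this-server", "alice", {"read"}, ttl=3600)
    # Constructed redirect: the fragment holds the token, as in the question.
    redirect = ("https://service.example/callback"
                "#access_token=tok-issued-by-this-server&token_type=Bearer&expires_in=3600")
    params = parse_implicit_redirect(redirect)
    environ = {"HTTP_AUTHORIZATION": "Bearer " + params["access_token"]}
    print(authenticate_request(environ, store, "read"))   # alice is accepted
    print(authenticate_request({}, store, "read"))        # no header: NOT_PROVIDED
```

Run it as a script to see the accepted request beside the rejected one; the same rejection appears if the token is looked up in a store that never issued it, which is the situation of a client service holding only a token minted by a separate provider.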