oauth2 authentication backend and middleware

Massimiliano Pippi · Massimiliano Pippi · commit 9b1a5f975c2e · 2013-09-11T11:33:21.000+02:00
diff --git a/oauth2_provider/backends.py b/oauth2_provider/backends.py
@@ -0,0 +1,27 @@
+from django.contrib.auth import get_user_model
+
+from .oauth2_backends import get_oauthlib_core
+
+UserModel = get_user_model()
+OAuthLibCore = get_oauthlib_core()
+
+
+class OAuth2Backend(object):
+    """
+    Authenticate against an OAuth2 access token
+    """
+
+    def authenticate(self, **credentials):
+        request = credentials.get('request')
+        if request is not None:
+            oauthlib_core = get_oauthlib_core()
+            valid, r = oauthlib_core.verify_request(request, scopes=[])
+            if valid:
+                return r.user
+        return None
+
+    def get_user(self, user_id):
+        try:
+            return UserModel.objects.get(pk=user_id)
+        except UserModel.DoesNotExist:
+            return None
diff --git a/oauth2_provider/middleware.py b/oauth2_provider/middleware.py
@@ -0,0 +1,26 @@
+from django.contrib.auth import authenticate
+
+
+class OAuth2TokenMiddleware(object):
+    """
+    Middleware for OAuth2 user authentication
+
+    This middleware is able to work along with AuthenticationMiddleware and its behaviour depends
+    on the order it's processed with.
+
+    If it comes *after* AuthenticationMiddleware and request.user is valid, leave it as is and does
+    not proceed with token validation. If request.user is the Anonymous user proceeds and try to
+    authenticate the user using the OAuth2 access token.
+
+    If it comes *before* AuthenticationMiddleware, or AuthenticationMiddleware is not used at all,
+    tries to authenticate user with the OAuth2 access token and set request.user field. Setting
+    also request._cached_user field makes AuthenticationMiddleware use that instead of the one from
+    the session.
+    """
+    def process_request(self, request):
+        # do something only if request contains a Bearer token
+        if request.META.get('HTTP_AUTHORIZATION', '').startswith('Bearer'):
+            if not hasattr(request, 'user') or request.user.is_anonymous():
+                user = authenticate(request=request)
+                if user:
+                    request.user = request._cached_user = user
