| 1 | +Part 3 - OAuth2 token authentication |
| 2 | +==================================== |
| 3 | + |
| 4 | +Scenario |
| 5 | +-------- |
| 6 | +You want to use an :term:`Access Token` to authenticate users against Django's authentication |
| 7 | +system. |
| 8 | + |
| 9 | +Setup a provider |
| 10 | +---------------- |
| 11 | +You need a fully-functional OAuth2 provider which is able to release access tokens: just follow |
| 12 | +the steps in :doc:`the part 1 of the tutorial <tutorial_01>`. To enable OAuth2 token authentication |
| 13 | +you need a middleware that checks for tokens inside requests and a custom authentication backend |
| 14 | +which takes care of token verification. In your settings.py: |
| 15 | + |
| 16 | +.. code-block:: python |
| 17 | +
|
| 18 | + AUTHENTICATION_BACKENDS = ( |
| 19 | + 'oauth2_provider.backends.OAuth2Backend', |
| 20 | + '...', |
| 21 | + ) |
| 22 | +
|
| 23 | + MIDDLEWARE_CLASSES = ( |
| 24 | + '...', |
| 25 | + 'oauth2_provider.middleware.OAuth2TokenMiddleware', |
| 26 | + '...', |
| 27 | + ) |
| 28 | +
|
| 29 | +You can use `django.contrib.auth.backends.ModelBackend` along with the OAuth2 backend, but pay |
| 30 | +attention to the order in which Django processes authentication backends. |
| 31 | + |
| 32 | +If you put the OAuth2 backend *after* the AuthenticationMiddleware and `request.user` is valid, |
| 33 | +the backend will do nothing; if `request.user` is the Anonymous user it will try to authenticate |
| 34 | +the user using the OAuth2 access token. |
| 35 | + |
| 36 | +If you put the OAuth2 backend *before* AuthenticationMiddleware, or AuthenticationMiddleware is |
| 37 | +not used at all, it will try to authenticate user with the OAuth2 access token and set |
| 38 | +`request.user` and `request._cached_user` fields so that AuthenticationMiddleware (when active) |
| 39 | +will not try to get user from the session. |
| 40 | + |
| 41 | +Protect your view |
| 42 | +----------------- |
| 43 | +The authentication backend will run smoothly with, for example, `login_required` decorators, so |
| 44 | +that you can have a view like this in your `views.py` module: |
| 45 | + |
| 46 | +.. code-block:: python |
| 47 | +
|
| 48 | + from django.contrib.auth.decorators import login_required |
| 49 | + from django.http.response import HttpResponse |
| 50 | +
|
| 51 | + @login_required() |
| 52 | + def secret_page(request, *args, **kwargs): |
| 53 | + return HttpResponse('Secret contents!', status=200) |
| 54 | +
|
| 55 | +To check everything works properly, mount the view above to some url: |
| 56 | + |
| 57 | +.. code-block:: python |
| 58 | +
|
| 59 | + urlpatterns = patterns( |
| 60 | + '', |
| 61 | + url(r'^secret$', 'my.views.secret_page', name='secret'), |
| 62 | + '...', |
| 63 | + ) |
| 64 | +
|
| 65 | +You should have an :term:`Application` registered at this point, if you don't follow the steps in |
| 66 | +the previous tutorials to create one. Obtain an :term:`Access Token`, either following the OAuth2 |
| 67 | +flow of your application or manually creating in the Django admin. |
| 68 | +Now supposing your access token value is `123456` you can try to access your authenticated view: |
| 69 | + |
| 70 | +:: |
| 71 | + |
| 72 | + curl -H "Authorization: Bearer 123456" -X GET http://localhost:8000/secret |
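Review bot: the ordering discussion under "Setup a provider" ("If you put the OAuth2 backend *after* the AuthenticationMiddleware ...", "If you put the OAuth2 backend *before* AuthenticationMiddleware ...") conflates the two components: what is ordered relative to `AuthenticationMiddleware` is `oauth2_provider.middleware.OAuth2TokenMiddleware` in `MIDDLEWARE_CLASSES`, while `OAuth2Backend` is ordered only among the entries of `AUTHENTICATION_BACKENDS`. Both paragraphs should say "OAuth2TokenMiddleware" where they currently say "the OAuth2 backend", otherwise a reader will try to fix the behaviour by reordering the wrong setting. Two smaller points: "if you don't follow the steps in the previous tutorials" needs a comma after "don't" (it reads as a conditional as written), and since the final curl example sends the access token in a plain `Authorization: Bearer` header to `http://localhost:8000`, a sentence noting that this is a development setup and that the token travels in clear unless the view is served over HTTPS would be a useful addition to the "Protect your view" section.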