How to use this with Django-rest-framework? (Client-side OAuth2 flow?) #502
Comments
Hello there! I am not one of the developers of this library, but I use it in a project with Django Rest Framework.
1) My settings.py has several variables, including:
This means that after login, the access token will be stored in the Django Session object (https://mozilla-django-oidc.readthedocs.io/en/stable/settings.html#OIDC_STORE_ACCESS_TOKEN)
2) My urls.py file has something similar to
3) I log in via https://myappurl.com/oidc/authenticate and after login I redirect to my app home page.
4) I make requests to the API in the front-end normally, like a POST or GET to https://myappurl.com/api/
5) The front-end calls to the API trigger functions in the back-end and I can use the access token there.
If you are using curl to make requests, there is no way that I know of to get the access token because there will not be a session created (sessions are created for browsers). Whenever I need to test something in the REST API using curl I either: 1) use Django Tokens authentication OR 2) have an access token string saved beforehand and pass it in the request HTTP header/body. But I usually avoid using curl because I can generally test the API calls in the browser.
Finally, you could of course implement every call to your OIDC Provider yourself. I use Keycloak as an OIDC Provider. But then again, if you are doing that, I don't see the reason to use this library.
Thanks for the info!
A rather late follow-up, but did you manage to combine this package with token authentication instead of the session authentication? Or do you use token authentication without mozilla-django-oidc?
Hello there! I believe you are referring to Django token authentication, in which each user is assigned a token stored in the app's database managed by Django. I have experience using this authentication method. These tokens are created and managed by Django, often through the Django Admin web app. Therefore, these "Django tokens" are distinct from OAuth tokens, to the best of my knowledge. They are typically used as an authentication option in a REST API when OAuth is not in use. To use them, you include the "Django tokens" in every API request, enabling it to validate the requesting user, much like a password. To implement OAuth tokens with the mozilla-django-oidc library, I had to switch to session authentication in Django. Fortunately, Django allows you to enable multiple authentication systems simultaneously. You can choose between them as needed by configuring the DEFAULT_AUTHENTICATION_CLASSES variable in your settings.py file. It will attempt each authentication method in order until it finds a valid one. Here's an example configuration:
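A settings.py fragment that puts the two replies above together: mozilla-django-oidc handling the browser login with the access token kept in the session, and DRF trying session authentication before Django token authentication. This is an added example, not the commenter's configuration (which did not survive on this page); provider endpoint URLs and client credentials are placeholders, and the commented-out `OIDCAuthentication` entry is an assumption about the library's own DRF class, not something the thread discusses.

```python
# Added example settings.py fragment for mozilla-django-oidc + Django REST
# Framework. Only the keys relevant to the thread are shown; merge them into
# an existing settings.py that already lists "mozilla_django_oidc",
# "rest_framework" and "rest_framework.authtoken" in INSTALLED_APPS and
# mounts path("oidc/", include("mozilla_django_oidc.urls")) in urls.py
# (that is what makes /oidc/authenticate exist).

# 1) OIDC login handled by mozilla-django-oidc; ModelBackend keeps the
#    Django admin's username/password login working alongside it.
AUTHENTICATION_BACKENDS = [
    "mozilla_django_oidc.auth.OIDCAuthenticationBackend",
    "django.contrib.auth.backends.ModelBackend",
]

# Relying-party credentials and provider endpoints (placeholders; the
# real values come from the provider, e.g. a Keycloak realm).
OIDC_RP_CLIENT_ID = "REPLACE-WITH-CLIENT-ID"
OIDC_RP_CLIENT_SECRET = "REPLACE-WITH-CLIENT-SECRET"
OIDC_OP_AUTHORIZATION_ENDPOINT = "https://idp.example.invalid/auth"
OIDC_OP_TOKEN_ENDPOINT = "https://idp.example.invalid/token"
OIDC_OP_USER_ENDPOINT = "https://idp.example.invalid/userinfo"
OIDC_OP_JWKS_ENDPOINT = "https://idp.example.invalid/certs"
OIDC_RP_SIGN_ALGO = "RS256"  # RS256 ID tokens need the JWKS endpoint above

# After a successful login the access token is kept in the Django session
# under request.session["oidc_access_token"], so a DRF view can read and
# forward it. It lives only in that session: a curl request that does not
# carry the session cookie has no token to use.
OIDC_STORE_ACCESS_TOKEN = True
LOGIN_REDIRECT_URL = "/"
LOGOUT_REDIRECT_URL = "/"

# 2) DRF tries each class in order and stops at the first that authenticates:
#    the browser (session cookie from the OIDC login) is accepted by
#    SessionAuthentication; curl sending "Authorization: Token <key>" is
#    accepted by TokenAuthentication (key created via the Django admin).
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
        "rest_framework.authentication.TokenAuthentication",
        # Assumption, not covered in the thread: the library ships a DRF
        # class that accepts "Authorization: Bearer <OIDC access token>".
        # "mozilla_django_oidc.contrib.drf.OIDCAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}
```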
With the browsable api everything works and I can access my endpoints and admin page using the OIDC provider login, but I am unsure how to format a curl call to include authentication without the browser-session.
I am trying to set up an OAuth2 flow where the front-end gets an access token from the OIDC provider and sends that to my Django REST backend to exchange it for a Django token. Does that work with this package? Or should I use a server-side OAuth flow where the callback is sent to my Django server?
Any help is much appreciated!