Getting started¶
Installation¶
$ pip install django-oauth2
Configuration¶
Add OAuth2 Provider to INSTALLED_APPS¶
INSTALLED_APPS = (
# ...
'provider',
'provider.oauth2',
)
Modify your settings to match your needs¶
The default settings are available in provider.constants.
Include the OAuth 2 views¶
Add provider.oauth2.urls to your root urls.py file.
path('oauth2/', include(('provider.oauth2.urls', 'oauth2'))),
Note
The namespace argument is required.
Sync your database¶
$ python manage.py syncdb
$ python manage.py migrate
How to request an access token for the first time?¶
Create a client entry in your database¶
Note
To find out which type of client you need to create, read Section 2.1.
To create a new entry, simply use the Django admin panel.
Request an access token¶
Assuming that you’ve used the same URL configuration as above, your
client needs to submit a POST request to
/oauth2/access_token including the following parameters:
client_id - The client ID you've configured in the Django admin.
client_secret - The client secret configured in the Django admin.
grant_type - password, which selects the Password Grant shown in the request below.
username - The username with which you want to log in.
password - The password corresponding to the user you're logging in with.
Request
$ curl -X POST -d "client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD" http://localhost:8000/oauth2/access_token/
Response
{"access_token": "<your-access-token>", "scope": "read", "expires_in": 86399, "refresh_token": "<your-refresh-token>"}
This particular way of obtaining an access token is called a Password Grant. All the other ways of acquiring an access token are outlined in Section 4.
Note
Remember that you should always use HTTPS for all your OAuth 2 requests; otherwise the client secret, user password and issued tokens travel over the network in the clear.
Request an Access Token using AWS credentials¶
The new aws_identity grant_type uses the parameters for a signed GetCallerIdentity request to prove the caller’s identity.
Your client needs to submit a POST request to
/oauth2/access_token including the following parameters:
region - The AWS region.
post_body - The POST body used for signing the request. Usually Action=GetCallerIdentity&Version=2011-06-15.
headers_json - The headers produced by the AWS Signature Version 4 signing process.
The region value is used to produce the standard https://sts.(region).amazonaws.com/ URL used to make the GetCallerIdentity request. The URL is generated server side to reduce the risk of an attack based on sending an improperly crafted full URL.
The aws-v4-signature library implements awsv4sign.generate_http11_header(). An example is presented in the root of the repository in aws_identity_examply.py.
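The server-side handling that this grant depends on, as an added example that is not the project's own code: the STS URL is derived from the region alone, post_body and headers_json are checked, and the client's signed request is replayed against STS to read back the caller's identity. It assumes headers_json is a JSON object mapping header names to values (the exact output of aws-v4-signature is not shown on this page); the region pattern and the Host check are my own additions.

```python
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

# Allow-list shape for AWS region names, e.g. us-east-1, us-gov-west-1 (assumption).
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d+$")
EXPECTED_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

def is_valid_region(region):
    return bool(REGION_RE.fullmatch(region))

def build_sts_url(region):
    # Derived from the validated region only; the client never supplies a URL.
    if not is_valid_region(region):
        raise ValueError("region does not look like an AWS region name")
    return f"https://sts.{region}.amazonaws.com/"

def validate_grant_params(region, post_body, headers_json):
    """Check the three grant parameters; return (url, headers) for the STS call."""
    url = build_sts_url(region)
    if post_body != EXPECTED_BODY:
        raise ValueError("post_body must be the GetCallerIdentity action")
    headers = json.loads(headers_json)  # assumed: JSON object of header name -> value
    if not isinstance(headers, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in headers.items()):
        raise ValueError("headers_json must be a JSON object of string headers")
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if host != f"sts.{region}.amazonaws.com":  # added check: signed for this region's STS
        raise ValueError("Host header does not match the STS endpoint for this region")
    return url, headers

def parse_caller_identity(xml_text):
    """Extract Arn, UserId and Account from a GetCallerIdentity XML response."""
    result = ET.fromstring(xml_text).find(f"{STS_NS}GetCallerIdentityResult")
    if result is None:
        raise ValueError("no GetCallerIdentityResult in STS response")
    return {child.tag.replace(STS_NS, ""): child.text for child in result}

def fetch_caller_identity(region, post_body, headers_json, timeout=5):
    # Replays the client's signed request against STS (network) and returns its identity.
    url, headers = validate_grant_params(region, post_body, headers_json)
    req = urllib.request.Request(url, data=post_body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_caller_identity(resp.read().decode())

# Constructed sample STS response, used only to exercise the parser offline.
SAMPLE_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult><Arn>arn:aws:iam::123456789012:user/example</Arn><UserId>AIDAEXAMPLEUSERID</UserId>
<Account>123456789012</Account></GetCallerIdentityResult></GetCallerIdentityResponse>"""
```

The Arn and Account returned by fetch_caller_identity are what the provider would then map to a local user before issuing a token.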
Integrate with Django Authentication¶
Add OAuth2 Middleware to MIDDLEWARE_CLASSES¶
MIDDLEWARE_CLASSES = (
...
'django.contrib.auth.middleware.AuthenticationMiddleware',
'provider.oauth2.middleware.Oauth2UserMiddleware',
...
)
Add RemoteUserBackend to AUTHENTICATION_BACKENDS¶
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'django.contrib.auth.backends.RemoteUserBackend',
)
Note
The Oauth2UserMiddleware class reuses functionality used by the RemoteUserMiddleware class. Omitting the RemoteUserBackend will result in 500 errors.