jazzband / django-oauth-toolkit
OAuth2 goodies for the Djangonauts!
Home Page: https://django-oauth-toolkit.readthedocs.io
License: Other
The current authorization form is a bit ugly. I don't want to include any assets, but we can add some basic style based on Twitter Bootstrap using http://www.bootstrapcdn.com.
The form also lacks some information, such as the list of scopes.
Let users use the playground as a provider using authorization flow. Provide a way to reset all the data periodically (let's say every midnight).
Part of the sentence inside the Note box is placed outside the box itself.
Update the documentation to use the new set of views for Application management.
With reference to oauthlib/oauthlib#182 we should keep track of the upcoming changes in oauthlib regarding the refresh token grant. In particular, the confirm_scopes method in RequestValidator no longer exists and we should implement get_original_scopes instead.
The change has to be ready when we upgrade the supported oauthlib version. For the moment I have set the milestone for this issue at 0.4.0.
Change ClientIdGenerator and ClientSecretGenerator to use the oauthlib[1] functions to generate client_secret and client_id. OAuth 2 specifies the format of client_id in [2].
[1] https://github.com/idan/oauthlib/blob/master/oauthlib/common.py#L236
[2] http://tools.ietf.org/html/rfc6749#appendix-A.
In the Django admin, when setting a redirect_uri for a certain Application, if you put a trailing slash, like:
http://localhost:8000/exchange/
the authorization view responds with this error:
mismatching_redirect_uri
This error is not raised on sqlite, due to the lax way it checks relational dependencies.
However, when I syncdb/migrate on postgresql, I get:
Running migrations for oauth2_provider:
oauth2_provider:0001_initial
FATAL ERROR - The following SQL query failed: ALTER TABLE "oauth2_provider_application" ADD CONSTRAINT "user_id_refs_id_f9cca3bd" FOREIGN KEY ("user_id") REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED;
The error was: relation "auth_user" does not exist
Error in migration: oauth2_provider:0001_initial
DatabaseError: relation "auth_user" does not exist
I use a custom user model called "Account". You can even see the code here:
https://github.com/hasadna/omuni-budget/blob/develop/openbudget/apps/accounts/models.py#L10
There's information that 'corsheaders' is needed for the sake of the tutorial, but it would be nice to have 1-2 sentences briefly explaining the reason for that.
Link: https://django-oauth-toolkit.readthedocs.org/en/latest/tutorial/tutorial_01.html
It would be convenient for me not to tie a User to an Application for the client credentials grant; this way the access token could be associated with None or AnonymousUser (I've applied a hack in my validate_bearer_token validator in the meantime).
Why is the User required in this model?
During the token exchange, the Heroku app makes a POST to localhost and this causes an error because the user's Django app doesn't support CORS requests. Add a minimal explanation of how to add the CORS middleware.
If you try to authorize an application without any redirect_uris, an IndexError exception will be raised. I used the implicit authorization grant type. Not sure whether it should raise a better error, RedirectURINotFound, or whether it should be enforced in the application form.
/o/authorize/?client_id=c873c692338138235c0d14ba025d64d0d96ee0db&response_type=code
IndexError at /o/authorize/
pop from empty list
/home/wiliam/devel/canelada-django/src/django-oauth-toolkit/oauth2_provider/oauth2_validators.py in get_default_redirect_uri
return request.client.default_redirect_uri ...
/home/wiliam/devel/canelada-django/src/django-oauth-toolkit/oauth2_provider/models.py in default_redirect_uri
return self.redirect_uris.split().pop(0) ...
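The two redirect_uri reports above (the mismatching_redirect_uri error for a trailing slash, and the IndexError when no URI is registered) are two sides of the same check. The mismatch is the expected, safe behaviour: the value the client sends must equal a registered value byte for byte, and a trailing slash makes it a different URI. The IndexError is a real bug, but the fix is a clearer error, not a looser match. The following is an added example and not django-oauth-toolkit's own code; RegisteredClient stands in for the Application model, RedirectURINotFound is the hypothetical error name suggested above, and the client record is constructed for the example.

```python
# Added example, not django-oauth-toolkit's own code.  Hypothetical names:
# RegisteredClient stands in for the Application model; RedirectURINotFound
# is the clearer error the issue above suggests instead of IndexError.


class RedirectURINotFound(ValueError):
    """Raised when a client has no registered redirect URI to fall back on."""


class RegisteredClient:
    """Stand-in for an Application row: a client_id plus the
    whitespace-separated redirect URIs entered in the admin."""

    def __init__(self, client_id, redirect_uris=""):
        self.client_id = client_id
        # Keep the registered URIs exactly as entered.  No normalisation of
        # trailing slashes, case or query strings, so nothing is "close enough".
        self._uris = redirect_uris.split()

    def redirect_uri_allowed(self, uri):
        # Exact string comparison.  RFC 6749 3.1.2.3 requires the server to
        # compare the request's redirect_uri with the registered value, and
        # RFC 6819 5.2.3.5 recommends full matching over prefix matching.
        # Hence http://localhost:8000/exchange and http://localhost:8000/exchange/
        # are two different URIs: register the one the client really sends.
        return uri in self._uris

    @property
    def default_redirect_uri(self):
        # `self._uris.pop(0)` on an empty list gives IndexError; raise a
        # descriptive error instead so the view can answer with an OAuth error.
        if not self._uris:
            raise RedirectURINotFound(
                "client %r has no registered redirect_uri" % self.client_id)
        return self._uris[0]


def check_authorization_request(client, requested_uri):
    """Decide which redirect URI an authorization request may use.

    Returns {"ok": True, "redirect_uri": ...} or {"ok": False, "error": ...}.
    - A redirect_uri in the request must match a registered one exactly,
      otherwise the request fails with 'mismatching_redirect_uri'.
    - Without one, the client's first registered URI is used; a client with
      none registered fails with 'invalid_request' (RedirectURINotFound),
      not with a 500 from IndexError.
    """
    if requested_uri is not None:
        if not client.redirect_uri_allowed(requested_uri):
            return {"ok": False, "error": "mismatching_redirect_uri"}
        return {"ok": True, "redirect_uri": requested_uri}
    try:
        return {"ok": True, "redirect_uri": client.default_redirect_uri}
    except RedirectURINotFound as exc:
        return {"ok": False, "error": "invalid_request", "detail": str(exc)}


def prefix_match_is_unsafe(registered, attacker_uri):
    """Show why a lax matcher is dangerous (constructed input): with prefix
    matching, a URI under the registered one that the attacker can point at
    an open redirect would still receive the authorization code."""
    return {
        "exact_match": attacker_uri == registered,
        "prefix_match": attacker_uri.startswith(registered),
    }
```

A client whose registered URI is `http://localhost:8000/exchange/` must send exactly that string (slash included) in its authorization request; the error in the admin report above is the provider doing its job, and the right fix is on the client side or in the registered value, never in relaxing the comparison.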
I'd like to have explanatory pages with usage examples
I am writing a new app, and I am using Django's custom user model. I want to make my id a uuid (string). django-oauth-toolkit seems to accept only an integer in the relation between a user and AbstractApplication.
because of this, I can't migrate with django-oauth-toolkit:
Error in migration: oauth2_provider:0001_initial
DatabaseError: foreign key constraint "user_id_refs_id_ce8b3416" cannot be implemented
DETAIL: Key columns "user_id" and "id" are of incompatible types: integer and uuid.
It is expected to get an access token with client type=confidential and grant_type=authorization-code from django-rest-framework, with oauth-toolkit providing the OAuth2 flow. In the end, the client validation failed and reported Internal Server Error at line 57 of oauth2_validators.py
HTTP/1.0 200 OK
Date: Mon, 16 Sep 2013 03:03:57 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=PrI88VPP3OnOTo04HNZSJFR0fNsAMnkc; expires=Mon, 15-Sep-2014 03:03:57 GMT; Max-Age=31449600; Path=/
HTTP/1.0 302 FOUND
Date: Mon, 16 Sep 2013 03:04:00 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Location: http://localhost:8000/auth/ogcio/callback?code=jIvbl8BS2xlvin8hYjZEhr5p0DTCb9
HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Sep 2013 03:04:00 GMT
Connection: keep-alive
Transfer-Encoding: chunked
Thanks
Tommy Tang
Describe the meaning of the parameters accepted by the decorators and provide a few examples to show how decorators could be used for protecting function-based endpoints.
Hello,
I'm following the tutorial for Django Rest Framework. I set up my application in the admin and I'm sending a POST request just like in the tutorial, but always get
{"error": "invalid_client"}
as a response:
$ curl -vK user -X POST -d "grant_type=password&username=myuser&password=mypass" http://localhost:8000/o/token/
* About to connect() to localhost port 8000 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 8000 (#0)
* Server auth using Basic with user 'RgmI&_Y A5mdjuAh2T/]m_ZeD|u'[8`$r|`k'!'
> POST /o/token/ HTTP/1.1
> Authorization: Basic UmdtSSZfWSBBNW1kanVBaDJUL11tX1plRHx1J1s4YCRyfGBrJyE6dnZdWWw/LUB3YWNBI2Q+NEcyNWEkbkZCclogJGQ/e1ZtYm4rMl5GYnRNSl9ZTitiVHB6b3UjXkRdaFhMeGxNL28jJz95MCV0ZXQ8Z3w8OEZTZHVPMkIvN3Y6dG5EUz99ZGxla3B2dTchWTssJDA8VEQ1UmwucA==
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: localhost:8000
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 55 out of 55 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 400 BAD REQUEST
< Date: Sun, 08 Sep 2013 17:30:37 GMT
< Server: WSGIServer/0.1 Python/2.7.5
< Content-Language: it
< Vary: Accept-Language, Cookie
< Pragma: no-cache
< Cache-Control: no-store
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json;charset=UTF-8
<
* Closing connection #0
{"error": "invalid_client"}
Hi,
I'm using django-oauth-toolkit to protect an API in a django project using class-based views.
If I understand correctly the function validate_bearer_token in oauth2_validators.py is supposed to set the request.user to the same value as the access_token.user. But when I access the request.user from a view I get AnonymousUser.
Am I misreading the code? Is there another way to get the user?
Thanks in advance,
João
Make sure to import from oauthlib.oauth2 and not oauthlib.oauth2.draft25. The draft25 package may be dropped in future oauthlib releases.
We should support confidential clients authentication through request-body parameters.
Note that, as in http://tools.ietf.org/html/rfc6749#section-2.3.1 :
Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme
This should solve #52 (comment)
It would be splendid to have an example or two around using the toolkit for "Facebook/Twitter-like" authentication. Considering there are other kits like django-social-auth out there, I'm struggling to find The Easy Way™ to do it apart from depending on and subclassing social-auth's classes.
This seems like a great library. Unfortunately, I can't use it yet as it will not pass our automated unit testing since we are using a custom user model. Please replace direct references to Django's User model with django.contrib.auth.get_user_model().
Thank you.
I've been attempting to get the awesome stuff in #54 to work and I ran into the following:
Traceback:
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
115. response = callback(request, *callback_args, **callback_kwargs)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/views/generic/base.py" in view
68. return self.dispatch(request, *args, **kwargs)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/views/generic/base.py" in dispatch
86. return handler(request, *args, **kwargs)
File "/Users/Bryan/Code/Revyver/hello-base/base/components/accounts/views.py" in get
68. user = authenticate(request=request)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in authenticate
58. for backend in get_backends():
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in get_backends
33. backends.append(load_backend(backend_path))
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in load_backend
17. mod = import_module(module)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/utils/importlib.py" in import_module
35. __import__(name)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/backends.py" in <module>
2. from .oauth2_backends import get_oauthlib_core
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/oauth2_backends.py" in <module>
5. from .oauth2_validators import OAuth2Validator
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/oauth2_validators.py" in <module>
14. Application = get_application_model()
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/models.py" in get_application_model
239. raise ImproperlyConfigured(e.format(oauth2_settings.APPLICATION_MODEL))
Exception Type: ImproperlyConfigured at /accounts/authenticated/
Exception Value: APPLICATION_MODEL refers to model oauth2_provider.Application that has not been installed
It seems that the validators depend on APPLICATION_MODEL existing, but I'm trying to SSO from a separate client, so I shouldn't have to have another instance of Application on my client.
/cc @masci
The goal is to provide a view for registering applications that can be easily customized. That way the admin is no longer required.
On 'Start your app' it's better to tell the user to add oauth2_provider to the Django urls.py.
This is related to issue #24.
Problem is here:
class OAuth2Validator(RequestValidator):
def authenticate_client(self, request, *args, **kwargs):
# ...
auth_string_decoded = base64.b64decode(auth_string).decode(encoding)
client_id, client_secret = auth_string_decoded.split(':')
# ...
We should split the base64-decoded string only at the first colon.
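Splitting at the first colon is exactly what HTTP Basic allows: RFC 2617 forbids a colon in the userid but not in the password, so `client_id, client_secret = decoded.split(':')` raises ValueError (and hence a 500) as soon as a generated secret contains a colon. RFC 6749 2.3.1 additionally form-urlencodes client_id and client_secret before the base64 step, so both halves must be percent-decoded after the split. The following is an added example and not the toolkit's own validator; the names CLIENTS, parse_basic_credentials, extract_client_credentials, authenticate_client and basic_header are hypothetical and the client record is constructed. It also accepts the request-body form asked for in the confidential-client issue above, and rejects a request that uses both methods at once, as RFC 6749 2.3 requires.

```python
# Added example, not django-oauth-toolkit's own code.  Hypothetical names and
# a constructed client record; shows the first-colon split, percent-decoding,
# request-body fallback and a constant-time secret comparison.
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed sample store: client_id -> client_secret.  Both values contain
# ':' and '/' on purpose, the characters that break a naive split(':').
CLIENTS = {
    "my:client": "s3cr:et/with:colons",
}


def naive_split_breaks(decoded):
    """The bug described in the issue: unpacking decoded.split(':') into two
    names raises ValueError whenever the secret contains a colon."""
    try:
        client_id, client_secret = decoded.split(":")
    except ValueError:
        return True
    return False


def parse_basic_credentials(header_value):
    """Return (client_id, client_secret) from an Authorization header, or None.

    RFC 2617: the userid cannot contain ':' but the password can, so split at
    the FIRST colon only.  RFC 6749 2.3.1: both values were form-urlencoded
    before being joined, so percent-decode each half afterwards.
    """
    if not header_value:
        return None
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        decoded = base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep:
        return None  # no colon at all: not a Basic credential
    return unquote(client_id), unquote(client_secret)


def extract_client_credentials(headers, body_params):
    """Prefer HTTP Basic; fall back to request-body client_id/client_secret.

    The body form is NOT RECOMMENDED (RFC 6749 2.3.1) and a client MUST NOT
    use more than one authentication method per request (RFC 6749 2.3), so
    a request carrying both is treated as invalid rather than picking one.
    """
    from_header = parse_basic_credentials(headers.get("Authorization"))
    in_body = "client_id" in body_params and "client_secret" in body_params
    if from_header and in_body:
        return None
    if from_header:
        return from_header
    if in_body:
        return body_params["client_id"], body_params["client_secret"]
    return None


def authenticate_client(headers, body_params):
    """Return the authenticated client_id, or None (maps to 'invalid_client')."""
    creds = extract_client_credentials(headers, body_params)
    if creds is None:
        return None
    client_id, client_secret = creds
    expected = CLIENTS.get(client_id)
    if expected is None:
        return None
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of the secret were correct.
    if not hmac.compare_digest(expected.encode("utf-8"), client_secret.encode("utf-8")):
        return None
    return client_id


def basic_header(client_id, client_secret):
    """Build the header a spec-conforming client sends: percent-encode each
    value, join with ':', then base64 (RFC 6749 2.3.1)."""
    raw = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def raw_basic_header(client_id, client_secret):
    """Header from a client that skips the percent-encoding step (like the curl
    invocation above); the first-colon split still recovers the right secret
    as long as the client_id itself has no colon."""
    raw = "%s:%s" % (client_id, client_secret)
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")
```

Note that `unquote` on a secret a client never encoded will still alter it if the raw secret happens to contain a valid `%XX` sequence; that is the client's bug under the RFC, but it is one more reason to generate secrets from a URL-safe alphabet.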
Use the session to avoid users copying and pasting the same information across the steps to get an access token. For example, the application ID could be entered at the very beginning, then reused later.
I've been following the tutorial to try and get an SSO working for my project and I've been able to use the provider against the Heroku test app. Outside of that though, I've had no luck getting things working as I consistently get AccessDenied errors thrown.
I'm using requests_oauthlib to try and get through the authentication process and I'm not sure what to try anymore. I've tried putting client_id and client_secret in the response body as well as the auth= parameter shown below (the second method found mentioned here, https://groups.google.com/forum/#!topic/django-oauth-toolkit/KsDyKtrhhVg).
For clarity, the Application is a public, authorization-code application.
>>> from django.conf import settings
>>> client_id = settings.CLIENT_ID
>>> client_secret = settings.CLIENT_SECRET
>>> authorization_base_url = 'https://localhost:8443/authorize/'
>>> token_url = 'https://localhost:8443/token/'
>>> redirect_uri = 'https://localhost:8444/accounts/authenticated/'
>>> from requests_oauthlib import OAuth2Session
>>> base = OAuth2Session(client_id)
>>> authorization_url, state = base.authorization_url(authorization_base_url)
>>> print authorization_url
https://localhost:8443/authorize/?response_type=code&client_id=c4Jev7re0fLCmeWs%3DcmJ%3DXhXKrVA6f%40TyGaMUqju&state=RW0SLFm9SgllPrm01aZGDkaeZigUTu
>>> authorization_response = 'https://localhost:8444/accounts/authenticated/?state=RW0SLFm9SgllPrm01aZGDkaeZigUTu&code=rqoG2aZ5NrXYEj4xbeobxb3RjBirN7'
>>> token = base.fetch_token(token_url, authorization_response=authorization_response, auth=(client_id, client_secret))
Traceback (most recent call last):
File "<input>", line 1, in <module>
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 144, in fetch_token
self._client.parse_request_body_response(r.text, scope=self.scope)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/web_application.py", line 271, in parse_request_body_response
self.token = parse_token_response(body, scope=scope)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 297, in parse_token_response
validate_token_parameters(params, scope)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 304, in validate_token_parameters
raise_from_error(params.get('error'), params)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 223, in raise_from_error
raise cls(**kwargs)
AccessDeniedError
>>>
This is needed to avoid clashes
The idea is to have a view where the user can see and eventually revoke the authorizations (aka tokens) issued to third party clients.
This is mostly a question, so I'm sorry if it belongs on the mailing list.
Imagine a scenario with single app registered with password grant type. I'm using this app on 2 devices. I log in on device A, get access token and refresh token. Everything is peachy. I do the same on device B, everything is still great. When I come back to device A and access token expires, I can no longer use refresh token as it was overwritten when I got tokens on device B.
Is it possible to fix this somehow? I'd imagine having multiple refresh tokens could help this scenario, but I guess that would have also negative security implications.
I'd like to improve the Application model providing additional informative fields to be shown to the user in the authorization form. These are examples:
As reported by @ib-lundgren in issue #14 we should also consider the new dynamic client registration specification http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-12.
I've been able to get a client and a provider working in development, but once I've tried to get the same two applications working in production, I've been getting this really odd error with no traceback.
TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types
I experience this after pressing the "Authorize" button, getting sent to /authorize. I have no isinstance() calls in my code, so I can only deduce that there's something wrong with the toolkit.
Here's the logging; apparently the grants work and are made, but it throws a 500 before redirecting to the callback URI. Below are the logs generated from oauthlib.
2013-09-26T01:35:10.259563+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,259 authorization 13 44584784 Dispatching response_type code request to <oauthlib.oauth2.rfc6749.grant_types.authorization_code.AuthorizationCodeGrant object at 0x32fbc50>.
2013-09-26T01:35:10.264069+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,263 authorization_code 13 44584784 Validating redirection uri https://<example>.com/accounts/authenticated/ for client Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv.
2013-09-26T01:35:10.264069+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,264 authorization_code 13 44584784 Using provided redirect_uri https://<example>.com/accounts/authenticated/
2013-09-26T01:35:10.311315+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 base 13 44584784 Validating access to scopes [u'read', u'write'] for client u'Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv' (<Client: Example (Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv)>).
2013-09-26T01:35:10.311474+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Pre resource owner authorization validation ok for <oauthlib.common.Request object at 0x32fbdd0>.
2013-09-26T01:35:10.311966+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Created authorization code grant {u'state': u'V9D8D6hgGI5vnco4w4e8ExJPNDuvf0', u'code': u'4sCeKG0ZTZv43PfcCvdwP1Rz8k2KQS'} for request <oauthlib.common.Request object at 0x32fbdd0>.
2013-09-26T01:35:10.312043+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Saving grant {u'state': u'V9D8D6hgGI5vnco4w4e8ExJPNDuvf0', u'code': u'4sCeKG0ZTZv43PfcCvdwP1Rz8k2KQS'} for <oauthlib.common.Request object at 0x32fbdd0>.
Not sure what I can do here. I'm running 0.5.0.
Also, the query string looks like this (of course, I've substituted the URL):
response_type=code&client_id=Y1VEHZ%218.73lA%21afOkTq%21BkuoIEFq%3BGCRSNNdeUv&redirect_uri=https%3A%2F%2Fexample.com%2Faccounts%2Fauthenticated%2F&state=V9D8D6hgGI5vnco4w4e8ExJPNDuvf0
Add a glossary section for some terms like 'Client type' or 'Authorization grant type' because their meaning and use aren't clear during tutorial.
This is related to HTTP Basic Auth: the spec forbids the use of colon char in the userid but not in the password. See RFC2617 for more details
Use RegistrationForm for all the views; at the moment it is used only for ApplicationRegistration.
Bonus: make it configurable so users who implement their own Application model can write their own form and reuse the views.
In the playground application deployed on Heroku, the homepage contains a link to read the docs that is broken.