Django OAuth 2客户端设置 - 客户端不识别令牌 [英] Django OAuth 2 client setup - client isn't recognizing tokens
问题描述
OAuth提供商似乎工作正常。我可以在指向OAuth提供商的客户端服务上创建一个链接。然后用户登录,并提示是否允许/拒绝应用程序。如果用户允许应用程序,则将用户重定向回客户端服务,并且URI包含访问令牌。因为这个服务需要从一个网站和一个移动客户端访问,所以我使用了一个隐含的授权,并按照这样做: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps 。
与提供商的一切都符合预期,但我遇到的客户端服务应用程序也是一个Django应用程序。它似乎没有识别重定向URI中的令牌,因此我无法对该服务进行任何身份验证的请求。
我已经对客户端服务的settings.py进行以下更改:
我已经添加了AUTHENTICATION_BACKENDS部分,如下所示:
AUTHENTICATION_BACKENDS =(
'django.contrib.auth.backends.ModelBackend',
'oauth2_provider.backends.OAuth2Backend',
)
我已将oauth2_provider.middleware.OAuth2TokenMiddleware添加到MIDDLEWARE_CLASSES部分。
我已将oauth2_provider添加到INSTALLED_APPS。
REST_FRAMEWORK部分现在如下所示:
REST_FRAMEWORK = {
'DEFAULT_MODEL_SERIALIZER_CLASS':
'rest_framework.serializers.HyperlinkedModelSerializer',
'DEFAULT_AUTHENTICATION_CLASSES':((
oauth2_provider.ext。
$ b'DEFAULT_PERMISSION_CLASSES':(
'rest_framework.permissions.IsAuthenticated',
),
}
我还添加了OAUTH_PROVIDER部分:
OAUTH2_PROVIDER = {
#这是可用范围的列表
'SCOPES':{'read':'读取范围','写入':'写入范围' ,'groups':'访问你的团体'}
}
可以看出,我的settings.py中还有一些其他东西,我会告诉Django寻找令牌,但是我可能会有这样的损失。
有人可以指出我在这里可能丢失的方向正确吗?
编辑:我应该澄清我的结果尝试在客户端服务上调用某些东西时获取。当我向客户端服务发出卷曲请求时,如下所示(除了实际值插入):
curl -H授权:承载token_goes_herehttps://service.com/api/some_api/call
我得到结果:
{detail:未提供身份验证凭据}
就像客户端服务没有在正确的位置查看凭据,这使我觉得有些东西没有设置好
DEFAULT_PERMISSION_CLASSES对REST_FRAMEWORK进行的身份验证被禁止非验证请求。
如果您计划使用javascript访问您的REST API,请参阅 https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/tests/test_implicit.py
对于隐性赠款流,您必须:
- 通过ModelBackend与用户登录和密码登录
- 创建oauth2应用程序(/ o / applications /)
或从django控制台查看测试。 - 从 / o / authorize /url与登录的用户。
- 那么你必须添加令牌到'HTTP_AUTHORIZATION':'承载'+ access_token头来访问API资源。而我认为,在这个工作流程中,我们不需要auth_backends和中间件,因为我们在REST_FRAMEWORK中有DEFAULT_AUTHENTICATION_CLASSES。
基于lib
https://oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html
或者您可以使用更简单的资源所有者密码,如DOT文档所述...
I attempting to use the Django OAuth Toolkit in a project I'm working on. I've set up two servers - one as the OAuth provider and another as a client service that is accessed only by authenticated users.
The OAuth provider seems to be working just fine. I'm able to create a link on the client service that directs to the OAuth provider. The user then logs in, and is prompted whether to allow/deny the application. If the user allows the application, the user is then redirected back to the client service, and the URI contains the access token. Because this service needs to be accessible from both a website and a mobile client, I'm using an implicit grant, and following this way of doing things: https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#browser-based-apps.
Everything with the provider seems to work as expected, but I'm having issues with the client service app, which is also a Django application. It doesn't appear to recognize the token in the redirect URI, and as a result I'm unable to make any authenticated requests against the service.
I've made the following changes to the client service's settings.py:
I've added the AUTHENTICATION_BACKENDS section, as follows:
AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', 'oauth2_provider.backends.OAuth2Backend', )I've added oauth2_provider.middleware.OAuth2TokenMiddleware to the MIDDLEWARE_CLASSES section.
I've added oauth2_provider to the INSTALLED_APPS.
The REST_FRAMEWORK section now looks like:
REST_FRAMEWORK = { 'DEFAULT_MODEL_SERIALIZER_CLASS': 'rest_framework.serializers.HyperlinkedModelSerializer', 'DEFAULT_AUTHENTICATION_CLASSES': ( 'oauth2_provider.ext.rest_framework.OAuth2Authentication', ), 'DEFAULT_PERMISSION_CLASSES': ( 'rest_framework.permissions.IsAuthenticated', ), }I've also added the OAUTH_PROVIDER section:
OAUTH2_PROVIDER = { # this is the list of available scopes 'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'} }As near as I can figure, there must be something else that I'm missing in my settings.py that will tell Django to look for the token, but I'm at a bit of a loss on what this might be.
Can someone point me in the right direction on what I might be missing here?
EDIT: I should clarify the results I'm getting when attempting to call something on the client service. When I make a curl request to the client service, like so (except with real values plugged in):
curl -H "Authorization: Bearer token_goes_here" https://service.com/api/some_api/callI get a result of:
{"detail": "Authentication credentials were not provided."}It's as if the client service isn't looking in the right place for the credentials, which makes me think that something isn't set up quite right.
解决方案DEFAULT_PERMISSION_CLASSES IsAuthenticated for REST_FRAMEWORK is blocked non auth requests.
If you planned using javascript to access your REST API see https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/tests/test_implicit.py
For "Implicit Grant Flow" you must:
- login via ModelBackend with user login and password.
- create oauth2 application ( /o/applications/ ) or from django console, see test.
- get auth token from "/o/authorize/" url with logged in user.
- then you must add token to "'HTTP_AUTHORIZATION': 'Bearer ' + access_token," header, to access API resourses.
And, i think, at this workflow we do not need auth_backends and middleware because we have DEFAULT_AUTHENTICATION_CLASSES in REST_FRAMEWORK.
All grant types you can see in DOT based on lib https://oauthlib.readthedocs.org/en/latest/oauth2/grants/grants.html
Or you can use more simplest "Resource owner password-based" as in DOT documentation described...
这篇关于Django OAuth 2客户端设置 - 客户端不识别令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
