Django OAuth - Separate Resource and Authorization Server


Question

I am using the Django OAuth library.

I want to have different Auth and Resource Servers.

On the Auth Server, my settings are as follows.

INSTALLED_APPS = [
    ...
    'oauth2_provider',
    'rest_framework',
]


REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
}

# ############## OAUTH SETTINGS ###################

OAUTH2_PROVIDER = {
    'SCOPES': {'users': 'user details', 'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups', 'introspection': 'introspection'},
    'ACCESS_TOKEN_EXPIRE_SECONDS': 86400,  # 1 Day.
}

On my Resource Server:

INSTALLED_APPS = [
    ...
    'oauth2_provider',
    'rest_framework',
]


REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
}

# ############## OAUTH SETTINGS ###################

OAUTH2_PROVIDER = {
    'RESOURCE_SERVER_INTROSPECTION_URL': 'http://localhost:8000/o/introspect/',
    'RESOURCE_SERVER_AUTH_TOKEN': '3yUqsWtwKYKHnfivFcJu',
}

Question 1)

How do I get RESOURCE_SERVER_AUTH_TOKEN?

Question 2)

Upon introspecting the token, the Auth Server returns a 403 Forbidden error in the console logs.

Following is the flow to obtain the access token.

I get the client_id, client_secret, grant_type and scopes from the client's POST request to the Resource Server. I call the Auth Server from the Resource Server and return the response back to the client.

What exactly am I missing?

Answer

According to the django-oauth-toolkit implementation, the Resource Server first tries to check whether the access token is available in its DB or not.

If the access token is not present, it checks whether the introspection URL and introspection token are available in settings. If the introspection settings are available, then the Resource Server tries to validate the user token with the introspection endpoint.

So the issue seems to be that the AUTH SERVER and DRF might be returning 403 Forbidden since the permission is set as IsAuthenticated. This could be either due to an invalid token or an invalid user.

So create a user for the Resource Server and then create an application for the Resource Server user.

Create the application with

client_type=Application.CLIENT_CONFIDENTIAL
authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE

and generate a token through the admin site and update the Resource Server INTROSPECTION setting with the newly created token. Make sure you put the appropriate scopes while creating the token.

