is it possible to use both oauth2 toolkit and another auth backend


Mark Mikofski

Feb 9, 2017, 5:00:39 PM
to Django REST framework
I would like to use django-oauth-toolkit in combination with other auth backends. Is this possible?

I want to set up a resource and provider on the same web server, to serve both as an auth service provider and as an API resource.
They have a common user database, as well as a token table using the DRF token auth backend.

For some applications I want them to authenticate using OAuth for their user, e.g. get a token from the provider and then authenticate using the token for their user.

But some applications don't have any users, and they could just authenticate directly with the resource using the DRF token auth backend.

And I want to be able to log into the resource directly using my username and password using the DRF/Django builtin session backend.

When I try this, it works to use my username and password in the admin webpage and the DRF webpage of the resource (which is also the provider).

And it also works if I send a request (using curl or python-requests) from the command line using oauth2 tokens,
but if I try to send a request using either username/password or the DRF token, I get either a 401, 403 or a traceback that says:

AssertionError: TokenHasScope requires the `oauth2_provider.rest_framework.OAuth2Authentication` authentication class to be used.

If I don't provide any backend at all, what is the default? Is it always the session backend?

Thanks!
Mark

Mark Mikofski

Feb 9, 2017, 8:00:05 PM
to Django REST framework
The answer is yes, I was able to use multiple backends.

The token, basic, session and django-ldap backends all worked fine together, as long as I disable scopes for django-oauth-toolkit (DOT), because the default DRF token backend doesn't have scopes, so I'll have to work that out.

I believe that tutorial 4 explains that the default backends for DRF are basic and session, depending on whether you're using the command line (basic by default) or the browser (session by default).

thanks! and sorry for spamming everyone with my own personal problems.
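
Added example, not part of the thread and not code from DRF or django-oauth-toolkit: a simplified pure-Python model of why a strict scope permission rejects requests authenticated by the token or basic backends, next to a permission that enforces scopes only on OAuth2 requests. The `Request` tuple, the credential stores and both permission functions are assumptions made for illustration.

```python
import base64
from collections import namedtuple

Request = namedtuple("Request", "user auth backend")

class OAuth2Token:
    """Stand-in for an OAuth2 access token with a space-separated scope."""
    def __init__(self, scope):
        self.scope = scope
    def allows(self, required):
        return set(required) <= set(self.scope.split())

# Constructed credential stores (sample values, not from the thread).
OAUTH2_TOKENS = {"oa2-read": OAuth2Token("read")}
DRF_TOKENS = {"drf-key-1": "batch-job"}  # key -> user; carries no scope
PASSWORDS = {"mark": "s3cret"}

def authenticate(headers):
    """The first backend that accepts the credential sets user and auth."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Bearer" and value in OAUTH2_TOKENS:
        return Request("app-user", OAUTH2_TOKENS[value], "oauth2")
    if scheme == "Token" and value in DRF_TOKENS:
        return Request(DRF_TOKENS[value], value, "token")
    if scheme == "Basic":
        user, _, pw = base64.b64decode(value).decode().partition(":")
        if PASSWORDS.get(user) == pw:
            return Request(user, None, "basic")  # like session: auth is None
    return Request(None, None, None)

def token_has_scope(req, required):
    """Strict check: only an OAuth2 token can satisfy it."""
    if not req.auth:
        return False  # basic/session login -> permission denied (403)
    if hasattr(req.auth, "scope"):
        return req.auth.allows(required)
    # A DRF token is truthy but has no scope: the traceback from the thread.
    raise AssertionError("TokenHasScope requires OAuth2Authentication")

def scope_or_authenticated(req, required):
    """Enforce scopes on OAuth2 requests; accept other authenticated users."""
    if req.user is None:
        return False
    if req.backend == "oauth2":
        return req.auth.allows(required)
    return True  # trade-off: token/basic credentials are not scope-limited
```

django-oauth-toolkit's `oauth2_provider.contrib.rest_framework` module includes an `IsAuthenticatedOrTokenHasScope` permission that behaves along similar lines. With either approach, non-OAuth2 credentials are not limited by scope, so they should be issued only to clients trusted with full access.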

Tom Christie

Feb 10, 2017, 4:45:54 AM
to Django REST framework
> sorry for spamming everyone with my own personal problems

:) Actually I quite liked the confirmation that everything works as it's supposed to!
Well described cases like this are always appreciated, even if you end up resolving them yourself.

Cheers,

  Tom :)

Mark Mikofski

Feb 11, 2017, 3:30:35 AM
to Django REST framework
Thanks! I do have a follow up question about scopes that I posted separately.

Benjamin SOULAS

Aug 24, 2018, 9:35:08 AM
to Django REST framework
Hi Mark,

I am interested in the fact that you handled Token from LDAP; do you have examples of how you implement it? Just for the context, I have to implement an API (with DRF or not, for now it is DRF). For testing it (e.g. with Postman) it works fine with DRF Token authentication (easy to implement, by the way).

But now, people asked me to see how we could handle LDAP users in our API. Does it create DRF users (to be more precise, is the DRF auth a Django native implementation, so it could be OK with DRF authentication)?

I don't really know if I am clear, but if I could make a synthesis: could I use django-auth-ldap on my DRF API which uses DRF Token Authentication?

Kind regards,

Benjamin

Mark Mikofski

Aug 25, 2018, 5:21:56 PM
to django-res...@googlegroups.com
Hi Benjamin, as I recall I did successfully use both django-auth-ldap [1] and django-oauth-toolkit [2] with DRF, but I didn't use the DRF token authentication [3], although I did use basic. The reason I couldn't use token auth from DRF is because it didn't have scopes, which OAuth2 does, so they were not compatible, I believe, although my memory is fuzzy. Anyway, the use case, apps that don't have users, was covered by django-oauth-toolkit by setting those apps' grant type to client credential [4].

for oauth2 see also:

hope this helps


--
Being deeply loved by someone gives you strength;
loving someone deeply gives you courage.
Lao Tzu

Benjamin SOULAS

Aug 27, 2018, 2:45:32 AM
to Django REST framework
Hi again Mark,

Thank you very much for your reply, very fast and very complete in explanations!!! So I should remove my DRF Token authentication and use DRF Basic Authentication, as I understood. A friend of mine gave me the same answer as yours. The only thing I don't understand are the "scopes" you talked about (I am not an expert at all in Django dev, so some stuff doesn't really talk to me actually). For now, the only thing I have to know is the LDAP authentication with Django (ideally with DRF) and how to manage groups (it is explained in django-auth-ldap), so I have to figure it out. Also, I saw that a Python LDAP (native) exists, so even if I don't use Django (but Tornado, to give another FW), it is still possible.

Thank you very much once again.

Kind regards,

Benjamin.