oauth2 grant type authorization code unable to get request.user


Shekar Tippur

Jun 22, 2015, 8:26:46 PM
to django-res...@googlegroups.com
Hello,

I have an oauth2 application that should cater to mobile logins with the following variables.

client_type public
authorization_grant_type is authorization code
name test

Based on this, I have a client_id and a secret.

I am struggling to get a code back. When I try to go to the authorize link, I get redirected to the redirect_uri link:

$ curl -L "http://localhost:8000/o/authorize/?state=random_state_string&response_type=code&client_id=bTe9KnSdEJxIj0SqzAZXCRR13dohMzKUq6q9Tl4v"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <style>
      input.required, error {
        border: 2px solid red;
      }
    </style>
    <title>Log in</title>
</head>

<body>
    <div id="sidebar">
    </div>

    <div id="content">
<form method="post" action="" id="loginForm">
    <input type='hidden' name='csrfmiddlewaretoken' value='VALUE' />
    <p><label for="id_username">Username:</label> <input id="id_username" maxlength="254" name="username" type="text" /></p>
<p><label for="id_password">Password:</label> <input id="id_password" name="password" type="password" /></p>
    <input type="hidden" name="next" value="/o/authorize/?state=random_state_string&amp;response_type=code&amp;client_id=VALUE" />
    <input type="submit" value="Log in" />
</form>

<p>Forgot your password? <a href="/accounts/password/reset/">Reset it</a>.</p>
<p>Not a member? <a href="/accounts/register/">Register</a>.</p>
    </div>
</body>
</html>


I am unable to get a code back as I get stuck at the login screen. Can someone please explain to me how to get complete authentication working using the django oauth2 framework?


I have followed http://django-oauth-toolkit.readthedocs.org/en/latest/tutorial/tutorial_01.html


Shekar Tippur

Jun 22, 2015, 8:29:40 PM
to django-res...@googlegroups.com
I guess I cut short on my question. I want to proceed further and get a user name who got authenticated. 

Shekar Tippur

Jun 25, 2015, 3:42:01 AM
to django-res...@googlegroups.com
Any updates on this please? I am stuck with this issue for quite a while now.

Chris Foresman

Jun 25, 2015, 12:37:29 PM
to django-res...@googlegroups.com
My best guess is that you're not using the service's OAuth2 API correctly. Like most OAuth2 logins, you're taken to the external service to authenticate. Once you do that, whatever service is authenticating you will return a token that can then be used to verify that a particular user has authenticated your app against their service. Without specific documentation on the service you are trying to use, no one is going to be able to help you.

Zoltan Szalai

Jun 25, 2015, 2:05:13 PM
to django-res...@googlegroups.com
Hi,

1. Visit in your browser (normally you direct your users here from your application):
http://localhost:8000/o/authorize/?client_id=<client_id>&response_type=code&state=<state>

You can optionally specify redirect_uri and scope params here.

2. Login with a user and authorize

3. You get redirected to: <redirect_uri>?state=<state>&code=<authorization_code>

4. The view that gets called here should verify the state and can exchange the code for an access token with a POST request like this (I'm using httpie to demonstrate):

http POST http://localhost:8000/o/token/ grant_type=authorization_code client_id=<client_id> client_secret=<client_secret> code=<authorization_code> redirect_uri=<one_of_the_redirect_uris_of_the_application> --form

On success, you should get back an access_token among other values.
Note 1: the request Content-Type is application/x-www-form-urlencoded
Note 2: you only have AUTHORIZATION_CODE_EXPIRE_SECONDS to make a successful call. (https://django-oauth-toolkit.readthedocs.org/en/latest/settings.html#authorization-code-expire-seconds)

5. You can now call a protected API endpoint by adding the "Authorization: Bearer <access_token>" header to the request. In the API view you can access the authenticated user (from step 2) in request.user and the access token in request.auth.
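Steps 1, 3 and 4 above as an added, stand-alone example (not code from this thread or from django-oauth-toolkit): the client keeps the state in the session, the redirect handler rejects a callback whose state does not match, and only then exchanges the code with a form-encoded POST to /o/token/. The client_id, client_secret and the /callback/ redirect_uri are placeholders; `session` stands in for a Django request.session, and `post` is swappable so the exchange can be exercised without a running server.

```python
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "http://localhost:8000/o/authorize/"
TOKEN_URL = "http://localhost:8000/o/token/"
CLIENT_ID = "<client_id>"            # placeholder: the application's client_id
CLIENT_SECRET = "<client_secret>"    # placeholder: the application's secret
REDIRECT_URI = "http://localhost:8000/callback/"  # assumed: a registered redirect URI served by handle_callback


def build_authorize_url(session):
    """Step 1: mint an unguessable state, remember it, and build the link the user is sent to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "state": state, "redirect_uri": REDIRECT_URI}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)

def post_form(url, fields):
    """POST application/x-www-form-urlencoded (Note 1 above) and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

def handle_callback(session, query, post=post_form):
    """Steps 3 and 4: the view behind redirect_uri. `query` is the parsed query string."""
    expected = session.pop("oauth_state", None)        # one-time use, even on failure
    got = query.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "code" not in query:                             # user denied, or the server sent an error
        raise ValueError("no authorization code: %s" % query.get("error", "unknown error"))
    token = post(TOKEN_URL, {                           # within AUTHORIZATION_CODE_EXPIRE_SECONDS
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,                   # must equal the one sent in step 1
    })
    if "access_token" not in token:
        raise ValueError("token endpoint returned no access_token: %r" % token)
    return token
```

With the returned access_token, step 5 is just the `Authorization: Bearer <access_token>` header on the API request.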

Shekar Tippur

Jun 30, 2015, 12:02:32 AM
to django-res...@googlegroups.com
Chris,

Thanks for responding. I can follow http://django-oauth-toolkit.readthedocs.org/en/latest/tutorial/tutorial_01.html where I can go to heroku link and get a token. I am unable to simulate the same on my local environment.

- Shekar

Shekar Tippur

Jun 30, 2015, 12:20:19 AM
to django-res...@googlegroups.com
Here is the output from Step 1.

Here is the access log:

[30/Jun/2015 04:03:06]"GET /accounts/login/?code=FUk9bWEq7s3TTVDesZavJI6dDYvrGq&state=random_state_string HTTP/1.1" 200 910
[30/Jun/2015 04:03:09]"GET /accounts/login/?next=/o/authorize/%3Fresponse_type%3Dcode%26client_id%3DfiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0%26state%3Drandom_state_string HTTP/1.1" 200 1027
[30/Jun/2015 04:05:16]"GET /o/authorize/?client_id=fiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0 HTTP/1.1" 302 0
[30/Jun/2015 04:05:16]"GET /accounts/login/?next=/o/authorize/%3Fclient_id%3DfiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0 HTTP/1.1" 200 974
[30/Jun/2015 04:05:36]"GET /o/authorize/?client_id=fiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0&response_type=code&state=random_state_string HTTP/1.1" 302 0
[30/Jun/2015 04:05:36]"GET /accounts/login/?next=/o/authorize/%3Fclient_id%3DfiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0%26response_type%3Dcode%26state%3Drandom_state_string HTTP/1.0" 200 1027
[30/Jun/2015 04:06:14]"GET /o/authorize/?client_id=fiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0&response_type=code&state=random_state_string HTTP/1.1" 302 0
[30/Jun/2015 04:06:14]"GET /accounts/login/?next=/o/authorize/%3Fclient_id%3DfiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0%26response_type%3Dcode%26state%3Drandom_state_string HTTP/1.0" 200 1027
[30/Jun/2015 04:09:03]"GET /o/authorize/?client_id=fiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0&response_type=code&state=random_state_string HTTP/1.1" 200 3136
[30/Jun/2015 04:09:04]"POST /o/authorize/?client_id=fiXzCWfEocpT5Ff2TlftBcBRMC0zGSBQzDIS0sn0&response_type=code&state=random_state_string HTTP/1.1" 302 0
[30/Jun/2015 04:09:04]"GET /accounts/login/?code=4ciYjgIdwrsC3hfCke8t8noY2o1vJE&state=random_state_string HTTP/1.1" 200 910
[30/Jun/2015 04:09:04]"GET /accounts/login/style.css HTTP/1.1" 404 5655
[30/Jun/2015 04:09:31]"POST /accounts/login/ HTTP/1.1" 302 0
[30/Jun/2015 04:09:31]"GET / HTTP/1.1" 403 0

As you can see, there is a 403 at the end :(

Shekar Tippur

Jun 30, 2015, 3:58:39 AM
to django-res...@googlegroups.com
Looks like the login form is not passing the credentials to the view. When I use permission_classes = [permissions.AllowAny] in my custom view, and try to print request.user, I get AnonymousUser

Do I need to change the action?

Here is my templates/registration/login.html

{% extends "base.html" %}

{% block content %}

{% if form.errors %}
<p>Your username and password didn't match. Please try again.</p>
{% endif %}

<form method="post" action="{% url 'django.contrib.auth.views.login' %}">
{% csrf_token %}
<table>
<tr>
    <td>{{ form.username.label_tag }}</td>
    <td>{{ form.username }}</td>
</tr>
<tr>
    <td>{{ form.password.label_tag }}</td>
    <td>{{ form.password }}</td>
</tr>
</table>

<input type="submit" value="login" />
<input type="hidden" name="next" value="{{ next }}" />
</form>

{% endblock %}
