Python-Social-Auth with DRF (+ authentication doubts)

1675 views
Skip to first unread message

Pawel Kozela

unread,
Apr 11, 2014, 4:25:00 AM4/11/14
to django-res...@googlegroups.com
Hi guys,

I'm developing a back-end for a mobile application and I kind of struggle (hard) to get my mind clear now on how to handle the authentication with social accounts.

Currently, I use rest_framework.authentication.OAuth2Authentication, so the mobile app sends all requests with the OAuth2 token and it works all OK.

However, in my app I will need to connect the user app with different services (FB, Google, Linkedin etc) and request those from the server. I did this with some ad-hoc code for tests, but now I wanted something clean.

I need 2 things:
- ability to associate different social accounts to user account
- ability to log-in with social accounts (no sign-up with social accounts)

I have taken a look at python-social-auth and it seems to do just that, but I don't see how I can make it work with DRF. For instance, I don't use sessions. If my understanding is good, in Django it's the login() function that attaches the user attribute to the request (and creates / updates the current session). In DRF it's done in the authentication back-end, without the use of sessions right ?

Have somebody been able to use those two together ?

Rodrigo Gadea

unread,
Apr 11, 2014, 5:45:04 AM4/11/14
to django-res...@googlegroups.com



On Fri, Apr 11, 2014 at 5:25 AM, Pawel Kozela <pawel....@gmail.com> wrote:
Hi guys,


Hi Pawel,
 
I'm developing a back-end for a mobile application and I kind of struggle (hard) to get my mind clear now on how to handle the authentication with social accounts.

Currently, I use rest_framework.authentication.OAuth2Authentication, so the mobile app sends all requests with the OAuth2 token and it works all OK.

However, in my app I will need to connect the user app with different services (FB, Google, Linkedin etc) and request those from the server. I did this with some ad-hoc code for tests, but now I wanted something clean.

I need 2 things:
- ability to associate different social accounts to user account

This is what PSA does in the authentication pipeline for each backend (FB, Goolge, Linkedin). When you call psa to do the auth, it will do the association 
 
- ability to log-in with social accounts (no sign-up with social accounts)


You have to remove the "create_user" function from the authentication pipeline of PSA
 
I have taken a look at python-social-auth and it seems to do just that, but I don't see how I can make it work with DRF. For instance, I don't use sessions. If my understanding is good, in Django it's the login() function that attaches the user attribute to the request (and creates / updates the current session). In DRF it's done in the authentication back-end, without the use of sessions right ?

You should take a look at:

If you do the request by https (as you should for oauth2), then you create an endpoint with "AllowAny" to POST the token you obtain from the Provider or Backend (FB, Google, LinkedIn) via their SDK / Javascript (if you don't mind redirections, you can use the "/login/<backend>/" endpoints that PSA provides, then rely on the cookies set to get your app's token).

Once you get the User object (because the auth succeeded) from register_by_access_token(), you can generate your app's oauth2 token (probably with something like AccessToken.objects.get_or_create(user=User, client=client, scope=scope_read)) and return it in the serializer or the Response of the endpoint.

Then your client can use that token in its requests to auth to your server.

HTH,
Rodrigo


Have somebody been able to use those two together ?

--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-fram...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pawel Kozela

unread,
Apr 11, 2014, 5:52:02 AM4/11/14
to django-res...@googlegroups.com
Hi Rodrigo,

yep, I've seen this example - it's doing this part indeed. As I don't use Django authentication (nor sessions), only DRF authentication, I put the PSA backends in :
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (...)
}

rather than Django's;
AUTHENTICATION_BACKENDS = ()

right ?

Regards,
Pawel

Rodrigo Gadea

unread,
Apr 11, 2014, 6:01:32 AM4/11/14
to django-res...@googlegroups.com
On Fri, Apr 11, 2014 at 6:52 AM, Pawel Kozela <pawel....@gmail.com> wrote:
Hi Rodrigo,

yep, I've seen this example - it's doing this part indeed. As I don't use Django authentication (nor sessions), only DRF authentication, I put the PSA backends in :
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (...)
}

rather than Django's;
AUTHENTICATION_BACKENDS = ()

right ?


No, you should put the enabled PSA backends in AUTHENTICATION_BACKENDS (before ModelBackend), which are different from DEFAULT_AUTH_CLASSES. The last one is only for authing the requests to the API, PSA is just another django app.
Reply all
Reply to author
Forward
0 new messages