OAuth - generate token with JSON instead of POST fields as input


Yuri Prezument

Aug 12, 2013, 3:55:21 AM
to django-res...@googlegroups.com
Hi,

A question to someone who's been doing oauth2 as an authentication method, with django-oauth2-provider or django-oauth-toolkit...

Is there an easy way to make the token view accept json fields instead of post? Or maybe a way to create a DRF view that does the same?

It seems weird to me that all my API views accept json, except the authentication views...
Any thoughts?

Thanks,
Yuri

Tom Christie

Aug 13, 2013, 4:33:28 AM
to django-res...@googlegroups.com
Hi Yuri,

Specifically which views does this apply to - the views inside those packages, or something in REST framework? I'm looking at django-oauth2-provider's AccessToken view, which I guess is what you're referring to?

It may be that some of the views you're looking at are specified by the OAuth spec to take form encoded data. Otherwise you could raise an issue against those packages to see what the maintainers think about having those views accept JSON input too.

Having said that, they'd need to do a bit of hacking around to accept both JSON and form encoded data otherwise. (I.e. they won't be able to just use REST framework's request.DATA, as it's not a dependency for those projects.)

Cheers,

  Tom

Yuri Prezument

Aug 13, 2013, 4:52:07 AM
to django-res...@googlegroups.com
Yeah, I was talking about AccessTokenView.

Sounds kinda hacky to add json support to oauth provider views...

Maybe a better approach is to make a rest framework "wrapper" view for the access token view?
One that could accept any input that rest framework would accept and pass it on to oauth-provider's view.
This will also allow using the browsable API for the process and displaying customized error messages...

Yuri Prezument

Aug 13, 2013, 4:54:15 AM
to django-res...@googlegroups.com
I'll try making a custom view, which passes request.DATA to the django-oauth2-provider view as post fields, and see how it goes...

Yuri Prezument

Aug 14, 2013, 12:26:41 PM
to django-res...@googlegroups.com
It's getting too complicated... I don't really know what to do about it.
Maybe I should try using django-oauth-toolkit instead of oauth2-provider.

Massimiliano Pippi

Aug 15, 2013, 11:32:33 AM
to django-res...@googlegroups.com
On Wed, Aug 14, 2013 at 6:26 PM, Yuri Prezument <y.pre...@gmail.com> wrote:
> It's getting too complicated... I don't really know what to do about it.
> Maybe I should try using django-oauth-toolkit instead of oauth2-provider.
>
Provided that as per RFC 6749 a Token endpoint of an OAuth2 provider
accepts data in "application/x-www-form-urlencoded" format, Django
OAuth Toolkit is flexible enough to let you bend the standard a little
bit :-), even if the procedure is not trivial nor documented.

If you follow the path of a token request from the view backward, the
story is this: TokenView handles the request and in the post method
makes a call to create_token_response:
https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/views/base.py#L136

create_token_response is provided by OAuthLibMixin:
https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/views/mixins.py#L95

DOT has the concept of "oauth providers", to which it delegates oauth
logic. OAuthLibMixin uses "oauthlib provider", the default, retrieved
by the method get_oauthlib_core which returns an instance of
OAuthLibCore:
https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/views/mixins.py#L66

Then the part most interesting for you. The _extract_params method
from OAuthLibCore takes a Django request, extracts the data from it
and puts such data back in the OAuth2 workflow. This is the place where
DOT assumes data is in "application/x-www-form-urlencoded" format, and
where you can implement your own logic, likely taking data from
request.body instead of request.POST:
https://github.com/evonove/django-oauth-toolkit/blob/master/oauth2_provider/backends.py#L18

So this is what you have to do (not tested, take it as a hint):
* Implement your own oauthlib provider, you can derive from
OAuthLibCore and override just the _extract_params method.
* Implement your own oauth mixin, you can derive from OAuthLibMixin
and make it use the provider from previous step
* Implement your own TokenView, using the mixin from previous step.

Hope this helps and I didn't go too much OT for this list.

Should you have any further question regarding Django OAuth Toolkit,
feel free to ask in the official mailing list:
http://groups.google.com/group/django-oauth-toolkit
and if you step into some bug or design flaw, please report an issue,
any help is appreciated!

Cheers

--
M.

http://twitter.com/maxpippi :: http://masci.wordpress.com
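
The parsing step that an `_extract_params` override like the one described above would need, as an added example that is not part of the original thread or of Django OAuth Toolkit's code: it normalizes either a form-encoded or a JSON body into flat string pairs. `token_params`, `BadTokenRequest` and the size cap are hypothetical names and values, and the sample body is constructed.

```python
import json
from urllib.parse import parse_qsl

MAX_BODY = 8192  # assumed cap; token requests are small


class BadTokenRequest(ValueError):
    """Body cannot be mapped onto flat OAuth2 token parameters."""


def _reject_duplicates(pairs):
    # RFC 6749 section 3.2: parameters must not appear more than once.
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        raise BadTokenRequest("duplicate parameter")
    return dict(pairs)


def token_params(content_type, body):
    """Return [(name, value), ...] from a form-encoded or JSON request body."""
    if len(body) > MAX_BODY:
        raise BadTokenRequest("body too large")
    media_type = content_type.split(";", 1)[0].strip().lower()
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        raise BadTokenRequest("body is not UTF-8")
    if media_type == "application/x-www-form-urlencoded":
        data = _reject_duplicates(parse_qsl(text, keep_blank_values=True))
    elif media_type == "application/json":
        try:
            data = json.loads(text, object_pairs_hook=_reject_duplicates)
        except ValueError as exc:
            raise BadTokenRequest(str(exc))
        if not isinstance(data, dict):
            raise BadTokenRequest("JSON body must be an object")
    else:
        raise BadTokenRequest("unsupported content type")
    # Form fields are always strings; hold JSON to the same rule so nested
    # objects, arrays, numbers and null never reach the grant handlers.
    if not all(isinstance(value, str) for value in data.values()):
        raise BadTokenRequest("parameter values must be strings")
    return list(data.items())


# Constructed sample request body, not taken from the thread.
SAMPLE_JSON = b'{"grant_type": "password", "username": "alice", "password": "s3cret"}'
```

Rejecting duplicate names and non-string values keeps the JSON path from accepting anything the form-encoded path could not express.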

Yuri Prezument

Aug 15, 2013, 11:44:49 AM
to django-res...@googlegroups.com
Wow, thanks for the detailed answer... I'll try that