Hi,
I know questions on how to use django-rest-framework + django-oauth-toolkit + python-social-auth for an api consumed by a mobile app have been asked many times. I've read through many of them and I've read Kevin Brown's great answer to this SO question http://stackoverflow.com/questions/27051209/.... but I still have a question :).
I'm adding facebook authorization to my iOS app. My api is created with django-rest-framework and uses django-oauth-toolkit's OAuth2Authentication. I don't want to use the iOS facebook SDK to handle the facebook oauth2 dance. I want my django app to be the facebook oauth2 client and get the facebook access token so it can use the facebook client secret during authorization and I can trust the access token I get back from facebook. I have it working but I'm hoping someone is willing to sanity check my implementation:
1. My iOS app opens a SafariViewController at social/login/facebook/
2. python-social-auth handles all the oauth2 authorization and creates/updates and associates the facebook access token with a django user
3. I added a pipeline function to the end of the default pipeline called generate_internal_oauth_tokens that generates the django-oauth-toolkit tokens and adds the access_token.id into the session
4. I set SOCIAL_AUTH_FACEBOOK_LOGIN_REDIRECT_URL = '/social/mobile_redirect/'
5. At the end of the pipeline python-social-auth redirects the browser to the /social/mobile_redirect/ view (which I created). In that view I check the session for the access_token.id, fetch the access token, and then redirect again to my custom iOS url scheme appending the django-oauth-toolkit tokens to the url query string, e.g., myiosapp://?access_token=<access_token>&refresh_token=<refresh_token>
6. My iOS app stores the tokens and uses them to communicate with my api
Does that seem sensible? Are there any security implications?
I figured this was better than implementing an endpoint that converts a facebook token (received from the iOS app via the iOS facebook SDK) to an internal token because I can verify that the person initiating the request to social/login/facebook knows the facebook credentials.
Cheers,
Mark
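As an added example (not Mark's code and not part of django-oauth-toolkit, python-social-auth or DRF), one way to keep the tokens from step 5 out of the myiosapp:// URL itself: the mobile_redirect view stores the token pair under a random single-use code and redirects with only that code, and the app then redeems the code against an HTTPS endpoint. The sketch is framework-free so it runs stand-alone; the dict stands in for Django's cache, and the scheme, callback path and TTL are assumptions.

```python
"""One-time hand-off of django-oauth-toolkit tokens to a mobile app.

Added example, not Mark's code. Instead of placing the access and
refresh tokens in the myiosapp:// query string, the redirect view keeps
them server-side under a random single-use code and sends only that
code to the app, which redeems it over HTTPS. A dict stands in for
Django's cache; scheme, path and TTL are assumptions.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

APP_SCHEME = "myiosapp"      # custom URL scheme the iOS app registers
CODE_TTL_SECONDS = 60        # code must be redeemed within a minute

# code -> (expires_at, {"access_token": ..., "refresh_token": ...})
_PENDING: dict = {}


def issue_handoff_code(access_token: str, refresh_token: str, now=None) -> str:
    """Store the token pair and return a one-time code for the app."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _PENDING[code] = (now + CODE_TTL_SECONDS,
                      {"access_token": access_token, "refresh_token": refresh_token})
    return code


def build_app_redirect(code: str) -> str:
    """Redirect target for the browser; only the opaque code enters the URL."""
    return f"{APP_SCHEME}://oauth/callback?{urlencode({'code': code})}"


def redeem_handoff_code(code: str, now=None):
    """Exchange the code for the tokens exactly once; expired codes fail."""
    now = time.time() if now is None else now
    entry = _PENDING.pop(code, None)   # pop: a replayed code finds nothing
    if entry is None:
        return None
    expires_at, tokens = entry
    return tokens if now <= expires_at else None


def code_from_redirect(url: str):
    """App side: accept only its own scheme, then pull the code out."""
    parts = urlsplit(url)
    if parts.scheme != APP_SCHEME:
        return None
    return parse_qs(parts.query).get("code", [None])[0]
```

The redeem step is what the app would call on your HTTPS api, so the tokens only ever travel over TLS rather than through the browser redirect.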