-
-
Notifications
You must be signed in to change notification settings - Fork 6.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add OAuth authentication/permissions. #8
Comments
Why not using OAuth2app? : http://hiidef.github.com/oauth2app/ It should be much simpler, as it implements OAuth 2.0, which is less tricky than OAuth 1.0 provided by django-oauth-plus. I did this my own way for my API, which was done from scratch, I'm learning django-rest-framework to migrate to it now, I'll try to figure out how feasible this is. |
May I suggest https://github.com/caffeinehit/django-oauth2-provider ? ;) |
Interesting! I don't really understand why there are two module levels: provider and oauth2, are you anticipating provider.oauth3? However, it seems pretty neat! Have you ever experience its integration in DRF? |
Yes please. Things to note:
Also this is more a future thing, but worth bearing in mind:
/cc @sebpiq |
OK, correct me if I'm wrong, but I think that David's stuff is OAuth 1.0 related. I'm not sure that 1.0 worth the challenge nowadays regarding its tedious design and that 2.0 is ramping up… Indeed, authenticators will probably need Camille. |
As far as I know, yup. It was last summer, and I don't think the OAuth 2.0 was very finalized.
Yup. Makes sense to me. Thought I'd better just point out that there are vestiges of 1.0 stuff in there that might need ripping out if we get an OAuth 2.0 implementation. |
I've been looking at oauth for two days now and I'd personally say that it is just fine to use 1.0. 1.0 works fine and is pretty clear, 2.0 seems to be quite enterprisy and hard to implement right. So if there's a proper 1.0 library... As a data point: dropbox is using oauth 1.0. |
Yup I'd somewhat come to the same conclusion. The confusingly named python-oauth2 library (It actually implements 1.0) seems very well used. There's an example service that uses it here: And a plugin to Kenneth Reitz'a requests that gives you an oauth client here, which'd be useful for testing: |
@flashingpumpkin's django-oauth2-provider looks like the best option to me. He's given me a sketch of an auth class: https://gist.github.com/877c9ffb14568031609c Anyone up for taking this on? |
I've got no time currently. :/ |
@flashingpumpkin shame. D'ya think it'd be worth me pulling together an Authentication class for django-oauth2-provider? How likely is it to get a little bit of "getting started" style docs love sometime? I don't think it needs much, but at the moment I'd be a bit lost around things like say, why |
@tomchristie When I get some time spare I'm definitely up for it. We're using it quite heavily in our projects. Re bitwise scopes: It's easy to swap them out for a table with name and description, but again, time. :( |
@flashingpumpkin - That's good enough for me. If I get around to it I might tick off the Authentication class myself.
Yup. As ever. Feeling pretty lucky that I've managed to get some real quality on-the-clock hours for REST framework 2, would have been a pretty impossible slog otherwise. |
Curious if anyone has made any progress on this. Wondering if there's any way I can lend a hand. If people are happy with the approach of django-oauth2-provider as an approach but no one has the time to implement right now, I can give that a go. |
@michaelmior - Nope it's still kicking around. As you can see there's not loads needed in terms of implementation, so I think a big chunk of the work needed is simply around adequate documentation and testing. Also I don't know if there's any python oauth2 client at the moment, but it'd def be helpful if we could provide examples to implementers of how to access with eg. a python client. I'm also not really sure if it'd make sense to implement this as a third party package, or include it directly in core. |
I haven't tried it, but there is python-oauth2 which seems promising. Personally I'd like to see this end up in the core since OAuth is becoming pretty standard as an auth method for any API. My experience with OAuth in Python has strictly been on the server side (currently using Piston, which uses about the same OAuth code as django-oauth-plus). |
Note that On 7 January 2013 16:43, Michael Mior notifications@github.com wrote:
|
I believe oauthlib implements OAuth 2 client behavior. Server support |
Assuming you mean this oauthlib: https://github.com/idan/oauthlib There isn't a well-documented, maintained Django binding for that yet. This is the closest I've seen, https://github.com/craigbruce/django-oauth Have toyed with the idea of putting together a Django binding for oauthlib, On 7 January 2013 17:23, matthewlmcclure notifications@github.com wrote:
|
Yes, that's the oauthlib I meant. |
I took a look at https://github.com/craigbruce/django-oauth. The project seems pretty far from complete, but perhaps a good starting point. However, I'm inclined to say that your initial suggestion of OAuth plus seems like the best option so far. I'm a little biased since as mentioned, I'm using almost the same code in one of my current projects via Piston. I've found it to be quite stable. |
Hi everyone, I've read the whole issue and I'm willing to give a hand on adding the OAuth and OAuth2 support. If I correctly understand the work @tomchristie is suggesting, the goal is to provide just an Authentication class that returns a tuple This way, we can build a perfectly decoupled OAuth2 authentication support. I will add a pull request to translate those clumsy words into a full of sense code :) |
@dulaccc - That'd be great!
Actually, not quite. At this point we don't really need to provide any extra layers of abstraction, we just need a concrete implementation of OAuth (using django-oauth-plus) and/or OAuth2 (using django-oauth2-provider). Having good documentation for them is also really important. At the moment it's often quite hard to know where to start with OAuth, so we need to make sure we provide a really simple, easy guide. |
I think this could be done the same way it's done in django-tastypie. Their I don't see the point in making developer to implement his own validation methods for tokens and signatures. Maybe I'm wrong because I know know only OAuth 1.0a specification and perhaps 2.0 is more flexible (and needs such approach). I recommend looking at |
@swistakm Agreed on all counts, they use django-oauth-plus and seems good to me. Any more info about eg validation of nonces? Doesn't mention anything about that in the django-oauth-plus docs. |
@tomchristie there is already everything needed in django-oauth-plus (including nonces). I was only mentioning tastypie implementation which lacks this feature (what makes it vulnerable to reply attacks). I have even working OAuth code for django-rest-framework but I hadn't time to clean it and add to lib. I hope I will find time this week to make pull request. BTW oauth-plus wasn't very developed over last year but I already contacted its author and I will take lead of this project (because it still needs some fixes IMO) |
@tomchristie I agree, if we choose a specific backend (like django-oauth2-provider for OAuth2) then we can implement the validation method ourself.
Can't agree more. The issue is that django-oauth2-provider doesn't have a decent documentation currently. I've been through all the source code and the good news is that it is really well commented and brilliantly executed, so I think it's just a matter of time before they'd generate a complete documentation. I'll fill an issue on their project to ask them to update the online doc. I need to implement an OAuth2 Authentication class for a current project of mine. The OAuth2 dance is working right now using the django-oauth2-provider backend. |
By the way, there's also the rauth library which apparently supports OAuth1.0/a, 2.0 and Ofly. Its only requirement is requests. It's on readthedocs and well tested. But I've never used it yet and don't know exactly how well it covers everything we need. |
@dbrgn It looks like rauth is for client-side only? |
@michaelmior D'oh, I'm sorry, you're right :( |
The plan would be to use David Larlet's OAuth plus, and keep it as an external dependency for anyone requiring OAuth support.
See: https://bitbucket.org/david/django-oauth-plus/overview
At least as a first pass this oughta be pretty easy - most of the OAuth stuff is just down to oauth-plus to deal with and you only need to tie in the very last leg.
You'll want to start off looking at examples/provider in oauth-plus. You'll see the 'outh_providers.urls' views listed in there. Those don't need to tie in at all to begin with. They'll just need to be unprotected un-api'ed views that just work exactly as they do already.
(At some point it'd be really great to tie them in with the auto-documenting API - that'd really really improve the ease of use I think.)
So the part you do need to tie in is CheckOAuth. With oauth-plus you'd normally apply that check to a view as a simple decorator, and it'd ensure that:
We'll prob want pretty much the same thing eg.
I think it's that simple. (?)
The text was updated successfully, but these errors were encountered: