django-oauth-toolkit's Introduction

Django OAuth Toolkit

OAuth2 goodies for the Djangonauts!

If you are facing one or more of the following:
  • Your Django app exposes a web API you want to protect with OAuth2 authentication,
  • You need to implement an OAuth2 authorization server to provide token management for your infrastructure,

Django OAuth Toolkit can help by providing, out of the box, all the endpoints, data and logic needed to add OAuth2 capabilities to your Django projects. Django OAuth Toolkit makes extensive use of the excellent OAuthLib, so that everything is RFC-compliant.

Reporting security issues

Please report any security issues to the JazzBand security team at <[email protected]>. Do not file an issue on the tracker.

Requirements

  • Python 3.8+
  • Django 3.2, 4.0 (4.0.1+ due to a regression), 4.1, 4.2, or 5.0
  • oauthlib 3.1+

Installation

Install with pip:

pip install django-oauth-toolkit

Add oauth2_provider to your INSTALLED_APPS

If you need an OAuth2 provider you'll want to add the following to your urls.py. Notice that the oauth2_provider namespace is mandatory.

Changelog

See CHANGELOG.md.

Documentation

The full documentation is on Read the Docs.

License

django-oauth-toolkit is released under the terms of the BSD license. Full details in LICENSE file.

Help Wanted

We need help maintaining and enhancing django-oauth-toolkit (DOT).

Join the team

Please consider joining Jazzband (if not already a member) and the DOT project team.

How you can help

See our contributing info and the open issues and PRs, especially those labeled help-wanted.

Submit PRs and Perform Reviews

PR submissions and reviews are always appreciated! Since we require an independent review of any PR before it can be merged, having your second set of eyes looking at PRs is extremely valuable.

Please don’t merge PRs

Please be aware that we don’t want every Jazzband member to merge PRs but just a handful of project team members, so that we can maintain a modicum of control over what goes into a release of this security-oriented code base. Only project leads are able to publish releases to PyPI, and it becomes difficult for the leads to deal with “unexpected” merged PRs when creating a new release.

Become a Project Lead

If you are interested in stepping up to be a Project Lead, please join the discussion.

django-oauth-toolkit's People

Contributors

adamchainz, akanstantsinau, andrew-chen-wang, auvipy, dependabot[bot], dopry, dulacp, dulmandakh, girbons, hirokiky, jleclanche, masci, mattblack85, n2ygk, nbajanca, outsbart, palazzem, poswald, pre-commit-ci[bot], psykopear, qup42, silvanocerza, smithdc1, stephane, symptog, synasius, tevansuk, tonial, wiliamsouza, zuzelvp

django-oauth-toolkit's Issues

OAuth Authentication Examples?

It would be splendid to have an example or two around using the toolkit for "Facebook/Twitter-like" authentication. Considering there are other kits like django-social-auth out there, I'm struggling to find The Easy Way™ to do it apart from depending on and subclassing social-auth's classes.

Bug in the Basic Auth parsing in Oauth2RequestValidator

This is related to issue #24.

Problem is here:

class OAuth2Validator(RequestValidator):
    def authenticate_client(self, request, *args, **kwargs):

        # ...
        auth_string_decoded = base64.b64decode(auth_string).decode(encoding)
        client_id, client_secret = auth_string_decoded.split(':')

        # ...

We should split the base64 unencoded string only at the first colon.
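
The parsing quoted in this issue next to a version that splits at the first colon only, as an added example (not part of the original issue and not the project's code). The function names, the header-building helper and the sample credentials are assumptions constructed for illustration.

```python
import base64


def make_basic_header(client_id, client_secret):
    """Build an Authorization header value (helper for the constructed samples)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_naive(header_value, encoding="utf-8"):
    """Parsing as quoted in the issue: split on every colon."""
    auth_string = header_value.split(" ", 1)[1]
    decoded = base64.b64decode(auth_string).decode(encoding)
    # Unpacking raises ValueError as soon as the secret itself contains ':'.
    client_id, client_secret = decoded.split(":")
    return client_id, client_secret


def parse_basic_credentials(header_value, encoding="utf-8"):
    """Return (client_id, client_secret), or None if the header is unusable.

    The caller is expected to treat None as failed client authentication
    rather than letting a parsing exception surface as a server error.
    """
    if not header_value:
        return None
    scheme, _, auth_string = header_value.partition(" ")
    auth_string = auth_string.strip()
    if scheme.lower() != "basic" or not auth_string:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(auth_string, validate=True).decode(encoding)
    except ValueError:
        # binascii.Error and UnicodeDecodeError both derive from ValueError.
        return None
    # Split at the first colon only: everything after it is the secret.
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, client_secret


def naive_fails(header_value):
    """True when the parsing quoted in the issue raises on this header."""
    try:
        parse_basic_naive(header_value)
    except ValueError:
        return True
    return False


# Constructed sample: a secret that contains colons.
SAMPLE_HEADER = make_basic_header("constructed-client-id", "s3cr:et:with:colons")

if __name__ == "__main__":
    print("naive parser fails:", naive_fails(SAMPLE_HEADER))
    print("first-colon parser:", parse_basic_credentials(SAMPLE_HEADER))
```
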

AbstractApplication, with FK to User, where user_id is a UUID (string)

I am writing a new app, and I am using Django's custom user model. I want to make my id a uuid (string). django-oauth-toolkit seems to accept only an integer in the relation between a user and AbstractApplication.

Because of this, I can't migrate with django-oauth-toolkit:

Error in migration: oauth2_provider:0001_initial
DatabaseError: foreign key constraint "user_id_refs_id_ce8b3416" cannot be implemented
DETAIL: Key columns "user_id" and "id" are of incompatible types: integer and uuid.

IndexError when trying to authorize an application

If you try to authorize an application without the redirect_uris, an IndexError exception will be raised. I used an authorization grant type implicit. Not sure if it can raise a better error (RedirectURINotFound) or it should be enforced in the application form.

/o/authorize/?client_id=c873c692338138235c0d14ba025d64d0d96ee0db&response_type=code

IndexError at /o/authorize/
pop from empty list

/home/wiliam/devel/canelada-django/src/django-oauth-toolkit/oauth2_provider/oauth2_validators.py in get_default_redirect_uri
return request.client.default_redirect_uri ...
/home/wiliam/devel/canelada-django/src/django-oauth-toolkit/oauth2_provider/models.py in default_redirect_uri
return self.redirect_uris.split().pop(0) ...

trailing slash in redirect_uris items

In Django admin, when setting a redirect_uri for a certain Application, if you put a trailing slash, like:

http://localhost:8000/exchange/

the authorization view responds with this error:

mismatching_redirect_uri

Add docs for views decorators

Describe the meaning of the parameters accepted by the decorators and provide a few examples to show how decorators could be used for protecting function-based endpoints.

TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types

I've been able to get a client and a provider working in development, but once I've tried to get the same two applications working in production, I've been getting this really odd error with no traceback.

TypeError: isinstance() arg 2 must be a class, type, or tuple of classes and types

I experience this after pressing the "Authorize" button, getting sent to /authorize. I have no isinstance() calls in my code, so I can only deduce that there's something wrong with the toolkit.

Here's the logging, apparently the grants work and are made, but throws a 500 before redirecting to the callback URI. Below are the logs generated from oauthlib.

2013-09-26T01:35:10.259563+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,259 authorization 13 44584784 Dispatching response_type code request to <oauthlib.oauth2.rfc6749.grant_types.authorization_code.AuthorizationCodeGrant object at 0x32fbc50>.
2013-09-26T01:35:10.264069+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,263 authorization_code 13 44584784 Validating redirection uri https://<example>.com/accounts/authenticated/ for client Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv.
2013-09-26T01:35:10.264069+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,264 authorization_code 13 44584784 Using provided redirect_uri https://<example>.com/accounts/authenticated/
2013-09-26T01:35:10.311315+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 base 13 44584784 Validating access to scopes [u'read', u'write'] for client u'Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv' (<Client: Example (Y1VEHZ!8.73lA!afOkTq!BkuoIEFq;GCRSNNdeUv)>).
2013-09-26T01:35:10.311474+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Pre resource owner authorization validation ok for <oauthlib.common.Request object at 0x32fbdd0>.
2013-09-26T01:35:10.311966+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Created authorization code grant {u'state': u'V9D8D6hgGI5vnco4w4e8ExJPNDuvf0', u'code': u'4sCeKG0ZTZv43PfcCvdwP1Rz8k2KQS'} for request <oauthlib.common.Request object at 0x32fbdd0>.
2013-09-26T01:35:10.312043+00:00 app[web.1]: DEBUG 2013-09-26 01:35:10,311 authorization_code 13 44584784 Saving grant {u'state': u'V9D8D6hgGI5vnco4w4e8ExJPNDuvf0', u'code': u'4sCeKG0ZTZv43PfcCvdwP1Rz8k2KQS'} for <oauthlib.common.Request object at 0x32fbdd0>.

Not sure what I can do here. I'm running 0.5.0.

Also, the query string looks like this (of course, I've substituted the URL):

response_type=code&client_id=Y1VEHZ%218.73lA%21afOkTq%21BkuoIEFq%3BGCRSNNdeUv&redirect_uri=https%3A%2F%2Fexample.com%2Faccounts%2Fauthenticated%2F&state=V9D8D6hgGI5vnco4w4e8ExJPNDuvf0

Use same form for all Application views

Use RegistrationForm for all the views, at the moment it is used only for ApplicationRegistration.

Bonus: make it configurable so users who implement their own Application model can write their own form and reuse the views.

Keep track of oauthlib refresh token refactoring

With reference to oauthlib/oauthlib#182 we should keep track of the upcoming changes in oauthlib regarding refresh token grant.

In particular, the confirm_scopes method in RequestValidator no longer exists and we should implement get_original_scopes instead.

The change has to be ready when we will upgrade the supported oauthlib version. For the moment I set the milestone for this issue at 0.4.0

Using OAuth2 password grant with multiple devices

This is mostly a question, so I'm sorry if it belongs to mailing list.

Imagine a scenario with single app registered with password grant type. I'm using this app on 2 devices. I log in on device A, get access token and refresh token. Everything is peachy. I do the same on device B, everything is still great. When I come back to device A and access token expires, I can no longer use refresh token as it was overwritten when I got tokens on device B.

Is it possible to fix this somehow? I'd imagine having multiple refresh tokens could help this scenario, but I guess that would have also negative security implications.

request.user is not the same as the token user

Hi,

I'm using django-oauth-toolkit to protect an API in a django project using class-based views.

If I understand correctly the function validate_bearer_token in oauth2_validators.py is supposed to set the request.user to the same value as the access_token.user. But when I access the request.user from a view I get AnonymousUser.

Am I misreading the code? Is there another way to get the user?

Thanks in advance,
João

Single Sign-On: Validators depend on Application model

I've been attempting to get the awesome stuff in #54 to work and I ran into the following:

Traceback:
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
  115.                         response = callback(request, *callback_args, **callback_kwargs)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/views/generic/base.py" in view
  68.             return self.dispatch(request, *args, **kwargs)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/views/generic/base.py" in dispatch
  86.         return handler(request, *args, **kwargs)
File "/Users/Bryan/Code/Revyver/hello-base/base/components/accounts/views.py" in get
  68.         user = authenticate(request=request)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in authenticate
  58.     for backend in get_backends():
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in get_backends
  33.         backends.append(load_backend(backend_path))
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/contrib/auth/__init__.py" in load_backend
  17.         mod = import_module(module)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/django/utils/importlib.py" in import_module
  35.     __import__(name)
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/backends.py" in <module>
  2. from .oauth2_backends import get_oauthlib_core
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/oauth2_backends.py" in <module>
  5. from .oauth2_validators import OAuth2Validator
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/oauth2_validators.py" in <module>
  14. Application = get_application_model()
File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauth2_provider/models.py" in get_application_model
  239.         raise ImproperlyConfigured(e.format(oauth2_settings.APPLICATION_MODEL))

Exception Type: ImproperlyConfigured at /accounts/authenticated/
Exception Value: APPLICATION_MODEL refers to model oauth2_provider.Application that has not been installed

It seems that the validators depend on APPLICATION_MODEL existing, but I'm trying to SSO from a separate client, so I shouldn't have to have another instance of Application on my client.

/cc @masci

Issued tokens management interface

The idea is to have a view where the user can see and eventually revoke the authorizations (aka tokens) issued to third party clients.

{"error": "invalid_client"}

Hello,

I'm following the tutorial for Django Rest Framework. I set up my application in the admin and I'm sending a POST request just like in the tutorial, but always get

{"error": "invalid_client"}

as a response:

$ curl -vK user -X POST -d "grant_type=password&username=myuser&password=mypass" http://localhost:8000/o/token/
* About to connect() to localhost port 8000 (#0)
*   Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 8000 (#0)
* Server auth using Basic with user 'RgmI&_Y A5mdjuAh2T/]m_ZeD|u'[8`$r|`k'!'
> POST /o/token/ HTTP/1.1
> Authorization: Basic UmdtSSZfWSBBNW1kanVBaDJUL11tX1plRHx1J1s4YCRyfGBrJyE6dnZdWWw/LUB3YWNBI2Q+NEcyNWEkbkZCclogJGQ/e1ZtYm4rMl5GYnRNSl9ZTitiVHB6b3UjXkRdaFhMeGxNL28jJz95MCV0ZXQ8Z3w8OEZTZHVPMkIvN3Y6dG5EUz99ZGxla3B2dTchWTssJDA8VEQ1UmwucA==
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: localhost:8000
> Accept: */*
> Content-Length: 55
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 55 out of 55 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 400 BAD REQUEST
< Date: Sun, 08 Sep 2013 17:30:37 GMT
< Server: WSGIServer/0.1 Python/2.7.5
< Content-Language: it
< Vary: Accept-Language, Cookie
< Pragma: no-cache
< Cache-Control: no-store
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json;charset=UTF-8
< 
* Closing connection #0
{"error": "invalid_client"}

AccessDenied with requests_oauthlib

I've been following the tutorial to try and get an SSO working for my project and I've been able to use the provider against the Heroku test app. Outside of that though, I've had no luck getting things working as I consistently get AccessDenied errors thrown.

I'm using requests_oauthlib to try and get through the authentication process and I'm not sure what to try anymore. I've tried putting client_id and client_secret in the response body as well as the auth= parameter shown below (the second method found mentioned here, https://groups.google.com/forum/#!topic/django-oauth-toolkit/KsDyKtrhhVg).

For clarity, the Application is a public, authorization-code application.

>>> from django.conf import settings
>>> client_id = settings.CLIENT_ID
>>> client_secret = settings.CLIENT_SECRET
>>> authorization_base_url = 'https://localhost:8443/authorize/'
>>> token_url = 'https://localhost:8443/token/'
>>> redirect_uri = 'https://localhost:8444/accounts/authenticated/'
>>> from requests_oauthlib import OAuth2Session
>>> base = OAuth2Session(client_id)
>>> authorization_url, state = base.authorization_url(authorization_base_url)
>>> print authorization_url
https://localhost:8443/authorize/?response_type=code&client_id=c4Jev7re0fLCmeWs%3DcmJ%3DXhXKrVA6f%40TyGaMUqju&state=RW0SLFm9SgllPrm01aZGDkaeZigUTu
>>> authorization_response = 'https://localhost:8444/accounts/authenticated/?state=RW0SLFm9SgllPrm01aZGDkaeZigUTu&code=rqoG2aZ5NrXYEj4xbeobxb3RjBirN7'
>>> token = base.fetch_token(token_url, authorization_response=authorization_response, auth=(client_id, client_secret))
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 144, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/web_application.py", line 271, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 297, in parse_token_response
    validate_token_parameters(params, scope)
  File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 304, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/Users/Bryan/.virtualenvs/hello-base/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 223, in raise_from_error
    raise cls(**kwargs)
AccessDeniedError
>>> 

Internal Server Error reported in getting access token

It is expected to get access token by type=confidential, grant_type=authorization-code scheme from django-rest-framework with oauth-toolkit as oauth2 flow. At last, the client validation failed and report Internal Server Error at line 57 of oauth2_validators.py

HTTP/1.0 200 OK
Date: Mon, 16 Sep 2013 03:03:57 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Set-Cookie: csrftoken=PrI88VPP3OnOTo04HNZSJFR0fNsAMnkc; expires=Mon, 15-Sep-2014 03:03:57 GMT; Max-Age=31449600; Path=/

HTTP/1.0 302 FOUND
Date: Mon, 16 Sep 2013 03:04:00 GMT
Server: WSGIServer/0.1 Python/2.7.3
Vary: Cookie
Content-Type: text/html; charset=utf-8
Location: http://localhost:8000/auth/ogcio/callback?code=jIvbl8BS2xlvin8hYjZEhr5p0DTCb9

HTTP/1.1 500 Internal Server Error
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Sep 2013 03:04:00 GMT
Connection: keep-alive
Transfer-Encoding: chunked

  • authlib DEBUG log:
    DEBUG 2013-09-17 10:45:38,360 Validating redirection uri http://localhost:8000/auth/ogcio/callback for client 01872c3487755dda4319.
    DEBUG 2013-09-17 10:45:38,360 Using provided redirect_uri http://localhost:8000/auth/ogcio/callback
    DEBUG 2013-09-17 10:45:38,364 Validating access to scopes ['read', 'write'] for client u'01872c3487755dda4319' (<Application: 01872c3487755dda4319>).
    [17/Sep/2013 10:45:38] "GET /oauth2/authorize/?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauth%2Fogcio%2Fcallback&client_id=01872c3487755dda4319&type=web_server HTTP/1.1" 200 3016
    DEBUG 2013-09-17 10:45:40,778 Dispatching response_type code request to <oauthlib.oauth2.rfc6749.grant_types.authorization_code.AuthorizationCodeGrant object at 0x7fb4a83fe490>.
    DEBUG 2013-09-17 10:45:40,783 Validating redirection uri http://localhost:8000/auth/ogcio/callback for client 01872c3487755dda4319.
    DEBUG 2013-09-17 10:45:40,783 Using provided redirect_uri http://localhost:8000/auth/ogcio/callback
    DEBUG 2013-09-17 10:45:40,784 Validating access to scopes [u'read', u'write'] for client u'01872c3487755dda4319' (<Application: 01872c3487755dda4319>).
    DEBUG 2013-09-17 10:45:40,785 Pre resource owner authorization validation ok for <oauthlib.common.Request object at 0x7fb49c072a10>.
    DEBUG 2013-09-17 10:45:40,785 Created authorization code grant {u'code': u'OObFx0mvpcPvcXFzfZ5Mv5uMhUqmmB'} for request <oauthlib.common.Request object at 0x7fb49c072a10>.
    DEBUG 2013-09-17 10:45:40,786 Saving grant {u'code': u'OObFx0mvpcPvcXFzfZ5Mv5uMhUqmmB'} for <oauthlib.common.Request object at 0x7fb49c072a10>.
    [17/Sep/2013 10:45:40] "POST /oauth2/authorize/?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauth%2Fogcio%2Fcallback&client_id=01872c3487755dda4319&type=web_server HTTP/1.1" 302 0
    DEBUG 2013-09-17 10:45:41,028 Dispatching grant_type authorization_code request to <oauthlib.oauth2.rfc6749.grant_types.authorization_code.AuthorizationCodeGrant object at 0x7fb4a8402390>.
    DEBUG 2013-09-17 10:45:48,204 Client authentication failed, <oauthlib.common.Request object at 0x7fb49c072c90>.
    DEBUG 2013-09-17 10:45:48,205 Client error during validation of <oauthlib.common.Request object at 0x7fb49c072c90>. InvalidClientError().
    [17/Sep/2013 10:45:48] "POST /oauth2/token/ HTTP/1.1" 400 27
  • callstack: Thread-41 - pid3269_seq22
    authenticate_client_id [oauth2_validators.py:57]
    validate_token_request [authorization_code.py:356]
    create_token_response [authorization_code.py:228]
    create_token_response [token.py:93]
    wrapper [base.py:61]
    create_token_response [backends.py:89]
    create_token_response [mixins.py:102]
    post [base.py:135]
    dispatch [base.py:86]
    dispatch [views.py:120]
    bound_func [decorators.py:21]
    wrapped_view [csrf.py:77]
    wrapper [decorators.py:25]
    view [base.py:68]
    get_response [base.py:115]
    _call [wsgi.py:255]
    call [handlers.py:72]
    run [handlers.py:85]
    handle [simple_server.py:124]
    init [SocketServer.py:638]
    init [basehttp.py:150]
    finish_request [SocketServer.py:323]
    process_request_thread [SocketServer.py:582]
    run [threading.py:504]
    __bootstrap_inner [threading.py:551]
    __bootstrap [threading.py:524]

Thanks
Tommy Tang

Tutorial 1: missing CORS module

During token exchange, the Heroku app makes a POST to localhost and this causes an error because the user's Django app doesn't support CORS requests. Add a minimal explanation of how to add CORS middleware.

Glossary on docs

Add a glossary section for some terms like 'Client type' or 'Authorization grant type' because their meaning and use aren't clear during tutorial.

Remove direct dependency on User model in Unit Tests

This seems like a great library. Unfortunately, I can't use it yet as it will not pass our automated unit testing since we are using a custom user model. Please replace direct references to Django's User model with django.contrib.auth.get_user_model().

Thank you.

Import from oauthlib.oauth2

Make sure to import from oauthlib.oauth2 and not oauthlib.oauth2.draft25. draft25 package may be dropped in future oauthlib releases

User foreign key is required in Application model

It would be convenient for me to not tie a User to an Application for the credentials grant; this way the access token could be associated to None or AnonymousUser (I've applied a hack in my validate_bearer_token validator in the meantime).

Why is the User required in this model?

Improve consumer app on the playground

Use the session to avoid users having to copy and paste the same info across the steps to get an access token. For example, the application ID could be inserted at the very beginning, then reused later.

Error in migrations with custom user on Django 1.5

This error is not raised on sqlite, due to the lax way it works checking relational dependencies.

However, when I syncdb/migrate on postgresql, I get:

Running migrations for oauth2_provider:

  • Migrating forwards to 0001_initial.

    oauth2_provider:0001_initial
    FATAL ERROR - The following SQL query failed: ALTER TABLE "oauth2_provider_application" ADD CONSTRAINT "user_id_refs_id_f9cca3bd" FOREIGN KEY ("user_id") REFERENCES "auth_user" ("id") DEFERRABLE INITIALLY DEFERRED;
    The error was: relation "auth_user" does not exist

Error in migration: oauth2_provider:0001_initial
DatabaseError: relation "auth_user" does not exist

I use a custom user model called "Account". You can even see the code here:

https://github.com/hasadna/omuni-budget/blob/develop/openbudget/apps/accounts/models.py#L10

Improve authorization form

The current authorization form is a little bit ugly. I don't want to include any assets but we can add some basic style based on Twitter Bootstrap using http://www.bootstrapcdn.com.

The form also lacks some information, like the list of scopes.
