Django REST framework - OAuth2 consumer API from an external provider

Time: 2022-12-19 21:05:44

I am trying to authorize users to access some resources from my Django REST framework API using Oauth2.

Most answers about Oauth2 and API deal with making the API a provider.

But I plan to share an Oauth2 provider with many REST APIs, and I can't figure out how to consume it (not how to provide Oauth2).

I have no idea how a user can log in on the provider SSO, and then communicate its token to my consuming API, which must authenticate users against my provider (getting back its information, mainly authorizations).

Does anyone have a clue on how to consume Oauth2 from Django REST framework?

Figure:

[User] -> [My API] <-> [Oauth2 provider (with django-oauth-provider)] <-> [Active Directory / anything ]

2 solutions

#1


4  

Looking at the code at https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/authentication.py#L290 it seems just not possible. The django-rest-framework internally accesses provider's database tables to check for tokens and authenticates requests using these data.

Which for me kinda defeats the purpose of OAuth at all, but here we go.

#2


1  

I've found these related questions, which confirm what I thought was an interpretation error from my side:

Basically, the standard doesn't define such feature... it's amazing, provided a lot of people will hit that point sooner or later.

What's most weird is that I couldn't find any django addon to do this... are we the first two that need to authenticate more than one API using the same Auth Server?
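
One way for a consuming API to check a bearer token against a shared provider, as an added example that is not part of the original thread: it assumes the provider exposes an RFC 7662 token introspection endpoint (the thread does not say it does), and the class name, URL, client credentials and audience are hypothetical. It has the shape of a DRF authentication class but stays framework-free, raising `PermissionError` where DRF code would raise `AuthenticationFailed`.

```python
import base64, json, time, urllib.parse, urllib.request

class IntrospectionAuthentication:
    def __init__(self, url, client_id, client_secret, audience, post=None, ttl=30):
        self.url, self.audience, self.ttl = url, audience, ttl
        creds = f"{client_id}:{client_secret}".encode()
        self.basic = "Basic " + base64.b64encode(creds).decode()
        self.post = post or self._http_post  # injectable transport for offline tests
        self.cache = {}  # token -> (cache_deadline, claims)

    def _http_post(self, token):
        # RFC 7662 section 2.1: form-encoded POST, authenticated as this API.
        req = urllib.request.Request(
            self.url, data=urllib.parse.urlencode({"token": token}).encode(),
            headers={"Authorization": self.basic})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)

    def _claims(self, token, now):
        deadline, claims = self.cache.get(token, (0, None))
        if deadline > now:
            return claims  # short-lived cache bounds how long a revoked token lingers
        try:
            claims = self.post(token)
        except Exception as exc:  # provider down or bad reply: fail closed
            raise PermissionError("token introspection failed") from exc
        if not isinstance(claims, dict) or claims.get("active") is not True:
            raise PermissionError("token is not active")
        exp = claims.get("exp", now + self.ttl)
        if exp <= now:
            raise PermissionError("token expired")
        # Reject tokens minted for a sibling API that shares the same provider.
        aud = claims.get("aud", [])
        if self.audience not in ([aud] if isinstance(aud, str) else aud):
            raise PermissionError("token was not issued for this API")
        self.cache[token] = (min(exp, now + self.ttl), claims)
        return claims

    def authenticate(self, request):
        scheme, _, token = request.META.get("HTTP_AUTHORIZATION", "").partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None  # no bearer credentials: let other authenticators try
        claims = self._claims(token, time.time())
        return claims.get("username") or claims.get("sub"), claims
```

The audience check is what keeps several APIs behind one auth server from accepting each other's tokens; authorization decisions can then read `scope` from the returned claims.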
