Django DRF with oAuth2 using DOT (django-oauth-toolkit)

I have tried the demo you mentioned and everything was fine.

$ curl -X POST -d "grant_type=password&username=superuser&password=123qwe" -u"xLJuHBcdgJHNuahvER9pgqSf6vcrlbkhCr75hTCZ:nv9gzOj0BMf2cdxoxsnYZuRYTK5QwpKWiZc7USuJpm11DNtSE9X6Ob9KaVTKaQqeyQZh4KF3oZS4IJ7o9n4amzfqKJnoL7a2tYQiWgtYPSQpY6VKFjEazcqSacqTx9z8" http://127.0.0.1:8000/o/token/
{"access_token": "jlLpKwzReB6maEnjuJrk2HxE4RHbiA", "token_type": "Bearer", "expires_in": 36000, "refresh_token": "DsDWz1LiSZ3bd7NVuLIp7Dkj6pbse1", "scope": "read write groups"}
$ curl -H "Authorization: Bearer jlLpKwzReB6maEnjuJrk2HxE4RHbiA" http://127.0.0.1:8000/beers/
[]

In your case, I think, you have created an application with the wrong "Authorization grant type".

Use this application settings:

Name: just a name of your choice
Client Type: confidential
Authorization Grant Type: Resource owner password-based

This https://django-oauth-toolkit.readthedocs.org/en/latest/rest-framework/getting_started.html#step-3-register-an-application helped me a lot.

Here is the database file I've created: https://www.dropbox.com/s/pxeyphkiy141i1l/db.sqlite3.tar.gz?dl=0

You can try it yourself. No source code changed at all. Django admin username - superuser, password - 123qwe.


When you use "client credentials" it doesn't set the user on the generated access token; this is the root of the "you do not have permission" error you are seeing.

When using the client credentials grant type, you need to set the Rest Framework permission handler to look at tokens as client credentials does not set the user on the generated token. Django OAuth Toolkit provides custom permissions for this purpose:

https://django-oauth-toolkit.readthedocs.org/en/latest/rest-framework/permissions.html

Or if your entire API is subject to the same type of permissions you can just set the permission handler globally in your settings.py file, for example:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.ext.rest_framework.OAuth2Authentication',
    ),

    'DEFAULT_PERMISSION_CLASSES': (
        'oauth2_provider.ext.rest_framework.TokenHasReadWriteScope',
    )
}

This assumes of course that you grant read and write permissions at that time.

More info about scopes here:

https://django-oauth-toolkit.readthedocs.org/en/latest/settings.html
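To make the point of this answer concrete, here is an added, framework-free model (not Django OAuth Toolkit's own code) of why a user-based permission fails for a client credentials token while a scope-based one succeeds. The Token and Request classes are constructed stand-ins for DOT's access token and a DRF request; the read/write rule is assumed to mirror TokenHasReadWriteScope (read scope for safe methods, write scope otherwise).

```python
# Added example, not DOT's own code: a client credentials token carries
# scopes but no user, so permissions must be decided on the token.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
READ_SCOPE = "read"
WRITE_SCOPE = "write"


@dataclass
class Token:
    scope: str            # space-separated scopes, as DOT stores them
    user: object = None   # stays None for the client credentials grant

    def is_valid(self, scopes):
        """True when every required scope was granted to this token."""
        return set(scopes) <= set(self.scope.split())


@dataclass
class Request:
    method: str
    auth: Token = None    # the token OAuth2Authentication attaches
    user: object = None   # None models an anonymous user on the request


def user_based_permission(request):
    """Like IsAuthenticated: denies when no user is set (client credentials)."""
    return request.user is not None


def token_read_write_permission(request):
    """Assumed mirror of TokenHasReadWriteScope: decide on the token's scopes."""
    token = request.auth
    if token is None:
        return False
    required = READ_SCOPE if request.method in SAFE_METHODS else WRITE_SCOPE
    return token.is_valid([required])


def client_credentials_request(method, scope="read write"):
    """Constructed request as produced by a client credentials token."""
    return Request(method=method, auth=Token(scope=scope), user=None)
```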