Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protect a Django REST api with Oauth2

Massimiliano Pippi
April 10, 2015
Programming
0
160

Protect a Django REST api with Oauth2

Lightning talk for pycon15

Massimiliano Pippi

April 10, 2015
Tweet

More Decks by Massimiliano Pippi

See All by Massimiliano Pippi
Project layout patterns in Go
masci
1
460
A Python and a Gopher walk into a bar - Embedding Python in Go. (dotGo2017)
masci
0
670
A Python and a Gopher walk into a bar - Embedding Python in Go.
masci
0
140
How to port your Python software to Go without people noticing
masci
0
160
Python - Go One Way
masci
0
140
How we stopped using the mouse and started drawing molecules with our fingertips: not the usual porting story
masci
0
66
Django 1.7 on App Engine
masci
0
170
If code is poetry, then documentation is prose
masci
0
65
Full­stack developer with Django and AngularJS
masci
0
130

Other Decks in Programming

See All in Programming
Construindo APIs resilientes: práticas de versionamento e documentação
monicaribeiro
0
130
テーブル駆動テストと状態
hazumirr
2
1k
アジャイルのライトウィングとレフトウィングはひとりで両方できなくてもいいんじゃない? - “ひとりでできるもん”から“みんなでできるもん”への道のり
psj59129
0
260
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
660
第6回 AWSとGitHub勉強会 - AWS ECS Fargate環境の構築 -
ogiwarat
0
180
WebViewと向き合う
mkeeda
1
160
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
760
どうするLeSS - スクラムフェス三河2023.9.16
stanby_inc
1
210
VSCodeから一発でProxymanを起動する
kumamotone
0
120
ノーコードE2Eテストで実現する高速開発
nozomiito
0
230
OpenTelemetryのバックエンドを作ってparquetと戯れている話
mrasu
0
270
Lightweight Architectures: With Angular's Signals and Standalone
manfredsteyer
PRO
0
130

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.7k
Teambox: Starting and Learning
jrom
125
8.1k
YesSQL, Process and Tooling at Scale
rocio
159
13k
Design by the Numbers
sachag
272
18k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.2k
Side Projects
sachag
450
39k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
56k
Facilitating Awesome Meetings
lara
37
5.1k
The World Runs on Bad Software
bkeepers
PRO
59
6.1k
Typedesign – Prime Four
hannesfritz
35
1.8k
Code Review Best Practice
trishagee
53
13k

Transcript

  1. Protect a Django REST
    API with OAuth2
    Massimiliano Pippi @maxpippi

    View Slide

  2. Introducing my friend Harold
    Let’s say we want to
    write a timetracking
    web application
    y u not pushing?
    git push -f works lol

    View Slide

  3. Backend recipe
    Django
    &
    Django REST
    Framework
    u can use the new DRF3 generic views here
    wut?

    View Slide

  4. Projects proliferation
    timetracker-backend
    timetracker-web
    timetracker-[android|ios]
    timetracker-desktop
    yep! I need an app for my nokia 3210

    View Slide

  5. How do we do access control?
    Third party apps
    want to access
    our data as well!
    not ma problem can’t hear u

    View Slide

  6. Common problems
    ● Using user credentials inside the app is a
    bad idea
    ● The app might have full access to user
    account
    ● User has to change his password to
    revoke the access

    View Slide

  7. Multiple problems - one Solution
    The OAuth2
    framework
    omg not oauth again

    View Slide

  8. Django OAuth Toolkit
    ● Django 1.4 → 1.7 (1.8 coming soon)
    ● Python 2&3
    ● built on top of oauthlib, RFC 6749
    compliant
    ● DRF 2&3 integration
    https://github.com/evonove/django-oauth-toolkit

    View Slide

  9. Batteries included
    ● builtin views to
    register and
    manage OAuth2
    applications
    ● form view for user
    authorization
    lol I found what DRF stands for
    omg harold plz retire

    View Slide

  10. Endpoints protection for the lazy
    ● function views decorators
    @protected_resource()
    def my_view(request):
    # A valid token is required to get here…
    ● generic class based views
    class ApiEndpoint(ProtectedResourceView):
    def get(self, request, *args, **kwargs):
    return HttpResponse('Hello, OAuth2!')

    View Slide

  11. DRF ootb integration
    REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
    'oauth2_provider.ext.rest_framework.OAuth2Authentication',
    )
    }

    View Slide

  12. Future plans - Help needed!
    OAuth1 support
    Resource and
    Authorization
    server components
    separation
    https://github.com/evonove/django-oauth-toolkit
    +1 for my own PR

    View Slide