Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Protect a Django REST api with Oauth2

Protect a Django REST api with Oauth2

Lightning talk for pycon15


Massimiliano Pippi

April 10, 2015

More Decks by Massimiliano Pippi

Other Decks in Programming


  1. Protect a Django REST API with OAuth2 Massimiliano Pippi @maxpippi

  2. Introducing my friend Harold Let’s say we want to write

    a timetracking web application y u not pushing? git push -f works lol
  3. Backend recipe Django & Django REST Framework u can use

    the new DRF3 generic views here wut?
  4. Projects proliferation timetracker-backend timetracker-web timetracker-[android|ios] timetracker-desktop yep! I need an

    app for my nokia 3210
  5. How do we do access control? Third party apps want

    to access our data as well! not ma problem can’t hear u
  6. Common problems • Using user credentials inside the app is

    a bad idea • The app might have full access to user account • User has to change his password to revoke the access
  7. Multiple problems - one Solution The OAuth2 framework omg not

    oauth again
  8. Django OAuth Toolkit • Django 1.4 → 1.7 (1.8 coming

    soon) • Python 2&3 • built on top of oauthlib, RFC 6749 compliant • DRF 2&3 integration https://github.com/evonove/django-oauth-toolkit
  9. Batteries included • builtin views to register and manage OAuth2

    applications • form view for user authorization lol I found what DRF stands for omg harold plz retire
  10. Endpoints protection for the lazy • function views decorators @protected_resource()

    def my_view(request): # A valid token is required to get here… • generic class based views class ApiEndpoint(ProtectedResourceView): def get(self, request, *args, **kwargs): return HttpResponse('Hello, OAuth2!')
  11. DRF ootb integration REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'oauth2_provider.ext.rest_framework.OAuth2Authentication', )

  12. Future plans - Help needed! OAuth1 support Resource and Authorization

    server components separation https://github.com/evonove/django-oauth-toolkit +1 for my own PR