Protect a Django REST api with Oauth2

Transcript

1. Protect a Django REST API with OAuth2 Massimiliano Pippi @maxpippi

2. Introducing my friend Harold Let’s say we want to write

   a timetracking web application y u not pushing? git push -f works lol

3. Backend recipe Django & Django REST Framework u can use

   the new DRF3 generic views here wut?

4. Projects proliferation timetracker-backend timetracker-web timetracker-[android|ios] timetracker-desktop yep! I need an

   app for my nokia 3210

5. How do we do access control? Third party apps want

   to access our data as well! not ma problem can’t hear u

6. Common problems • Using user credentials inside the app is

   a bad idea • The app might have full access to user account • User has to change his password to revoke the access

7. Multiple problems - one Solution The OAuth2 framework omg not

   oauth again

8. Django OAuth Toolkit • Django 1.4 → 1.7 (1.8 coming

   soon) • Python 2&3 • built on top of oauthlib, RFC 6749 compliant • DRF 2&3 integration https://github.com/evonove/django-oauth-toolkit

9. Batteries included • builtin views to register and manage OAuth2

   applications • form view for user authorization lol I found what DRF stands for omg harold plz retire

10. Endpoints protection for the lazy • function views decorators @protected_resource()

    def my_view(request): # A valid token is required to get here… • generic class based views class ApiEndpoint(ProtectedResourceView): def get(self, request, *args, **kwargs): return HttpResponse('Hello, OAuth2!')

11. DRF ootb integration REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'oauth2_provider.ext.rest_framework.OAuth2Authentication', )

    }

12. Future plans - Help needed! OAuth1 support Resource and Authorization

    server components separation https://github.com/evonove/django-oauth-toolkit +1 for my own PR