Slide 1

Protect a Django REST API with OAuth2
Massimiliano Pippi, @maxpippi

Slide 2

Introducing my friend Harold
Let's say we want to write a time-tracking web application.
Speech bubbles: "y u not pushing?" "git push -f works lol"

Slide 3

Backend recipe: Django & Django REST Framework
Speech bubbles: "u can use the new DRF3 generic views here" "wut?"

Slide 4

Projects proliferation
● timetracker-backend
● timetracker-web
● timetracker-[android|ios]
● timetracker-desktop
Speech bubble: "yep! I need an app for my nokia 3210"

Slide 5

How do we do access control? Third-party apps want to access our data as well!
Speech bubbles: "not ma problem" "can't hear u"

Slide 6

Common problems
● Using user credentials inside the app is a bad idea
● The app might have full access to the user account
● The user has to change his password to revoke the access

Slide 7

Multiple problems - one solution: the OAuth2 framework
Speech bubble: "omg not oauth again"

Slide 8

Django OAuth Toolkit
● Django 1.4 → 1.7 (1.8 coming soon)
● Python 2 & 3
● built on top of oauthlib, RFC 6749 compliant
● DRF 2 & 3 integration
https://github.com/evonove/django-oauth-toolkit

Slide 9

Batteries included
● builtin views to register and manage OAuth2 applications
● form view for user authorization
Speech bubbles: "lol I found what DRF stands for" "omg harold plz retire"

Slide 10

Endpoints protection for the lazy

● function view decorators

    from django.http import HttpResponse
    from oauth2_provider.decorators import protected_resource

    @protected_resource()
    def my_view(request):
        # A valid token is required to get here; the body mirrors the
        # class-based example below so the view is complete.
        return HttpResponse('Hello, OAuth2!')

● generic class-based views

    from django.http import HttpResponse
    from oauth2_provider.views.generic import ProtectedResourceView

    class ApiEndpoint(ProtectedResourceView):
        def get(self, request, *args, **kwargs):
            return HttpResponse('Hello, OAuth2!')

Slide 11

DRF out-of-the-box integration

    # settings.py: let every DRF view accept OAuth2 bearer tokens
    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'oauth2_provider.ext.rest_framework.OAuth2Authentication',
        )
    }
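To make concrete what the authentication class above has to do on every request, and why the problems from slide 6 go away (a token can be scoped and revoked without touching the password), here is an added, stand-alone model of a resource server's bearer-token check. It is example code written for these notes, not django-oauth-toolkit's implementation; the token store, scope names, user name and token strings are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AccessToken:
    token: str
    user: str
    scopes: set
    expires: datetime
    revoked: bool = False


# Constructed sample data: a fixed "now" and three tokens issued to one user.
NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)
TOKENS = {
    "tok-mobile-read": AccessToken("tok-mobile-read", "harold", {"read"}, NOW + timedelta(hours=1)),
    "tok-desktop-rw": AccessToken("tok-desktop-rw", "harold", {"read", "write"}, NOW + timedelta(hours=1)),
    "tok-old": AccessToken("tok-old", "harold", {"read", "write"}, NOW - timedelta(minutes=5)),
}


def parse_bearer(auth_header):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not auth_header:
        return None
    parts = auth_header.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def authenticate(auth_header, required_scopes, now=NOW):
    """Map a request to (status, user): 401 = no usable token, 403 = token lacks a scope."""
    token = parse_bearer(auth_header)
    if token is None:
        return 401, None
    found = TOKENS.get(token)  # a real server would store hashed tokens and index them
    if found is None or found.revoked or found.expires <= now:
        return 401, None
    if not set(required_scopes) <= found.scopes:
        return 403, found.user
    return 200, found.user


def revoke(token):
    """Revoke one token: only that app loses access; the user's password is untouched."""
    TOKENS[token].revoked = True
```

The 401/403 split mirrors what a client sees from DRF: no valid credentials versus valid credentials that are not allowed to do this.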

Slide 12

Future plans - help needed!
● OAuth1 support
● Resource and Authorization server components separation
https://github.com/evonove/django-oauth-toolkit
Speech bubble: "+1 for my own PR"