
Documentation missing for DRF TokenHasResourceScope behavior

Open evitolins opened this issue 8 years ago • 2 comments

The DRF permissions class TokenHasResourceScope requires that tokens use a colon-separated syntax to explicitly specify read/write scopes (i.e. "music:read music:write"). This scope syntax is mentioned nowhere within the docs as far as I've found.

The following info seems like it would be necessary to understand to successfully utilize this workflow.


Based on this example from the TokenHasResourceScope docs:

from rest_framework import views
from oauth2_provider.contrib.rest_framework import OAuth2Authentication, TokenHasResourceScope

class SongView(views.APIView):
    authentication_classes = [OAuth2Authentication]
    permission_classes = [TokenHasResourceScope]
    # With TokenHasResourceScope, 'music' is checked as 'music:read' for safe
    # methods and 'music:write' for the rest; a bare 'music' scope is not enough.
    required_scopes = ['music']
    ...

Token Scope Syntax

A valid token's scope is set in this fashion, to grant both read and write permissions for this view.

music:read music:write

However, defining a token's scope without appending specific read and/or write access will not work:

music

Settings

Within your scope settings, you must declare each scope explicitly:

OAUTH2_PROVIDER = {
    'SCOPES': {
        'music:read' : 'Read music accessible by your account.',
        'music:write' : 'Write music accessible by your account.',
        ...
    }
}
evitolins avatar Aug 24 '16 02:08 evitolins
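To make the behaviour described in the issue concrete, here is an added, stand-alone model of the scope rule (example code, not django-oauth-toolkit's own implementation and not part of the original report). It assumes, as the issue states, that a view's `required_scopes` entry `music` is checked as `music:read` for safe HTTP methods and `music:write` for everything else, and that each expanded scope must be declared in `OAUTH2_PROVIDER["SCOPES"]`. The function names (`expand_resource_scopes`, `undeclared_scopes`, `token_has_resource_scope`, `demo`) and the settings fragment are constructed for this example. The real permission class additionally checks token validity and expiry, and takes the `read`/`write` suffixes from the library's `READ_SCOPE` and `WRITE_SCOPE` settings; those parts are not modelled here.

```python
# Added example (not django-oauth-toolkit's own code): a stand-alone model of the
# rule the issue describes, runnable without Django or DRF.
# Assumed from the issue text: safe HTTP methods require "<scope>:read",
# every other method requires "<scope>:write", and each expanded scope must be
# declared in OAUTH2_PROVIDER["SCOPES"].

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed settings fragment mirroring the issue's OAUTH2_PROVIDER example.
OAUTH2_PROVIDER = {
    "SCOPES": {
        "music:read": "Read music accessible by your account.",
        "music:write": "Write music accessible by your account.",
    }
}


def expand_resource_scopes(required_scopes, method):
    """Turn a view's required_scopes (e.g. ['music']) into the colon-suffixed
    scopes the given request method actually needs."""
    suffix = "read" if method.upper() in SAFE_METHODS else "write"
    return [f"{scope}:{suffix}" for scope in required_scopes]


def undeclared_scopes(required_scopes, settings=OAUTH2_PROVIDER):
    """Scopes a view would demand that are missing from OAUTH2_PROVIDER['SCOPES'].

    The authorization server cannot issue a scope it does not declare, so any
    entry returned here means the view is unreachable with a valid token.
    """
    declared = settings["SCOPES"]
    needed = set()
    for method in ("GET", "POST"):  # one safe and one unsafe method cover both suffixes
        needed.update(expand_resource_scopes(required_scopes, method))
    return sorted(s for s in needed if s not in declared)


def token_has_resource_scope(token_scope, method, required_scopes):
    """Model of the permission check: every expanded scope must be present in
    the token's space-separated scope string."""
    granted = set(token_scope.split())
    return all(s in granted for s in expand_resource_scopes(required_scopes, method))


def demo():
    """Run the cases from the issue against a view with required_scopes=['music']."""
    required = ["music"]
    return {
        # A bare "music" scope never matches, which is the behaviour the issue reports.
        "bare_get": token_has_resource_scope("music", "GET", required),
        "read_get": token_has_resource_scope("music:read", "GET", required),
        # A read-only token is rejected for a write method.
        "read_post": token_has_resource_scope("music:read", "POST", required),
        "both_post": token_has_resource_scope("music:read music:write", "POST", required),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    # A resource scope that was never declared in settings shows up here.
    print("undeclared:", undeclared_scopes(["music", "playlist"]))
```

`undeclared_scopes` is the check worth running at startup or in a test: if a view lists `playlist` in `required_scopes` but settings only declare `music:read`/`music:write`, no token can ever satisfy it and every request is denied without an obvious configuration error.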

I just found this issue today, trying to work out the docs. Is there anything that I could do to help get this into the docs for others? I could raise a PR with the changes required?

philsheard avatar Aug 05 '19 10:08 philsheard

Yes, please send a PR.

auvipy avatar Oct 26 '21 09:10 auvipy