django-oauth-toolkit

Authentication flow via json

Open philsheard opened this issue 5 years ago • 7 comments

I'm using the library to set up an auth server for an Alexa skill. Alexa's "account linking" flow uses OAuth but only accepts tokens and auth codes as JSON in the body of the response [1]:

"More specifically, for authentication code type, the access token must be sent in JSON by default as per the OAuth2 spec. If the parameter is in the response as a parameter string by default, account linking will fail."

Is the best option here to fork the library and add a new view based on django-oauth-toolkit/oauth2_provider/views/base.py that returns data as JSON instead of kwargs? This seems a bit brute force and not very DRY so I thought I'd ask what others recommend.

[1] Alexa developer blog post

philsheard, Aug 19 '19 15:08

I am also wondering about this. I would like to know what is the best way to support a standalone Django API that does not serve static content and still implement this library's OAuth 2.0 functionality. I think it's pretty common these days to have a separate API and UI application. Would love to use django-oauth-toolkit without having to fork or copy existing views and override functions.

dshinzie, Sep 20 '19 21:09

Here was my solution - I added a class which overrides the form_valid method to copy the URL params into the body of the response. It's not very intrusive so you could actually implement this within your codebase rather than a fork.

https://github.com/philsheard/django-oauth-toolkit/blob/5efa311fd7b4744ab3bf6fb0dd4a5eaf0b88ecf6/oauth2_provider/views/base.py#L209

philsheard, Sep 21 '19 05:09
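A sketch of the idea in the post above (copying the redirect's URL parameters into a JSON body), added here as an example; it is not philsheard's code and not part of django-oauth-toolkit. The function name `redirect_to_json`, the parameter list and the sample URIs in the test are constructed for illustration, and returning 400 for error responses is a choice made in this sketch.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters defined by RFC 6749 for authorization responses (assumed list
# for this sketch); anything else in the query belongs to the client's URI.
OAUTH_PARAMS = {
    "code", "state", "access_token", "token_type", "expires_in", "scope",
    "error", "error_description", "error_uri",
}

def redirect_to_json(location):
    """Turn an OAuth2 redirect URI into (status, headers, json_body)."""
    parts = urlsplit(location)
    # Authorization-code responses carry parameters in the query string,
    # implicit-grant responses carry them in the fragment; read both.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    oauth = {k: v for k, v in pairs if k in OAUTH_PARAMS}
    oauth.update(parse_qsl(parts.fragment, keep_blank_values=True))
    # Keep the client's own query parameters on the redirect URI.
    rest = urlencode([(k, v) for k, v in pairs if k not in OAUTH_PARAMS])
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, rest, ""))
    status = 400 if "error" in oauth else 200
    body = dict(oauth, redirect_uri=base)
    headers = {
        "Content-Type": "application/json",
        # Codes and tokens in a body must not be cached.
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    return status, headers, json.dumps(body, sort_keys=True)
```

The three return values map onto whatever HTTP response object the view uses in place of the redirect.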

@philsheard did you create a new class to register new applications as well?

dshinzie, Sep 23 '19 00:09

No, I just used that custom class within my code when building responses.

philsheard, Sep 23 '19 08:09

Can we get an example of what you did or give us more insight?

bobozar, Mar 20 '20 16:03

Hello, @philsheard. I didn't understand. How can we achieve the Alexa integration with your solution? Did you create a custom view for the authorize process?

devmessias, Dec 07 '20 13:12

I use TokenAuthentication by DRF as the main OAuth system; we are app only. I want to implement the consent screen in-app and call the API that @philsheard wrote, but the issue is that the AuthorizationView is a "django" view and not a "drf" view. Is there a workaround to either (1) make AuthorizationView a "drf"-based view or (2) inject TokenAuthentication with AuthorizationView?

daadu, Jan 27 '21 08:01