OAuth Provider Support
To provide standards-based authentication to the P2PU API, we need to implement support for OAuth 2.0. I've started a first cut of this with bd269c9c671ff75. To test what is currently there:
- Create a client application from the Django shell (python manage.py shell):
from django.contrib.auth.models import User
from oauth2app.models import Client
user = User.objects.get(...)  # the user who will own the client application
client = Client.objects.create(name='Sample App', user=user, redirect_uri='http://localhost:3000')
# print the client credentials; the secret is what the token exchange below authenticates with,
# so it must never reach a browser or be checked into source control
print(client.key)
print(client.secret)
- Construct authorization URL and authorize the app.
http://localhost:8000/oauth/authorize?client_id=<from_above>&redirect_uri=http://localhost:3000/callback&response_type=code
- Approve the app's authorization request and you'll be redirected to the callback URL (it's fine if it 404s) with a code query string parameter. Save that code for the following step.
- Exchange the authorization code for an access token. This is easiest with curl. Note that the token endpoint is served by the same Django server as the authorize endpoint (port 8000); port 3000 is only the client's redirect target:
curl -X POST http://localhost:8000/oauth/token -d 'client_id=from_above' -d 'client_secret=from_above' -d 'code=from_above' -d 'redirect_uri=http://localhost:3000/callback' -d 'grant_type=authorization_code'
If successful, the response should be a JSON object with information about the access token.
- Extract the access_token property and use it to test an authenticated request:
curl "http://localhost:8000/oauth/test?bearer_token=from_above"
Passing the token in the query string is fine for a quick test, but it ends up in server, proxy and browser history logs. Real clients should send it in the Authorization header instead, which RFC 6750 requires resource servers to support: curl -H "Authorization: Bearer from_above" http://localhost:8000/oauth/test
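The four steps above, driven from Python rather than by hand. This is an added example, not code from the P2PU repository or from oauth2app: it builds the authorize URL with a random state value, rejects a callback whose state does not match (the login-CSRF check the manual procedure skips), performs the code-for-token POST, and puts the token in an Authorization header. The endpoint URLs are the ones used in the steps above, with the token endpoint assumed to live on the Django server; it also assumes the server echoes state back as RFC 6749 section 4.1.2 requires. The fake opener is a constructed stand-in for urlopen so the flow runs without a server.

```python
import io
import json
import secrets
import urllib.parse
import urllib.request

# Endpoints from the issue text; the token endpoint is assumed to be served by
# the same Django server as the authorize endpoint (assumption, not verified).
AUTHORIZE_URL = "http://localhost:8000/oauth/authorize"
TOKEN_URL = "http://localhost:8000/oauth/token"


def build_authorize_url(client_id, redirect_uri, state=None):
    """Return (url, state). A fresh random state ties the callback to this
    request, so a code planted by an attacker (login CSRF) is rejected."""
    if state is None:
        state = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the URL the browser landed on.
    Assumes the server echoes `state` back unchanged."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization refused: %s" % query["error"][0])
    state = query.get("state", [None])[0]
    # constant-time compare on bytes so a non-ASCII state cannot trigger a TypeError
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to our request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(client_id, client_secret, code, redirect_uri):
    """Form fields for the code-for-token exchange (the curl step above).
    redirect_uri must repeat the value sent in the authorize request."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }


def exchange_code(client_id, client_secret, code, redirect_uri,
                  opener=urllib.request.urlopen):
    """POST the code to the token endpoint and return the parsed JSON.
    `opener` is injectable so the exchange can be exercised offline."""
    body = urllib.parse.urlencode(
        token_request_body(client_id, client_secret, code, redirect_uri)).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, method="POST")
    with opener(req) as resp:
        token = json.loads(resp.read().decode())
    if "access_token" not in token:
        raise ValueError("token endpoint returned no access_token: %r" % token)
    return token


def bearer_request(url, access_token):
    """Authenticated request carrying the token in the Authorization header
    (RFC 6750 section 2.1) instead of a logged query string."""
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def fake_token_opener(req):
    """Constructed stand-in for urlopen: answers the way a token endpoint
    would, so the flow can be run without the Django server."""
    fields = urllib.parse.parse_qs(req.data.decode())
    if fields.get("grant_type") != ["authorization_code"]:
        return io.BytesIO(b'{"error": "unsupported_grant_type"}')
    return io.BytesIO(b'{"access_token": "tok-123", "token_type": "bearer"}')


if __name__ == "__main__":
    url, state = build_authorize_url("client-key", "http://localhost:3000/callback")
    print("open in a browser and approve:", url)
    # Constructed callback standing in for the URL the browser lands on after approval.
    callback = "http://localhost:3000/callback?code=abc&state=" + state
    code = parse_callback(callback, state)
    token = exchange_code("client-key", "client-secret", code,
                          "http://localhost:3000/callback", opener=fake_token_opener)
    req = bearer_request("http://localhost:8000/oauth/test", token["access_token"])
    print(req.get_header("Authorization"))
```

Against the real server, drop the opener argument so exchange_code uses urllib.request.urlopen, and paste the actual post-approval URL into parse_callback; the state check then does real work, since the manual procedure above has nothing stopping a code from someone else's authorization being handed to the client.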
Recommended steps to complete this issue:
- Security audit. This uses oauth2app, which seems fairly popular, but we should still make sure we're not introducing vulnerabilities by adding it. Concretely, check that: the redirect_uri in the authorize and token requests is compared exactly against the registered value (the client above is registered with http://localhost:3000 while the request uses http://localhost:3000/callback, so confirm it is not a prefix match that lets this through); the state parameter is accepted and echoed back so clients can tie the callback to their own request; authorization codes are single-use, short-lived and bound to the client that requested them; client secrets and access tokens are never written to logs; and the authorize and token endpoints are served only over HTTPS in production.
- Pretty up the Authorization page (templates/oauth/authorize.html).
- Implement support for authentication throughout the existing API.