Protect a Django REST API with OAuth2

Lightning talk for pycon15

Massimiliano Pippi

April 10, 2015

Transcript

  1. Introducing my friend Harold
     Let's say we want to write a timetracking web application.
     "y u not pushing?"
     "git push -f works lol"

  2. Backend recipe
     Django & Django REST Framework
     "u can use the new DRF3 generic views here"
     "wut?"

  3. How do we do access control?
     Third party apps want to access our data as well!
     "not ma problem"
     "can't hear u"

  4. Common problems
     • Using user credentials inside the app is a bad idea
     • The app might have full access to the user account
     • The user has to change his password to revoke the access

  5. Django OAuth Toolkit
     • Django 1.4 → 1.7 (1.8 coming soon)
     • Python 2 & 3
     • Built on top of oauthlib, RFC 6749 compliant
     • DRF 2 & 3 integration
     https://github.com/evonove/django-oauth-toolkit

  6. Batteries included
     • Builtin views to register and manage OAuth2 applications
     • Form view for user authorization
     "lol I found what DRF stands for"
     "omg harold plz retire"
  7. Endpoints protection for the lazy
     • Function view decorators:

         from django.http import HttpResponse
         from oauth2_provider.decorators import protected_resource

         @protected_resource()
         def my_view(request):
             # A valid token is required to get here…
             return HttpResponse('Hello, OAuth2!')

     • Generic class-based views:

         from django.http import HttpResponse
         from oauth2_provider.views.generic import ProtectedResourceView

         class ApiEndpoint(ProtectedResourceView):
             def get(self, request, *args, **kwargs):
                 return HttpResponse('Hello, OAuth2!')
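What the decorator on the slide above actually stands between the client and the view, shown as an added, dependency-free example (not django-oauth-toolkit's code): the bearer token is pulled from the Authorization header, then checked for existence, revocation, expiry and scope before the view body runs. The token store, client names, scope names and the fixed clock are constructed for the demo.

```python
# Added example (not django-oauth-toolkit's own code): a model of what an
# OAuth2 "protected resource" check enforces before the view runs: bearer
# token in the Authorization header (RFC 6750), then validity, revocation,
# expiry and scope (RFC 6749). Token store, clients, scopes and the clock
# are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class AccessToken:
    token: str
    application: str       # the client the user authorized; no user password involved
    scopes: frozenset
    expires: datetime
    revoked: bool = False  # the user revokes this app's token, not their password

NOW = datetime(2015, 4, 10, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock
TOKENS = {t.token: t for t in (
    AccessToken("tok-good", "timetracker-mobile", frozenset({"read"}), NOW + timedelta(hours=1)),
    AccessToken("tok-expired", "timetracker-mobile", frozenset({"read"}), NOW - timedelta(minutes=1)),
    AccessToken("tok-revoked", "third-party", frozenset({"read", "write"}), NOW + timedelta(hours=1), revoked=True),
)}

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def protected_resource(scopes=()):
    """Decorator: run the view only with a live token carrying every required scope."""
    required = frozenset(scopes)
    def decorator(view):
        def wrapper(headers, *args, **kwargs):
            tok = TOKENS.get(bearer_token(headers) or "")
            if tok is None or tok.revoked or tok.expires <= NOW:
                return 401, "invalid_token"        # RFC 6750 error code
            if not required <= tok.scopes:
                return 403, "insufficient_scope"   # RFC 6750 error code
            return view(headers, *args, **kwargs)
        return wrapper
    return decorator

@protected_resource(scopes=["read"])
def hours_view(headers):
    return 200, "Hello, OAuth2!"

@protected_resource(scopes=["write"])
def log_hours_view(headers):
    return 200, "logged"
```

The revoked case is the point of slide 4: the user (or the server) disables one application's token and that client is locked out, while the user's password stays untouched.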
  8. Future plans - Help needed!
     • OAuth1 support
     • Resource and Authorization server components separation
     https://github.com/evonove/django-oauth-toolkit
     "+1 for my own PR"