I have an API from which users can log in to get a token so they can make requests, etc., and I have also made a session login as there are a few scenarios where I need the user session token. Now if a user logs in to the API and afterwards they need to log in using the session Auth, it's all good; however, the reverse does not work. If you are logged in using session Auth and then want to log in via the API to release a token, I get a response of Forbidden. Could someone please offer some insight?
I have a Django application that doesn't have MVC pages and most of the data is served/posted via restful API powered by django-rest-framework. My userbase is in Azure single tenant AD, so I am trying to get the SSO going for them.
I am using django_auth_adfs to authenticate users against the Azure AD. Most of the stuff seems to work and the module takes care of the redirects and establishing the Django sessions for the client. Specifying the right permission_classes for the API ViewSets will make sure only authenticated users can access it; it works fine via a browser with a proper Django session cookie.
What I can't figure out is how to get the JWT token that I can give the UI client so that it could interact with the django-rest-framework API by supplying the JWT bearer and not relying on the session.
The documentation is not very specific on these details (besides the password grant that isn't quite relevant for my scenario).
I have implemented an endpoint for login, using the django-rest-framework and TokenAuthentication. What I want is, after the login, for the user to be authenticated and able to navigate the website.
I know that any GET request on any URI protected by authentication should contain the token in the headers, so that the user can be authenticated. Everything is fine with that, if I could do all the GET requests adding the token manually.
But what I do not understand is, how can I add the token to the headers when, for example, the user manually does the request by typing the URL?
Let's say that the uri /api/ is protected and requires an authenticated user.
The user logs in, and I save the token either in the cookies or in localStorage.
Now the user does an HTTP GET request on /api/. The token is not placed in the headers, so the response is: "Not authenticated".
So the question is, how can I add the token to any subsequent request after the user logs in successfully? Maybe the backend could check the cookies for a valid token, but isn't there any better and safer solution than this?
As I understand from the question, you want to add the token to every API call consumed by your client, whether app or web. In both cases people prefer to store that token either in cookies or in local storage. Once the user logs out, the API consumer also flushes that key.
I've followed both packages' documentation and am using the example from the rest-auth docs. I've followed all the steps and I can successfully use this API to register/login a user with Facebook. The API returns me a token and a user object, but this token is not working with JWT authentication. But if I set this user's username in the db and then post the Facebook login request again, then the returned token works fine. What does this social authentication process have to do with the username? Is there something I need to do to properly configure it?
I am using custom user model and have both username and email for authenticating users. Please let me know if any further info is needed for figuring out the problem.
After 1.7.0, rest_framework_jwt uses the username to query the user in authenticate_credentials(). But when you first log in with a Facebook accessToken via rest_auth, the user doesn't have a username.
So you will receive an 'Invalid payload.' message.
I have this problem too. And I am doing this work now.
Sorry for my bad English skill.
I would like to use django-rest-framework token to authenticate users. My workflow would be:
User requests a page
If auth token is present, respond with the requested data.
If auth token is not present, redirect to the login page (with the request page).
Inside the login page, the user submits their credentials
If credentials were correctly authenticated, get or create a token for that user and redirect back to the requested page with the token.
Else, respond with error.
Lastly,
When the user logs out, delete the token for that user.
So my question is, is it okay to delete and create a new token for every login if the user has already logged out? Also I assume the token will be unique, am I correct? Your help and guidance is very much appreciated. Thank you.
A REST API should be stateless; that means that there should not be a "session", hence no login and no logout, and no redirections to a login page.
If the request doesn't have a token then the API should return (probably) a 401 Unauthorized HTTP status code and not a redirection. You're making an API, so there won't be human interaction. Django REST framework offers a human-friendly interface that does have sessions and login/logout, and if that's all you need then go for it; you can do whatever you want. But it'd be hard for another program to use your API.
Why not use tokens with expiration dates, or another well-known authentication method? :P
Hope this helps :)
I was wondering if CSRF tokens for Django are generated automatically for both authenticated users and unauthenticated users? I am curious because I would like to make an API for posting form data so that any user, authenticated or unauthenticated, can make a POST call to the API endpoint. But I was wondering if I have to "attach" the CSRF token to the header for each user? (Implying that unauthenticated users would also have a CSRF token.)
Both authenticated and unauthenticated users require a valid CSRF token when using Django's default authentication mechanism. The token is rotated when a user logs in.
Whether you need a token isn't so much dependent on whether the user is authenticated, but it is dependent on the authentication mechanism. If the authentication uses sessions/cookies to authenticate the user, an attacker may use the session information that's implicitly sent with each request to forge a request and perform some action that the victim is authorized to do. On the other hand, if you use e.g. token authentication, the token has to be sent explicitly with each request, and an attacker can't know the token or forge a request that uses the token.
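The two rules stated in the answers above (an API answers a missing credential with 401 rather than a redirect, and CSRF applies to the implicitly-sent session cookie but not to an explicitly-sent token header) as one added, self-contained model. This is constructed example code, not Django or DRF source; the token value, session id and header names are constructed placeholders, and the double-submit check mirrors Django's comparison of the csrftoken cookie with the X-CSRFToken header.

```python
import hmac
from dataclasses import dataclass, field

# Constructed server-side state: one issued API token and one live session.
API_TOKENS = {"tok-constructed-abc123": "alice"}
SESSIONS = {"sess-constructed-xyz": "alice"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def authorize(req: Request) -> int:
    """Return the HTTP status a protected API endpoint would answer with.

    401: no usable credential (no redirect; this is an API, not a page).
    403: session cookie present but the CSRF check failed on an unsafe method.
    200: authenticated (and CSRF-verified when the session cookie was used).
    """
    # Explicit token header: a browser never attaches it on its own, so a
    # page on another origin cannot forge a request carrying it. No CSRF check.
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Token "):
        return 200 if auth[len("Token "):] in API_TOKENS else 401

    # Session cookie: sent implicitly by the browser with every request, so
    # state-changing methods must also prove same-origin via the CSRF token
    # (double submit: header value must equal the csrftoken cookie value).
    if req.cookies.get("sessionid") in SESSIONS:
        if req.method in SAFE_METHODS:
            return 200
        sent = req.headers.get("X-CSRFToken", "")
        expected = req.cookies.get("csrftoken", "")
        if expected and hmac.compare_digest(sent, expected):
            return 200
        return 403

    # Neither credential: tell the client to authenticate, don't redirect it.
    return 401
```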