I am a beginner in the world of the OAuth2.0 and OpenID Protocols. I would like to implement a custom server - provider for multiple applications. So, to use it for Single Sign-On (SSO). I would like to work with python. Till now I have found four packages, for an OAuth2.0 and an OpenID Connect server implementation, in Python: pyoidc, django-oidc-provider, Django OAuth Toolkit (DOT) by OAuthlib and Authlib. I tried to read and understand pyoidc, but it was not so helpful and easy, basic things were missing. I have tried django-oidc-provider and I was really satisfied, and the whole implementation was really easy. So, after those trials, I am left with Django OAuth Toolkit (by OAuthlib) and Authlib. Has anyone tried them? Are these packages the same? Is Authlib an updated version of the OAuthlib library? The only information I know till now, is that Flask-OAuthlib is deprecated, and Authlib is was its new version.
*Every answer or advice or personal experience would be really helpful and always appreciated!
Thank you again for your help.
After some research, I concluded to work generally with JWTs. As before, I would like to work with a GraphQL API, so I am searching for solutions about JWT authentication on it. I maybe use Passport.js (passport-jwt) or something else for Python. All the libraries mentioned above possibly will be not used.
I will just redirect the user to my main application, authenticate them with JWT, and then return the JWT back to the application. In the future and after deployment, I might also implement an OAuth2.0 provider for my website. Although those packages did not really help me, I would recommend Django OAuth Toolkit (DOT) and django-oidc-provider to others. But, also I learned that django-oidc-provider only supports the implementation of a small and simple OAuth2.0 provider. Django OAuth Toolkit comes with lots of options for implementing an advanced OAuth2.0 Authentication Server (AS), including Authorization Code flow with PKCE (Proof Key with Code Exchange), which is the most secure flow. It is also scalable and has great documentation with lots of customizations if you want.
*I sent an email to the support of Authlib, and of course no one has answered to me after a week.
Related
I am a nodejs developer but currently migrating to django(being a python lover). I am trying to implement OAuth2 in Django Rest Framework but I don't know how to start.
In nodejs, there is passportjs library which is well maintained, and it's got stratigies for every possible authentication type. What about django rest framework ? User name/password auth seems straightforward but oauth2 is not well covered.
In DRF docs here, It mentions two libraries for oauth. The first is django-oauth-toolkit which is well maintained but after going through docs, I didn't seem to understand much, it doesn't even talk about googl/facebook oauth. I am not sure what it is used for, anyway. The second one is django-rest-framework-social-oauth2 which seems to be straightforward but it's not been touched for over a year, it's probably not maintained any more.
So, How do you guys do oauth2 in your DRF projects ?
I hope you have solved this already. You can check my repo: It offers a simple way of authenticating against major ouath2 vendors. Here it is https://github.com/wagnerdelima/drf-social-oauth2.
You can also check my other repo https://github.com/wagnerdelima/facebook_setup. It integrates https://github.com/wagnerdelima/drf-social-oauth2 as an example to make it easy for newcomers.
I want some advice on choosing right package in a REST Api django project
For authentication:Which one of below I should choose ?
django-oauth-toolkit: seems to be the most robust and recommended oauth library for DRF. This do not have account management. How can i implement account management with this package? If yes, can I get some guide.
django-rest-auth: API endpoints for authentication, and basic account management for DRF. But seems not as robust as django-oauth as django-oauth allows token expiery etc. or i am missing some feature of rest-auth
For authorisation: I will be going for django-guardian over django-role-permission. Later seems more like back end utility to control user roles.
My deep desire is to use oauth-toolkit but it does not have basic user management. On the contrary rest-auth has user management but lacks (seems to be) roubustness of oauth.
Please help me make a choice.
I came to understand that DRF supports builtin support for OAuth2 and provides token utilising 'provider.oauth2'dependency hence django-oauth-toolkit could be avoided just in case.
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.OAuth2Authentication',
),
Thanks every one for your interest.
Django rest auth amounts to a small set of API views around django-allauth which is (according to github usage stats) much more used than oauth-toolkit.
allauth is pretty great and has a long list of available providers. Adding a new one is very easy and can nearly be completed 100% through the admin interface.
rest_auth essentially wraps django allauth to make it available via API. Where rest_auth falls short, it is fairly easy to implement what you need to work directly with allauth. If you need jwt support with rest_auth they recommend another 3rd party library.
The biggest problem with rest_auth we've run into is that the documentation is just OK and there are many open issues in the repo that should be closed with more clear resolution, there is a lot of misinformation in the issues.
Looking forward to resolving some of that confusion by inquiring as to the State of rest_auth
As far as your need for user management goes, django user management is robust as is.
I have designed a Restful component using Coldfusion 11. Now I need to think of securing this REST service.After searching for sometime
I found HTTPS + oauth2 is the best combination for securing REST service.
In the official oauth2 page, We have libraries for different languages. But there is nothing listed for ColdFusion.
Any one having any kind of knowledge if we have a library for oauth2 in ColdFusion?
I believe you are looking for this. This CF script is built by Matt Gifford 3 years ago, so you might want to take a look and update some code. But as far as i believe, it was designed to work on CF9 and CF10, so it will work on CF11 as well.
Let me know if this works for you.
I am developing API using django-tasty-pie and wanted to know which library to implement to get the OAuth working for basing username/password. I want to use this API to do calls from an Android app and a chrome app that would do the user registration. I know about django-social-auth. But I am not exactly dealing with social auth here. Just basic OAuth would do.
To get a feel for landscape read this blog post: http://pydanny.com/the-sorry-state-of-python-oauth-providers.html (it also lists all the alternatives).
I looks like Idan's library is most up to date: https://github.com/idan/oauthlib
The post in the accepted answer stated the following at the addendums to the article:
07/07/2013 - Please consider
https://github.com/evonove/django-oauth-toolkit for use as a
Django-powered OAuth provider. The team behind it is doing it right!
I have followed a number of tutorials and examples on the web to setup and use django piston. They all work flawlessly, until i try to integrate oauth authentication. I have been working against the following examples:
http://blog.carduner.net/2010/01/26/django-piston-and-oauth/
http://github.com/clemesha/django-piston-oauth-example
Yet both of these seem to fail to include examples of the required oauth templates and views. It is quite likely that i'm just not implementing it properly, so any advice would be hugely helpful.
In summary. I have a working django piston setup (that returns / inserts data). What i am struggling with is a definitive guide to integrating oauth authentication. I.e. what do i need to install, which views, settings, url patterns and templates do i need to create?
Thanks
If you're using a released version of Piston, you might be interested in how we implemented OAuth in Snowy, our AGPL web app for Tomboy notes:
http://git.gnome.org/browse/snowy/tree/urls.py#n48
http://git.gnome.org/browse/snowy/tree/api/urls.py
http://git.gnome.org/browse/snowy/tree/api/templates/piston/authorize_token.html
http://git.gnome.org/browse/snowy/tree/api/handlers.py
The OAuth views are bundled with piston (in the released version).
I have yet to upgrade to prencher's improved OAuth fork (which will apparently turn into 0.3 soon?), but here are his instructions if you are using his code:
http://groups.google.com/group/django-piston/msg/5a148c8e33654c5d
(make sure to read all of his responses in that thread, as he makes some clarifications)