Sharing authentication in Django - django

We are developing an application using Angular2 as the frontend and Django as the backend. A Django backend is already in place, while the Angular2 application is in development. We chose, for obvious reasons, to use Django REST as the way to communicate with the backend.
The application login and the backend login are done on two different pages, but of course the login domain and the user base are the same. The two logins are working properly by themselves, but we wanted to find a way to implement a transparent login (so a user can log into either of the two applications and be recognized by the other one without re-logging).
The Angular frontend is currently using Token Authentication. The server does send the CSRF and session cookie along with the token. Moving to the backend, the CSRF cookie is preserved, while the session is not, so a new login is required (of course, backend and Angular frontend are on different subdomains but in the same domain; the cookies are set on the domain, with two dots: '.domain.com').
Is it possible to do what we desire? Could someone help us find the proper way to do it?
We've done some research and found Django CAS, but it's not clear to us what it's about and whether it fits our use case.
Thank you very much

Related

Django REST with jwt + regular admin panel

I've set up a basic Django app using scaffolding which creates all those nice admin panels for free.
I want to expose a REST API, so I've followed this tutorial to get it running and add JWT authentication through simplejwt. I have tested my REST auth endpoints, gotten a token and used that token to consume a secured REST endpoint.
The problem is, as soon as I enable this auth scheme, the admin panel stops working. I can't log in at all. Which I guess makes sense considering I've changed the auth paradigm, but it kinda defeats the purpose of the scaffolding to lose all those free admin panels.
Is it possible to combine JWT authentication for my REST services while keeping the regular authentication scheme for my admin panel?
I want to do a public frontend through REST while keeping my backoffice within the same deployment as the backend itself.

Single login session for django application

I have a web application with Vue as the frontend stack and Django DRF as the backend stack. I want to enable the feature that if someone is logged in from one system, he/she can't log in from another system unless and until logging out from the previous session. Is there any proper mechanism to do so?
TL;DR I wouldn't even bother trying. But if you want: use websockets and keep track of the number of users connecting to a single endpoint.
It's not fool-proof since these are just tokens which means anyone with a terminal and curl can still access whatever REST API you have.
I think you have to understand how most people are using Vue, React, and other JS frameworks with Django. They're most likely not using SessionMiddleware and using something like djangorestframework-simplejwt (disclaimer: I help maintain it, and I've got a slight bias against JS frameworks + Django).
The problem lies in how authorization works, namely stateful and stateless. In your case with these token authentication methods, you've got stateless tokens that are verified only by signing, and not by anything backed by a database/cache on the server. So we don't actually know how many tabs the user has opened.
In SimpleJWT, we have something like token Blacklist, but it won't really help that much.
So the solution is to use websockets. You can keep track of the number of users connecting to a single endpoint (after authorization and authentication; you can use something like Django Channels) by creating a cache key (backed by a service like Redis or Memcached in production; locally you can use memory/dummy) and incrementing and decrementing it by the number of connections and disconnections.
That way, you have something on the server to back up all these claims.
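As an added example (not code from the answer above, nor from simplejwt or Channels), the counter the answer describes: a per-user connection count kept in a cache key, incremented on connect and decremented on disconnect, with the single-session policy from the question enforced by rejecting a second socket. The cache class is a constructed stand-in for `django.core.cache`, and `on_connect`/`on_disconnect` are assumed to be called from a Channels consumer's `connect()`/`disconnect()` after the user has been authenticated.

```python
class FakeCache:
    """Constructed in-memory stand-in for django.core.cache (add/incr/decr/get)."""

    def __init__(self):
        self._data = {}

    def add(self, key, value):
        # Django semantics: set only if absent, return True when the key was created.
        if key in self._data:
            return False
        self._data[key] = value
        return True

    def incr(self, key, delta=1):
        # Django raises ValueError for a missing key; Redis/Memcached make incr atomic.
        if key not in self._data:
            raise ValueError(key)
        self._data[key] += delta
        return self._data[key]

    def decr(self, key, delta=1):
        return self.incr(key, -delta)

    def get(self, key, default=None):
        return self._data.get(key, default)

cache = FakeCache()      # real project: from django.core.cache import cache
MAX_CONNECTIONS = 1      # the single-session policy from the question

def connection_key(user_id):
    return f"ws-connections:{user_id}"

def on_connect(user_id):
    """Call from the consumer's connect() after auth; True means accept the socket."""
    key = connection_key(user_id)
    cache.add(key, 0)                    # create the counter on first use only
    if cache.incr(key) > MAX_CONNECTIONS:
        cache.decr(key)                  # undo our increment so the count stays right
        return False                     # another session is already open: reject
    return True

def on_disconnect(user_id):
    """Call from the consumer's disconnect(); never lets the counter go below zero."""
    key = connection_key(user_id)
    if cache.get(key, 0) > 0:
        cache.decr(key)

def active_connections(user_id):
    return cache.get(connection_key(user_id), 0)
```

As the answer says, this only counts open sockets: a plain curl request carrying a valid token never touches this counter.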

Django REST authentication with React/ Redux

I am building a web app with a Django backend and React/Redux frontend running on separate servers. I have begun to try and start working on authentication and I cannot find a tutorial that suits my needs. Every tutorial either uses deprecated modules like drf-jwt (as opposed to simple-jwt) or has a simple mono-server that houses both the backend and the frontend in one directory. The former is useless and I do not want to do the latter as I like having the two separate servers for when I move on to deployment. Now can someone direct me to a good source of knowledge for getting this done? It doesn't have to be a tutorial it can be anything. I am really lost and I do not know how to begin.
You can use 3rd-party packages like djoser: it provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. For more information: https://pypi.org/project/djoser/
I'm using token authentication from Django Rest Framework so, after a login/password verification, the token on response can be used on any DRF endpoint.

When you use DRF(Server API) + React(public Web Client), how do you implement for OAuth2 social login?

I am developing Django (server) with React (web client).
And I want to use Facebook social login.
I know that the client is a public client and the server is confidential. So I want to use the authentication code grant way for authenticating users.
So I looked for a way, but there is no way to implement that. All the Python OAuth2 libraries implement is just for Django server-side rendering (Django server + web client).
So I'm confused about whether I am wrong or whether the others just did not implement that grant.
When you use DRF (server API) + React (public web client), how do you implement OAuth2 social login?
I wonder about that. Please give me some advice.
Thanks.
Let's start from the basics: people usually split frontend and backend to improve production speed, as frontend and backend can be developed by two separate teams. But in order for the frontend and backend to work together, there needs to be a connection interface, an API.
React is a frontend that runs in the browser, so in order to talk to the server it uses a REST protocol.
As the backend in this scenario is Django, we use DRF, since React uses a REST API. DRF provides easy, flexible, pre-built packages to carry out this communication job between server and client.
Now, the authenticator for web login you chose is Facebook, hence you will get the identity token from Facebook, which will correspond to the rows in the Django User table, which will give you access to the user's data in Django.
You don't need to do everything at once: first implement the Facebook social auth, and only after testing (test using the Postman app) think about connecting React.
A good place to start is this DRF documentation; look into Social OAuth2:
https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit

Right way to implement authentication for api-based service

I'm working on a service with a REST API implemented on Django REST Framework. I'll have a website with a JavaScript frontend (possibly an SPA on Knockout), plus Android and iOS apps, which will all be using this API. What is the best way to handle authentication in this case?
I've read a lot on JWT tokens (not my case; I must have the ability to revoke auth for a particular user at any time), sessions (already using Django), storing tokens in localStorage and so on.
Should I have one type (tokens?) for all? Or is it normal to use cookie-based session auth for web and tokens for mobile apps? If web also goes with tokens, where is the best place to store them: cookies or localStorage?
It's perfectly fine to use many authentication methods.
For the web app this can be session-based auth, assuming that you run it on the same domain. For the mobile app you use tokens. DRF will check all methods defined here.
Therefore, remember to enable/disable correct ones.
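As an added example (not code from the answer above or from DRF itself), the order-dependent way DRF walks the classes listed in DEFAULT_AUTHENTICATION_CLASSES: each authenticator returns None to let the next one try, returns a (user, auth) pair to win, or raises to abort the whole chain. The two authenticator classes, the session and token tables and the request dict are constructed stand-ins so this runs without Django; the contract they model is DRF's.

```python
class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""

# Constructed sample data: a server-side session store and a token table.
SESSIONS = {"sess-42": "web-user"}
TOKENS = {"tok-abc": "mobile-user"}

class SessionAuthentication:
    """Authenticates from the session cookie; returns None when there is no session."""
    def authenticate(self, request):
        user = SESSIONS.get(request["cookies"].get("sessionid"))
        return (user, None) if user else None     # None = let the next class try

class TokenAuthentication:
    """Authenticates from 'Authorization: Token <key>'; a bad key is an error."""
    def authenticate(self, request):
        header = request["headers"].get("Authorization", "")
        if not header.startswith("Token "):
            return None                           # header absent: pass to next class
        user = TOKENS.get(header[len("Token "):])
        if user is None:
            raise AuthenticationFailed("Invalid token.")   # present but wrong: abort
        return (user, header)

# Same order as DEFAULT_AUTHENTICATION_CLASSES in settings.REST_FRAMEWORK.
AUTHENTICATORS = [SessionAuthentication(), TokenAuthentication()]

def authenticate(request, authenticators=AUTHENTICATORS):
    """Mirrors DRF's loop: first (user, auth) pair wins, an exception stops everything."""
    for auth in authenticators:
        result = auth.authenticate(request)
        if result is not None:
            return result[0]
    return None   # anonymous; permission classes decide whether that is allowed

def make_request(cookies=None, headers=None):
    """Constructed minimal request: just cookies and headers."""
    return {"cookies": cookies or {}, "headers": headers or {}}

def rejects(request):
    """True when the chain aborts with AuthenticationFailed (an error response in DRF)."""
    try:
        authenticate(request)
    except AuthenticationFailed:
        return True
    return False
```

Note that DRF's real SessionAuthentication also enforces the CSRF check on unsafe methods, which is why the answer's same-domain assumption matters for the web client.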