I'm working on a service with a REST API implemented on Django REST framework. I'll have a web site with a JavaScript frontend (possibly an SPA on Knockout), and Android and iOS apps, all of which will be using this API. What is the best way to handle authentication in this case?
I've read a lot on JWT tokens (not my case; I must have the ability to revoke auth for a particular user at any time), sessions (already using Django), storing tokens in localStorage and so on.
Should I have one type (tokens?) for all? Or is it normal to use cookie-based session auth for web and tokens for mobile apps? If web also goes with tokens, where is the best place to store them: cookies or localStorage?
It's perfectly fine to use many authentication methods.
For the web app this can be session-based auth, assuming that you run it on the same domain. For the mobile app you use tokens. DRF will check all methods defined here.
Therefore, remember to enable/disable the correct ones.
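As an added illustration of the answer above (a model written for this page, not DRF's own code), the following Python mimics how DRF walks DEFAULT_AUTHENTICATION_CLASSES with a session authenticator for the browser and a token authenticator for the apps, and shows why an opaque server-side token can be revoked in a way a stateless JWT cannot. The users, session key and token values are constructed; the CSRF check that DRF's real SessionAuthentication also performs is left out.

```python
"""Model of how DRF walks DEFAULT_AUTHENTICATION_CLASSES (added example, not DRF code).

DRF tries each authenticator in order: one that returns None is skipped, the first
that returns (user, auth) wins, and one that raises AuthenticationFailed aborts the
request.  Users, session keys and tokens below are constructed sample data.
"""
from dataclasses import dataclass, field


class AuthenticationFailed(Exception):
    """Credentials were presented but are bad: stop the chain, request is rejected."""


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed server-side state standing in for the session and token tables.
SESSIONS = {"s3ss10n-alice": "alice"}                   # session key -> username
TOKENS = {"t0k3n-bob": "bob", "t0k3n-carol": "carol"}   # opaque token -> username


class SessionAuthentication:
    """Web client: identity comes from the session cookie the browser sends."""

    def authenticate(self, request):
        session_key = request.cookies.get("sessionid")
        if session_key is None:
            return None                      # no cookie: not our scheme, try the next one
        user = SESSIONS.get(session_key)
        if user is None:
            return None                      # unknown or expired session: anonymous
        return user, None


class TokenAuthentication:
    """Mobile client: identity comes from 'Authorization: Token <key>'."""
    keyword = "Token"

    def authenticate(self, request):
        parts = request.headers.get("Authorization", "").split()
        if not parts or parts[0] != self.keyword:
            return None                      # no header, or another scheme: skip
        if len(parts) != 2:
            raise AuthenticationFailed("Invalid token header.")
        user = TOKENS.get(parts[1])
        if user is None:
            raise AuthenticationFailed("Invalid token.")   # unknown or revoked
        return user, parts[1]


DEFAULT_AUTHENTICATION_CLASSES = [SessionAuthentication, TokenAuthentication]


def authenticate(request, classes=DEFAULT_AUTHENTICATION_CLASSES):
    """Return the username DRF would attach as request.user."""
    for cls in classes:
        result = cls().authenticate(request)
        if result is not None:
            return result[0]
    return "AnonymousUser"


def outcome(request):
    """authenticate(), but report a rejection instead of raising."""
    try:
        return authenticate(request)
    except AuthenticationFailed as exc:
        return f"rejected: {exc}"


def revoke_token(token):
    """Opaque tokens live in a server table, so revoking one is a delete; the next
    request carrying it is rejected, which a self-contained JWT cannot offer."""
    TOKENS.pop(token, None)
```

The order of the list matters: with both a session cookie and a token header present, the first authenticator that returns a user wins, so a browser session takes precedence over the token in this configuration.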
I've set up a basic Django app using scaffolding, which creates all those nice admin panels for free.
I want to expose a REST API, so I've followed this tutorial to get it running and add JWT authentication through simplejwt. I have tested my REST auth endpoints, gotten a token and used that token to consume a secured REST endpoint.
The problem is: as soon as I enable this auth scheme, the admin panel stops working. I can't log in at all. Which I guess makes sense, considering I've changed the auth paradigm, but it kind of defeats the purpose of the scaffolding to lose all those free admin panels.
Is it possible to combine JWT authentication for my REST services while keeping the regular authentication scheme for my admin panel?
I want to do a public frontend through REST while keeping my back office within the same deployment as the backend itself.
I am building a web app with a Django backend and a React/Redux frontend running on separate servers. I have begun to try to start working on authentication and I cannot find a tutorial that suits my needs. Every tutorial either uses deprecated modules like drf-jwt (as opposed to simple-jwt) or has a simple mono-server that houses both the backend and the frontend in one directory. The former is useless, and I do not want to do the latter, as I like having the two separate servers for when I move on to deployment. Now, can someone direct me to a good source of knowledge for getting this done? It doesn't have to be a tutorial; it can be anything. I am really lost and I do not know how to begin.
You can use third-party packages. djoser: provides a set of views to handle basic actions such as registration, login, logout, password reset and account activation. For more information: https://pypi.org/project/djoser/
I'm using token authentication from Django REST Framework, so after login/password verification, the token in the response can be used on any DRF endpoint.
I am creating a Flutter project with Django + Django REST framework as the backend. I want to add user authentication to the app.
I found some ways to achieve that, such as session authentication or token authentication. According to this article, if we want to add user authentication for mobile-based apps, it is best to use token authentication, since session authentication is not suited for mobile phones.
Is it really best to use token authentication for mobile-based apps instead of session authentication?
Yes, a token is best for a mobile client.
Mobile and cookies are not good friends ;)
Token authentication works well for multiple device connections with the same account, and it's easier to store a token.
It's stateless and works without cookies.
I have worked on two projects with Django and flutter.
I think for Android or iOS projects, token-based authentication is the best to go with, because it is stateless and you can easily manage user roles and permissions for the application too.
From a security point of view, it's also better because there's no possibility of a CSRF request when your app is using tokens.
Cookies don't fit well with platforms other than a browser.
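To make the CSRF point in the answer above concrete, here is an added Python model (written for this page; it is not from the answer and not Django or DRF code) of the one browser rule behind it: a cross-site form submission carries the victim's cookies automatically but cannot add an Authorization or X-CSRFToken header. The session id, server key and user names are constructed.

```python
"""Why cookie sessions need CSRF protection and header-carried tokens do not.

Added example, not Django/DRF code.  A logged-in victim's browser always attaches
the session cookie; only our own page's script can attach custom headers, which a
page on attacker.example cannot do.  Session ids, key and users are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-server-secret"
SESSIONS = {"sid-alice": "alice"}     # session cookie value -> user
TOKENS = {"tok-alice": "alice"}       # opaque API token -> user
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_token_for(session_id):
    """Synchronizer token bound to the session; our page embeds it for our JS to echo back."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def browser_request(method, from_our_origin, session_id="sid-alice", api_token=None):
    """The request a logged-in victim's browser sends.  Cookies always ride along;
    X-CSRFToken / Authorization only when the request originates from our own page."""
    req = Request(method, cookies={"sessionid": session_id})
    if from_our_origin:
        req.headers["X-CSRFToken"] = csrf_token_for(session_id)
        if api_token:
            req.headers["Authorization"] = f"Token {api_token}"
    return req


def session_auth(req):
    """Cookie-based: identity comes from the cookie, so unsafe methods must prove
    the request came from our page by presenting the CSRF token."""
    user = SESSIONS.get(req.cookies.get("sessionid"))
    if user is None:
        return None
    if req.method not in SAFE_METHODS:
        expected = csrf_token_for(req.cookies["sessionid"])
        if not hmac.compare_digest(expected, req.headers.get("X-CSRFToken", "")):
            raise PermissionError("CSRF check failed")
    return user


def token_auth(req):
    """Header-based: the cookie is ignored, so a forged cross-site request is merely anonymous."""
    parts = req.headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0] != "Token":
        return None
    return TOKENS.get(parts[1])


def outcome(req, authenticator):
    """'ok:<user>', 'anonymous', or 'rejected: <reason>'."""
    try:
        user = authenticator(req)
    except PermissionError as exc:
        return f"rejected: {exc}"
    return f"ok:{user}" if user else "anonymous"
```

Note that a cross-site GET still authenticates under the cookie scheme; Django and DRF only enforce the CSRF token on unsafe methods, which is why state-changing work must never be done on GET.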
I am developing with Django (server) and React (web client).
And I want to use Facebook social login.
I know that the client is a public client and the server is confidential. So I want to use the authorization code grant for authenticating the user.
So I looked for a way, but there is no way to implement that. All the Python OAuth2 libraries implement it just for Django server-side rendering (Django server + web client).
So I'm confused about whether I am wrong or whether the others just did not implement that grant type.
When you use DRF (server API) + React (public web client),
how do you implement OAuth2 social login?
I wonder about that. Please give me some advice.
Thanks.
Let's start from basics: people usually split frontend and backend to improve production speed, as the frontend and backend can be developed by two separate teams. But in order for the frontend and backend to work together, there needs to be a connection interface, an API.
React is a frontend that runs in the browser, so in order to talk to the server it uses a REST protocol.
As the backend in this scenario is Django, we use DRF, as React uses a REST API. DRF provides easy, flexible pre-built packages to carry out this communication job between server and client.
Now, the authenticator for web login you chose is Facebook, hence you will get the identity token from Facebook, which will correspond to the rows in the Django User table, which will give you access to the user's data in Django.
You don't need to do everything at once: first implement the Facebook social auth, and only after testing (test using the Postman app) think about connecting React.
A good place to start is the DRF documentation; look into Social OAuth2:
https://www.django-rest-framework.org/api-guide/authentication/#django-oauth-toolkit
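Since the asker wants the authorization code grant with a public SPA and a confidential server, here is an added Python model of that split (written for this page; it is not from DRF, from any OAuth2 library or from the answer above). The provider class stands in for Facebook and every client id, secret, code, subject and e-mail is constructed. It assumes the classic confidential-client flow: the SPA only forwards the code it receives on the redirect, and the server, which alone holds the client secret, redeems it at the provider's token endpoint and mints its own API token for the SPA to use afterwards.

```python
"""Authorization-code social login split across a public SPA and a confidential API.

Added example (not DRF, not an OAuth2 library).  FakeProvider stands in for the
social provider; all ids, secrets, codes and subjects are constructed.
"""
import secrets


class FakeProvider:
    """Constructed stand-in for the provider's authorize and token endpoints."""

    def __init__(self):
        self.clients = {"app-123": "s3cret-only-the-server-knows"}
        self.codes = {}           # one-time code -> (client_id, redirect_uri, subject)
        self.access_tokens = {}   # provider access token -> subject

    def authorize(self, client_id, redirect_uri, subject):
        """User consents in the browser; provider redirects back with a one-time code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, subject)
        return code

    def token(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: demands the client secret, so only the server can redeem codes."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)                # codes are single use
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = entry[2]
        return access_token

    def userinfo(self, access_token):
        subject = self.access_tokens[access_token]
        return {"id": subject, "email": f"{subject}@example.test"}


class ApiServer:
    """Model of the Django/DRF side: the confidential client."""
    CLIENT_ID = "app-123"
    CLIENT_SECRET = "s3cret-only-the-server-knows"        # never shipped to the browser
    REDIRECT_URI = "https://app.example.test/oauth/callback"

    def __init__(self, provider):
        self.provider = provider
        self.users = {}        # provider subject -> local username (the User table)
        self.api_tokens = {}   # opaque API token -> username (like DRF's authtoken)

    def social_login(self, code):
        """Handler for POST /auth/facebook/ carrying the code the SPA received."""
        access_token = self.provider.token(
            code, self.CLIENT_ID, self.CLIENT_SECRET, self.REDIRECT_URI)
        profile = self.provider.userinfo(access_token)
        username = self.users.setdefault(profile["id"], f"fb_{profile['id']}")
        api_token = secrets.token_hex(20)
        self.api_tokens[api_token] = username
        return api_token

    def user_for(self, api_token):
        return self.api_tokens.get(api_token)


class Spa:
    """Model of the React side: a public client that holds no secret."""

    def __init__(self, api):
        self.api = api
        self.pending_state = None

    def start_login(self):
        """Mint the 'state' value sent to the provider and kept in the browser."""
        self.pending_state = secrets.token_urlsafe(16)
        return self.pending_state

    def callback(self, code, state):
        """Redirect target: refuse a code that does not carry the state we issued."""
        if self.pending_state is None or not secrets.compare_digest(state, self.pending_state):
            raise ValueError("state mismatch")
        self.pending_state = None
        return self.api.social_login(code)       # the SPA never sees CLIENT_SECRET


def run_flow(subject="10001"):
    """Whole exchange; returns (api, provider, spa, code, api_token)."""
    provider = FakeProvider()
    api = ApiServer(provider)
    spa = Spa(api)
    state = spa.start_login()
    code = provider.authorize(ApiServer.CLIENT_ID, ApiServer.REDIRECT_URI, subject)
    return api, provider, spa, code, spa.callback(code, state)


def rejected(call, *args):
    """True when the call refuses: reused code, wrong secret, or bad state."""
    try:
        call(*args)
        return False
    except (PermissionError, ValueError):
        return True
```

The division of labour is the answer to the "public vs confidential" worry: the browser only ever holds the short-lived code and the state value, the secret stays in Django settings, and what the SPA stores afterwards is the server's own revocable API token, not the provider's access token.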
We are developing an application using Angular2 as the frontend and Django as the backend. The Django backend is already in place, while the Angular2 application is in development. We chose, for obvious reasons, to use Django REST as the way to communicate with the backend.
The application login and the backend login are done on two different pages, but of course the login domain and the user base are the same. The two logins are working properly by themselves, but we wanted to find a way to implement a transparent login (so a user can log into either of the two applications and be recognized by the other one without logging in again).
The Angular frontend is currently using token authentication. The server does send the CSRF and session cookies along with the token. Moving to the backend, the CSRF cookie is preserved, while the session is not, so a new login is required (of course, the backend and the Angular frontend are on different subdomains but in the same domain; the cookies are set on the domain, with two dots: '.domain.com').
Is it possible to do what we want? Could someone help us find the proper way to do it?
We've done some research and found Django CAS, but it's not clear to us what it is about and whether it fits our use case.
Thank you very much.