I'm creating a REST API for a iOS app. Using Django, Tastypie, Mongoengine/MongoDB. I'm using python-social-auth to allow users to register via Facebook and it seems to be working perfectly.
What I'm struggling with is what happens next - when the user makes subsequent calls to the API what credentials should be passed with the request? I'm thinking that when the user is saved, I should generate an APIkey and send it back which the user would then use to authenticate in subsequent requests. Would that be the correct approach and, if so, how would that be implemented?
I can't seem to find any info/examples for non-ORM
Any help/nudge in the right direction would be greatly appreciated! Thanks!
Related
I've been working on this Drf app to sign certificates. I have been using simple JWT for token authentication. But now I need to implement SSO authentication, so I have been trying to use Mozilla - Django - OIDC, but I can't seem to figure out the docs. I'm confused on where the access and refresh tokens would come from, since it clearly says in the docs.
Note that this only takes care of authenticating against an access token, and provides no options to create or renew tokens.
If mozilla-django-oidc is not creating the tokens, then where do I obtain them from and where will they be stored when I try to access them in my React frontend.
Thank you in advance for any help!!
I was trying to do something similar to what you mentioning, however I was using this packages: https://django-oidc-provider.readthedocs.io/en/latest/
It can effectively create tokens and authenticate, I was struggling with the validation part of the user, but... might help out.
This question may be super simple but I've been googling for a while now and haven't found an exact solution.
I'm trying to implement a Google Login using React for the frontend and Django for the backend.
How exactly would I do this? I have seen solutions where a token is sent over to the backend which then retrieves the necessary information from the Google API and either creates or retrieves a user from the database based on the token. However, this seemed to be based on JWT and I was wondering if it is possible to implement the same with the simple Django Auth Token?
Maybe I'm just really blind but I really wasn't able to find a suitable solution.
Thanks for your help!
I was actually working on this a few moments ago, after many fails in the past. It's quite a headache really trying to find a solution that works with React. I have however managed to easily setup google login on the React front end side with https://www.npmjs.com/package/react-google-login. This should be the first step you will need to take.
After that you will need to setup social login on the Django backend using django_allauth. Basically, the idea is once a user logs in via google or to be precise, clicks on the Login With Google button on the front end, a google access_token will be retrieved from Google and saved in local storage together with some other data. Only the access_token is of interest here. So you will then need to take this access_token and send it to the Django backend via a Rest API of a view that you will have setup. That will get the google user data saved in the database under social accounts, ultimately login them in the application. Everything from then on should continue as per your normal logins with email and username. That is if using JWT, a jwt token will be returned from the backend which you hopefully should be able to save in local storage. In my React app, I authenticate against this token, so as long as I have the token in local storage, a user is logged in.
Pratik Singh Chauhan does a good job explaining this in his Part 1 tutorial here -> https://medium.com/#pratique/social-login-with-react-and-django-i-c380fe8982e2 and Part 2 here -> https://medium.com/#pratique/social-login-with-react-and-django-ii-39b8aa20cd27
UPDATE: June 2022
Since Google is now moving to (GIS) Google Identity Services sign-in SDK, this method, although it works is now deprecated.
Here is a good link to help you setup react login with the new google GIS.
https://github.com/MomenSherif/react-oauth/issues/12#issuecomment-1131408898
There are 2 methods you can use depending on your workflow, implicit or authorization. To maintain a similar workflow that the above code achieved, implicit workflow is the one that can give you both access_token and refresh_token that you will send to your backend api.
Here is another link with sample code for both workflows.
https://react-oauth.vercel.app/
Note you will need to use #react-oauth/google to configure the Google workflows in your code.
Refer to this:
https://reactjsexample.com/google-oauth2-using-the-new-google-identity-services-sdk-for-react/
I'm using a third party API Key for my website. I have done some modification on that API and now I'm using it for my own site.
I want to secure that API data by adding a restriction on any user (Authenticated or Anonymous ).
I want to add a time limit on the data provided by the API. So, if anybody uses the same data after a certain period of time then it will show an error.
As well as I want some restrictions on users IP. So, a user can access my website a fixed number of time.
You might want to use the Django REST Framework JWT Authentication.
I implemented https://github.com/davesque/django-rest-framework-simplejwt
It works - the installation is rather easy - read the docs :)
if you are using DRF use the authentication class settings. If you are using normal Django views you can wrap the view with a login_required decorator
We've deployed WSO2 API Manager 2.0 and are very happy with it.
Although, we've been looking in the documentation if it is possible to add a field to the user profile but haven't found anything yet, is this at all possible? Also, if this is possible can we show the field somewhere on the frontend? Or better yet, is it possible to send it to a backend webservice?
Our problem is that we have a backend with users that have a token, but we didn't want to send that token to the API Manager, we want it to be added without worrying the user. Is this at all possible? We know about sequence mediation and this can probably be achieved with it, the only complication is where we store the user token, for each user.
Thanks in advance!
Best Regards
You can introduce new user attributes to user profiles. APIM uses WSO2 identity server features internally. So you can refer this doc.
If you enabled Supported by Default property, it will be shown in user profile.
You can use JWT to send user claims to backend. You can find docs here.
Last part is not much clear to me.
I am using Django v1.8 and django-rest-framework v3.2.2. I have a site with a public-facing API, which is also consumed by my own site (on the same domain) as the Ajax back-end to a JavaScript application, using GET only.
I want public users of this API to be asked for a key parameter in the URL, which I will issue manually. But I also want my JavaScript application to be able to use the API, in a way that means that other users can't just steal the key and use it.
I have set up my custom key authentication as described here, and it's working well.
However, I'm unclear on how the JavaScript application should use the API. Obviously I could just pass a dedicated key parameter in the URL, but then won't other users trivially be able to spot the key and use it?
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
Very grateful for any advice.
I think I need SessionAuthentication, but how do I even start to make this work? I can't see any instructions in the DRF documentation about how I need to change my JavaScript calls to use it.
SessionAuthentication is the Django's one. It uses session to authenticate a user. It's mostly transparent for ajax request as the browser will send the cookie automatically. However, if you're posting data, you need to make sure you send the CSRF token in both headers and post body.
Also I don't understand how SessionAuthentication allows the Ajax app to authenticate without other users being able to see and copy the authentication.
As said above, it uses cookies for that. They are part of the headers and thus usually not seen on the urls.
To make sure no-one else can steal user's session you need to run the site through https.
This isn't much different from regular websites.