
As far as I understand, the obtain_auth_token view works as a login functionality. You provide credentials and get the token back. What will the logout be? Should I delete the token on logout? What would be the best practice?

If deleting is OK, then how do I handle multiple clients at the same time. Say, the user logs out from mobile device but wants to stay logged in on the web. The Token model currently has a OneToOne relationship to User.

Please give me some advice. Thanks.

Sam R.

1 Answer


The TokenAuthentication provided by Django REST framework is intended to be used as a very simple token authentication. What I mean by that is, you get

If you are looking for anything more advanced than that, you usually have to look into a different token authentication method. This can be as simple as subclassing the standard TokenAuthentication classes and views (as linked), but the Token model is not easily swappable. This means that changing the user field to a ForeignKey, allowing you to have multiple tokens for a user, is not easy to implement.

Luckily, Django REST framework does support other authentication methods, such as OAuth and JSON Web Tokens, both of which support multiple tokens for users. You can find a comparison of the common authentication classes at this Stack Overflow answer.

Kevin Brown-Silva
  • Thanks. Initially I was thinking about extending the token but now that you said it's not trivial I'll give [django-rest-framework-jwt](https://github.com/GetBlimp/django-rest-framework-jwt) a try. It looks promising. – Sam R. Jan 09 '15 at 08:01
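The layout the answer describes (a token table with a ForeignKey to the user instead of the OneToOne that DRF's Token model ships with) is small enough to sketch without Django. The following is an added example, not code from DRF or from the answer above: the ORM is replaced by an in-memory dict, and the names `DeviceTokenStore`, `User`, `issue`, `revoke` and `revoke_all` are assumptions for illustration. It goes one step beyond the answer by storing only a SHA-256 digest of each key, so a copied table cannot be replayed as bearer tokens, and it models the exact scenario from the question: logging out on mobile deletes that device's token while the web session keeps working.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    """Stand-in for Django's User model (constructed for this example)."""
    username: str


@dataclass
class DeviceTokenStore:
    """One user -> many tokens, the ForeignKey layout the answer describes.

    Keys are kept only as SHA-256 digests, so a leaked copy of the store
    cannot be replayed as bearer tokens. Django's ORM is replaced by a dict.
    """
    # digest(key) -> (user, device label)
    _rows: dict[str, tuple[User, str]] = field(default_factory=dict)

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def issue(self, user: User, device: str) -> str:
        """Login: mint a fresh 40-hex-char key (same shape as DRF's Token.key)
        for this user/device and return it once; only the digest is stored."""
        key = secrets.token_hex(20)
        self._rows[self._digest(key)] = (user, device)
        return key

    def authenticate(self, key: str) -> User:
        """What a custom TokenAuthentication.authenticate_credentials() would do:
        map the presented key to a user, or reject the request."""
        row = self._rows.get(self._digest(key))
        if row is None:
            raise PermissionError("Invalid token.")
        return row[0]

    def revoke(self, key: str) -> bool:
        """Logout for one client: delete only the token that client presented.
        Returns False when the key is already unknown (logout is idempotent)."""
        return self._rows.pop(self._digest(key), None) is not None

    def revoke_all(self, user: User) -> int:
        """'Log out everywhere' (for example after a password change): drop every
        token that belongs to the user and return how many were removed."""
        doomed = [d for d, (u, _) in self._rows.items() if u.username == user.username]
        for d in doomed:
            del self._rows[d]
        return len(doomed)

    def active_devices(self, user: User) -> list[str]:
        """Device labels that still hold a valid token for the user."""
        return sorted(dev for (u, dev) in self._rows.values() if u.username == user.username)


def demo_logout_mobile_keeps_web() -> tuple[bool, bool]:
    """The question's scenario: log in on mobile and web, then log out on mobile.
    Returns (mobile_still_valid, web_still_valid)."""
    store = DeviceTokenStore()
    sam = User("sam")
    mobile_key = store.issue(sam, "mobile")
    web_key = store.issue(sam, "web")
    store.revoke(mobile_key)

    def still_valid(key: str) -> bool:
        try:
            store.authenticate(key)
            return True
        except PermissionError:
            return False

    return still_valid(mobile_key), still_valid(web_key)


if __name__ == "__main__":
    print(demo_logout_mobile_keeps_web())  # (False, True)
```

In a real DRF deployment the dict becomes a model with `user = ForeignKey(User)` and a `device` column, `authenticate` becomes the body of a `TokenAuthentication` subclass's `authenticate_credentials`, and the logout view calls `revoke` with the key taken from the request's own `Authorization` header rather than anything supplied in the body, so a client can only ever end its own session.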