Django OAuthToolkit Scopes per specific method

Question

I'm using Django Rest Framework and OAuthTookit.

I want that the scope provided by the token should be HTTP Method specific. For eg:- GET, PUT, DELETE of the same APIView should have different scopes.

Following are my APIs.

class MyView(RetrieveUpdateDestroyAPIView):
    permission_classes = [TokenHasScope]
    required_scopes = ['scope1']
    serializer_class = ModelSerializer
    queryset = Model.objects.all()

Currently, the scope is set at the class level, which means to access all the GET, PUT & DELETE method, the token should have scope1.

I want that there should be different scope for different HTTP methods. How can I set different scope for different methods?

score 3 · Accepted Answer · answered Nov 15 '17 at 13:26

To handle this case, I think you need to implement a new permission class, something like this:

class TokenHasScopeForMethod(TokenHasScope):

     def has_permission(self, request, view):
         token = request.auth

         if not token:
             return False

         if hasattr(token, "scope"):
             # Get the scopes required for the current method from the view
             required_scopes = view.required_scopes_per_method[request.method]

             return token.is_valid(required_scopes)

And use it in your view like this:

class MyView(RetrieveUpdateDestroyAPIView):
     permission_classes = [TokenHasScopeForMethod]
     required_scopes_per_method = {'POST': ['post_scope'], 'GET': ['get_scope']}
     serializer_class = ModelSerializer
     queryset = Model.objects.all()

Awesome. Works like a charm. (y) – Praful Bagai Nov 16 '17 at 06:02 — Praful Bagai, Nov 16 '17 at 06:02

sahama · Answer 2 · 2020-08-04T09:39:24.527

Perhaps You can use TokenMatchesOASRequirements permission class

class SongView(views.APIView):
    authentication_classes = [OAuth2Authentication]
    permission_classes = [TokenMatchesOASRequirements]
    required_alternate_scopes = {
        "GET": [["read"]],
        "POST": [["create"], ["post", "widget"]],
        "PUT":  [["update"], ["put", "widget"]],
        "DELETE": [["delete"], ["scope2", "scope3"]],
    }

score 0 · Answer 3 · answered Dec 28 '21 at 18:26

I like @clément-denoix answer, but would tweak it a bit.

Instead of reloading TokenHasScope.has_permission I would suggest to redefine TokenHasScope.get_scopes as it is smaller method and perfectly fit for what you need. Also original has_permission method has additional logic that I prefer to preserve.

Something like this should do the trick:

from django.core.exceptions import ImproperlyConfigured
from oauth2_provider.contrib.rest_framework import TokenHasScope


class TokenHasScopeForMethod(TokenHasScope):
    def get_scopes(self, request, view):

        try:
            scopes = getattr(view, "required_scopes_per_method")
            return scopes[request.method]
        except (AttributeError, KeyError):
            raise ImproperlyConfigured(
                "TokenHasScope requires the view to define the required_scopes_per_method attribute"
            )

Django OAuthToolkit Scopes per specific method

3 Answers3