Could not setup django-oauth-toolkit authentication

Question

I'm going to restrict my working rest_framework.views.APIView inherited class, to be visible only by authenticated users.
I made these modifications:

Added authentication_classes and permission_classes to my class:

class TestView(APIView):
    authentication_classes = (OAuth2Authentication,)
    permission_classes = (IsAuthenticated,)

    return Response("Hey there...")

Got an access_token from django-oauth-toolkit:

curl -XPOST "http://172.18.0.1:8000/oauth2/token/" \
-d 'grant_type=client_credentials&client_id=MY-CLIENT-ID&client_secret=MY-CLIENT-SECRET'
{"access_token": "Haje1ZTrc7VH4rRkTbJCIkX5u83Tm6", "expires_in": 36000, "token_type": "Bearer", "scope": "read write groups"}

Tried requesting the view without setting the access_token:

curl -XGET "http://172.18.0.1:8000/api/v1/test/"
{"detail":"Authentication credentials were not provided."}

Tried a new request with the access_token:

curl -XGET "http://172.18.0.1:8000/api/v1/test/" \
-H "Authorization: Bearer Haje1ZTrc7VH4rRkTbJCIkX5u83Tm6"
{"detail":"You do not have permission to perform this action."}

Should I do anything more to enable access_token authentication?

Note: I have installed these libraries in the environment:

Django==2.2.17
djangorestframework==3.12.2
django-oauth-toolkit==1.3.3

Note2: Forgot to say that rest_framework and oauth2_provider have been added to INSTALLED_APPS.

IMPORTANT EDIT:
This problem exists only if using "client credential grant" for authentication. check my own answer below.

How are you attaching the token to the request — can you share that part too? That's the one curl command you left out. — Noah, Jan 09 '21 at 16:54

score 1 · Accepted Answer · answered Jan 14 '21 at 12:10

In the end I found that OAuth2Authentication does not authenticate a user by its client_credential (accepts username/password pair with grant_type=password). so I wrote this custom authenticator. hope it helps other guys with the same problem.

from oauth2_provider.contrib.rest_framework import OAuth2Authentication
from oauth2_provider.models import Application


class OAuth2ClientCredentialAuthentication(OAuth2Authentication):
    """
    OAuth2Authentication doesn't allows credentials to belong to an application (client).
    This override authenticates server-to-server requests, using client_credential authentication.
    """
    def authenticate(self, request):
        authentication = super().authenticate(request)

        if not authentication is None:
            user, access_token = authentication
            if self._grant_type_is_client_credentials(access_token):
                authentication = access_token.application.user, access_token

        return authentication

    def _grant_type_is_client_credentials(self, access_token):
        return access_token.application.authorization_grant_type == Application.GRANT_CLIENT_CREDENTIALS

How is it possible that this is not documented? Thanks! – Adam Strike Apr 07 '22 at 13:42 — Adam Strike, Apr 07 '22 at 13:42

score 0 · Answer 2 · answered Jan 09 '21 at 20:01

0

Try djoser for authentication in Django rest framework

answered Jan 09 '21 at 20:01

ziyad alotaibe

19
3

it's not an answer to my question. ideas and suggestions like this are better to be submitted as comments. BTW thank you – mahyard Jan 09 '21 at 20:16
Sorry but I can’t choose to add a comment or an answer. Stackoverflow does – ziyad alotaibe Jan 09 '21 at 20:18
1

doesn't matter. when your reputation score reaches 50, you can comment everywhere. – mahyard Jan 09 '21 at 20:30
1

@mahyard I have a good video explaining djoser https://youtu.be/ddB83a4jKSY it works well with me – ziyad alotaibe Jan 09 '21 at 20:33

Could not setup django-oauth-toolkit authentication

2 Answers2