Discussion:
is it possible to use both oauth2 toolkit and another auth backend
Mark Mikofski
2017-02-09 22:00:39 UTC
I would like to use django-oauth-toolkit in combination with other auth
backends. Is this possible?

I want to set up a resource and provider on the same web server, to serve
both as an auth service provider and as an API resource.
They have a common user database. As well as a token table using the DRF
token auth backend.

For some applications I want them to authenticate using oauth for their
user. EG: get a token from the provider and then authenticate using the
token for their user.

But some applications don't have any users, and they could just
authenticate directly with the resource using the DRF token auth backend.

And I want to be able to log into the resource directly using my username
and password using the DRF/Django builtin session backend.

When I try this, it works to use my username and password in the admin
webpage and the DRF webpage of the resource (which is also the provider).

And it also works if I send a request (using curl or python-requests) from
the command line using oauth2 tokens,
but if I try to send a request using either username/password or the DRF
token, I get either a 401, 403 or a traceback that says the

AssertionError: TokenHasScope requires
the`oauth2_provider.rest_framework.OAuth2Authentication` authentication
class to be used.

If I don't provide any backend at all, what is the default? Is it always
the session backend?

Thanks!
Mark
Mark Mikofski
2017-02-10 01:00:05 UTC
The answer is yes, I was able to use multiple backends.

The token, basic, session and django-ldap backends all worked fine
together, as long as I disable scopes for django-oauth-toolkit (DOT),
because the default DRF token backend doesn't have scopes, so I'll have to
work that out.

I believe that tutorial 4 explains that the default backends for DRF are
basic and session, depending on whether you're using the command line
(basic by default) or the browser (session by default).

thanks! and sorry for spamming everyone with my own personal problems.
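The three outcomes reported above (success with OAuth2 tokens, denial with username/password, an AssertionError with a DRF token) follow from a permission check that only understands scoped tokens. The sketch below is an added example, a simplified pure-Python model and not DRF or django-oauth-toolkit code; every class name, function name and credential in it is constructed for illustration.

```python
# Simplified model of the behaviour discussed in this thread; the classes below
# are stand-ins, not DRF or django-oauth-toolkit code.
from dataclasses import dataclass

@dataclass
class OAuthToken:            # models an OAuth2 access token: it carries scopes
    scope: str
    def is_valid(self, required):
        return set(required) <= set(self.scope.split())

@dataclass
class PlainToken:            # models a DRF auth token: a key, no scopes
    key: str

# Constructed credentials: Authorization header value -> (user, auth object)
OAUTH = {"Bearer abc": ("alice", OAuthToken("read write"))}
DRF_TOKENS = {"Token xyz": ("svc", PlainToken("xyz"))}
BASIC = {"Basic bWFyazpwdw==": ("mark", None)}   # basic auth leaves auth=None

def authenticate(header, backends=(OAUTH, DRF_TOKENS, BASIC)):
    """Try each backend in order; the first match wins, like a class list."""
    for backend in backends:
        if header in backend:
            return backend[header]
    return (None, None)

def token_has_scope(user, auth, required):
    """Scope-only permission: anything that is not an OAuth2 token fails."""
    if not auth:
        return False                      # basic/session: request is denied
    if hasattr(auth, "scope"):
        return auth.is_valid(required)
    raise AssertionError("scope check needs an OAuth2 token")  # DRF token case

def authenticated_or_scoped(user, auth, required):
    """Mixed permission: enforce scopes on OAuth2 tokens, else require a user."""
    if hasattr(auth, "scope"):
        return auth.is_valid(required)
    return user is not None

def check(header, permission, required=("read",)):
    """Authenticate, then apply the permission; report a crash as 'error'."""
    user, auth = authenticate(header)
    try:
        return permission(user, auth, required)
    except AssertionError:
        return "error"
```

Under the mixed permission, credentials that carry no scopes are accepted with no scope restriction at all, so views that rely on scopes to limit access need a separate check for those callers.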
Tom Christie
2017-02-10 09:45:53 UTC
Post by Mark Mikofski
sorry for spamming everyone with my own personal problems
:) Actually I quite liked the confirmation that everything works as it's
supposed to!
Well described cases like this are always appreciated, even if you end up
resolving them yourself.

Cheers,

Tom :)
Mark Mikofski
2017-02-11 08:30:34 UTC
Thanks! I do have a follow up question about scopes that I posted
separately.
Benjamin SOULAS
2018-08-24 13:35:08 UTC
Hi Mark,

I am interested in the fact that you handled Token from LDAP, do you have
examples of how you implement it? Just for the context, I have to
implement an API (with DRF or not, for now it is DRF). For testing it (e.g.
with Postman) it works fine with DRF Token authentication (easy to
implement by the way).

But now, people asked me to see how we could handle LDAP users in our API,
does it create DRF users (to be more precise, is the DRF auth a
Django native implementation, so it could be ok with DRF authentication?)

I don't really know if I am clear, but if I could make a synthesis: Could I
use Django-auth-LDAP on my DRF API which uses DRF Token Authentication?

Kind regards,

Benjamin
Mark Mikofski
2018-08-25 21:21:41 UTC
Hi Benjamin, as I recall I did successfully use both django-auth-ldap [1]
and django-oauth-toolkit [2] with DRF, but I didn't use the DRF token
authentication [3] although I did use basic. The reason I couldn't use
token auth from DRF is because it didn't have scopes which OAuth2 does, so
they were not compatible, I believe, although my memory is fuzzy. Anyway, the
use case, apps that don't have users, was covered by django-oauth-toolkit by
setting those apps' grant type to client credential [4].

[1] https://django-auth-ldap.readthedocs.io/en/latest/index.html
[2] https://django-oauth-toolkit.readthedocs.io/en/latest/
[3] http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
[4] https://tools.ietf.org/html/rfc6749#section-4.4

for oauth2 see also:
https://alexbilbie.com/guide-to-oauth-2-grants/
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://aaronparecki.com/oauth-2-simplified/

hope this helps
Benjamin SOULAS
2018-08-27 06:45:32 UTC
Hi again Mark,

Thank you very much for your reply, very fast and very complete in
explanations! So I should remove my DRF Token authentication and use
DRF Basic Authentication as I understood. A friend of mine gave me the same
answer as yours. The only thing I don't understand are "scopes" you talked
about (I am not expert at all in Django Devs, so some stuff don't really
talk to me actually). For now, the only thing I have to know is the LDAP
authentication with Django (ideally with DRF) and how to manage groups (it
is explained in the django-auth-LDAP) so I have to figure it out. Also, I
saw a python LDAP (native) exists, so even if I don't use Django (but
Tornado to give another FW), it is still possible.

Thank you very much once again.

Kind regards,

Benjamin.