
I'm looking to set up Django to use OAuth2 to authenticate users for a service that I'm running, but I'm having a bit of difficulty understanding how the tokens are passed around.

I've been working my way through this tutorial: https://django-oauth-toolkit.readthedocs.org/en/0.7.0/tutorial/tutorial_01.html. I've been able to get a server up and running as the OAuth provider, and it seems to be working as it should. I'm able to log in to it and set up an application. The difficulty I'm having is figuring out how the various tokens are passed around.

Suppose that my OAuth provider is sitting on one server - let's call this Provider.com - and my service that I'm wanting authenticated is on service.com. When a user first tries to make a request to the service, they first need to authenticate against the Provider. So they click on a login button which directs them to Provider.com. They enter their credentials. If everything is set up correctly on the server, they should be presented with a prompt that gives them a chance to allow or deny Service.com from accessing their account on Provider.com. Supposing that they click Allow, they are then redirected to Service.com, and are given a token. On future calls to Service.com, they pass in the token, and are, in theory, able to make authenticated calls.

The problem I'm having understanding is this: At what point do the Provider and the Service communicate? If a call comes in to the Service, how does it know that the authentication token passed in with the call is valid? There's no way it could know that a particular token is valid unless: A) it recognizes that same token from a previous call which was also authenticated, or B) it talks to the OAuth 2 provider and verifies the authenticity of the token.

A diagram like the one found here shows the process in the browser:
http://tutorials.jenkov.com/images/oauth2/overview-1.png

At the end of this, it has the Client App sending the authentication code, client id, and client secret to the OAuth2 provider. In the previously mentioned tutorial, it isn't really clear how this is actually done. In the tutorial, the provider and the service are on the same machine, and it would appear that they also share the same database.

This brings about my question: How does one host a Django-based OAuth provider on a separate server from the resource/service being accessed? Is this possible?

This other post indicates that this might not be possible: https://stackoverflow.com/a/26656538/1096385 Is that indeed the case, at least with the existing Django OAuth2 provider framework?

Joel B
  • oauth2 is really easy to implement ... using the library is probably making it harder for you than it really is .... initial connection client logs in ... you generate an intermediate code and redirect back to the uri with the code parameter. the user provides their secret and does a post back to your server at which point you issue a token to them ... you then look up their user information from that token (usually set into a header field) – Joran Beasley Jan 27 '15 at 00:51

1 Answer

It depends on the oauth2 flow you're using. It seems like you're using authentication code.

In that case:

  • service.com sends the browser to provider.com for user authentication (the URI contains service.com's client_id and redirect_uri).
  • The user authenticates on provider.com, then the browser is redirected to service.com's redirect_uri with a ?code parameter.
  • On your server side, handle this code parameter and ask for a token with it.

See https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps

cyprien
  • That link certainly clarifies things! We'll actually end up writing it as a browser-based app, as we have both a web page and a mobile app that will need to use the service. One more question though: What prevents someone from simply typing an access token into the URL? How does Service.com know that it came from Provider.com? – Joel B Jan 27 '15 at 16:57
  • I've created a related post: http://stackoverflow.com/questions/28178767/django-oauth-2-client-setup-client-isnt-recognizing-tokens – Joel B Jan 27 '15 at 20:34