django-oidc-provider/docs/sections/oauth2.rst

.. _oauth2:

OAuth2 Server
#############

Because OIDC is a layer on top of the OAuth 2.0 protocol, this package also gives you a simple but effective OAuth2 server that you can use not only for logging in your users on multiple platforms, but also to protect other resources you want to expose.

Protecting Views
================

Here we are going to protect a view with a scope called ``read_books``::

    from django.http import JsonResponse
    from django.views.decorators.http import require_http_methods

    from oidc_provider.lib.utils.oauth2 import protected_resource_view


    @require_http_methods(['GET'])
    @protected_resource_view(['read_books'])
    def protected_api(request, *args, **kwargs):

        dic = {
            'protected': 'information',
        }

        return JsonResponse(dic, status=200)

Client Credentials Grant
========================

The client can request an access token using only its client credentials (ID and SECRET) when the client is requesting access to the protected resources under its control, that have been previously arranged with the authorization server using the ``client.scope`` field.

.. note::
    You can use Django admin to manually set the client scope or programmatically::

        client.scope = ['read_books', 'add_books']
        client.save()

This is how the request should look like::

    POST /token HTTP/1.1
    Host: localhost:8000
    Authorization: Basic eWZ3a3c0cWxtaHY0cToyVWE0QjVzRlhmZ3pNeXR5d1FqT01jNUsxYmpWeXhXeXRySVdsTmpQbld3\
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials

A successful access token response will like this::

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache

    {
        "token_type"    : "Bearer",
        "access_token"  : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiw...",
        "expires_in"    : 3600,
        "scope"         : "read_books add_books"
    }

Token introspection can be used to validate access tokens requested with client credentials if the ``OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE`` setting is ``False``.
Add OAuth2 documentation. 2016-02-18 19:24:31 +00:00			`.. _oauth2:`

			`OAuth2 Server`
			`#############`

Sphinx documentation fixes (#219) * Small wording change + fix in example template code * Added note about UserConsent not being in the admin * Mostly spelling corrections and phrasing changes * Moved template context explation from the settings to the templates page * Changed wording * Changed wording 2017-12-14 17:30:46 +00:00			`Because OIDC is a layer on top of the OAuth 2.0 protocol, this package also gives you a simple but effective OAuth2 server that you can use not only for logging in your users on multiple platforms, but also to protect other resources you want to expose.`
Add OAuth2 documentation. 2016-02-18 19:24:31 +00:00
			`Protecting Views`
			`================`

Fix docs. 2018-04-08 21:29:10 +00:00			Here we are going to protect a view with a scope called ``read_books``::
Add OAuth2 documentation. 2016-02-18 19:24:31 +00:00
			`from django.http import JsonResponse`
			`from django.views.decorators.http import require_http_methods`

			`from oidc_provider.lib.utils.oauth2 import protected_resource_view`


			`@require_http_methods(['GET'])`
Improve docs. 2018-04-08 21:28:38 +00:00			`@protected_resource_view(['read_books'])`
Add OAuth2 documentation. 2016-02-18 19:24:31 +00:00			`def protected_api(request, args, *kwargs):`

			`dic = {`
			`'protected': 'information',`
			`}`

			`return JsonResponse(dic, status=200)`
Improve docs. 2018-04-08 21:28:38 +00:00
			`Client Credentials Grant`
			`========================`

			The client can request an access token using only its client credentials (ID and SECRET) when the client is requesting access to the protected resources under its control, that have been previously arranged with the authorization server using the ``client.scope`` field.

			`.. note::`
			`You can use Django admin to manually set the client scope or programmatically::`

			`client.scope = ['read_books', 'add_books']`
			`client.save()`

			`This is how the request should look like::`

			`POST /token HTTP/1.1`
			`Host: localhost:8000`
			`Authorization: Basic eWZ3a3c0cWxtaHY0cToyVWE0QjVzRlhmZ3pNeXR5d1FqT01jNUsxYmpWeXhXeXRySVdsTmpQbld3\`
			`Content-Type: application/x-www-form-urlencoded`

			`grant_type=client_credentials`

			`A successful access token response will like this::`

			`HTTP/1.1 200 OK`
			`Content-Type: application/json`
			`Cache-Control: no-store`
			`Pragma: no-cache`

			`{`
			`"token_type" : "Bearer",`
			`"access_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiw...",`
			`"expires_in" : 3600,`
			`"scope" : "read_books add_books"`
			`}`
support introspection on client credentials tokens The response can simply omit fields that require id_token as the only required field is "active" according to RFC 7662. I think it would be nice for introspection of client credentials tokens to be supported by default without needing to override OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start. 2018-07-05 19:07:49 +00:00
			Token introspection can be used to validate access tokens requested with client credentials if the ``OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE`` setting is ``False``.