I am trying to implement a web service with filtered resource access (OAuth authentication) with Django, and I have some questions.
I created two web servers:
I am trying to use OAuth version 1.0a to authenticate a consumer against a provider. The workflow for this protocol is described here.
In short, here are the steps (the names of the values exchanged are in parentheses):
- the consumer requests a token from the provider (key, secret)
- if the consumer is valid, the provider returns a token to it (oauth_token, oauth_token_secret)
- the consumer redirects the user to the provider for login / access (oauth_token)
- the user grants the consumer access to the resource
- the provider gives the consumer a token_verifier
- the consumer requests an access_token (key, secret, oauth_token, oauth_token_secret, oauth_verifier)
- the provider gives the consumer an access_token (oauth_token)
- the consumer uses its oauth_token to access the resource
Here is my consumer view code:
```python
# Python 2 code: urlparse and the oauth2 (python-oauth2) package are Python 2 era
from django.shortcuts import render_to_response
from django.http import HttpResponse, HttpResponseRedirect
import oauth2 as oauth
import urlparse

REQUEST_TOKEN_URL = 'http://127.0.0.1:8080/api/authentication/request_token/'
AUTHORIZATION_URL = 'http://127.0.0.1:8080/api/authentication/authorize/'
ACCESS_TOKEN_URL = 'http://127.0.0.1:8080/api/authentication/access_token/'
CONSUMER_CALLBACK_URL = 'http://127.0.0.1:8000/request_access_token/'
CONSUMER_KEY = 'key'
CONSUMER_SECRET = 'secret'

# one consumer identity and one signing client, shared by all views
consumer = oauth.Consumer(CONSUMER_KEY, CONSUMER_SECRET)
client = oauth.Client(consumer)


def request_token(request):
    """ Contacts the service provider to get a token. """
    resp, content = client.request(REQUEST_TOKEN_URL, 'GET')
    # the provider answers with a form-encoded body: oauth_token=...&oauth_token_secret=...
    params = dict(urlparse.parse_qsl(content))
    oauth_token = params.get('oauth_token', None)
    oauth_token_secret = params.get('oauth_token_secret', None)
    if oauth_token is None:
        return render_to_response('home.html', {'data': 'NO TOKEN FOUND'})
    else:
        # keep the temporary credentials in the session until the callback arrives
        request.session['oauth_token'] = oauth_token
        request.session['oauth_token_secret'] = oauth_token_secret
        return HttpResponseRedirect('request_user_permission/')


def request_user_permission(request):
    """ Redirects the user to the service provider to get permission if token provided. """
    # .get() so that a missing key yields None instead of a KeyError
    oauth_token = request.session.get('oauth_token', None)
    if oauth_token is None:
        return render_to_response('home.html', {'data': 'NO TOKEN FOUND'})
    else:
        return HttpResponseRedirect("%s?oauth_token=%s&oauth_callback=%s"
                                    % (AUTHORIZATION_URL, oauth_token, CONSUMER_CALLBACK_URL))


def request_access_token(request):
    """ Requests an access token from the service provider if the user granted permission. """
    error = request.GET.get('error', None)
    if error is None:
        oauth_verifier = request.GET.get('oauth_verifier', None)
        if oauth_verifier is None:
            return render_to_response('home.html', {'data': 'UNKNOWN ERROR HAPPENED'})
        else:
            pass  # the remainder of this view is cut off in the post
```
General OAuth Questions
- How many tokens should a consumer have? One? One per user? One per resource?
- How should a consumer store its token(s)?
- How do you determine which resources a user can get with his token? Should the consumer provide an identifier for the resource it wants to access when the user is redirected to the service provider (step 3)?
- If the user wants to access a resource for which he has already granted access in the past, should the consumer redirect the user to the service provider anyway (and let the service provider immediately return oauth_verifier instead of asking the user for permission)?
Technical problems
I am currently using locally cached sessions to store the token, but it does not work:
- When sessions are activated on the consumer server, the user must log in to the service provider's server each time (even if he is already logged in).
- In the first view (requesting a token), I save oauth_token and oauth_token_secret in the request session. When I try to access them in the second view (before redirecting the user), it works. But when I try to access them in the last view (after the redirect), it does not (KeyError, oauth_token not found in the request.session dictionary).
Thanks!
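The eight steps listed in the question, simulated end to end. This is an added example, not the asker's code and not the oauth2 library's API: both the consumer and the provider side live in one Python 3 process with only the standard library, signatures are HMAC-SHA1 as specified in RFC 5849, and the keys, URLs and the user name "alice" are constructed sample values. It shows the two provider-side checks that give the flow its security: the verifier (which in 1.0a exists so that a request token a user was tricked into authorising cannot be exchanged by whoever started the flow) and the nonce/timestamp replay check. Note that in 1.0a the oauth_callback travels with the request-token request (step 1), not on the authorize URL as the question's consumer code does.

```python
# Added example (not the asker's code): OAuth 1.0a three-legged flow, consumer and provider
# simulated in one process, HMAC-SHA1 per RFC 5849. Keys, URLs and "alice" are constructed.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

CONSUMER_KEY, CONSUMER_SECRET = "key", "secret"
REQUEST_TOKEN_URL = "http://127.0.0.1:8080/api/authentication/request_token/"
ACCESS_TOKEN_URL = "http://127.0.0.1:8080/api/authentication/access_token/"
RESOURCE_URL = "http://127.0.0.1:8080/api/photos/"
CALLBACK_URL = "http://127.0.0.1:8000/request_access_token/"

def require(condition, message):
    if not condition:                 # every failed provider-side check is a rejection
        raise PermissionError(message)

def pct(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay as they are."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & encoded URL & encoded, sorted 'k=v&k=v' parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return f"{method.upper()}&{pct(url)}&{pct('&'.join(f'{k}={v}' for k, v in pairs))}"

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request(method, url, token=None, token_secret="", **extra):
    """Consumer side: the oauth_* parameters for one request, signed."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params

class Provider:
    def __init__(self, consumers):
        self.consumers = consumers      # consumer key -> consumer secret
        self.request_tokens = {}        # single-use temporary credentials
        self.access_tokens = {}         # token -> {"secret", "consumer_key", "user"}
        self.seen_nonces = set()        # (consumer key, nonce, timestamp) already accepted

    def _verify(self, method, url, params, token_secret=""):
        consumer_key = params.get("oauth_consumer_key")
        secret = self.consumers.get(consumer_key)
        require(secret is not None, "unknown consumer")
        require(abs(int(params.get("oauth_timestamp", "0")) - time.time()) <= 300, "stale timestamp")
        nonce = (consumer_key, params.get("oauth_nonce"), params.get("oauth_timestamp"))
        require(nonce not in self.seen_nonces, "replayed nonce")
        expected = sign(method, url, params, secret, token_secret)
        require(hmac.compare_digest(expected, params.get("oauth_signature", "")), "bad signature")
        self.seen_nonces.add(nonce)
        return consumer_key

    def request_token(self, method, url, params):
        """Steps 1-2. In 1.0a the callback is sent here and bound to the temporary credentials."""
        consumer_key = self._verify(method, url, params)
        callback = params.get("oauth_callback")
        require(bool(callback), "oauth_callback is required by OAuth 1.0a")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "callback": callback,
                                      "consumer_key": consumer_key, "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        """Steps 3-5. User approves in the browser; provider mints a verifier and redirects to the callback."""
        entry = self.request_tokens[token]
        entry["verifier"], entry["user"] = secrets.token_hex(8), user
        return entry["callback"], entry["verifier"]

    def access_token(self, method, url, params):
        """Steps 6-7. Temporary credentials plus the verifier buy token credentials, once."""
        entry = self.request_tokens.get(params.get("oauth_token"))
        require(entry is not None, "unknown request token")
        consumer_key = self._verify(method, url, params, entry["secret"])
        require(entry["consumer_key"] == consumer_key and entry["verifier"] is not None and
                hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")), "bad verifier")
        del self.request_tokens[params["oauth_token"]]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer_key": consumer_key, "user": entry["user"]}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def protected_resource(self, method, url, params):   # step 8: token names the user, signature proves possession
        entry = self.access_tokens.get(params.get("oauth_token"))
        require(entry is not None, "unknown access token")
        require(self._verify(method, url, params, entry["secret"]) == entry["consumer_key"], "wrong consumer")
        return {"user": entry["user"]}

def run_flow(provider):
    """Drive all eight steps against a Provider; returns what the resource endpoint sees."""
    rt = provider.request_token("POST", REQUEST_TOKEN_URL, signed_request("POST", REQUEST_TOKEN_URL, oauth_callback=CALLBACK_URL))
    _callback, verifier = provider.authorize(rt["oauth_token"], "alice")   # browser round trip
    at = provider.access_token("POST", ACCESS_TOKEN_URL, signed_request("POST", ACCESS_TOKEN_URL, rt["oauth_token"], rt["oauth_token_secret"], oauth_verifier=verifier))
    return provider.protected_resource("GET", RESOURCE_URL, signed_request("GET", RESOURCE_URL, at["oauth_token"], at["oauth_token_secret"]))
```

`run_flow(Provider({CONSUMER_KEY: CONSUMER_SECRET}))` returns `{"user": "alice"}`. On the consumer side the only state that has to survive between the redirect to the provider and the callback is the request token and its secret (one pair per user per authorization attempt), which is exactly what the question's views keep in the session; the access token that comes back is what gets stored per user for later resource calls, and the provider's access_tokens table is what lets it answer "which user, via which consumer" without a login prompt.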