Passing a Token to a Client

I am developing an iOS application and am using Django for the backend. There are two applications that I use in Django

  • Django OAuth Toolkit to support OAuth authentication.
  • Python Social Auth to support social authentication

The social authentication process should be:

  • GET localhost/login/{application}
  • Authentication on the application site
  • Redirect to localhost/complete/{application}
  • Fetch the {application} access token
  • Create a new user with the server access token and associate it with the {application} access token
  • Redirect to localhost/accounts/profile

Then I can use the server access token to communicate with {application}.

But the client will see that the browser starts with localhost/login/{application} and ends with localhost/accounts/profile, and still does not know what the server access token is, so my question is how to transfer the access token to the client?

One solution is to redirect with an access token like localhost/accounts/profile?token=MyServerToken, but how do I add a parameter when redirecting to the profile URL?

3 answers

You should not pass an access token in the query string, for example /?token=my_token. This is not a safe method and is definitely not recommended.

Some other approaches you can use are as follows:

Approach 1: server_access_token in a response header

HTTPS.


from django.http import HttpResponseRedirect
from django.views import View


class MySocialApplicationRedirectView(View):

    def get(self, request, *args, **kwargs):
        # Here, write your code to fetch the {application} access token,
        # creating a new user with your server access token, and then
        # associating it with the {application} access token

        # assign the response to a variable and set the access token as a header in the response
        response = HttpResponseRedirect('/accounts/profile/')
        response['X-Auth-Token'] = 'my_server_access_token'

        # can also use the below name as 'X-' prefixed headers are deprecated
        # response['Auth-Token'] = 'my_server_access_token'

        return response


Approach 2: server_access_token in a cookie

- server_access_token cookie @Ben.

response.set_cookie() server_access_token cookie, cookie .

from django.http import HttpResponseRedirect
from django.views import View


class MySocialApplicationRedirectView(View):

    def get(self, request, *args, **kwargs):
        # Here, write your code to fetch the {application} access token,
        # creating a new user with your server access token, and then
        # associating it with the {application} access token

        # assign the response to a variable and set the access token as a cookie in the response object
        response = HttpResponseRedirect('/accounts/profile/')
        # add further cookie attributes (max_age, path, domain, secure, httponly) as needed
        response.set_cookie('server_access_token', value='my_server_access_token')
        return response

.. ( , ) HTTPS.

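The three hand-off options compared in this answer (token in the redirect's query string, in a response header, or in a cookie), as an added illustration that is not code from the original post. It uses only the Python standard library rather than Django, so the `audit_redirect` and `token_cookie_header` helpers and the cookie and parameter names are assumed; it flags the query-string hand-off and checks that a token cookie carries the Secure and HttpOnly attributes.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Query-string and cookie names that would carry the server token (assumed names).
SENSITIVE_NAMES = {"token", "access_token", "server_access_token"}


def token_cookie_header(token: str, name: str = "server_access_token") -> str:
    """Build the Set-Cookie header value for handing the server token to the client.
    Secure keeps it off plain HTTP, HttpOnly keeps page scripts away from it (a native
    iOS client reads the Set-Cookie header itself, so it does not need script access)."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    return jar[name].OutputString()


def audit_redirect(headers: dict) -> list:
    """Return the problems found in the headers of a login-completion redirect.
    `headers` is a plain dict of response headers (constructed input for this example)."""
    findings = []
    # Option the question proposes: token in the Location query string. It ends up in
    # browser history, proxy and server logs, and the Referer of the next request.
    location = headers.get("Location", "")
    for param in parse_qs(urlsplit(location).query):
        if param.lower() in SENSITIVE_NAMES:
            findings.append(f"token exposed in Location query string ({param})")
    # Option 2: token in a cookie. Check the attributes that limit where it travels.
    cookie_header = headers.get("Set-Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name, morsel in jar.items():
            if name.lower() in SENSITIVE_NAMES:
                if not morsel["secure"]:
                    findings.append(f"cookie {name} lacks Secure")
                if not morsel["httponly"]:
                    findings.append(f"cookie {name} lacks HttpOnly")
    # Option 1 (a custom response header such as X-Auth-Token) leaves nothing in the URL
    # and is only seen by the HTTP client that made the request, so it needs no check here.
    return findings
```

Running `audit_redirect` on the redirect the question proposes reports the query-string exposure, while a redirect that sets the token with `token_cookie_header` reports nothing.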

, , Django . , ( ), extra_data dict SocialUser , .

, Django ( user):

access_token = user.social_auth.get(provider='google-oauth2').extra_data['access_token']

, . , , , API-, .

, . , . , Facebook, cookie, API- Facebook. , .

, , cookie :

response.set_cookie('social_auth_tokens',
    value=your_data_here,
    max_age=None,   # cookie will expire at end of user session
    expires=None,
    path='/',
    domain=None,    # only readable by this domain
    secure=True,    # only transmitted over https
    httponly=False) # readable by scripts running on the page

, , TastyPie. , , , API , .


Source: https://habr.com/ru/post/1606060/
