request.user is not the same as the token user about django-oauth-toolkit HOT 8 CLOSED

@masci Not sure whether this is the approach you were considering but one very simple way to give protected views access to the user associated with the token would be via

--- a/oauth2_provider/views/mixins.py
+++ b/oauth2_provider/views/mixins.py
@@ -165,6 +165,7 @@ class ProtectedResourceMixin(OAuthLibMixin):
     def dispatch(self, request, *args, **kwargs):
         valid, r = self.verify_request(request)
         if valid:
+            request.resource_owner = r.user
             return super(ProtectedResourceMixin, self).dispatch(request, *args, **kwargs)
         else:
         return HttpResponseForbidden()

request.resource_owner might be better than request.user as to differentiate the two although they should likely never both be available simultaneously.

Looking forward to playing around more with django-oauth-toolkit soon, gone over the installation which was a breeze. Nice work =)

from django-oauth-toolkit.

Hi João,

the request object you encounter in oauth2_validators.py module is not a Django request, think about it as an object belonging to the oauthlib world, which is "framework-agnostic".

APIs endpoint protected with django-oauth-toolkit are supposed to be accessed without logging in the user (that's where OAuth comes into play) providing an access token instead.

Trying to answer your question: at the moment Django OAuth Toolkit does not provide a simple way to retrieve the user whom the access token belongs to, you have to make a query for that.

If you post your use case we could discuss this and trying to provide a solution.

from django-oauth-toolkit.

@ib-lundgren Neat!

This way we also avoid an additional query to retrieve the user instance.

Also 'resource_owner' could be appropriate since it is clear that it's Oauth stuff.

Good to me 👍

Looking forward to playing around more with django-oauth-toolkit soon, gone over the installation which was a breeze. Nice work =)

Thank you

from django-oauth-toolkit.

@ib-lundgren thanks, that makes sense to me. Trying it out

I'm an oAuth2 newbie, so don't assume I know what I'm talking about. I feel that request.user should not be AnonymousUser, but the "correct" approach would be to be the application which is the user and not the resource owner (as all of you have pointed out). django-auth-toolkit doesn't allow this now and I don't need it, I just want to know if I'm thinking along the right lines.

Thanks,
João

from django-oauth-toolkit.

Just to note that @ib-lundgren's solution works well for me and I'd love to see the patch integrated. Is a PR needed?

from django-oauth-toolkit.

Yes, please! :-)

from django-oauth-toolkit.

@jneves a PR would be great!
Please read contributing guidelines before submitting.

from django-oauth-toolkit.

@masci @synasius thanks, done.

from django-oauth-toolkit.