SSO Authentication with JWT about django-rest-framework-social-oauth2 HOT 5 CLOSED

OK quite easy with your plugin:
Just creat a route /api/get-user that return a JWT from the given user

then curl -H "Authorization: Bearer <backend_name> <access_token>" http://localhost:8000/api/get-user

And that's it! Thanks for this amazing plugin

from django-rest-framework-social-oauth2.

@alexislg2 Can you please elaborate about how you achieved this?

from django-rest-framework-social-oauth2.

@kinesii What exactly do you need?

My api_view.py looks like:

from rest_framework.decorators import api_view, permission_classes


@api_view(['POST'])
@permission_classes((AllowAny, ))
def obtain_jwt_token_from_social_provider(request):
    """ This route must be called by the mobile app """
    # Use a custom function to generate a JWT token from a django user:
    jwt = generateJwtForUser(request.user)
    return JsonResponse({"jwt_token": jwt})

from django-rest-framework-social-oauth2.

@alexislg2 Does the request to /api/get-user contain any authentication in itself, or just the user data?

If just the user data, this is very insecure. An attacker could simply call that endpoint with someone's user and get infinite access to their account.

A better way would be to extend your django-rest-framework-social-oauth2 endpoint to return a JWT instead of the standard access token on the initial authentication request.

from django-rest-framework-social-oauth2.

@assembledadam the /api/get-user requests to provide the access_token provided by the OAuth backend. So an attacker would need this access_token so he would need to have the Google/Facebook password of the user he wants to hack

from django-rest-framework-social-oauth2.