Comments (5)
OK quite easy with your plugin:
Just create a route /api/get-user that returns a JWT for the given user
then curl -H "Authorization: Bearer <backend_name> <access_token>" http://localhost:8000/api/get-user
And that's it! Thanks for this amazing plugin
from django-rest-framework-social-oauth2.
@alexislg2 Can you please elaborate about how you achieved this?
@kinesii What exactly do you need?
My api_view.py looks like:
```python
from django.http import JsonResponse
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny


@api_view(['POST'])
@permission_classes((AllowAny, ))
def obtain_jwt_token_from_social_provider(request):
    """ This route must be called by the mobile app """
    # Use a custom function to generate a JWT token from a django user
    # (generateJwtForUser is the author's own helper, not shown here):
    jwt = generateJwtForUser(request.user)
    return JsonResponse({"jwt_token": jwt})
```
@alexislg2 Does the request to /api/get-user contain any authentication in itself, or just the user data?
If just the user data, this is very insecure. An attacker could simply call that endpoint with someone's user and get infinite access to their account.
A better way would be to extend your django-rest-framework-social-oauth2 endpoint to return a JWT instead of the standard access token on the initial authentication request.
@assembledadam the /api/get-user request requires you to provide the access_token provided by the OAuth backend. So an attacker would need this access_token, so he would need to have the Google/Facebook password of the user he wants to hack.
from django-rest-framework-social-oauth2.
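The flow discussed in this thread, as an added stdlib-only example that is neither the plugin's code nor alexislg2's: it parses the `Bearer <backend_name> <access_token>` header from the curl call, issues a JWT only when that provider token resolved to a user (the check assembledadam asked about), and mints and verifies an HS256 JWT. The provider-token table, the secret and the username are constructed; in the real app the token is validated by the social backend and `generateJwtForUser` is the author's own helper.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for provider tokens the mobile app got from Google/Facebook;
# in the real setup the social backend named in the header validates them.
VALID_PROVIDER_TOKENS = {("google-oauth2", "ya29.constructed-token"): "alice"}
JWT_SECRET = b"constructed-secret-change-me"  # placeholder signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_social_bearer(header: str):
    """Parse 'Bearer <backend_name> <access_token>' from the curl call above."""
    parts = header.split()
    if len(parts) != 3 or parts[0].lower() != "bearer":
        return None
    return parts[1], parts[2]

def resolve_user(header: str):
    """Username only if the provider token is known for that backend, else None."""
    parsed = parse_social_bearer(header or "")
    return None if parsed is None else VALID_PROVIDER_TOKENS.get(parsed)

def mint_jwt(username: str, ttl_seconds: int = 3600, now=None) -> str:
    """HS256 JWT using only the stdlib; assumed stand-in for generateJwtForUser."""
    now = int(time.time()) if now is None else now
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = compact({"alg": "HS256", "typ": "JWT"})
    payload = compact({"sub": username, "iat": now, "exp": now + ttl_seconds})
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now=None):
    """Claims if signature and expiry check out, else None (constant-time compare)."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

def get_user_endpoint(authorization_header: str):
    """Mirror of /api/get-user: no JWT unless the social token authenticated a user."""
    username = resolve_user(authorization_header)
    if username is None:
        return 401, {"detail": "provider access_token missing or invalid"}
    return 200, {"jwt_token": mint_jwt(username)}
```

In DRF the same guarantee comes from keeping the view's authentication on the social backend and using IsAuthenticated instead of AllowAny, so request.user can never be AnonymousUser when the JWT is minted.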