Comments (8)

PhilipGarnero commented on May 29, 2024

I don't understand you here. Why would you want to pass client id and secret to those views?

from django-rest-framework-social-oauth2.

ashishtajane commented on May 29, 2024

I am new to OAuth in general, so please bear with me if this sounds like a newbie question.
So, what is the use of client id and secret in general in these requests?
My understanding was, we can identify and verify different clients with these -- like mobile app, webapp, desktop app are different clients, also we can provide API access to third parties for various purposes so each third party becomes a client.
So, here, we can verify a normal login request (/auth/token/) is coming from genuine client as client credentials are a must for this view. But for social logins, someone can get an access_token using /auth/convert-token/ view even if they don't have client credentials. And if we are allowing this, then what is the use of using client id and secret in those other views at all?

PhilipGarnero commented on May 29, 2024

Hum... No, you're right, this is a legitimate question.
For now, we are using the Owner application by default when converting a token. This means that every token you generate with this will belong to our app. This is fine when you don't handle third party clients but when you'll need them, you will be stuck with a good part of tokens not actually belonging to them and as a result probably breaking some oauth2 features.
Making this change will break the api but it seems necessary.
Thank you for this report. I will update the code and release a new version as soon as I'm free.

ashishtajane commented on May 29, 2024

Cool, Thanks! 👍
Do let me know if I could be of any help, as I am using this currently in my app.

PhilipGarnero commented on May 29, 2024

After some thinking, this is more complicated than I first thought.
Depending on the client type of the application, the parameters needed don't limit themselves to client_id and secret.
I probably need to implement the exact same behavior as /token but I will need to investigate how I could handle the different grants and clients using it.

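Added illustration of the point raised in the comments above (not code from django-rest-framework-social-oauth2 and not the fix the maintainer shipped): a framework-free sketch of a convert-token step that authenticates the calling client according to its client type before issuing a token, so the token is bound to that client's application rather than to a default owner app. `Application`, `APPS`, `authenticate_client`, `convert_token` and `verify_social_token` are hypothetical names, and the registry entries are constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass


class InvalidClient(Exception):
    """Client could not be authenticated (RFC 6749 error 'invalid_client')."""


@dataclass(frozen=True)
class Application:  # hypothetical stand-in for an OAuth2 application record
    client_id: str
    client_secret: str
    client_type: str  # "confidential" or "public"


# Constructed sample registry: a first-party web app and a third-party mobile app.
APPS = {a.client_id: a for a in (
    Application("owner-web", "s3cr3t-owner", "confidential"),
    Application("partner-mobile", "", "public"),
)}


def authenticate_client(client_id, client_secret=None):
    """Return the registered application, or raise InvalidClient."""
    app = APPS.get(client_id or "")
    if app is None:
        raise InvalidClient("unknown or missing client_id")
    if app.client_type == "confidential":
        # Confidential clients must prove possession of the secret;
        # compare in constant time to avoid a timing side channel.
        if not client_secret or not hmac.compare_digest(
                client_secret.encode(), app.client_secret.encode()):
            raise InvalidClient("missing or wrong client_secret")
    return app  # public clients are identified by client_id only


def convert_token(params, verify_social_token):
    """Exchange a social-provider token for a local token bound to the caller's app.

    verify_social_token is a hypothetical callable (backend, token) -> user id or None.
    """
    app = authenticate_client(params.get("client_id"), params.get("client_secret"))
    user = verify_social_token(params.get("backend"), params.get("token"))
    if user is None:
        raise ValueError("social token rejected by backend")
    return {"access_token": secrets.token_urlsafe(32),
            "application": app.client_id, "user": user}
```

Client authentication runs before the social token is checked, so a request without valid client credentials never reaches the provider lookup.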

PhilipGarnero commented on May 29, 2024

I think the OauthlibMixin provided by oauth2_provider should do it with some customizations.
I'll try this tomorrow.

felix-d commented on May 29, 2024

So how does it go? If you need some help I could try to give a hand. This module is crucial for me :P Well, I don't have the need for third party clients right now but that might become a possibility in the future. When the issue is resolved, I'll link the repo to my blog post as well. It naively discusses the usage of python social auth with oauth2 toolkit but your module is way more complete and right than what I wrote lol

PhilipGarnero commented on May 29, 2024

Well, I think this is fixed now.
Please tell me if that fulfills your needs and report any bug encountered.
I'll close this for now.