
Comments (4)

PhilipGarnero avatar PhilipGarnero commented on May 29, 2024

I'm not familiar with openID but with oauth2 you need to register an application to the third party authentication service (e.g. facebook) and use its client secret and id in order for the service to know who is asking for the data.

convertToken is more complex than this and there is more going on inside the django-oauth-toolkit package.

from django-rest-framework-social-oauth2.

Colleoni avatar Colleoni commented on May 29, 2024

Could you please explain a little bit more. I mean, I know I need an application on the third party authentication service for the sign in on the mobile phone. However, after this the library is not using the id and the secret in the convert token API. At the moment I have added the library to my project and I am not using those parameters on my server, and the authentication process still works.

And another question: could you explain why you use this type of process, I mean sending the authentication token to the server and not using the authorisation code? Is it safe to do it that way?

from django-rest-framework-social-oauth2.

PhilipGarnero avatar PhilipGarnero commented on May 29, 2024

I don't know how your server is working but this package is using the app id and secret in order to retrieve information from the third party service. If your service doesn't use it, fine, but this isn't oauth2.

Like I said, I'm not familiar with openID and I don't really have time to read about it now so I wouldn't know how things are supposed to work compared to oauth2, you'd have to check about it yourself.

I'll let you know if I find any issue about this later.

from django-rest-framework-social-oauth2.

Colleoni avatar Colleoni commented on May 29, 2024

Ok, sorry for bothering you, I was trying to get useful insights. I have checked the Facebook OAuth2.0 backend and it is true, you use the secret in the following function:

    import hashlib
    import hmac

    def user_data(self, access_token, *args, **kwargs):
        """Loads user data from service"""
        params = self.setting('PROFILE_EXTRA_PARAMS', {})
        params['access_token'] = access_token

        # appsecret_proof is HMAC-SHA256(app_secret, access_token). Facebook can be
        # configured to require it on Graph API calls, so a user access token on its
        # own is not enough to act as this app: the caller must also hold the secret.
        if self.setting('APPSECRET_PROOF', True):
            _, secret = self.get_key_and_secret()
            params['appsecret_proof'] = hmac.new(
                secret.encode('utf8'),
                msg=access_token.encode('utf8'),
                digestmod=hashlib.sha256
            ).hexdigest()
        return self.get_json(self.USER_DATA_URL, params=params)

My backend is the same as the Google OAuth2.0 one, where you do not need the secret (I use OpenID Connect, which is built on top of OAuth2.0):

    def user_data(self, access_token, *args, **kwargs):
        """Return user data from Google API"""
        # No secret is involved here: the bearer access token alone authorises
        # the userinfo request. (The plus/v1 endpoint belongs to the Google+ API,
        # which Google has since shut down.)
        if self.setting('USE_DEPRECATED_API', False):
            url = 'https://www.googleapis.com/oauth2/v1/userinfo'
        else:
            url = 'https://www.googleapis.com/plus/v1/people/me'
        return self.get_json(url, params={
            'access_token': access_token,
            'alt': 'json'
        })

I am curious about this but I will continue the investigation on my own.
Thank you for your awesome library and for your support.

from django-rest-framework-social-oauth2.
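A worked illustration of the two points raised in this thread: the appsecret_proof that binds a Facebook Graph call to the app's secret (the function quoted above), and the earlier question of whether it is safe for the backend to accept a bare third-party access token from the mobile client instead of an authorisation code. This is an added example, not code from django-rest-framework-social-oauth2 or social-core. The app id, secret, token and token-info responses are constructed values; the `aud`, `app_id`, `is_valid` and `error` field names are assumptions about the shape of Google's tokeninfo and Facebook's debug_token responses.

```python
import hashlib
import hmac

# Constructed values for the example; not real credentials.
APP_ID = "1234567890"
APP_SECRET = "example-app-secret"
ACCESS_TOKEN = "EAAB.example.user.access.token"


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 over the access token, keyed with the app secret.

    Same construction as the Facebook backend quoted in the thread: only a
    party holding the app secret can produce the proof, so a leaked user
    access token by itself cannot call the Graph API as this app once the
    provider is configured to require the proof.
    """
    return hmac.new(
        app_secret.encode("utf8"),
        msg=access_token.encode("utf8"),
        digestmod=hashlib.sha256,
    ).hexdigest()


def verify_appsecret_proof(app_secret: str, access_token: str, proof: str) -> bool:
    """The resource server's side: recompute the proof and compare in constant time."""
    expected = appsecret_proof(app_secret, access_token)
    return hmac.compare_digest(expected, proof)


def _payload(token_info: dict) -> dict:
    # Facebook's debug_token nests its fields under "data"; Google's tokeninfo
    # returns them at the top level. Both are assumptions about response shape.
    return token_info.get("data", token_info)


def token_issued_to_this_app(token_info: dict, expected_app_id: str) -> bool:
    """Audience check for the 'client hands the server an access token' flow.

    A backend that accepts a provider access token from a mobile client must
    confirm the token was issued to its own client id before trusting the
    identity behind it. Otherwise a token issued to some other app (which
    that app's users handed over willingly) can be replayed here to log in
    as them. Assumed field names: "aud" (Google tokeninfo) or "app_id"
    (Facebook debug_token).
    """
    data = _payload(token_info)
    audience = data.get("aud", data.get("app_id"))
    if audience is None:
        return False
    return hmac.compare_digest(str(audience), expected_app_id)


def accept_social_token(token_info: dict, expected_app_id: str) -> bool:
    """Combined gate: the token must be live and issued to this app."""
    data = _payload(token_info)
    # Assumed error signalling: Google returns an "error" key for a bad token,
    # Facebook returns data.is_valid == False.
    if "error" in token_info or data.get("is_valid") is False:
        return False
    return token_issued_to_this_app(token_info, expected_app_id)


if __name__ == "__main__":
    proof = appsecret_proof(APP_SECRET, ACCESS_TOKEN)
    print("appsecret_proof:", proof)
    print("proof verifies:", verify_appsecret_proof(APP_SECRET, ACCESS_TOKEN, proof))
    # Constructed token-info responses shaped like Facebook's debug_token.
    ours = {"data": {"app_id": APP_ID, "is_valid": True}}
    theirs = {"data": {"app_id": "9999999999", "is_valid": True}}
    print("our app's token accepted:", accept_social_token(ours, APP_ID))
    print("other app's token accepted:", accept_social_token(theirs, APP_ID))
```

The audience check is the part that answers the "is it safe" question: sending an access token rather than an authorisation code is workable only if the server asks the provider who the token was issued to and rejects anything not bound to its own client id. The appsecret_proof is a separate control, on the provider side, that stops a stolen token being used without the app secret.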
