Comments (4)
I'm not familiar with openID but with oauth2 you need to register an application to the third party authentication service (e.g. facebook) and use its client secret and id in order for the service to know who is asking for the data.
convertToken is more complex than this and there is more going on inside the django-oauth-toolkit package.
from django-rest-framework-social-oauth2.
Could you please explain a little bit more? I mean, I know I need an application on the third party authentication service for the sign in on the mobile phone. However, after this the library is not using the id and the secret in the convert token API. At the moment I have added the library to my project and I am not using those parameters on my server and the authentication process still works.
And another question: could you explain why you use this type of process, I mean sending the authentication token to the server and not using the authorisation code? Is it safe to do it that way?
from django-rest-framework-social-oauth2.
I don't know how your server is working but this package is using the app id and secret in order to retrieve information from the third party service. If your service doesn't use it, fine, but this isn't oauth2.
Like I said, I'm not familiar with openID and I don't really have time to read about it now so I wouldn't know how things are supposed to work compared to oauth2, you'd have to check about it yourself.
I'll let you know if I find any issue about this later.
from django-rest-framework-social-oauth2.
Ok, sorry for bothering you, I was trying to get useful insights. I have checked the Facebook OAuth2.0 backend and it is true, you use the secret in the following function:
```python
def user_data(self, access_token, *args, **kwargs):
    """Loads user data from service"""
    params = self.setting('PROFILE_EXTRA_PARAMS', {})
    params['access_token'] = access_token
    if self.setting('APPSECRET_PROOF', True):
        _, secret = self.get_key_and_secret()
        params['appsecret_proof'] = hmac.new(
            secret.encode('utf8'),
            msg=access_token.encode('utf8'),
            digestmod=hashlib.sha256
        ).hexdigest()
    return self.get_json(self.USER_DATA_URL, params=params)
```
My backend is the same as the Google OAuth2.0 one, where you do not need the secret (I use OpenID Connect, which is built on top of OAuth2.0):
```python
def user_data(self, access_token, *args, **kwargs):
    """Return user data from Google API"""
    if self.setting('USE_DEPRECATED_API', False):
        url = 'https://www.googleapis.com/oauth2/v1/userinfo'
    else:
        url = 'https://www.googleapis.com/plus/v1/people/me'
    return self.get_json(url, params={
        'access_token': access_token,
        'alt': 'json'
    })
```
I am curious about this but I will continue the investigation on my own.
Thank you for your awesome library and for your support.
from django-rest-framework-social-oauth2.
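Added example, not part of the thread or of the library's code: the two ways a backend can tie a bearer token received from a mobile client to its own application, contrasting the `appsecret_proof` HMAC from the Facebook snippet with an audience check for a backend that holds no secret. The function names, the sample values and the `aud`/`exp` introspection fields (modelled on a tokeninfo-style response) are assumptions.

```python
import hashlib
import hmac
import time


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 of the token keyed by the app secret (same construction
    as the Facebook user_data snippet in the thread)."""
    return hmac.new(app_secret.encode("utf8"),
                    msg=access_token.encode("utf8"),
                    digestmod=hashlib.sha256).hexdigest()


def proof_is_valid(app_secret: str, access_token: str, proof: str) -> bool:
    """Receiving side: recompute the proof and compare in constant time."""
    expected = appsecret_proof(app_secret, access_token)
    return hmac.compare_digest(expected.encode("utf8"), proof.encode("utf8"))


def token_issued_for(tokeninfo: dict, client_id: str, now=None) -> bool:
    """Secret-less check: accept a bearer token only if the provider's
    introspection response says it was issued to our client and is unexpired."""
    now = time.time() if now is None else now
    try:
        expires = int(tokeninfo["exp"])  # assumed to arrive as a numeric string
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed expiry: reject
    return tokeninfo.get("aud") == client_id and expires > now


# Constructed sample values, not real credentials or real provider output.
SECRET = "example-app-secret"
TOKEN = "example-access-token"
OUR_CLIENT_ID = "our-app.example"
NOW = 1_700_000_000
INFO_OURS = {"aud": "our-app.example", "exp": "1700003600"}
INFO_OTHER = {"aud": "another-app.example", "exp": "1700003600"}

if __name__ == "__main__":
    proof = appsecret_proof(SECRET, TOKEN)
    print("proof accepted with our secret:", proof_is_valid(SECRET, TOKEN, proof))
    print("proof accepted with wrong secret:", proof_is_valid("wrong", TOKEN, proof))
    print("token for our client:", token_issued_for(INFO_OURS, OUR_CLIENT_ID, NOW))
    print("token for another client:", token_issued_for(INFO_OTHER, OUR_CLIENT_ID, NOW))
```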