For sure, I understood the rough estimates of the work to be done.
But the project I'm working on uses FastAPI (which has its own implementation of OAuth2 and has no oauthlib integration), and we need to have an OIDC provider to allow users to log in to several "satellite" sites with just one central authentication portal.
So for me it looks like we have to implement the OIDC provider ourselves (despite the existence of OAuth2 in FastAPI), and oauthlib looks like an appropriate foundation to base it on.
As I see in django-oauth-toolkit, there is a client secret in the Application model (which is definitely a Relying Party) - and that answers question 2.
Also it looks like registration from question 1 is considered there too.
And now it looks like I've got the purpose of the user field (from question 3) - it's just to forbid registration of "anonymous" applications, which makes total sense :)
So now, when these questions have been answered, can you please tell me one more general thing - is oauthlib suitable for building an OpenID Connect Provider for a FastAPI application? Oauthlib is positioned as framework-agnostic, but the existence of the OAuth2 implementation in FastAPI confuses me.
```python
from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session

# client_id, client_secret and token_endpoint are assumed to be defined above
# (client credentials grant: the client itself is the resource owner).
client = BackendApplicationClient(
    client_id=client_id, scope="a:action b:action"
)
# OAUTHLIB_INSECURE_TRANSPORT: oauthlib refuses a non-HTTPS token_url unless this
# environment variable is set; only set it for local testing, never in production.
oauth = OAuth2Session(client=client)
token = oauth.fetch_token(
    token_url=token_endpoint,
    client_id=client_id,
    client_secret=client_secret,
)
```
:point_up: Edit: what is the role of your Django app?
I want to make a back-end API which takes tokens from OAuth2, but instead of a direct connection to the server I have to fetch the access token from a C# back-end API.
The access token format is defined by your AS. Is it JWT with clear documentation?
It is in bearer token format, not in JWT form. For example:

```json
{
"access_token": "F2ZKDSni998To0k3hfdWgadadHwQTFtMX9u5RPaldEPLqrxUTaK6EL6xjJf1OcNNLhHrBuac_dadadfCohqtMSovSitmXPESee5STDsU-IY5S4JhiTky4gt1ndV4UTvhIIvE5x8Mr0d7wtHmjHbZvpEIe6W1ohxp7rYm5x58dadas6pPAFVqDjd3wcNdCEP4O79mD-XhXRLEHLrcSeT5QMv0mABQOeql8ZEzmnfDUwEB5Z1hjXn7-INjZu9IOtAn095b1bb5PDvuxHJ0JdVF_1qadg_onHSX80qxhiDMLB_vEHHsxtGewI4NBaDB-F-gHc2acHadjrZiiPFqAEn2LijhZLC9_Llq300ctrh1z1D9xEevZJji9JMQ_yNqC-jCfo1xr3lOx6Nj0KtTlA3Kqsfz8m0c7-lxKbtiHgSZS3xV6OkqUaet95LDC1XA7LmwxRy8jNjKG6eEyx7R17CdFqoCm9WoVLpgQ5lPj0SZ-MSzONzcJSmjTgaXmQntGdJP_E5B6Ls-9RKBlXubo0s7xapNisHd0EFQRJyQUXgUjaB-pUSOgQlUhw57LanneCCVXN-WK3Dvu6zUc64XP0cReWOWjf5bggXWxW1_byoWyM7F_vfXtZmeS757Yp9v9fXW583jXJ8fszrcEm7n85WEnNgJoBeMK7LZj3qSxOIfCo9nnCSSZxdv--zJjZEo13UBFhCVwS4qEpBOjwbcKIZl1XPfcWvmbWJMAZ63UcfASB18eiNZVhP",
"token_type": "bearer",
"expires_in": 86399
}
```
Do you have to make an introspect call?
We don't have an introspect call; we decrypt the token using the machine key:
```xml
<machineKey validationKey='88F606D92<>63B5026AFFB1D3F84DA900A0EB6adsasdadq3fafdBE8fvszvda--FJF00F81D6016B78AEDEAA9B6CD0558D94960B328371FEAFDEBF00' decryptionKey='<><adasd797F5F0231BEE024E40CEB7E470B2095' validation='SHA1' decryption="AES" />
```
I get my access token from this URL with these parameters:
```http
https://<myURL....>/api/authentication
User-Agent: Fiddler
content-type: application/x-www-form-urlencoded
Origin: http://localhost:45112/
Content-Length: 93
Host: Userauth-userauthorisation-test.azurwebsites.net

grant_type=password&username=admin@<email>.co.uk&password=password&scope=scriptingAPI
```
and then we receive the token in this format:
```json
{
"access_token": "F2ZKDSni998To0k3hfdWgvGvEHwQTFtMX9u5RPaldEPLqrxUTaK6EL6xjJf1OcNNLhHrBuac_hwREfCohqtMSovSitmXPESee5STDsU-IY5S4JhiTky4gt1ndV4UTvhIIvE5x8Mr0d7wtHmjHbZvpEIe6W1ohxp7rYm5x581UQ6pPAFVqDjd3wcNdCEP4O79mD-XhXRLEHLrcadadasdfadav0mABQOeql8ZEzmnfDUwEB5Z1hjXn7-INjZu9IOtAnadadqdb5PDvuxHJ0JdVF_1qadg_onHSX80qxhiDMLB_vEHHsxtGewI4NBaDB-F-gHc2acHadjrZiiPFqAEn2LijhZLC9_Llq300ctrh1z1D9xEevZJji9JMQ_yNqC-jCfo1xr3lOx6Nj0KtTlA3Kqsfz8m0c7-adadgqSZS3xV6OkqUaet95LDC1XA7LmwxRy8jNjKG6eEyx7R17CdFqoCm9WoVLpgQ5lPj0SZ-MSzONzcJSmjTgaXmQntGdJP_E5B6Ls-9RKBlXubo0s7xapNisHd0EFQRJyQUXgUjaB-pUSOgQlUhw57LanneCCVXN-WK3Dvu6zUc64XP0cReWOWjf5bggXWxW1_byoWyM7F_vfXtZmeS757Yp9v9fXW583jXJ8fszrcEm7n85WEnNgJoBeMK7LZj3qSxOIfCo9nnCSSZxdv--zJjZEo13UBFhCVwS4qEpBOjwbcKIZl1XPfcWvmbWJMAZ63UcfASB18eiNZVhP",
"token_type": "bearer",
"expires_in": 86399,
"forcePassword": "false",
"SupplierId": "",
".issued": "Mon, 04 Oct 2021 16:30:05 GMT",
".expires": "Tue, 05 Oct 2021 16:30:05 GMT"
}
```
The access token is encrypted and contains permissions (Read, Write, Limited Access).
We just want to decode this bearer token so that we get the permissions from the token and our API calls are authorised.
There is one infelicity I've run into. oauth2_provider.http.OAuth2ResponseRedirect checks the URL it's redirecting to, and raises DisallowedRedirect if it's not a recognised protocol. But this breaks some Android clients, which use made-up protocols to send the user back to the same app. So I monkey-patch it:
https://gitlab.com/marnanel/yarrow3/-/blob/mastodon/yarrow3/trilby_api/views/oauth.py#L28