I've been looking into adding support for django rest framework in django-oidc-provider.
The two things I'd like to implement are authentication and permissions classes for OAuth 2.0 Bearer authentication (RFC6750).
The Authentication class is straightforward. I can simply check the token and respond with 401 if it doesn't exist or is invalid. The API also lets me set the correct `WWW-Authenticate` header as per RFC6750#3.
However, it's not possible to implement a permissions class to check token scopes which is compatible with RFC6750. Section 3 states (emphasis mine):
> If the protected resource request does not include authentication
> credentials or does not contain an access token that enables access
> to the protected resource, the resource server MUST include the HTTP
> "WWW-Authenticate" response header field; ...
This is because the only options for a failing permissions class are to return `False` and get 403, or raise a 404 exception.
I'm not sure how the API should be expanded to accommodate this; an equivalent `authenticate_header` method on the `Permission` class may be enough, or there may be a better approach.
This discussion was converted from issue #7176 on March 08, 2021 12:50.
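The behaviour the post is asking for, shown as a framework-agnostic sketch rather than DRF code (this is an added example, not code from the poster or from django-oidc-provider or Django REST framework): every refusal of a Bearer-protected request carries a `WWW-Authenticate` challenge built per RFC 6750 section 3, including the scope failure that a DRF permission class currently cannot express because it can only produce a bare 403. The realm name, the token strings and their granted scopes are constructed sample data.

```python
"""
RFC 6750 section 3 challenge handling for a Bearer-protected resource.
Framework-agnostic sketch (added example, not project code).  The token
table below is constructed sample data, not real credentials.
"""
from dataclasses import dataclass
from typing import Optional

REALM = "api"  # assumed realm name for the challenge

# Constructed sample token store: opaque token -> (active?, granted scopes)
TOKENS = {
    "tok-read-only": (True, {"read"}),
    "tok-expired": (False, {"read", "write"}),
}


@dataclass
class Outcome:
    status: int
    header: Optional[str]  # WWW-Authenticate value, or None when access is granted


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' value
    (RFC 6750 section 2.1).  Returns None when absent or not a Bearer scheme."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def challenge(error: Optional[str] = None,
              description: Optional[str] = None,
              scope: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value following the parameters in
    RFC 6750 section 3 (realm, error, error_description, scope)."""
    params = [f'realm="{REALM}"']
    if error:
        params.append(f'error="{error}"')
    if description:
        params.append(f'error_description="{description}"')
    if scope:
        params.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(params)


def authorize(authorization: Optional[str], required_scope: str) -> Outcome:
    """Decide one request: status code plus the challenge the response must carry."""
    token = parse_bearer(authorization)
    if token is None:
        # No usable credentials: 401 with a bare challenge.  Section 3.1 says the
        # server SHOULD NOT include an error code in this case.
        return Outcome(401, challenge())
    record = TOKENS.get(token)
    if record is None or not record[0]:
        # Unknown, expired or revoked token: 401 + error="invalid_token"
        return Outcome(401, challenge("invalid_token",
                                      "token is unknown, expired or revoked"))
    _, scopes = record
    if required_scope not in scopes:
        # The case the post cannot express in DRF: a 403 that still carries
        # WWW-Authenticate with error="insufficient_scope" and the needed scope.
        return Outcome(403, challenge("insufficient_scope", scope=required_scope))
    return Outcome(200, None)


if __name__ == "__main__":
    for auth, scope in [(None, "read"), ("Bearer tok-expired", "read"),
                        ("Bearer tok-read-only", "write"), ("Bearer tok-read-only", "read")]:
        print(auth, scope, "->", authorize(auth, scope))
```

Mapped onto DRF: the first two branches are what an authentication class can already do via `authenticate_header`, while the `insufficient_scope` branch is the one a permission class has no hook for, which is the gap the post describes.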