2

我将限制我的工作rest_framework.views.APIView继承类,只对经过身份验证的用户可见。
我做了这些修改:

  1. 添加authentication_classespermission_classes我的班级:
class TestView(APIView):
    authentication_classes = (OAuth2Authentication,)
    permission_classes = (IsAuthenticated,)

    return Response("Hey there...")
  1. 从 django-oauth-toolkit 获得 access_token:
curl -XPOST "http://172.18.0.1:8000/oauth2/token/" \
-d 'grant_type=client_credentials&client_id=MY-CLIENT-ID&client_secret=MY-CLIENT-SECRET'
{"access_token": "Haje1ZTrc7VH4rRkTbJCIkX5u83Tm6", "expires_in": 36000, "token_type": "Bearer", "scope": "read write groups"}
  1. 尝试请求视图而不设置access_token
curl -XGET "http://172.18.0.1:8000/api/v1/test/"
{"detail":"Authentication credentials were not provided."}
  1. 尝试了一个新的请求access_token
curl -XGET "http://172.18.0.1:8000/api/v1/test/" \
-H "Authorization: Bearer Haje1ZTrc7VH4rRkTbJCIkX5u83Tm6"
{"detail":"You do not have permission to perform this action."}

我应该做更多的事情来启用 access_token 身份验证吗?

注意:我已经在环境中安装了这些库:

Django==2.2.17
djangorestframework==3.12.2
django-oauth-toolkit==1.3.3

注2:忘记说了rest_frameworkoauth2_provider已经添加到INSTALLED_APPS。

重要编辑:
仅当使用“客户端凭据授予”进行身份验证时才存在此问题。在下面检查我自己的答案。

4

2 回答 2

1

最后,我发现它OAuth2Authentication不会通过其 client_credential 对用户进行身份验证(接受带有 grant_type=password 的用户名/密码对)。所以我写了这个自定义身份验证器。希望它可以帮助其他有同样问题的人。

from oauth2_provider.contrib.rest_framework import OAuth2Authentication
from oauth2_provider.models import Application


class OAuth2ClientCredentialAuthentication(OAuth2Authentication):
    """
    OAuth2Authentication doesn't allows credentials to belong to an application (client).
    This override authenticates server-to-server requests, using client_credential authentication.
    """
    def authenticate(self, request):
        authentication = super().authenticate(request)

        if not authentication is None:
            user, access_token = authentication
            if self._grant_type_is_client_credentials(access_token):
                authentication = access_token.application.user, access_token

        return authentication

    def _grant_type_is_client_credentials(self, access_token):
        return access_token.application.authorization_grant_type == Application.GRANT_CLIENT_CREDENTIALS
于 2021-01-14T12:10:44.507 回答
0

在 Django rest 框架中尝试 djoser 进行身份验证

于 2021-01-09T20:01:29.550 回答