Last year I wrote a guide for django-allauth, and now it’s time for DRF. I will be using drf-social-oauth2 for social authentication.
As far as I understand, this is a collaborative project, and it is currently maintained by Wagner De Lima.
You can find very useful materials here and there, but the purpose behind this tutorial is to help you set up social authentication for your DRF-based API by following clear and easy steps, so that nobody suffers from a lack of base knowledge or a lack of time – been there, done that.
Table of contents:
1. Registering an app in Facebook and Google developer’s panels
2. Getting User Access Token from Facebook/Google
2.1 Facebook
2.2 Google
3. Installing drf-social-oauth2
3.1 settings.py
3.2 Facebook
3.3 Google
4. Creating a local app
5. Converting Token from Facebook/Google into a DRF Access token
6. Accessing things with this new Token
7. Refreshing Access Token
8. Changing Access Token Expiration
1. Registering an app in Facebook and Google developer’s panels
I wrote about it previously, so please go check out my pieces for Facebook and Google. Some things change all the time, but the main points still stand.
2. Getting User Access Token from Facebook/Google
If you are making an API, it is not exactly your job to get access tokens, but for the sake of testing, there are a few ways to get them.
2.1 Facebook

Go to Graph API Explorer and on the right you will see your Access token. Copy it.
It has an expiration date; I believe it lasts 24 hours. Once the token expires, just go back, press Generate Access Token and use the new one instead. It is an Access token for your account, so don’t go posting it on the Internet.
2.2 Google

As usual, Google is a bit trickier, but it’s manageable. Go to OAuth 2.0 Playground. In Step 1 find and choose Google OAuth2 API v2 and choose the scope. Then press Authorize APIs.
Then in Step 2 press Exchange authorization code for tokens. Copy the generated Access token.
3. Installing drf-social-oauth2
The hardest part is behind you; you can relax. Go to the drf-social-oauth2 page and follow the installation process, or follow these steps (I copied them for you). They set up both Facebook and Google at the same time, to not waste time.
pip install drf_social_oauth2
3.1 settings.py
INSTALLED_APPS = (
    ...
    # OAuth
    'oauth2_provider',
    'social_django',
    'drf_social_oauth2',
)

TEMPLATES = [
    {
        ...
        'OPTIONS': {
            'context_processors': [
                ...
                # OAuth
                'social_django.context_processors.backends',
                'social_django.context_processors.login_redirect',
            ],
        },
    }
]

REST_FRAMEWORK = {
    ...
    'DEFAULT_AUTHENTICATION_CLASSES': (
        ...
        # OAuth
        # 'oauth2_provider.ext.rest_framework.OAuth2Authentication',  # django-oauth-toolkit < 1.0.0
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',  # django-oauth-toolkit >= 1.0.0
        'drf_social_oauth2.authentication.SocialAuthentication',
    )
}
3.2 Facebook
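As an added example (not part of the original post and not copied from the library’s own docs), here is the Facebook counterpart of the Google block in 3.3. The backend paths under social_core.backends.facebook and the SOCIAL_AUTH_FACEBOOK_* setting names come from social_core, the python-social-auth library that drf-social-oauth2 builds on; the environment-variable names and the placeholder values are my assumptions.

```python
# settings.py, Facebook part. Added example, not copied from the post.
import os

AUTHENTICATION_BACKENDS = (
    # ... other auth providers (e.g. the Google backend from section 3.3) ...

    # Facebook OAuth2 backends from social_core
    'social_core.backends.facebook.FacebookAppOAuth2',
    'social_core.backends.facebook.FacebookOAuth2',

    # drf-social-oauth2
    'drf_social_oauth2.backends.DjangoOAuth2',

    # Django
    'django.contrib.auth.backends.ModelBackend',
)

# Facebook configuration. Read from the environment (assumed variable names)
# so the real app id and secret never land in version control; the defaults
# are placeholders only.
SOCIAL_AUTH_FACEBOOK_KEY = os.environ.get('SOCIAL_AUTH_FACEBOOK_KEY', '<your app id goes here>')
SOCIAL_AUTH_FACEBOOK_SECRET = os.environ.get('SOCIAL_AUTH_FACEBOOK_SECRET', '<your app secret goes here>')

# Facebook does not send the email by default; request the email permission
# and ask for the fields you want in the profile response.
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email']
SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = {
    'fields': 'id, name, email',
}
```

Reading the key and secret from the environment is a design choice, not something the library requires; hard-coded strings work the same way as in the Google block.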
3.3 Google
AUTHENTICATION_BACKENDS = (
    # Other auth providers (e.g. Facebook, OpenId, etc.)
    ...
    # Google OAuth2
    'social_core.backends.google.GoogleOAuth2',
    # drf-social-oauth2
    'drf_social_oauth2.backends.DjangoOAuth2',
    # Django
    'django.contrib.auth.backends.ModelBackend',
)

# Google configuration (strings; keep the real values out of version control)
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '<your app id goes here>'
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = '<your app secret goes here>'

# Define SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE to get extra permissions from Google.
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
    'https://www.googleapis.com/auth/userinfo.email',
    'https://www.googleapis.com/auth/userinfo.profile',
]
Then run migrate and createsuperuser.
4. Creating a local app

These steps differ a bit from the installation instructions in the library’s tutorial.
Go to /admin/oauth2_provider/application/ and create a new Application.
Choose your superuser as the user, set Client Type to Public and Authorization grant type to Client credentials. In Name write the name of your app.
Client ID and Client Secret will be generated after you press Save.
However, in the development stage, in Client id you can write client_id and in Client Secret – client_secret (or anything, you get the idea). From here on I will use client_id and client_secret.
5. Converting Token from Facebook/Google into a DRF Access token
To convert a user access token from Facebook/Google you need to make a POST request.
First option, go to http://127.0.0.1:8000/auth/convert-token and insert this body in the Content field.
{
    "client_id": "client_id",
    "grant_type": "convert_token",
    "client_secret": "client_secret",
    "backend": "facebook",
    "token": "Access_token"
}
Use "google-oauth2" as the backend for Google, and for "token" paste the Access token you got in section 2.
Second option, with curl (sudo apt install curl). For Facebook or for Google:
curl -X POST -d "grant_type=convert_token&client_id=client_id&client_secret=client_secret&backend=facebook&token=Access_token" http://localhost:8000/auth/convert-token
or
curl -X POST -d "grant_type=convert_token&client_id=client_id&client_secret=client_secret&backend=google-oauth2&token=Access_token" http://localhost:8000/auth/convert-token
The response will contain:
{
    "access_token": "WHAT_YOU_NEED",
    "expires_in": 36000,
    "token_type": "Bearer",
    "scope": "read write",
    "refresh_token": "refresh_token"
}
Here expires_in is the time in seconds until the token expires, token_type you will need later, and refresh_token is needed to (!) refresh the access_token once it expires.
6. Accessing things with this new Token
You have probably used a generated token to send requests to the API before. You created it at http://127.0.0.1:8000/admin/authtoken/token/ and used it in headers like this:
Authorization: Token token
Now you can use the user access_token like this:
Authorization: Bearer access_token
7. Refreshing Access Token
As for refreshing, you will need to send a request to http://127.0.0.1:8000/auth/token.
First option, go to http://127.0.0.1:8000/auth/token and insert this body in the Content field.
{
    "grant_type": "refresh_token",
    "client_id": "client_id",
    "client_secret": "client_secret",
    "refresh_token": "refresh_token"
}
Second option, with curl (sudo apt install curl). The same command works for Facebook and for Google:
curl -X POST -d "grant_type=refresh_token&client_id=client_id&client_secret=client_secret&refresh_token=refresh_token" http://localhost:8000/auth/token
The response will be the same (I copied it oops):
{
    "access_token": "WHAT_YOU_NEED",
    "expires_in": 36000,
    "token_type": "Bearer",
    "scope": "read write",
    "refresh_token": "refresh_token"
}
Again, expires_in is the time in seconds until the token expires, token_type you will need for the header, and refresh_token is the refresh token to (!) refresh the access_token once it expires.
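To tie sections 5, 6 and 7 together, here is an added example (my code, not the post’s and not the library’s): a small client that performs the convert-token exchange, sends the Bearer header from section 6, and refreshes through /auth/token before the access token expires. It assumes the dev server at http://127.0.0.1:8000 and the endpoints exactly as shown above; the fake transport and the at-converted/rt-converted values inside demo() are constructed so the flow runs offline.

```python
# Added example (not from the original post): a client for the drf-social-oauth2
# endpoints in sections 5-7. It converts a Facebook/Google user token into a DRF
# access token, builds the Bearer header, and refreshes before expiry. Assumed
# (not on the page): BASE_URL, and an injectable `transport` for offline use.
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "http://127.0.0.1:8000"  # assumed dev server, as in the tutorial

def http_post_form(url, fields):
    # Real transport: form-encoded POST, the same shape as the curl commands.
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())

class DrfSocialTokenClient:
    REFRESH_MARGIN = 60  # refresh this many seconds before expires_in runs out

    def __init__(self, client_id, client_secret, base_url=BASE_URL,
                 transport=http_post_form, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.base_url, self.transport, self.clock = base_url, transport, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, payload):
        # Check the shape before trusting it: a missing field means the
        # endpoint handed back an error object, not a token.
        for key in ("access_token", "refresh_token", "expires_in", "token_type"):
            if key not in payload:
                raise ValueError(f"token response missing {key!r}: {payload}")
        if payload["token_type"].lower() != "bearer":
            raise ValueError(f"unexpected token_type {payload['token_type']!r}")
        self.access_token = payload["access_token"]
        self.refresh_token = payload["refresh_token"]
        self.expires_at = self.clock() + int(payload["expires_in"])
        return self.access_token

    def convert(self, backend, provider_token):
        # Section 5: backend is 'facebook' or 'google-oauth2'.
        if backend not in ("facebook", "google-oauth2"):
            raise ValueError("backend must be 'facebook' or 'google-oauth2'")
        return self._store(self.transport(self.base_url + "/auth/convert-token", {
            "grant_type": "convert_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "backend": backend,
            "token": provider_token,
        }))

    def refresh(self):
        # Section 7: trade the refresh_token for a new access_token.
        if not self.refresh_token:
            raise RuntimeError("no refresh_token; call convert() first")
        return self._store(self.transport(self.base_url + "/auth/token", {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        }))

    def needs_refresh(self):
        return self.clock() >= self.expires_at - self.REFRESH_MARGIN

    def auth_header(self):
        # Section 6: header for API requests, refreshing first if about to expire.
        if self.access_token is None:
            raise RuntimeError("not authenticated; call convert() first")
        if self.needs_refresh():
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}

def demo():
    # Constructed offline run: a fake transport records each request and
    # answers with the response shape from section 5; the clock is manual.
    log, now = [], [1_000_000.0]

    def fake_transport(url, fields):
        log.append((url, dict(fields)))
        tag = "converted" if fields["grant_type"] == "convert_token" else "refreshed"
        return {"access_token": f"at-{tag}", "expires_in": 36000,
                "token_type": "Bearer", "scope": "read write",
                "refresh_token": f"rt-{tag}"}

    client = DrfSocialTokenClient("client_id", "client_secret",
                                  transport=fake_transport, clock=lambda: now[0])
    client.convert("facebook", "Access_token")
    first = client.auth_header()["Authorization"]   # still valid, no refresh
    now[0] += 36000 - 30                            # inside the refresh margin
    second = client.auth_header()["Authorization"]  # triggers /auth/token
    return first, second, log

if __name__ == "__main__":
    print(demo())
```

demo() runs the whole flow against the fake transport; drop the transport argument to talk to a real server with the urllib transport. With that transport a 4xx reply (for example an expired provider token in the convert step) raises urllib.error.HTTPError before _store() runs, so the shape check in _store() is there for transports that return the error body as JSON instead of raising.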
8. Changing Access Token Expiration
So 36000 seconds = 600 minutes = 10 hours. It is definitely a choice, so if you need to change that, add to settings.py:
OAUTH2_PROVIDER = {
    'ACCESS_TOKEN_EXPIRE_SECONDS': 604800,  # 7 days
}
What is what:
- 3600 (1 hour)
- 3600 x 24 = 86400 (1 day)
- 86400 x 7 = 604800 (7 days)
It’s up to you.