OAuth 2.0 client ids in Django/tastypie implementation

2
votes

I'm trying to implement OAuth 2.0 for my API. I'm using a third party library to act as the basic OAuth provider, django-oauth2-provider, and Tastypie as the framework. Those details shouldn't matter too much. The OAuth 2.0 works -- when a user is created, an OAuth 2 client that manages the user's secret_key and their id is created. A customer can then supply the user ID they get back from the user creation endpoint along with their username and password to get an access token which allows them to use API endpoints.·

Where I run into issues is retrieving the client id (which must be passed into requests for the access token). Obviously when a user is first created I can return the client_id with the HTTP response. After that, however, there will obviously be cases where the user doesn't have their client id· stored locally (this is a traditional user/app setup, not something like Google APIs where your client id is always visible). I want to protect GET requests to the customer resource with OAuth, but that means I can't query the API for a given user's client ID. And it seems like the whole point of OAuth is defeated if I can always just pass in a username and password to retrieve my client id from some oauth endpoint. Am I thinking about this wrong?

Also, from reading the OAuth specs I'm under the impression that a client id and client secret are all that should be supplied for getting granted an access token. Yet the implementation I'm using defaults to forcing the user to supply a client id, client secret, username, and password. I've overridden the implementation to require only the client id and secret, but I want to make sure that was the right call and I'm not missing something.

Edit for flup's response:

I'm dealing with a Django API as the resource server, and a user of an iPhone app as the resource owner. The iPhone app is directly associated with the server -- in other words, there are no third parties involved here and no plans to involve them in the future; all software is ours. I would think that the password flow would be what I would need in that case. Indeed, that seems to be what django-oauth2-provider supplies by default. I'd like to stay somewhat in line with what they are doing to not have to completely reinvent the wheel.

1
djangooauthoauth-2.0tastypie
You wrote, "an OAuth 2 client that manages the user's secret_key and their id is created". With OAuth 2 there aren't client secrets anymore. Which version of OAuth do you want to use? In the last paragraph you're also writing "from reading the OAuth specs I'm under the impression that a client id and client secret...", but in OAuth 2, there are no client secrets (I know, I repeat onself). Im a little bit confused, what you want.user2897701
@FabianParzefall the oauth2 authorization grant flow does use a client secret, the implicit flow does notflup

1 Answers

1
votes

The goal of oauth2 is to let the resource owner give a client a valet key which authorizes it to access certain resources on your server on his behalf.

If there are no third parties involved, there is no client to authorize and no need to use oauth2.

Instead, you could use the standard authentication mechanisms present in tastypie.