Authentication
Setting up authentication globally
Authentication in Django REST Framework can be configured globally as a subkey of the REST_FRAMEWORK variable in settings.py, just like the rest of the default framework configurations.
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
)
}Setting up authentication for a specific APIView
Authentication can be set for an specific APIView endpoint, by using the authentication_classes variable:
from rest_framework.authentication import SessionAuthentication, BasicAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView
class ExampleView(APIView):
authentication_classes = (SessionAuthentication, BasicAuthentication)
permission_classes = (IsAuthenticated,)
def get(self, request):
content = {
'user': unicode(request.user), # `django.contrib.auth.User` instance.
'auth': unicode(request.auth), # None
}
return Response(content)Using basic token-based authentication
Django REST Framework provides a basic token-based authentication mechanism which needs to be configured as an application in Django before being usable, so that tokens are created in the database, and their lifecycle handled.
Add Token-based authentication to settings.py
INSTALLED_APPS = (
...
'rest_framework.authtoken'
)Run the database migration
./manage.py migrateCreate tokens for your users
Somehow, you will have to create a token and return it:
def some_api(request):
token = Token.objects.create(user=request.user)
return Response({'token': token.key})There is already an API endpoint in the token application, so that you can simply add the following to your urls.py:
urls.py
from rest_framework.authtoken import views
urlpatterns += [
url(r'^auth-token/', views.obtain_auth_token)
]Clients can now authenticate
Using a Authorization header like:
Authorization: Token 123456789Prefixed by a literal “Token” and the token itself after whitespace.
The literal can be changed by subclassing TokenAuthentication and changing the keyword class variable.
If authenticated, request.auth will contain the rest_framework.authtoken.models.BasicToken instance.
Setting up OAuth2 authentication
OAuth is not handled by Django REST Framework, but there are a couple of pip modules that implement an OAuth client. The REST Framework documentation suggests one of the following modules:
Django OAuth Toolkit
pip install django-oauth-toolkitsettings.py
INSTALLED_APPS = (
...
'oauth2_provider',
)
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
)
}urls.py
urlpatterns = patterns(
...
url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
)Django REST Framework OAuth
pip install djangorestframework-oauth django-oauth2-providersettings.py
INSTALLED_APPS = (
...
'provider',
'provider.oauth2',
)
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.OAuth2Authentication',
)
}urls.py
urlpatterns = patterns(
...
url(r'^oauth2/', include('provider.oauth2.urls', namespace='oauth2')),
)Admin
Go to the admin panel and create a new Provider.Client to have a client_id and a client_secret.
Using better Token-based authorization with several client-tokens
The most interesting package for managing real tokens is django-rest-knox which supports multiple tokens per user (and cancelling each token independently), as well as having support for token expiration and several other security mechanisms.
django-rest-knox depends on cryptography. You can find more information on how to install it at: https://james1345.github.io/django-rest-knox/installation/
Installing knox
pip install django-rest-knoxsettings.py
INSTALLED_APPS = (
...
'rest_framework',
'knox',
...
)Apply migrations:
./manage.py migrate