DRF Integration

If you are using django together with Django REST Framework this page explains how DRF can be configured to accept Openid access tokens. This is useful if a django based server is only intended to serve as an API- or Resource-Server hosting resources to which access is protected.

Setup

Since DRF is built on Django the DRF Integration is built on top of the Django Integration, that must have already been set up.

Setup Authentication

The DRF integration ships with the AccessTokenAuthentication authentication class which parses access tokens contained in a request, fetches a user based on that access token from the database or from the Openid Provider and associates them with the request.

Beware however that tokens are not always associated to a specific user (they might be issued directly to another client instead). In this case, the request is authenticated but only associated with an anonymous django user. If you wish to only allow identifiable users, use the AccessTokenNoAnonAuthentication authentication class instead.

Set these classes as described in the corresponding DRF documentation on Setting the authentication scheme.

class ExampleViewset(ModelViewSet):
    authentication_classes = [AccessTokenNoAnonAuthentication]
    ...

Setup Permissions

Most of the time requests need to not only be authenticated but also authorized. This can be done by validating the scopes that a received access token has been granted access to.

To do so, simply setup the HasTokenScope permission for your api view as described in the DRF documentation on Setting the permission policy.

By default the required scopes for a view are taken from settings.OPENID_SCOPE. This can be overriden per view by setting the required_scopes attribute on it.

class ExampleViewset(ModelViewSet):
    permission_classes = [HasTokenScope]
    required_scopes = "openid example-resource"
    ...