Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
* #812: Reverts #643 pass wrong request object to authenticate function.
* Fix concurrency issue with refresh token requests (#[810](https://github.com/jazzband/django-oauth-toolkit/pull/810))
* #817: Reverts #734 tutorial documentation error.

## [1.3.0] 2020-03-02

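Review bot: the new entry at `* #817: Reverts #734 tutorial documentation error.` tells a reader that something was reverted but not what the tutorial now says, which is the only thing a changelog consumer needs; the docs hunk below removes the `OAUTH2_BACKEND_CLASS`/`JSONOAuthLibCore` advice from the REST framework tutorial, so say that, e.g. `* #817: Reverts #734: drop JSONOAuthLibCore from the REST framework tutorial; token requests are form-encoded.` While here, note the two link styles in this block (`#812` bare, `#[810](...)` linked); pick one.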
6 changes: 0 additions & 6 deletions docs/rest-framework/getting_started.rst
Expand Up @@ -100,8 +100,6 @@ Also add the following to your `settings.py` module:
.. code-block:: python

OAUTH2_PROVIDER = {
# parses OAuth2 data from application/json requests
'OAUTH2_BACKEND_CLASS': 'oauth2_provider.oauth2_backends.JSONOAuthLibCore',
# this is the list of available scopes
'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}
}
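Review bot: with the two `OAUTH2_BACKEND_CLASS` lines gone, nothing in the settings example tells the reader which request encoding the default backend parses, and that is exactly the gap that produced #734; keep the removal but add a comment inside the `OAUTH2_PROVIDER = {` block such as `# the default backend parses application/x-www-form-urlencoded token requests, as RFC 6749 requires`, so the next Angular user does not reach for a JSON backend again. The remaining `# this is the list of available scopes` comment is unaffected.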
Expand All @@ -114,10 +112,6 @@ Also add the following to your `settings.py` module:
)
}

`OAUTH2_PROVIDER` setting parameter sets the backend class that is used to parse OAuth2 requests.
@n2ygk I would leave this portion of the PR in to let other devs know that it is an option to use JSONOAuthLibCore. As I mentioned in my original PR, the Angular HTTP library wasn't set up for using the correct content-type as per the OAuth RFC you linked.

Now that I think about it, maybe we should leave this part in and add on to it:

you can also try to configure your HTTP requests to use the RFC-mandated header for OAuth tokens: Content-Type: application/x-www-form-urlencoded

What are your thoughts?

Contributor Author
Can you cite a reference to using JSON-encoded data for the OAuth2 token POST being even allowed? All references I find seem to require form-encoded. Maybe I'm not reading the RFCs carefully enough?

There are angular libraries that work just fine as an OAuth2 client using POST with form-encoding. See https://github.com/manfredsteyer/angular-oauth2-oidc.

I really don't understand why JSONOAuthLibCore was added 5 years ago in the first place and see no usages of it anywhere in the code other than the test case that was added with it. I think it may have been added erroneously.

A documentation PR to clarify the required use of form-encoding would be appreciated.

> Can you cite a reference to using JSON-encoded data for the OAuth2 token POST being even allowed? All references I find seem to require form-encoded. Maybe I'm not reading the RFCs carefully enough?

I think I didn't read the RFC closely enough (or the documentation on OAuth libraries). I ran into this issue while developing a video course.

> I really don't understand why JSONOAuthLibCore was added 5 years ago in the first place and see no usages of it anywhere in the code other than the test case that was added with it. I think it may have been added erroneously.

I'm sure someone else was implementing an OAuth client for production use and skipped over the Content-Type issue too.

> A documentation PR to clarify the required use of form-encoding would be appreciated.

I think your comments are that clarification; thanks for explaining how it all works and referencing the RFC too.

The `JSONOAuthLibCore` class extends the default OAuthLibCore to parse correctly
`application/json` requests.

`OAUTH2_PROVIDER.SCOPES` setting parameter contains the scopes that the application will be aware of,
so we can use them for permission check.

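The encoding point argued in the review thread above, as an added example that is not code from django-oauth-toolkit or from this PR: a strict token endpoint that follows RFC 6749 (sections 4.1.3, 4.3.2, 4.4.2 and 6 all say the token request is sent as `application/x-www-form-urlencoded`) sees no parameters at all in a JSON body and answers `invalid_request`, which is the symptom that led to the JSONOAuthLibCore suggestion. The helpers `parse_token_request`, `parse_token_request_json_tolerant` and `build_token_request` are hypothetical names written for this illustration; the tolerant variant only sketches the kind of leniency the deleted setting offered and does not reproduce the library's real parsing. The sample request bodies are constructed.

```python
"""Added illustration, not code from django-oauth-toolkit or from this PR."""
import base64
import json
from urllib.parse import parse_qs, quote, urlencode

FORM = "application/x-www-form-urlencoded"
JSON_TYPE = "application/json"


def _media_type(content_type):
    # Drop parameters such as "; charset=utf-8" and normalise case.
    return content_type.split(";", 1)[0].strip().lower()


def parse_token_request(content_type, body):
    """Strict RFC 6749 behaviour: only form-encoded bodies are parsed.

    Returns (params, None) on success or (None, error_code) on failure,
    using the error codes of RFC 6749 section 5.2.
    """
    if _media_type(content_type) != FORM:
        return None, "invalid_request"
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "grant_type" not in params:
        # A JSON body mislabelled as form data lands here: parse_qs finds
        # no key=value pairs, so the mandatory grant_type is missing.
        return None, "invalid_request"
    return params, None


def parse_token_request_json_tolerant(content_type, body):
    """Hypothetical relaxed endpoint that also accepts a JSON object.

    Assumption for this example only: a JSON object is mapped to the same
    parameter dict a form body would give. Everything else is delegated to
    the strict parser.
    """
    if _media_type(content_type) == JSON_TYPE:
        try:
            obj = json.loads(body)
        except ValueError:
            return None, "invalid_request"
        if not isinstance(obj, dict) or "grant_type" not in obj:
            return None, "invalid_request"
        return {k: str(v) for k, v in obj.items()}, None
    return parse_token_request(content_type, body)


def build_token_request(grant_params, client_id, client_secret):
    """Client side: encode a token request the way RFC 6749 expects.

    Grant parameters are form-encoded in the body; the client credentials go
    in an HTTP Basic header (RFC 6749 section 2.3.1 prefers this over putting
    client_secret in the body). Returns (headers, body).
    """
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    headers = {
        "Content-Type": FORM,
        "Authorization": "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii"),
    }
    return headers, urlencode(grant_params)


if __name__ == "__main__":
    # Constructed sample: a refresh-token grant sent as JSON (what the Angular
    # client in the thread did) versus the same grant form-encoded.
    grant = {"grant_type": "refresh_token", "refresh_token": "r-123"}
    json_body = json.dumps(grant)
    print(parse_token_request(JSON_TYPE, json_body))   # (None, 'invalid_request')
    print(parse_token_request(FORM, json_body))        # (None, 'invalid_request'): mislabelled JSON
    headers, body = build_token_request(grant, "app", "s3cret")
    print(body)                                        # grant_type=refresh_token&refresh_token=r-123
    print(parse_token_request(headers["Content-Type"], body))
    print(parse_token_request_json_tolerant(JSON_TYPE, json_body))
```

The second failure case matters in practice: a client that fixes only the `Content-Type` header but still serialises the body as JSON is rejected just the same, because the form parser finds no `grant_type` pair. The fix on the client side is to form-encode the body, as `build_token_request` does, not to loosen the server.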