Protect your API endpoints with Django oAuth2 toolkit

May 2019

Now that everything is in place to protect our API, we need to tell Django Rest framework that our endpoints are protected. To do so, just modify our in our api folder to add the following line:

permission_classes = [permissions.IsAuthenticated]

or the full code:

class UserListCreateView(generics.ListCreateAPIView):
                add users
                Search or get users
                You can search using:
                    :param email
                    :param username
    permission_classes = [permissions.IsAuthenticated]
    queryset = User.objects.all()
    serializer_class = UserSerializer
    filter_backends = (DjangoFilterBackend,)
    filterset_fields = ('email', 'username')

The permission line indicates that now our API is protected and can't be access without authentification. We also need to modify the file to indicate to Django Rest Framework, that we are using Django oAuth toolkit to protect the endpoints.

     #  'rest_framework.authentication.BasicAuthentication',
    'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',),
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
    'PAGE_SIZE': 20,

The important configuration line is:


So now if you try to access to API such as getting the user list (using Postman or the Live API endpoints), you should received an Http 401 status code (unauthorized access) and an error message telling you that you are not authenticated.
Well done ! At this point the API is protected and can't be access anymore publicly.

So now to be authenticated, we need to provide a token to the API. To get a token, we need to call a specific endpoint and give it our credentials. The endpoint url is the one we added in our file. Here is the http call using cUrl (you can use postman too

curl -X POST \ \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Postman-Token: 059a3664-2e02-48d6-ba47-e19cc41f7b91' \
  -H 'cache-control: no-cache' \
  -d 'grant_type=password&username=yourusername&password=yourpassword&client_id=VbXH6Jwp7FSMqgL9fuXn3Qo6dI57BEYH1FGEMQPF&client_secret=Vur9PaOf39LaWEWxIAitTUrvbQOCDegCUpwCPCmKqcbZDz5FhbTKfYeI0IUBFvY4g3hxf4CctEWzw2KJrOfEsAVTDQ2z4LPImoRoGxyzZMmulswIwNLJHRIK8JIfTD93'

or using Postman

You just need to pass as parameters: your username, password, the client_id, client_secret and grant_type with value password. If everything is ok, you should obtain a token in the Http response body as you can see in the screenshot. I forget to mention but you need to specify some settings regarding the oAuth toolkit in your file:

#oAuth2 expiration
OAUTH_ACCESS_TOKEN_MODEL = 'oauth2_provider.models.AccessToken'
    'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}

One of the parameter is the ACCESS TOKEN expiricy (in seconds). In this configuration, after one day (86400 seconds) the tokens generated will not be valid and you will need to get a new one.

Now using the token we received we can authenticate ourselves and call the API:

To do so, we need to specify in the Http headers of our request, the following:

Authorization: Bearer FnEgoxNQS1wD8h0dXjt2GgnjBAPwg7

We are using the value of the token received : FnEgoxNQS1wD8h0dXjt2GgnjBAPwg7.
Et voilĂ , we can now access again our API to get datas.

Please notice that at this point, you will not be able to use the Live Endpoint API tool, that we installed in the documentation, since there is no way to add specific headers in this tool.