jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Implicit grant flow #554

Open testphys opened 6 years ago

testphys commented 6 years ago

Since there is no documentation for using the implicit grant flow, I am having a hard time figuring out what the actual request should look like.

curl -X GET -d "username=<username>&password=<password>&client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token" http://0.0.0.0:8000/o/authorize/

From looking into the code the user has to already be authenticated. Isn't it possible to pass the user credentials with the actual request?

class LoginRequiredMixin(AccessMixin):
    """Verify that the current user is authenticated."""
    def dispatch(self, request, *args, **kwargs):
        if not request.user.is_authenticated:
            return self.handle_no_permission()
        return super().dispatch(request, *args, **kwargs)

Furthermore, the body of the GET request seems to get lost.

def extract_body(self, request):
    """
    Extracts the POST body from the Django request object
    :param request: The current django.http.HttpRequest object
    :return: provided POST parameters
    """
    return request.POST.items()

I would appreciate a little help to get my head around it.

manelclos commented 6 years ago

Hi @testphys, from my limited understanding, I'd say that the authorize endpoint, for the implicit flow, is about showing the user a web page for authorizing the client app. In my case, I'm automatically authenticating users using REMOTE_USER, but the web page is still shown to users so they can decide whether or not to authorize the client app.
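The request shape the thread is circling around, as an added example that is neither part of this thread nor code from django-oauth-toolkit: the authorize view is protected by LoginRequiredMixin, so the user must already hold a Django session (credentials are never sent to /o/authorize/); a GET carries its parameters in the query string, since extract_body only reads request.POST; and after the user approves, the implicit grant returns the token in the fragment of the redirect to redirect_uri, which the client has to validate (target, state, token_type) before using it. The client id, redirect URI, token value and the sample redirect below are constructed placeholders; the function names are my own.

```python
# Added example, not project code. Builds a correct implicit-grant authorize
# URL and consumes the redirect the server sends after the user approves.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Default mount point used in the question; adjust to your urls.py.
AUTHORIZE_URL = "http://0.0.0.0:8000/o/authorize/"


def build_authorize_url(client_id, redirect_uri, scope="read", state=None):
    """Return (url, state) for the implicit grant (response_type=token).

    Parameters go in the query string: a body on a GET is simply ignored by
    the authorize view. No username/password here; the browser that opens
    this URL must already be logged in to Django (session cookie).
    """
    state = state or secrets.token_urlsafe(16)  # anti-CSRF value the client remembers
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_implicit_redirect(location, expected_state, expected_redirect_uri):
    """Extract the access token from the redirect's fragment.

    Raises ValueError for anything a client must not accept: a redirect to a
    different URI, an error response, a state mismatch, a missing token or an
    unexpected token type.
    """
    parts = urlsplit(location)
    base = parts._replace(query="", fragment="").geturl()
    if base != expected_redirect_uri:
        raise ValueError("redirect target does not match the registered redirect_uri")
    if not parts.fragment:
        # Errors come back in the query string (RFC 6749 section 4.2.2.1).
        err = parse_qs(parts.query).get("error")
        raise ValueError("authorization failed: %s" % (err[0] if err else "no fragment"))
    frag = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch; response was not for our request")
    for key in ("access_token", "token_type"):
        if key not in frag:
            raise ValueError("fragment is missing %s" % key)
    if frag["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type %r" % frag["token_type"])
    return {
        "access_token": frag["access_token"],
        "expires_in": int(frag["expires_in"]) if "expires_in" in frag else None,
        "scope": frag.get("scope"),
    }


if __name__ == "__main__":
    url, state = build_authorize_url("abc123", "http://client.example/cb")
    print("open in an already-logged-in browser:", url)
    # Constructed sample of the redirect the browser receives after approval.
    sample = ("http://client.example/cb#access_token=tok-xyz&token_type=Bearer"
              "&expires_in=36000&scope=read&state=" + state)
    print(parse_implicit_redirect(sample, state, "http://client.example/cb"))
```

With curl the equivalent request is a GET with the same query string and a session cookie (for example `-b sessionid=...` copied from a logged-in browser); the response is the approval page, not a token, until the user submits the form.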