Skip to content

Latest commit

 

History

History
192 lines (149 loc) · 7.37 KB

README.md

File metadata and controls

192 lines (149 loc) · 7.37 KB

Resource Server Implementation in Python

Overview

This is a resource server implementation in Python. It supports a userinfo endpoint defined in OpenID Connect Core 1.0 and includes an example of a protected resource endpoint that accepts an access token in the way defined in 2.1. Authorization Request Header Field of RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage).

This implementation is written using Django and authlete-python-django library which is an Anthlete's open-source library for Django.

To validate an access token presented by a client application, this resource server makes an inquiry to the Authlete server. This means that this resource server expects that the authorization server which has issued the access token uses Authlete as a backend service. django-oauth-server is such an authorization server implementation and it supports OAuth 2.0 and OpenID Connect.

License

Apache License, Version 2.0

Source Code

https://github.com/authlete/django-resource-server

About Authlete

Authlete is a cloud service that provides an implementation of OAuth 2.0 & OpenID Connect (overview). You can easily get the functionalities of OAuth 2.0 and OpenID Connect either by using the default implementation provided by Authlete or by implementing your own authorization server using Authlete Web APIs.

To use this resource server implementation, you need to get API credentials from Authlete and set them in authlete.ini. The steps to get API credentials are very easy. All you have to do is just to register your account (sign up). See Getting Started for details.

How To Run

  1. Install authlete-python and authlete-python-django libraries.

     $ pip install authlete
     $ pip install authlete-django
    
  2. Download the source code of this resource server implementation.

     $ git clone https://github.com/authlete/django-resource-server.git
     $ cd django-resource-server
    
  3. Edit the configuration file to set the API credentials of yours.

     $ vi authlete.ini
    
  4. Create a user account for testing.

     $ python manage.py migrate
     $ python manage.py shell
     >>> from django.contrib.auth.models import User
     >>> user = User()
     >>> user.username = 'john'
     >>> user.first_name = 'John'
     >>> user.last_name = 'Smith'
     >>> user.email = 'john@example.com'
     >>> user.set_password('john')
     >>> user.is_active = True
     >>> user.save()
     >>> quit()
    
  5. Start the resource server on http://localhost:8001.

     $ python manage.py runserver 8001
    

Endpoints

This implementation exposes endpoints as listed in the table below.

Endpoint Path
UserInfo Endpoint /api/userinfo
Time Endpoint /api/time

UserInfo Endpoint

The userinfo endpoint is an implementation of the requirements described in 5.3. UserInfo Endpoint of OpenID Connect Core 1.0.

The endpoint returns user information in JSON or JWT format, depending on the configuration of the client application. If both userinfo_signed_response_alg and userinfo_encrypted_response_alg of the metadata of the client application are not specified, user information is returned as a plain JSON. Otherwise, it is returned as a serialized JWT. Authlete provides you with a Web console (Developer Console) to manage metadata of client applications. As for metadata of client applications, see 2. Client Metadata of OpenID Connect Dynamic Client Registration 1.0.

User information returned from the endpoint contains claims of the user. In short, claims are pieces of information about the user such as a given name and an email address. Because Authlete does not manage user data (although it supports OpenID Connect), you have to provide claim values. It is achieved by implementing UserInfoRequestHandlerSpi interface.

In this resource server implementation, UserInfoRequestHandlerSpiImpl is an example implementation of UserInfoRequestHandlerSpi interface and it retrieves claim values from django.contrib.auth.

Time Endpoint

The time endpoint implemented in this resource server is just an example of a protected resource endpoint. Its main purpose is to show how to validate an access token at a protected resource endpoint.

The path of the time endpoint is /api/time. The endpoint accepts an access token in the way defined in 2.1. Authorization Request Header Field of RFC 6750.

$ ACCESS_TOKEN=YOUR_ACCESS_TOKEN
$ curl -v http://localhost:8001/api/time \
       -H "Authorization: Bearer ${ACCESS_TOKEN}"

The time endpoint returns information about the current time (UTC) in JSON format. The following is an example response.

{
  "year":   2019,
  "month":  8,
  "day":    9,
  "hour":   14,
  "minute": 45,
  "second": 2
}

As for generic and Authlete-specific information regarding how to protect Web APIs by OAuth 2.0 access tokens, see Protected Resource.

See Also

Contact

Contact Form : https://www.authlete.com/contact/

Purpose Email Address
General info@authlete.com
Sales sales@authlete.com
PR pr@authlete.com
Technical support@authlete.com