Settings¶
Our configurations are all namespaced under the OAUTH2_PROVIDER settings with the solely exception of OAUTH2_PROVIDER_APPLICATION_MODEL: this is because of the way Django currently implements swappable models. See issue #90 (https://github.com/evonove/django-oauth-toolkit/issues/90) for details.
For example:
OAUTH2_PROVIDER = {
'SCOPES': {
'read': 'Read scope',
'write': 'Write scope',
},
'CLIENT_ID_GENERATOR_CLASS': 'oauth2_provider.generators.ClientIdGenerator',
}
A big thank you to the guys from Django REST Framework for inspiring this.
List of available settings¶
ACCESS_TOKEN_EXPIRE_SECONDS¶
The number of seconds an access token remains valid. Requesting a protected resource after this duration will fail. Keep this value high enough so clients can cache the token for a reasonable amount of time.
ALLOWED_REDIRECT_URI_SCHEMES¶
Default: ["http", "https"]
A list of schemes that the redirect_uri
field will be validated against.
Setting this to ["https"]
only in production is strongly recommended.
APPLICATION_MODEL¶
The import string of the class (model) representing your applications. Overwrite
this value if you wrote your own implementation (subclass of
oauth2_provider.models.Application
).
AUTHORIZATION_CODE_EXPIRE_SECONDS¶
The number of seconds an authorization code remains valid. Requesting an access token after this duration will fail. RFC6749 Section 4.1.2 recommends a 10 minutes (600 seconds) duration.
CLIENT_ID_GENERATOR_CLASS¶
The import string of the class responsible for generating client identifiers. These are usually random strings.
CLIENT_SECRET_GENERATOR_CLASS¶
The import string of the class responsible for generating client secrets. These are usually random strings.
CLIENT_SECRET_GENERATOR_LENGTH¶
The length of the generated secrets, in characters. If this value is too low, secrets may become subject to bruteforce guessing.
OAUTH2_SERVER_CLASS¶
The import string for the server_class
(or oauthlib.oauth2.Server
subclass)
used in the OAuthLibMixin
that implements OAuth2 grant types.
OAUTH2_VALIDATOR_CLASS¶
The import string of the oauthlib.oauth2.RequestValidator
subclass that
validates every step of the OAuth2 process.
OAUTH2_BACKEND_CLASS¶
The import string for the oauthlib_backend_class
used in the OAuthLibMixin
,
to get a Server
instance.
REFRESH_TOKEN_EXPIRE_SECONDS¶
The number of seconds before a refresh token gets removed from the database by
the cleartokens
management command. Check cleartokens management command for further info.
ROTATE_REFRESH_TOKEN¶
When is set to True (default) a new refresh token is issued to the client when the client refreshes an access token.
REQUEST_APPROVAL_PROMPT¶
Can be 'force'
or 'auto'
.
The strategy used to display the authorization form. Refer to Skip authorization form.
SCOPES_BACKEND_CLASS¶
New in 0.12.0. The import string for the scopes backend class. Defaults to , which reads scopes through the settings defined below.
SCOPES¶
Note
(0.12.0+) Only used if SCOPES_BACKEND_CLASS is set to the SettingsScopes default.
A dictionary mapping each scope name to its human description.
DEFAULT_SCOPES¶
Note
(0.12.0+) Only used if SCOPES_BACKEND_CLASS is set to the SettingsScopes default.
A list of scopes that should be returned by default. This is a subset of the keys of the SCOPES setting. By default this is set to ‘__all__’ meaning that the whole set of SCOPES will be returned.
DEFAULT_SCOPES = ['read', 'write']
READ_SCOPE¶
Note
(0.12.0+) Only used if SCOPES_BACKEND_CLASS is set to the SettingsScopes default.
The name of the read scope.
WRITE_SCOPE¶
Note
(0.12.0+) Only used if SCOPES_BACKEND_CLASS is set to the SettingsScopes default.
The name of the write scope.