Separate Resource Server
Django OAuth Toolkit lets you run the Authorization Server and the Resource Server as separate deployments. The Authorization Server exposes a token introspection endpoint that complies with RFC 7662, and the Resource Server can verify the access tokens it receives by calling that endpoint.
Set up the Authorization Server
Set up the Authorization Server as described in the Tutorials.
Create an OAuth2 access token for the Resource Server (this is the token the Resource Server will present when it calls the introspection endpoint) and add the introspection scope to the settings:
'SCOPES': {
'read': 'Read scope',
'write': 'Write scope',
'introspection': 'Introspect token scope',
...
},
The Authorization Server will then answer introspection requests. The endpoint is included in oauth2_provider.urls as /introspect/.
Example Request:
POST /o/introspect/ HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 3yUqsWtwKYKHnfivFcJu
token=uH3Po4KXWP4dsY4zgyxH
Example Response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"client_id": "oUdofn7rfhRtKWbmhyVk",
"username": "jdoe",
"scope": "read write dolphin",
"exp": 1419356238
}
Set up the Resource Server
Set up the Resource Server like the Authorization Server, as described in the Tutorials.
Add RESOURCE_SERVER_INTROSPECTION_URL and either RESOURCE_SERVER_AUTH_TOKEN or RESOURCE_SERVER_INTROSPECTION_CREDENTIALS (an (id, secret) tuple) to your settings. The Resource Server will then verify the access tokens presented to it by calling the Authorization Server's introspection endpoint.
OAUTH2_PROVIDER = {
...
'RESOURCE_SERVER_INTROSPECTION_URL': 'https://example.org/o/introspect/',
'RESOURCE_SERVER_AUTH_TOKEN': '3yUqsWtwKYKHnfivFcJu', # OR this but not both:
# 'RESOURCE_SERVER_INTROSPECTION_CREDENTIALS': ('rs_client_id','rs_client_secret'),
...
}
RESOURCE_SERVER_INTROSPECTION_URL defines the introspection endpoint, and RESOURCE_SERVER_AUTH_TOKEN is the access token used to authenticate against the Authorization Server (the token created above, which carries the introspection scope).
As allowed by RFC 7662, some external OAuth 2.0 servers support HTTP Basic Authentication for the introspection call. For these, use RESOURCE_SERVER_INTROSPECTION_CREDENTIALS = ('client_id', 'client_secret') instead of RESOURCE_SERVER_AUTH_TOKEN.
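The following is an added example, not Django OAuth Toolkit's own code, showing the introspection exchange that the two setups above produce: the Resource Server builds a POST to /introspect/ authenticated with either the bearer token (RESOURCE_SERVER_AUTH_TOKEN) or HTTP Basic credentials (RESOURCE_SERVER_INTROSPECTION_CREDENTIALS), and the Authorization Server answers with an RFC 7662 response. Both sides run in-process so it works offline; the token store, the fixed clock, the expired and unknown tokens, and the rs_client_id/rs_client_secret pair are constructed fixtures, and the function names are the example's own, not the library's API.

```python
"""Added example (not Django OAuth Toolkit's own code): an RFC 7662 token
introspection exchange with both sides in-process, so it runs offline."""
import base64
from urllib.parse import parse_qs, urlencode

# ---- Authorization Server side (constructed stand-in for /o/introspect/) ----
# Token issued to the Resource Server; assumed to carry the 'introspection' scope.
RS_INTROSPECTION_TOKEN = "3yUqsWtwKYKHnfivFcJu"
# Hypothetical client credentials for the HTTP Basic variant.
RS_CLIENT_CREDENTIALS = ("rs_client_id", "rs_client_secret")
NOW = 1419356000  # fixed clock so the example is deterministic
# Constructed token store: access token -> claims reported by introspection
TOKEN_STORE = {
    "uH3Po4KXWP4dsY4zgyxH": {"client_id": "oUdofn7rfhRtKWbmhyVk", "username": "jdoe",
                             "scope": "read write dolphin", "exp": 1419356238},
    "expiredTokenExample0": {"client_id": "oUdofn7rfhRtKWbmhyVk", "username": "jdoe",
                             "scope": "read", "exp": NOW - 60},
}


def authorization_server_introspect(headers, body, now=NOW):
    """Handle one POST to the introspection endpoint; returns (status, json_body)."""
    auth = headers.get("Authorization", "")
    caller_ok = False
    if auth.startswith("Bearer "):
        caller_ok = auth[len("Bearer "):] == RS_INTROSPECTION_TOKEN
    elif auth.startswith("Basic "):
        cid, _, secret = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
        caller_ok = (cid, secret) == RS_CLIENT_CREDENTIALS
    if not caller_ok:
        # RFC 7662 2.1: the caller MUST be authenticated, otherwise the endpoint
        # becomes an oracle anyone can use to probe tokens.
        return 401, {"error": "invalid_client"}
    token = parse_qs(body).get("token", [None])[0]
    claims = TOKEN_STORE.get(token)
    # RFC 7662 2.2: unknown, revoked and expired tokens all yield just {"active": false}
    if claims is None or claims["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **claims}


# ---- Resource Server side ----
def build_introspection_request(token, auth_token=None, credentials=None):
    """Build headers and form body for the introspection call. Exactly one auth
    method is allowed, mirroring the 'one or the other, not both' settings rule."""
    if (auth_token is None) == (credentials is None):
        raise ValueError("set exactly one of RESOURCE_SERVER_AUTH_TOKEN or "
                         "RESOURCE_SERVER_INTROSPECTION_CREDENTIALS")
    if auth_token is not None:
        authz = "Bearer " + auth_token
    else:
        authz = "Basic " + base64.b64encode(":".join(credentials).encode()).decode()
    headers = {"Authorization": authz, "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": token})


def verify_access_token(token, required_scopes, transport, now=NOW, **auth):
    """Decide whether an incoming bearer token may reach a resource that needs
    required_scopes. transport(headers, body) -> (status, json) performs the POST;
    here it is the in-process authorization server above."""
    headers, body = build_introspection_request(token, **auth)
    status, resp = transport(headers, body)
    if status != 200:
        return False, "introspection call failed with HTTP %d" % status
    if not resp.get("active"):
        return False, "token inactive"
    # Defence in depth: honour exp locally even if the server reported the token active.
    if resp.get("exp") is not None and resp["exp"] <= now:
        return False, "token expired"
    granted = set(resp.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, resp.get("username")


if __name__ == "__main__":
    for tok, scopes in [("uH3Po4KXWP4dsY4zgyxH", ["read", "write"]),
                        ("uH3Po4KXWP4dsY4zgyxH", ["admin"]),
                        ("expiredTokenExample0", ["read"]),
                        ("nosuchtoken", ["read"])]:
        print(tok, scopes, verify_access_token(tok, scopes, authorization_server_introspect,
                                               auth_token=RS_INTROSPECTION_TOKEN))
```

Two points the exchange makes visible: the Authorization Server never distinguishes an unknown token from an expired one to the caller (both are simply inactive), and the introspection call itself is rejected with 401 when the Resource Server's own token or credentials are wrong, which is why the token behind RESOURCE_SERVER_AUTH_TOKEN must exist on the Authorization Server with the introspection scope.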