Clone wiki

django-oauth-plus / Home

Django OAuth provider

The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.

django-oauth-plus features two authentication flows:

  • three-legged OAuth
  • xAuth (twitter xAuth)

Authenticating with OAuth

OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer. OAuth uses Tokens generated by the Service Provider instead of the User's credentials in Protected Resources requests. The process uses two Token types:

  • Request Token: Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.
  • Access Token: Used by the Consumer to access the Protected Resources on behalf of the User. Access Tokens MAY limit access to certain Protected Resources, and MAY have a limited lifetime. Service Providers SHOULD allow Users to revoke Access Tokens. Only the Access Token SHALL be used to access the Protect Resources.

OAuth Authentication is done in three steps:

  • The Consumer obtains an unauthorized Request Token.
  • The User authorizes the Request Token.
  • The Consumer exchanges the Request Token for an Access Token.

See the OAuth Authentication Flow if you need visual details.

Authenticating with xAuth flow

In some cases full three-legged OAuth flow cannot be easily used in consumer application. This can apply to desktop or mobile application which sometimes can't redirect to Service Provider site or use authorization callback from browser. In this cases xAuth flow can be used. xAuth is one-step flow where consumer exchanges Consumer credentials and user credentials for Access Token.

This is still OAuth authorization. There is no official RFC for this flow, but it is fully described in twitter docs - place where it emerged.

Note that this flow gives third-party apps access to user credentials. Because of this access to xAuth flow should be restricted only to trusted consumers and given only when there is a good reason for that.