Clone wiki

django-oauth-plus / installation

Django installation

First, install it through pip:

pip install django-oauth-plus

You need to specify the oauth_provider application in your settings and to sync your database.

Django 1.7+ or South users:

python migrate

If you're on Django 1.6 or earlier and not using South, run syncdb command.

Then add it to your URLs:

urlpatterns = patterns('',
    url(r'^oauth/', include('oauth_provider.urls'))

Note: The oauth prefix is not required, you can specify whatever you want.

With this setup, your OAuth URLs will be:

* Request Token URL: /oauth/request_token/
* User Authorization URL: /oauth/authorize/, using HTTP GET.
* Access Token URL: /oauth/access_token/

That is the only thing you need to document for external developers.

version >= 2.2.0 note:

If you want use xAuth flow you must add this backend to your AUTHENTICATION_BACKENDS setting:


version < 2.2.0 note:

Before 2.2.0 version the last step in setup is to create base scope for oauth_provider. Go to your project shell and type:

from oauth_provider.models import Resource

or add this fixture somewhere with your initial data fixtures:

[{"pk": 1, "model": "oauth_provider.resource", "fields": {"url": "", "name": "all", "is_readonly": true}}]


This is full in


As a provider, you probably need to customize the view you display to the user in order to allow access. The OAUTH_AUTHORIZE_VIEW setting allow you to specify this view, for instance::

OAUTH_AUTHORIZE_VIEW = 'myapp.views.oauth_authorize'

Note: See code with a custom callback view (optional) in example section, which depends on OAUTH_CALLBACK_VIEW setting.

Note: This implementation set an oauth flag in session which certify that the validation had been done by the current user. Otherwise, the external service can directly POST the validation argument and validate the token without any action from the user if he is already logged in. Do not delete it in your own view.


There is another setting dedicated to OAuth OAUTH_REALM_KEY_NAME, which allows you to specify a realm which will be used in headers::


# response
WWW-Authenticate: OAuth realm=""


The OAUTH_BLACKLISTED_HOSTNAMES setting allows you to restrict callback URL hostnames, it must be a list of blacklisted ones. For example::


Default is an empty list.


The OAUTH_SIGNATURE_METHODS setting allows you to restrict signatures' methods you'd like to use. For example if you don't want plaintext signature::


Default is ['plaintext', 'hmac-sha1'].


You can customize the length of your key/secret attributes with constants KEY_SIZE, SECRET_SIZE and CONSUMER_KEY_SIZE defined in

Default is 16 characters for KEY_SIZE and SECRET_SIZE and 256 characters for CONSUMER_KEY_SIZE.


Due to security reasons Django HttpResponseRedirect class throws SuspiciuosOperation exception when used with non-http schemes. For that reason non-http callbacks for successful authorization are considered unsafe and by default redirection won't succeed. If you still want to use non-http callbacks set OAUTH_UNSAFE_REDIRECTS setting to true. This change affect only redirection in default User Authorization view.

Default is False.