Separate Resource Server

Django OAuth Toolkit allows to separate the Authentication Server and the Resource Server. Based on the RFC 7662 Django OAuth Toolkit provides a rfc-compliant introspection endpoint. As well the Django OAuth Toolkit allows to verify access tokens by the use of an introspection endpoint.

Setup the Authentication Server

Setup the Authentication Server as described in the tutorial. Create a OAuth2 access token for the Resource Server and add the introspection-Scope to the settings.

  1. 'SCOPES':{
  2. 'read':'Read scope',
  3. 'write':'Write scope',
  4. 'introspection':'Introspect token scope',
  5. ...
  6. },

The Authentication Server will listen for introspection requests. The endpoint is located within the oauth2_provider.urls as /introspect/.

Example Request:

  1. POST /o/introspect/ HTTP/1.1
  2. Host: server.example.com
  3. Accept: application/json
  4. Content-Type: application/x-www-form-urlencoded
  5. Authorization:Bearer3yUqsWtwKYKHnfivFcJu
  6. token=uH3Po4KXWP4dsY4zgyxH

Example Response:

  1. HTTP/1.1200 OK
  2. Content-Type: application/json
  3. {
  4. "active":true,
  5. "client_id":"oUdofn7rfhRtKWbmhyVk",
  6. "username":"jdoe",
  7. "scope":"read write dolphin",
  8. "exp":1419356238
  9. }

Setup the Resource Server

Setup the Resource Server like the Authentication Server as described in the tutorial. Add RESOURCE_SERVER_INTROSPECTION_URL and eitherRESOURCE_SERVER_AUTH_TOKENorRESOURCE_SERVER_INTROSPECTION_CREDENTIALS as a (id,secret) tuple to your settings. The Resource Server will try to verify its requests on the Authentication Server.

  1. OAUTH2_PROVIDER ={
  2. ...
  3. 'RESOURCE_SERVER_INTROSPECTION_URL':'https://example.org/o/introspect/',
  4. 'RESOURCE_SERVER_AUTH_TOKEN':'3yUqsWtwKYKHnfivFcJu',# OR this but not both:
  5. # 'RESOURCE_SERVER_INTROSPECTION_CREDENTIALS': ('rs_client_id','rs_client_secret'),
  6. ...
  7. }

RESOURCE_SERVER_INTROSPECTION_URL defines the introspection endpoint and RESOURCE_SERVER_AUTH_TOKEN an authentication token to authenticate against the Authentication Server. As allowed by RFC 7662, some external OAuth 2.0 servers support HTTP Basic Authentication. For these, use: RESOURCE_SERVER_INTROSPECTION_CREDENTIALS=('client_id','client_secret') instead of RESOURCE_SERVER_AUTH_TOKEN.