[Solved]-Django REST Framework – OAuth2 Consumer API from external provider


Looking at the code at https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/authentication.py#L290 it seems just not possible. The django-rest-framework internally accesses provider’s database tables to check for tokens and authenticates requests using these data.

Which for me kinda defeats the purpose of OAuth at all, but here we go.



I’ve found these related questions, which confirms what I thought was an interpretation error from my side:

Basically, the standard desn’t define such feature… it’s amazing, provided a lot of people will hit that point sooner of later.

What’s most weird is that I couldn’t find any django addon to do this… are we the first two that need to authenticate more than one API using the same Auth Server?


Lately, the OAuth 2.0 Authorization Framework came up with a specification called OAuth 2.0 Token Introspection (RFC 7662) which defines a protocol that allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth 2.0 client.

This can solve your problem.

It is implemented by most of the well known OAuth 2.0 providers like:

  • Amazon Cognito
  • Okta
  • Auth0
  • Google Cloud Identity

And can easily be integrated with your Django Rest Framework API resources.

In your use case in Django, the open-source library Django OAuth Toolkit can also do the job perfectly. Note that, using an open-source library comes with the hidden costs of maintenance and support, sometimes rarely available.

Token Inspection can be achieved in these simple steps:

  1. Setup the Authentication Server and add one extra scope introspection for the Resource Server while creating an OAuth2 access token.

    'SCOPES': {
        'read': 'Read scope',
        'write': 'Write scope',
        'introspection': 'Introspect token scope',
  2. The OAuth provider must have one endpoint with path /introspect/ at which it will listen to any introspection request.
    e.g. URL: https://example.org/o/introspect/

    eg. Request:

    POST /o/introspect/ HTTP/1.1
    Host: www.example.org
    Accept: application/json
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer 5HtUoltwKYKHnfmxRcJu

    Note: token is access token and Bearer token is Base64($CLIENT_ID:$CLIENT_SECRET)

    And the Response to above example request would look like:

    HTTP/1.1 200 OK
    Content-Type: application/json
      "client_id": "o7dfkjhvHt74F9W20",
      "scope": "read write xyz",
      "username": "john",
      "exp": 1519123438,
      "active": true
  3. Setup the Resource Server with all other settings same as Auth Server and then add following configurations into your settings:

    a. Resource Server Interospection URL e.g. https://example.org/o/introspect/

    b. Resource Server Auth Token e.g. tBvd837tbdHssyT6bhAr9H

    Or Resource Server Introspection Credentials (i.e. client id & client secret)

The implementation of the above steps might differ for different Auth Providers. But it gives a basic idea of how the whole configurations are done as per the rfc-compliance.

Leave a comment