In the previous article, we explored the basic concepts and workings of OAuth2. In this post, we will focus on how to configure an OAuth2 authorization server using the Django OAuth Toolkit (DOT).
1. Installing Django OAuth Toolkit
To implement an OAuth2 server, you first need to install Django OAuth Toolkit (DOT). You can do this with a simple command:
```bash
pip install django-oauth-toolkit
```
Once the installation is complete, add oauth2_provider to INSTALLED_APPS, include oauth2_provider.urls in your URL configuration (conventionally under the o/ prefix), and run the migrations with python manage.py migrate.
After migrating, the tables DOT created show up as new sections in the Django admin.
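Putting the steps above together, here is an added example (written for this post, not code from DOT or the page's author) of the settings.py fragment that wires DOT in, plus a small audit helper that flags weak OAUTH2_PROVIDER values. The setting names are DOT's documented ones; the audit thresholds and the WEAK_OAUTH2_PROVIDER dictionary are this example's own constructions.

```python
# settings.py fragment plus an audit helper (added example, not DOT's own code).
# Assumes Django OAuth Toolkit 2.x; the setting names are DOT's documented ones,
# the thresholds used by audit_oauth2_provider() are this example's own choices.

INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    "oauth2_provider",  # Django OAuth Toolkit
]

# Hardened values for the authorization server.
OAUTH2_PROVIDER = {
    "SCOPES": {
        "read": "Read your data",
        "write": "Modify your data",
        "openid": "OpenID Connect scope",
    },
    "DEFAULT_SCOPES": ["read"],
    "ACCESS_TOKEN_EXPIRE_SECONDS": 3600,         # 1 hour (DOT's default is 36000)
    "REFRESH_TOKEN_EXPIRE_SECONDS": 14 * 86400,  # DOT's default None means never expire
    "ROTATE_REFRESH_TOKEN": True,
    "AUTHORIZATION_CODE_EXPIRE_SECONDS": 60,
    "PKCE_REQUIRED": True,
    "ALLOWED_REDIRECT_URI_SCHEMES": ["https"],   # DOT's default also allows plain http
    "OIDC_ENABLED": False,
}


def audit_oauth2_provider(cfg: dict) -> list[str]:
    """Return findings for weak OAUTH2_PROVIDER settings; an empty list means none.

    Keys that are absent are evaluated as DOT's defaults, so relying on a weak
    default is reported just like setting the weak value explicitly."""
    findings = []
    if cfg.get("ACCESS_TOKEN_EXPIRE_SECONDS", 36000) > 3600:
        findings.append("ACCESS_TOKEN_EXPIRE_SECONDS above 1 hour")
    if cfg.get("REFRESH_TOKEN_EXPIRE_SECONDS") is None:
        findings.append("REFRESH_TOKEN_EXPIRE_SECONDS unset: refresh tokens never expire")
    if not cfg.get("ROTATE_REFRESH_TOKEN", True):
        findings.append("ROTATE_REFRESH_TOKEN disabled: a stolen refresh token stays valid")
    if not cfg.get("PKCE_REQUIRED", True):
        findings.append("PKCE_REQUIRED disabled")
    if "http" in cfg.get("ALLOWED_REDIRECT_URI_SCHEMES", ["http", "https"]):
        findings.append("plain http redirect URIs allowed")
    if cfg.get("OIDC_ENABLED") and not cfg.get("OIDC_RSA_PRIVATE_KEY"):
        findings.append("OIDC_ENABLED without OIDC_RSA_PRIVATE_KEY: RS256 ID tokens cannot be signed")
    return findings


# A deliberately weak configuration, constructed for this example, for comparison.
WEAK_OAUTH2_PROVIDER = {
    "ACCESS_TOKEN_EXPIRE_SECONDS": 30 * 86400,
    "ROTATE_REFRESH_TOKEN": False,
    "PKCE_REQUIRED": False,
}

if __name__ == "__main__":
    for name, cfg in (("hardened", OAUTH2_PROVIDER), ("weak", WEAK_OAUTH2_PROVIDER)):
        print(name, audit_oauth2_provider(cfg) or "OK")
```

Alongside this, urls.py needs path("o/", include("oauth2_provider.urls", namespace="oauth2_provider")), and python manage.py migrate creates the token tables. Running the module prints OK for the hardened dictionary and five findings for the weak one.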
2. Exploring the Newly Added Menus in Admin
When you install DOT, the following 5 menus are added to Django Admin:
1) Access tokens
- Manages issued access tokens.
- You can check each token's expiry, its scopes, the client application it was issued to, and the user it belongs to.
- Access tokens are keys used by authenticated clients to access protected resources.
2) Refresh tokens
- Manages refresh tokens.
- Used to obtain a new access token when the access token expires.
- This lets a user keep working without logging in again. Because a refresh token is long-lived, it should be rotated on every use (ROTATE_REFRESH_TOKEN) and given an expiry (REFRESH_TOKEN_EXPIRE_SECONDS), which DOT does not set by default.
3) Application
- Registers and manages OAuth2 client applications.
- Applications must be registered to communicate with the authentication server, and various settings fields are provided.
4) Grant
- Stores issued authorization codes.
- The authorization code is a short-lived, single-use credential that the client exchanges for an access token; in DOT it expires after 60 seconds by default (AUTHORIZATION_CODE_EXPIRE_SECONDS).
5) ID tokens
- Manages issued ID tokens.
- ID tokens exist only when OpenID Connect (OIDC) is enabled on top of OAuth2: each one is a signed JWT stating which user authenticated, for which client, and when.
- The client verifies the token's signature to learn who logged in; plain OAuth2 access tokens, by contrast, say nothing about identity and only grant access to resources.
3. Detailed Explanation of the Application Menu
The core of the OAuth2 server is the registration of client applications. You can set the following fields in the Application menu:
1) Name
- The name of the application.
- Write it clearly so that administrators can easily identify it.
2) Client ID
- A unique identifier for the application.
- Used by the OAuth2 server to identify the client and is generated automatically.
3) Client Secret
- A secret used to authenticate the client to the token endpoint.
- Meaningful only for Confidential clients; it must never be shipped inside a mobile app or browser bundle.
- DOT 2.0 and later store only a hash of the secret, so copy it when the application is created; it cannot be read back from the admin afterwards.
4) Client Type
- The type of client application.
- Confidential: Server-based applications that can securely store the secret key.
- Public: Mobile apps or Single Page Applications (SPAs) that cannot keep a secret; they rely on PKCE instead of a client secret.
5) Authorization Grant Type
- The OAuth2 flow the client application will use. Main options:
- Authorization Code: the standard choice whenever a user is present; combined with PKCE (which DOT requires by default) it is the recommended flow for both client types.
- Password: the client collects the user's username and password itself and sends them to the token endpoint. This grant is deprecated by the OAuth 2.0 Security Best Current Practice and should not be enabled for new applications.
- Client Credentials: the client authenticates as itself with no user involved; suitable for server-to-server communication.
- DOT also offers Implicit (deprecated for the same reasons as Password) and OpenID Connect hybrid.
6) Redirect URIs
- The client application URL(s) to which the authorization code (or, for the deprecated implicit grant, the token itself) is delivered after the user approves; several URIs can be listed, separated by spaces.
- Important: the redirect_uri the client sends must match one of the registered entries exactly. A loosely matched URI (an extra path segment, a different port, an added query string) would let an attacker receive the authorization code.
- If no entry matches, the OAuth2 server refuses the request and does not deliver the authorization code or token.
- Use HTTPS; DOT's ALLOWED_REDIRECT_URI_SCHEMES setting controls which schemes are accepted at all.
7) Algorithm
- Specifies the algorithm used to sign OpenID Connect ID tokens for this client; it has no effect on plain OAuth2 access tokens.
- RS256: the server signs with its RSA private key (OIDC_RSA_PRIVATE_KEY) and clients verify with the public key published at the JWKS endpoint.
- HS256: the token is signed with the client secret, so it is only usable by Confidential clients.
- Leaving the field at "No OIDC support" (the model default) means no ID tokens are issued for this application.
8) Skip Authorization
- Setting this to True skips the consent screen: a logged-in user is redirected back with an authorization code without being asked to approve the requested scopes.
- Only appropriate for first-party applications you control; for third-party clients it removes the user's chance to refuse.
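To make the exact-match rule for Redirect URIs concrete, here is an added example (written for this post; it is not DOT's own redirect URI validation code) that checks a requested redirect_uri against the space-separated Redirect URIs value component by component: the host case-insensitively, everything else exactly. The registered URIs and the candidate list are constructed for the example.

```python
# Added example: exact-match redirect URI check (illustration, not DOT's validator).
# REGISTERED and CASES are constructed inputs for this example.
from urllib.parse import urlsplit


def redirect_uri_allowed(candidate: str, registered: str, allowed_schemes=("https",)) -> bool:
    """Return True only if candidate equals one of the space-separated registered URIs.

    Comparison is done on parsed components: scheme, host (case-insensitive per
    RFC 3986), port, path and query must all be identical; any fragment is rejected."""
    cand = urlsplit(candidate)
    if cand.scheme not in allowed_schemes:
        return False
    if cand.fragment:  # RFC 6749 3.1.2: a redirect URI must not include a fragment
        return False
    for uri in registered.split():
        reg = urlsplit(uri)
        if (cand.scheme == reg.scheme
                and cand.hostname == reg.hostname   # .hostname is lower-cased by urlsplit
                and cand.port == reg.port
                and cand.path == reg.path           # path is case-sensitive, no normalisation
                and cand.query == reg.query):
            return True
    return False


# The value an administrator would type into the Redirect URIs field (constructed).
REGISTERED = "https://app.example.com/callback https://app.example.com/oauth/return"

# Candidates an attacker or a misconfigured client might send (constructed),
# mapped to the decision a strict server should make.
CASES = {
    "https://app.example.com/callback": True,
    "https://APP.example.com/callback": True,               # only host case differs
    "https://app.example.com/oauth/return": True,
    "http://app.example.com/callback": False,               # scheme downgrade
    "https://app.example.com/callback/": False,             # trailing slash
    "https://app.example.com/callback/../admin": False,     # path traversal segment
    "https://app.example.com:8443/callback": False,         # different port
    "https://app.example.com.evil.net/callback": False,     # prefix-match bypass
    "https://app.example.com/callback?next=evil": False,    # added query string
    "https://app.example.com/callback#token": False,        # fragment
    "https://evil.net/callback?u=https://app.example.com/callback": False,
}


def check_cases() -> dict:
    """Evaluate every constructed candidate; returns a mapping of URI -> decision."""
    return {uri: redirect_uri_allowed(uri, REGISTERED) for uri in CASES}


if __name__ == "__main__":
    for uri, ok in check_cases().items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {uri}")
```

Every rejected line in the output is a URI that a prefix or "starts with" comparison would have accepted, and each one would hand the authorization code to a page the administrator never registered.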
4. Summary and Next Steps
In this post, we explored how to configure an OAuth2 server using the Django OAuth Toolkit (DOT), focusing particularly on the Admin menu and the Application fields. This gave us an understanding of the client application registration process and the roles of each field.
In the next article, we will delve deeper into the Client Type mentioned in this post. We will compare the Confidential and Public types and thoroughly explain how these two types are utilized in OAuth2. We also plan to cover the following topics:
- The relationship between Client Type and PKCE: Why PKCE (Proof Key for Code Exchange) is important for Public clients.
- The role of the Client Secret: How the secret key is used in Confidential clients.
- The flow of the Authorization Code method and PKCE: Unpacking the core of the most standard Grant Type in OAuth2.
Understanding the flow of the Authorization Code method clearly requires a good grasp of the interaction between PKCE and Client Type.
We will explore this topic in depth in the next post.