API References of Django OAuth 2.0 Server

This part of the documentation covers the interface of Django OAuth 2.0 Server.

class authlib.django.oauth2.AuthorizationServer(client_model, token_model, generate_token=None, metadata=None)

Django implementation of authlib.oauth2.rfc6749.AuthorizationServer. Initialize it with the client model and the token model:

from authlib.django.oauth2 import AuthorizationServer
from your_project.models import OAuth2Client, OAuth2Token

server = AuthorizationServer(OAuth2Client, OAuth2Token)

create_authorization_response(request=None, grant_user=None)

Validate authorization request and create authorization response.

Parameters:
  • request – HTTP request instance.
  • grant_user – the resource owner if access is granted; None if it is denied.
Returns:

Response

create_endpoint_response(name, request=None)

Validate endpoint request and create endpoint response.

Parameters:
  • name – Endpoint name
  • request – HTTP request instance.
Returns:

Response

create_token_response(request=None)

Validate token request and create token response.

Parameters:
  • request – HTTP request instance

register_endpoint(endpoint_cls)

Add an extra endpoint to the authorization server, e.g. RevocationEndpoint:

authorization_server.register_endpoint(RevocationEndpoint)

Parameters:
  • endpoint_cls – An endpoint class

register_grant(grant_cls, extensions=None)

Register a grant class into the endpoint registry. Developers can implement the grants in authlib.oauth2.rfc6749.grants and register with this method:

from authlib.oauth2.rfc6749 import grants

class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
    def authenticate_user(self, credential):
        # ...
        ...  # implementation goes here

authorization_server.register_grant(AuthorizationCodeGrant)

Parameters:
  • grant_cls – a grant class.
  • extensions – extensions for the grant class.

class authlib.django.oauth2.ResourceProtector

acquire_token(request, scope=None, operator='AND')

A method to acquire the current valid token with the given scope.

Parameters:
  • request – Django HTTP request instance
  • scope – string or list of scope values
  • operator – value of “AND” or “OR”
Returns:

token object

class authlib.django.oauth2.BearerTokenValidator(token_model, realm=None)

authenticate_token(token_string)

A method to query token from database with the given token string. Developers MUST re-implement this method. For instance:

def authenticate_token(self, token_string):
    return get_token_from_database(token_string)

Parameters:
  • token_string – A string to represent the access_token.
Returns: token

request_invalid(request)

Check if the HTTP request is valid or not; return True when the request is invalid. Developers MUST re-implement this method. For instance, if your server requires an “X-Device-Version” header:

def request_invalid(self, request):
    # True means the request is invalid: the required header is missing
    return 'X-Device-Version' not in request.headers

Usually you don’t have to detect whether the request is valid or not; you can just return False.

Parameters:
  • request – instance of HttpRequest
Returns: Boolean

token_revoked(token)

Check if this token is revoked. Developers MUST re-implement this method. If there is a column called revoked on the token table:

def token_revoked(self, token):
    return token.revoked

Parameters:
  • token – token instance
Returns: Boolean
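
The three validator hooks above, put together with the “AND”/“OR” scope operator described for acquire_token, as an added example that is not Authlib's own code. Plain stand-in classes replace the Django token model and HttpRequest so it runs on its own; `TOKENS`, `DeviceTokenValidator`, `scope_ok` and `check` are hypothetical names, and the order of checks in `check` is an assumption made for illustration.

```python
# Added example: constructed stand-ins for the token model and HttpRequest,
# so this runs without Django or Authlib installed.
from dataclasses import dataclass, field

@dataclass
class Token:  # stand-in for a row of the token table
    access_token: str
    scope: str
    revoked: bool = False

@dataclass
class Request:  # stand-in for django.http.HttpRequest
    headers: dict = field(default_factory=dict)

# Constructed sample data, keyed by access token string.
TOKENS = {
    "tok-live": Token("tok-live", "profile email"),
    "tok-dead": Token("tok-dead", "profile", revoked=True),
}

class DeviceTokenValidator:  # in a project: subclass BearerTokenValidator
    def authenticate_token(self, token_string):
        return TOKENS.get(token_string)  # None when the token is unknown

    def request_invalid(self, request):
        # True means "reject": the required header is missing.
        return "X-Device-Version" not in request.headers

    def token_revoked(self, token):
        return token.revoked

def scope_ok(token, scope, operator="AND"):
    """Hypothetical helper: AND needs every requested scope, OR needs one."""
    wanted = set(scope.split() if isinstance(scope, str) else scope)
    granted = set(token.scope.split())
    return wanted <= granted if operator == "AND" else bool(wanted & granted)

def check(validator, request, token_string, scope, operator="AND"):
    """Hypothetical driver: returns the token, or the reason for refusal."""
    if validator.request_invalid(request):
        return "invalid_request"
    token = validator.authenticate_token(token_string)
    if token is None or validator.token_revoked(token):
        return "invalid_token"
    if not scope_ok(token, scope, operator):
        return "insufficient_scope"
    return token
```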

class authlib.django.oauth2.RevocationEndpoint(server)

The revocation endpoint for OAuth authorization servers allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.

Register it with the authorization server, and create the token endpoint response for token revocation:

from django.views.decorators.http import require_http_methods
from authlib.django.oauth2 import RevocationEndpoint

# register the endpoint with the authorization server instance
# (`server` is the AuthorizationServer instance created earlier)
server.register_endpoint(RevocationEndpoint)

@require_http_methods(["POST"])
def revoke_token(request):
    return server.create_endpoint_response(
        RevocationEndpoint.ENDPOINT_NAME,
        request
    )

query_token(token, token_type_hint, client)

Query requested token from database.

revoke_token(token)

Mark the given token as revoked.

authlib.django.oauth2.client_authenticated

Signal when client is authenticated

authlib.django.oauth2.token_revoked

Signal when token is revoked

authlib.django.oauth2.token_authenticated

Signal when token is authenticated