From 274e24693a411dc987413715baf80e91e022a629 Mon Sep 17 00:00:00 2001 From: Marcus Sonestedt Date: Tue, 14 Feb 2023 20:44:58 +0100 Subject: [PATCH 1/7] Replace heroku with postman tutorial --- docs/tutorial/tutorial_01.rst | 39 +++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index f0b8cb3ed..6886eded8 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst @@ -89,7 +89,7 @@ point your browser to http://localhost:8000/o/applications/ and add an Applicati * `Redirect uris`: Applications must register at least one redirection endpoint before using the authorization endpoint. The :term:`Authorization Server` will deliver the access token to the client only if the client specifies one of the verified redirection uris. For this tutorial, paste verbatim the value - `http://django-oauth-toolkit.herokuapp.com/consumer/exchange/` + `https://www.getpostman.com/oauth2/callback` * `Client type`: this value affects the security level at which some communications between the client application and the authorization server are performed. For this tutorial choose *Confidential*. 
@@ -105,17 +105,28 @@ process we'll explain shortly) Test Your Authorization Server ------------------------------ Your authorization server is ready and can begin issuing access tokens. To test the process you need an OAuth2 -consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. For the rest -of us, there is a `consumer service `_ deployed on Heroku to test -your provider. +consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. + +For this tutorial, we suggest using Postman, where we will be following `this guide https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_oauth2/#get-an-oauth-20-token`. + +Set the fields as follows for this tutorial: + +* Grant type: `Authorization code (With PKCE)` +* Callback URL: `https://www.getpostman.com/oauth2/callback` <- need to be in your added application +* Authorize using browser: leave unchecked +* Auth URL: `http://localhost:8000/o/authorize/` +* Access Token URL: `http://localhost:8000/o/token/` +* Client ID: `random string for this app, as generated` +* Client Secret: `random string for this app, as generated` <- must be before hashing, should not begin with 'pbkdf2_sha256' or similar + +The rest can be left to their (mostly empty) default values. Build an Authorization Link for Your Users ++++++++++++++++++++++++++++++++++++++++++ Authorizing an application to access OAuth2 protected data in an :term:`Authorization Code` flow is always initiated -by the user. Your application can prompt users to click a special link to start the process. Go to the -`Consumer `_ page and complete the form by filling in your -application's details obtained from the steps in this tutorial. Submit the form, and you'll receive a link your users can -use to access the authorization page. +by the user. Your application can prompt users to click a special link to start the process. 
+ +Here, we click "Get New Access Token" in postman, which should open your browser and show django's login. Authorize the Application +++++++++++++++++++++++++ @@ -125,18 +136,20 @@ page is login protected by django-oauth-toolkit. Login, then you should see the her authorization to the client application. Flag the *Allow* checkbox and click *Authorize*, you will be redirected again to the consumer service. -__ loginTemplate_ +Possible errors: -If you are not redirected to the correct page after logging in successfully, +* loginTemplate: If you are not redirected to the correct page after logging in successfully, you probably need to `setup your login template correctly`__. +* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation. + (but you can reset it by pasting the same random string into Django admin and into Postman, to avoid recreating the app) +* invalid callback url: Add the postman link into your app in Django admin. +* invalid_request: Use "Authorization Code (With PCKE)" from postman or disable PKCE in Django Exchange the token ++++++++++++++++++ At this point your authorization server redirected the user to a special page on the consumer passing in an :term:`Authorization Code`, a special token the consumer will use to obtain the final access token. -This operation is usually done automatically by the client application during the request/response cycle, but we cannot -make a POST request from Heroku to your localhost, so we proceed manually with this step. Fill the form with the -missing data and click *Submit*. + If everything is ok, you will be routed to another page showing your access token, the token type, its lifetime and the :term:`Refresh Token`. From 198e0a6d85a90d7f7b5923927e4da52795d0e4d8 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:46:33 +0000 Subject: [PATCH 2/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/tutorial/tutorial_01.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index 6886eded8..afb1f7b2b 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst @@ -105,7 +105,7 @@ process we'll explain shortly) Test Your Authorization Server ------------------------------ Your authorization server is ready and can begin issuing access tokens. To test the process you need an OAuth2 -consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. +consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. For this tutorial, we suggest using Postman, where we will be following `this guide https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_oauth2/#get-an-oauth-20-token`. From e88f15a7efeab5f6bf14bb4e3dc72ea24b50990c Mon Sep 17 00:00:00 2001 From: Marcus Sonestedt Date: Tue, 14 Feb 2023 20:47:56 +0100 Subject: [PATCH 3/7] Update tutorial_01.rst --- docs/tutorial/tutorial_01.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index afb1f7b2b..22dfd2dab 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst 
@@ -138,9 +138,8 @@ again to the consumer service. Possible errors: -* loginTemplate: If you are not redirected to the correct page after logging in successfully, -you probably need to `setup your login template correctly`__. -* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation. +* loginTemplate: If you are not redirected to the correct page after logging in successfully, you probably need to `setup your login template correctly`__. +* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation. (but you can reset it by pasting the same random string into Django admin and into Postman, to avoid recreating the app) * invalid callback url: Add the postman link into your app in Django admin. * invalid_request: Use "Authorization Code (With PCKE)" from postman or disable PKCE in Django From 33755a4e579ad1864b84021dd1e2cd2557a0a07d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Feb 2023 19:48:07 +0000 Subject: [PATCH 4/7] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/tutorial/tutorial_01.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index 22dfd2dab..5c8c983ef 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst 
@@ -139,7 +139,7 @@ again to the consumer service. Possible errors: * loginTemplate: If you are not redirected to the correct page after logging in successfully, you probably need to `setup your login template correctly`__. -* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation. +* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation. (but you can reset it by pasting the same random string into Django admin and into Postman, to avoid recreating the app) * invalid callback url: Add the postman link into your app in Django admin. * invalid_request: Use "Authorization Code (With PCKE)" from postman or disable PKCE in Django From b42c64b357bebbc6eac6f886bc3f4d96fce57452 Mon Sep 17 00:00:00 2001 From: Marcus Sonestedt Date: Wed, 15 Feb 2023 15:20:13 +0100 Subject: [PATCH 5/7] Update AUTHORS --- AUTHORS | 1 + 1 file changed, 1 insertion(+) diff --git a/AUTHORS b/AUTHORS index 9bd1ea3fc..8914badcc 100644 --- a/AUTHORS +++ b/AUTHORS @@ -90,3 +90,4 @@ Víðir Valberg Guðmundsson Will Beaufoy pySilver Łukasz Skarżyński +Marcus Sonestedt From 6bb7686704d0f47db62b520839ee1f18e78bfabe Mon Sep 17 00:00:00 2001 From: Marcus Sonestedt Date: Wed, 15 Feb 2023 15:21:00 +0100 Subject: [PATCH 6/7] Update docs/tutorial/tutorial_01.rst Co-authored-by: Alan Crosswell --- docs/tutorial/tutorial_01.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index 5c8c983ef..25b932ee1 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst 
@@ -107,7 +107,7 @@ Test Your Authorization Server Your authorization server is ready and can begin issuing access tokens. To test the process you need an OAuth2 consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. -For this tutorial, we suggest using Postman, where we will be following `this guide https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_oauth2/#get-an-oauth-20-token`. +For this tutorial, we suggest using Postman. Set the fields as follows for this tutorial: From 7b4cc7e864b0092d77c00659b3bbc17c00901c65 Mon Sep 17 00:00:00 2001 From: Marcus Sonestedt Date: Wed, 15 Feb 2023 15:26:52 +0100 Subject: [PATCH 7/7] Update tutorial_01.rst --- docs/tutorial/tutorial_01.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tutorial/tutorial_01.rst b/docs/tutorial/tutorial_01.rst index 25b932ee1..1d53de78a 100644 --- a/docs/tutorial/tutorial_01.rst +++ b/docs/tutorial/tutorial_01.rst @@ -107,9 +107,9 @@ Test Your Authorization Server Your authorization server is ready and can begin issuing access tokens. To test the process you need an OAuth2 consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. -For this tutorial, we suggest using Postman. +For this tutorial, we suggest using [Postman](https://www.postman.com/downloads/) : -Set the fields as follows for this tutorial: +Open up the Authorization tab under a request and, for this tutorial, set the fields as follows: * Grant type: `Authorization code (With PKCE)` * Callback URL: `https://www.getpostman.com/oauth2/callback` <- need to be in your added application
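Review bot: in PATCH 1/7, hunk `@@ -89,7 +89,7 @@` (the Redirect uris bullet), the new redirect URI `https://www.getpostman.com/oauth2/callback` is a host the reader does not control, and the same patch later has the reader paste the client secret in plaintext into Postman; the tutorial should say here that this setup is for the local test server with a throwaway application. This is also the right place for the remark about the secret that the patch buries in the "Possible errors" list further down: the secret is stored hashed after the application is saved (the text notes the stored form begins with `pbkdf2_sha256`), so it has to be copied at creation time. Suggest adding one sentence to this bullet, e.g. "Copy the Client secret now; once the application is saved, only its hash is stored and it cannot be retrieved from the admin."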
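Review bot: in PATCH 1/7, hunk `@@ -105,17 +105,28 @@`, the reference `` `this guide https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_oauth2/#get-an-oauth-20-token` `` is not valid reStructuredText hyperlink syntax and renders as plain interpreted text rather than a link; the reST form is `` `this guide <https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_oauth2/#get-an-oauth-20-token>`_ ``. In the same hunk, the `<-` annotations on the Callback URL and Client Secret bullets will render literally in the HTML output; turning them into sentences ("This URL must also be registered as a redirect URI on the application you created above.") reads better and makes the Client Secret note, which is the one most readers will trip over, stand out.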
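Review bot: in PATCH 1/7, hunk `@@ -125,18 +136,20 @@`, deleting the `__ loginTemplate_` line leaves the anonymous reference `` `setup your login template correctly`__ `` in the loginTemplate bullet without a target, so Sphinx will report an anonymous hyperlink mismatch and the link will not render; keep the `__ loginTemplate_` target line (placed after the bullet list) or use an explicitly named reference instead. Two further points in this hunk: "Authorization Code (With PCKE)" should read "PKCE", and the invalid_request bullet should present selecting the PKCE grant type in Postman as the fix rather than offering "or disable PKCE in Django" as an alternative, since relaxing the server-side requirement affects every client of the authorization server, not just this test. Finally, the hunk removes the manual exchange paragraph but leaves the "Exchange the token" section opening with a stray blank `+` line and the following text still says "you will be routed to another page showing your access token", which describes the old consumer service; with Postman the exchange happens automatically and the token appears in Postman's token dialog, so that sentence should be rewritten to match.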
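Review bot: in PATCH 3/7, hunk `@@ -138,9 +138,8 @@`, joining the wrapped bullet onto one line is the right fix (an unindented continuation line breaks the reST list item), but the joined "invalid client" line is left with trailing whitespace, which PATCH 4/7 then strips; PATCH 2/7 does the same for PATCH 1/7. Consider squashing the two pre-commit fixup commits into the commits they correct, and running the pre-commit hooks locally before pushing, so the series reads as three logical changes (tutorial rewrite, AUTHORS, wording fixes).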
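Review bot: in PATCH 6/7, hunk `@@ -107,7 +107,7 @@`, dropping the sentence removes the attribution to the guide the tutorial was following rather than fixing the malformed link; if the guide is still the source of the Postman field values below, keep a pointer to it using proper reST syntax (`` `this guide <URL>`_ ``), otherwise the shorter sentence is fine.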
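Review bot: in PATCH 7/7, hunk `@@ -107,9 +107,9 @@`, `[Postman](https://www.postman.com/downloads/) :` is Markdown link syntax inside a `.rst` file and will render literally, brackets and all; use `` `Postman <https://www.postman.com/downloads/>`_: `` and drop the stray space before the colon. The rewritten second line ("Open up the Authorization tab under a request ...") is a clear improvement, since it tells the reader where in Postman the fields live.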