django-rest-framework/docs/api-guide/authentication.md

149 lines
7.1 KiB
Markdown
Raw Normal View History

2012-09-09 01:06:13 +04:00
<a class="github" href="authentication.py"></a>
2012-09-05 13:01:43 +04:00
# Authentication
2012-09-12 13:12:13 +04:00
> Auth needs to be pluggable.
>
> &mdash; Jacob Kaplan-Moss, ["REST worst practices"][cite]
2012-09-05 16:03:55 +04:00
Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The [permission] and [throttling] policies can then use those credentials to determine if the request should be permitted.
2012-09-05 13:01:43 +04:00
REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.
2012-09-05 16:03:55 +04:00
Authentication will run the first time either the `request.user` or `request.auth` properties are accessed, and determines how those properties are initialized.
2012-09-06 00:14:00 +04:00
The `request.user` property will typically be set to an instance of the `contrib.auth` package's `User` class.
2012-09-07 22:12:46 +04:00
The `request.auth` property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with.
2012-09-06 00:14:00 +04:00
2012-09-05 23:10:06 +04:00
## How authentication is determined
2012-09-13 12:39:16 +04:00
The authentication policy is always defined as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set `request.user` and `request.auth` using the return value of the first class that successfully authenticates.
2012-09-05 23:10:06 +04:00
If no class authenticates, `request.user` will be set to an instance of `django.contrib.auth.models.AnonymousUser`, and `request.auth` will be set to `None`.
2012-09-06 00:14:00 +04:00
The value of `request.user` and `request.auth` for unauthenticated requests can be modified using the `UNAUTHENTICATED_USER` and `UNAUTHENTICATED_TOKEN` settings.
2012-09-05 23:10:06 +04:00
2012-09-05 16:03:55 +04:00
## Setting the authentication policy
The default authentication policy may be set globally, using the `DEFAULT_AUTHENTICATION_CLASSES` setting. For example.
2012-09-05 16:03:55 +04:00
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
2012-09-05 16:03:55 +04:00
)
}
You can also set the authentication policy on a per-view basis, using the `APIView` class based views.
class ExampleView(APIView):
authentication_classes = (SessionAuthentication, BasicAuthentication)
2012-09-30 18:55:24 +04:00
permission_classes = (IsAuthenticated,)
2012-09-05 16:03:55 +04:00
def get(self, request, format=None):
content = {
2012-09-07 22:12:46 +04:00
'user': unicode(request.user), # `django.contrib.auth.User` instance.
2012-09-05 16:03:55 +04:00
'auth': unicode(request.auth), # None
}
return Response(content)
Or, if you're using the `@api_view` decorator with function based views.
2012-10-29 12:25:17 +04:00
@api_view(['GET'])
@authentication_classes((SessionAuthentication, BasicAuthentication))
2013-01-11 23:26:44 +04:00
@permission_classes((IsAuthenticated,))
2012-09-05 16:03:55 +04:00
def example_view(request, format=None):
content = {
2012-09-07 22:12:46 +04:00
'user': unicode(request.user), # `django.contrib.auth.User` instance.
2012-09-05 16:03:55 +04:00
'auth': unicode(request.auth), # None
}
return Response(content)
2012-10-15 16:27:50 +04:00
# API Reference
2012-09-12 23:39:22 +04:00
## BasicAuthentication
2012-09-05 16:03:55 +04:00
2012-09-12 23:39:22 +04:00
This policy uses [HTTP Basic Authentication][basicauth], signed against a user's username and password. Basic authentication is generally only appropriate for testing.
2012-09-05 16:03:55 +04:00
2012-09-12 23:39:22 +04:00
If successfully authenticated, `BasicAuthentication` provides the following credentials.
2012-09-05 16:03:55 +04:00
2012-11-20 01:42:33 +04:00
* `request.user` will be a Django `User` instance.
2012-09-05 16:03:55 +04:00
* `request.auth` will be `None`.
2012-09-05 13:01:43 +04:00
2012-09-12 23:39:22 +04:00
**Note:** If you use `BasicAuthentication` in production you must ensure that your API is only available over `https` only. You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.
2012-09-07 22:12:46 +04:00
## TokenAuthentication
2012-09-05 13:01:43 +04:00
2012-09-12 23:39:22 +04:00
This policy uses a simple token-based HTTP Authentication scheme. Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.
To use the `TokenAuthentication` policy, include `rest_framework.authtoken` in your `INSTALLED_APPS` setting.
2012-09-12 23:39:22 +04:00
You'll also need to create tokens for your users.
from rest_framework.authtoken.models import Token
2012-09-12 13:12:13 +04:00
2012-09-12 23:39:22 +04:00
token = Token.objects.create(user=...)
print token.key
2012-09-05 16:03:55 +04:00
2012-10-21 18:34:07 +04:00
For clients to authenticate, the token key should be included in the `Authorization` HTTP header. The key should be prefixed by the string literal "Token", with whitespace separating the two strings. For example:
2012-09-05 16:03:55 +04:00
2012-09-12 23:39:22 +04:00
Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
2012-09-07 22:12:46 +04:00
If successfully authenticated, `TokenAuthentication` provides the following credentials.
2012-09-05 16:03:55 +04:00
2012-11-20 01:42:33 +04:00
* `request.user` will be a Django `User` instance.
* `request.auth` will be a `rest_framework.tokenauth.models.BasicToken` instance.
2012-09-07 22:12:46 +04:00
2012-09-12 23:39:22 +04:00
**Note:** If you use `TokenAuthentication` in production you must ensure that your API is only available over `https` only.
2012-09-05 16:03:55 +04:00
If you want every user to have an automatically generated Token, you can simply catch the User's `post_save` signal.
@receiver(post_save, sender=User)
def create_auth_token(sender, instance=None, created=False, **kwargs):
if created:
Token.objects.create(user=instance)
2012-11-20 02:08:38 +04:00
If you've already created some users, you can generate tokens for all existing users like this:
from django.contrib.auth.models import User
from rest_framework.authtoken.models import Token
for user in User.objects.all():
Token.objects.get_or_create(user=user)
2012-11-20 02:08:38 +04:00
When using `TokenAuthentication`, you may want to provide a mechanism for clients to obtain a token given the username and password.
2012-11-20 01:42:33 +04:00
REST framework provides a built-in view to provide this behavior. To use it, add the `obtain_auth_token` view to your URLconf:
urlpatterns += patterns('',
2012-11-28 13:58:34 +04:00
url(r'^api-token-auth/', 'rest_framework.authtoken.views.obtain_auth_token')
)
2012-11-20 02:08:38 +04:00
Note that the URL part of the pattern can be whatever you want to use.
2012-11-20 01:42:33 +04:00
2012-11-20 02:08:38 +04:00
The `obtain_auth_token` view will return a JSON response when valid `username` and `password` fields are POSTed to the view using form data or JSON:
{ 'token' : '9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b' }
2012-09-05 13:01:43 +04:00
## SessionAuthentication
2012-09-05 16:03:55 +04:00
This policy uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients that are running in the same session context as your website.
If successfully authenticated, `SessionAuthentication` provides the following credentials.
2012-11-20 01:42:33 +04:00
* `request.user` will be a Django `User` instance.
2012-09-05 16:03:55 +04:00
* `request.auth` will be `None`.
If you're using an AJAX style API with SessionAuthentication, you'll need to make sure you include a valid CSRF token for any "unsafe" HTTP method calls, such as `PUT`, `POST` or `DELETE` requests. See the [Django CSRF documentation][csrf-ajax] for more details.
2012-10-15 16:27:50 +04:00
# Custom authentication
2012-09-05 16:03:55 +04:00
2012-09-12 13:12:13 +04:00
To implement a custom authentication policy, subclass `BaseAuthentication` and override the `.authenticate(self, request)` method. The method should return a two-tuple of `(user, auth)` if authentication succeeds, or `None` otherwise.
2012-09-05 16:03:55 +04:00
2012-09-12 13:12:13 +04:00
[cite]: http://jacobian.org/writing/rest-worst-practices/
2012-09-05 16:03:55 +04:00
[basicauth]: http://tools.ietf.org/html/rfc2617
[oauth]: http://oauth.net/2/
[permission]: permissions.md
2012-09-05 23:10:06 +04:00
[throttling]: throttling.md
[csrf-ajax]: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax