django-rest-framework/api-guide/authentication.html

<!DOCTYPE html>
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta charset="utf-8">
    <title>Django REST framework</title>
    <link href="http://tomchristie.github.com/django-rest-framework/img/favicon.ico" rel="icon" type="image/x-icon">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
    <meta name="author" content="">

    <!-- Le styles -->
    <link href="http://tomchristie.github.com/django-rest-framework/css/prettify.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">
    <link href="http://tomchristie.github.com/django-rest-framework/css/default.css" rel="stylesheet">

    <!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
    <!--[if lt IE 9]>
      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->
  <body onload="prettyPrint()" class="authentication-page">

  <div class="wrapper">

    <div class="navbar navbar-inverse navbar-fixed-top">
      <div class="navbar-inner">
        <div class="container-fluid">
            <a class="repo-link btn btn-primary btn-small" href="https://github.com/tomchristie/django-rest-framework/tree/restframework2">GitHub</a>
          <a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </a>
          <a class="brand" href="http://tomchristie.github.com/django-rest-framework">Django REST framework</a>
          <div class="nav-collapse collapse">
            <ul class="nav">
              <li><a href="http://tomchristie.github.com/django-rest-framework">Home</a></li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Tutorial <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/quickstart">Quickstart</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/1-serialization">1 - Serialization</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/2-requests-and-responses">2 - Requests and responses</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/3-class-based-views">3 - Class based views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/4-authentication-permissions-and-throttling">4 - Authentication, permissions and throttling</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/5-relationships-and-hyperlinked-apis">5 - Relationships and hyperlinked APIs</a></li>
                  <!-- <li><a href="http://tomchristie.github.com/django-rest-framework/tutorial/6-resource-orientated-projects">6 - Resource orientated projects</a></li> -->
                </ul>
              </li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">API Guide <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/requests">Requests</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/responses">Responses</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/views">Views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/generic-views">Generic views</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/parsers">Parsers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/renderers">Renderers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/serializers">Serializers</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/fields">Serializer fields</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/authentication">Authentication</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/permissions">Permissions</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/throttling">Throttling</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/pagination">Pagination</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/content-negotiation">Content negotiation</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/format-suffixes">Format suffixes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/reverse">Returning URLs</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/exceptions">Exceptions</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/status-codes">Status codes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/api-guide/settings">Settings</a></li>
                </ul>
              </li>
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Topics <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/csrf">Working with AJAX and CSRF</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/browser-enhancements">Browser enhancements</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/browsable-api">The Browsable API</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/rest-hypermedia-hateoas">REST, Hypermedia & HATEOAS</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/contributing">Contributing to REST framework</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/migration">2.0 Migration Guide</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/release-notes">Release Notes</a></li>
                  <li><a href="http://tomchristie.github.com/django-rest-framework/topics/credits">Credits</a></li>
                </ul>
              </li>
            </ul>
            <ul class="nav pull-right">
              <!-- TODO
              <li class="dropdown">
                <a href="#" class="dropdown-toggle" data-toggle="dropdown">Version: 2.0.0 <b class="caret"></b></a>
                <ul class="dropdown-menu">
                  <li><a href="#">Trunk</a></li>
                  <li><a href="#">2.0.0</a></li>
                </ul>
              </li>
            -->
            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </div>
    </div>

    <div class="body-content">
      <div class="container-fluid">
        <div class="row-fluid">

          <div class="span3">
            <!-- TODO
            <p style="margin-top: -12px">
              <a class="btn btn-mini btn-primary" style="width: 60px">&laquo; previous</a>
              <a class="btn btn-mini btn-primary" style="float: right; margin-right: 8px; width: 60px;">next &raquo;</a>
            </p>
          -->
            <div id="table-of-contents">
              <ul class="nav nav-list side-nav well sidebar-nav-fixed">
                <li class="main"><a href="#authentication">Authentication</a></li>
<li><a href="#how-authentication-is-determined">How authentication is determined</a></li>
<li><a href="#setting-the-authentication-policy">Setting the authentication policy</a></li>
<li class="main"><a href="#api-reference">API Reference</a></li>
<li><a href="#basicauthentication">BasicAuthentication</a></li>
<li><a href="#tokenauthentication">TokenAuthentication</a></li>
<li><a href="#oauthauthentication">OAuthAuthentication</a></li>
<li><a href="#sessionauthentication">SessionAuthentication</a></li>
<li class="main"><a href="#custom-authentication">Custom authentication</a></li>

              </ul>
            </div>
          </div>

          <div id="main-content" class="span9">
            <p><a class="github" href="https://github.com/tomchristie/django-rest-framework/blob/restframework2/rest_framework/authentication.py"><span class="label label-info">authentication.py</span></a></p>
<h1 id="authentication">Authentication</h1>
<blockquote>
<p>Auth needs to be pluggable.</p>
<p>&mdash; Jacob Kaplan-Moss, <a href="http://jacobian.org/writing/rest-worst-practices/">"REST worst practices"</a></p>
</blockquote>
<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with.  The <a href="permissions">permission</a> and <a href="throttling">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> properties are accessed, and determines how those properties are initialized.</p>
<p>The <code>request.user</code> property will typically be set to an instance of the <code>contrib.auth</code> package's <code>User</code> class.</p>
<p>The <code>request.auth</code> property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with.</p>
<h2 id="how-authentication-is-determined">How authentication is determined</h2>
<p>The authentication policy is always defined as a list of classes.  REST framework will attempt to authenticate with each class in the list, and will set <code>request.user</code> and <code>request.auth</code> using the return value of the first class that successfully authenticates.</p>
<p>If no class authenticates, <code>request.user</code> will be set to an instance of <code>django.contrib.auth.models.AnonymousUser</code>, and <code>request.auth</code> will be set to <code>None</code>.</p>
<p>The value of <code>request.user</code> and <code>request.auth</code> for unauthenticated requests can be modified using the <code>UNAUTHENTICATED_USER</code> and <code>UNAUTHENTICATED_TOKEN</code> settings.</p>
<h2 id="setting-the-authentication-policy">Setting the authentication policy</h2>
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION_CLASSES</code> setting.  For example.</p>
<pre class="prettyprint lang-py"><code>REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.UserBasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}
</code></pre>
<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>
<pre class="prettyprint lang-py"><code>class ExampleView(APIView):
    authentication_classes = (SessionAuthentication, UserBasicAuthentication)
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'user': unicode(request.user),  # `django.contrib.auth.User` instance.
            'auth': unicode(request.auth),  # None
        }
        return Response(content)
</code></pre>
<p>Or, if you're using the <code>@api_view</code> decorator with function based views.</p>
<pre class="prettyprint lang-py"><code>@api_view(('GET',)),
@authentication_classes((SessionAuthentication, UserBasicAuthentication))
@permissions_classes((IsAuthenticated,))
def example_view(request, format=None):
    content = {
        'user': unicode(request.user),  # `django.contrib.auth.User` instance.
        'auth': unicode(request.auth),  # None
    }
    return Response(content)
</code></pre>
<h1 id="api-reference">API Reference</h1>
<h2 id="basicauthentication">BasicAuthentication</h2>
<p>This policy uses <a href="http://tools.ietf.org/html/rfc2617">HTTP Basic Authentication</a>, signed against a user's username and password.  Basic authentication is generally only appropriate for testing.</p>
<p>If successfully authenticated, <code>BasicAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
</ul>
<p><strong>Note:</strong> If you use <code>BasicAuthentication</code> in production you must ensure that your API is only available over <code>https</code> only.  You should also ensure that your API clients will always re-request the username and password at login, and will never store those details to persistent storage.</p>
<h2 id="tokenauthentication">TokenAuthentication</h2>
<p>This policy uses a simple token-based HTTP Authentication scheme.  Token authentication is appropriate for client-server setups, such as native desktop and mobile clients.</p>
<p>To use the <code>TokenAuthentication</code> policy, include <code>rest_framework.authtoken</code> in your <code>INSTALLED_APPS</code> setting.</p>
<p>You'll also need to create tokens for your users.</p>
<pre class="prettyprint lang-py"><code>from rest_framework.authtoken.models import Token

token = Token.objects.create(user=...)
print token.key
</code></pre>
<p>For clients to authenticate, the token key should be included in the <code>Authorization</code> HTTP header.  The key should be prefixed by the string literal "Token", with whitespace seperating the two strings.  For example:</p>
<pre class="prettyprint lang-py"><code>Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b
</code></pre>
<p>If successfully authenticated, <code>TokenAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>rest_framework.tokenauth.models.BasicToken</code> instance.</li>
</ul>
<p><strong>Note:</strong> If you use <code>TokenAuthentication</code> in production you must ensure that your API is only available over <code>https</code> only.</p>
<h2 id="oauthauthentication">OAuthAuthentication</h2>
<p>This policy uses the <a href="http://oauth.net/2/">OAuth 2.0</a> protocol to authenticate requests.  OAuth is appropriate for server-server setups, such as when you want to allow a third-party service to access your API on a user's behalf.</p>
<p>If successfully authenticated, <code>OAuthAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be a <code>rest_framework.models.OAuthToken</code> instance.</li>
</ul>
<h2 id="sessionauthentication">SessionAuthentication</h2>
<p>This policy uses Django's default session backend for authentication.  Session authentication is appropriate for AJAX clients that are running in the same session context as your website.</p>
<p>If successfully authenticated, <code>SessionAuthentication</code> provides the following credentials.</p>
<ul>
<li><code>request.user</code> will be a <code>django.contrib.auth.models.User</code> instance.</li>
<li><code>request.auth</code> will be <code>None</code>.</li>
</ul>
<h1 id="custom-authentication">Custom authentication</h1>
<p>To implement a custom authentication policy, subclass <code>BaseAuthentication</code> and override the <code>.authenticate(self, request)</code> method.  The method should return a two-tuple of <code>(user, auth)</code> if authentication succeeds, or <code>None</code> otherwise.</p>
          </div><!--/span-->
        </div><!--/row-->
      </div><!--/.fluid-container-->
    </div><!--/.body content-->

      <div id="push"></div>
  </div><!--/.wrapper -->

  <footer class="span12">
    <p>Sponsored by <a href="http://dabapps.com/">DabApps</a>.</a></p>
  </footer>

    <!-- Le javascript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="http://tomchristie.github.com/django-rest-framework/js/jquery-1.8.1-min.js"></script>
    <script src="http://tomchristie.github.com/django-rest-framework/js/prettify-1.0.js"></script>
    <script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-2.1.1-min.js"></script>
    <script>
      //$('.side-nav').scrollspy()
      var shiftWindow = function() { scrollBy(0, -50) };
      if (location.hash) shiftWindow();
      window.addEventListener("hashchange", shiftWindow);

      $('.dropdown-menu').on('click touchstart', function(event) {
        event.stopPropagation();
      });
    </script>
</body></html>