Django Oauth Toolkit Application Settings

Question

Django Oauth Toolkit docs don't describe the redirect uris, authorization grant type, or client type fields when registering your application.

The tutorial says to set client type to confidential, grant type to password, and leave uris blank.

What do the other options do?

e.g. What is client type public vs confidential? What do the grant type password, credentials, authorization, implicit do? And what are the redirect uris for?

I have found sparse information about them but no actual explanations as they pertain to django rest framework and django oauth toolkit.

Answer 1

You'll get answer to all your questions once you read about Oauth2 Protocol from here

But I'll try to answer your questions in brief:

I'll be using the words client and Resource Server frequently. In Oauth2 protocol, client means the system which accesses resources, data or service. (It could be your mobile app or javascript app consuming REST API's of your API Backend (or Resource Server) . If you have implemented Facebook login in your mobile/JS apps, chances are, your API backend requests Facebook for user's information. In that case your API backend is being a client and Facebook is Resource Server)

Client Types:

Client type is either confidential or public depending on whether that client can keep it's client_secret a secret. (For example, an AngularJS app cannot keep it's client_secret hidden, since anyone can do "Inspect Element" in a browser and search for it, so such a client has to be registered as public.)

Authorization Grant Types:

There are four kinds of Authorization Grant Types in Oauth2 protocol.

1. Authorization Code:

   In this grant type, the client requests for an authorization code first, then exchanges that authorization code for an access token. It's a two step procedure. Use this if the client is an outsider (more on it in Resource-owner password based).

2. Implicit:

   Usually used along with public client_type. Instead of a two-step procedure above, the client gets access token in one go.

3. Resource-owner password based:

   This is used when there is a high degree of trust between client and Resource Server. This is the case between your API backend and your Mobile app. (There is high degree of trust between your API backend and Javascript app too, but since it cannot keep it's client_secret a secret, you have to use Implicit Grant type with it). Facebook or Google etc. will never give you this kind of Authorization Grant because, for them, your API backend is an outsider.

4. Client Credentials:

   It is least commonly used. Please read about it in above mentioned document.

Redirect URI's:

Now, as far as Redirect URI's are concerned, they are needed only in Authorization Code or Implicit grant types (Not sure about Client Credentials one, somebody please enlighten me on this in comments). Redirect URI is given so that the Resource Server knows where to send the access token. Imagine if you are implementing Facebook login. In that case you will go to developers.facebook.com and register your application (like you did with django-oauth-toolkit), while registering your application, you will specify a Redirect URI.

Specifying a Redirect URI is a way of saying. "Hey Facebook, send the access token on this URI". So if you set Redirect URI something like https://your_domain_name.com/token/facebook/, Facebook will redirect to your specified Redirect URI at the end of Oauth2 process and give Access Token in the form of GET parameter, like https://your_domain_name.com/token/facebook/?token=some_long_string&some=other_parameters.