Currently, the Django REST framework is configured to use an API token flow, which is best suited for non-interactive clients. Adding an alternative OAuth2/OIDC-based flow could greatly simplify developing interactive applications that interface with the API (automated login) and improve users' security (revoking leaked tokens, easily rotating them, per-client tokens). Moreover, it could enable kurs.oi.edu.pl to seamlessly interface with szkopul, using an oioioi installation as an authentication server for other apps.
I would like to implement this as an optional feature during TAG, as there is a rather popular OAuth2 and OIDC implementation for Django, https://github.com/jazzband/django-oauth-toolkit, which claims to be RFC compliant. However, authentication is a mission-critical part of oioioi and any bugs could prove catastrophic (for example, the linked oauth-toolkit allows all users to register clients by default, which is a really bad idea). OAuth could also be considered bloat for most installations.