Adding barebones oauth support is pretty trivial when using django-oauth-toolkit and this commit demonstrates the MVP. In a debug environment as per the docs one can use /o/applications/ to register an oauth2 app with ex;

Client Type: confidential
Authorization Grant Type: Resource owner password-based

then retrieve an access token for admin (after replacing <client_id>, <client_secret> with the appropriate values) using curl;

curl -X POST -d "grant_type=password&username=admin&password=admin" -u"<client_id>:<client_secret>" http://localhost:8000/o/token/

and authenticate API calls via the access token (using the bearer scheme) which can be refreshed with the refresh token as in the spec. Other oauth2 flows work out of the box as well. In a production environment, I would implement special admin pages for managing the applications, and add config options for enabling oauth/defining clients. The toolkit package also adds some new migrations for the oauth-related models which have to be applied in current installations.

The things to consider are;

• Using OIDC
• What should be included in a default installation
• What means of configuration would be preferred (defining clients statically in config files/managing them via a webui)

This pull request would be very useful for the upcoming TAG semester, in my opinion, as it greatly simplifies creating discrete applications that interconnect with oioioi installations.