Securing Django OAuth Toolkit Views

Asked 17/11, 2016 at 22:32 Answered 1/4, 2019 at 9:24

python django oauth alexa-skills-kit django-oauth

We're looking to implement Django OAuth on our backend in order to integrate Alexa and other 3rd party APIs. We've been following the tutorials on their site (http://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial.html), but have run into a security question that has so far escaped us:

Is there a security concern that any user can access https://<oursite.com>/o/applications? If so, what steps need to be taken to prevent users from accessing these views?

The only relevant questions on SO weren't particularly helpful:

Secure creation of new applications in Django OAuth Toolkit

Disable or restrict /o/applications (django rest framework, oauth2)

Underslung answered 17/11, 2016 at 22:32 Comment(0)

I'm doing a similar thing, and I believe it is a security concern that anyone can see /o/applications - from what I can tell, that page is meant to be a development utility, not a production page. In fact, in the django-oauth-toolkit documentation, they have a code example with more restricted access to views.

from django.conf.urls import url
import oauth2_provider.views as oauth2_views
from django.conf import settings
from .views import ApiEndpoint

# OAuth2 provider endpoints
oauth2_endpoint_views = [
    url(r'^authorize/$', oauth2_views.AuthorizationView.as_view(), name="authorize"),
    url(r'^token/$', oauth2_views.TokenView.as_view(), name="token"),
    url(r'^revoke-token/$', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"),
]

if settings.DEBUG:
    # OAuth2 Application Management endpoints
    oauth2_endpoint_views += [
        url(r'^applications/$', oauth2_views.ApplicationList.as_view(), name="list"),
        url(r'^applications/register/$', oauth2_views.ApplicationRegistration.as_view(), name="register"),
        url(r'^applications/(?P<pk>\d+)/$', oauth2_views.ApplicationDetail.as_view(), name="detail"),
        url(r'^applications/(?P<pk>\d+)/delete/$', oauth2_views.ApplicationDelete.as_view(), name="delete"),
        url(r'^applications/(?P<pk>\d+)/update/$', oauth2_views.ApplicationUpdate.as_view(), name="update"),
    ]

    # OAuth2 Token Management endpoints
    oauth2_endpoint_views += [
        url(r'^authorized-tokens/$', oauth2_views.AuthorizedTokensListView.as_view(), name="authorized-token-list"),
        url(r'^authorized-tokens/(?P<pk>\d+)/delete/$', oauth2_views.AuthorizedTokenDeleteView.as_view(),
            name="authorized-token-delete"),
    ]

urlpatterns = [
    # OAuth 2 endpoints:
    url(r'^o/', include(oauth2_endpoint_views, namespace="oauth2_provider")),

    url(r'^admin/', include(admin.site.urls)),
    url(r'^api/hello', ApiEndpoint.as_view()),  # an example resource endpoint
]

The revoke token view is part of the RFC, so that one is needed. I took a similar approach in my app of only including AuthorizationView, TokenView, and RevokeTokenView.

Hope that helps!

Dichloride answered 24/1, 2017 at 5:20 Comment(2)

docs.djangoproject.com/en/2.0/howto/deployment/checklist says "You must never enable debug in production." Therefore I believe they're giving us a hint that we should implement our own access controls to these sensitive endpoints. – Asynchronism 13/3, 2018 at 15:18

Yep, the sensitive endpoints are entirely optional and should not be used in production ever. In fact, in my case it was easier to just leave them out entirely and manage the authorized applications through Django Admin. – Dichloride 15/3, 2018 at 7:22

It is a security concern, and I suggest restricting access only to superusers with active accounts as in the following code from urls.py:

from django.contrib.auth.decorators import user_passes_test
import oauth2_provider.views as oauth2_views

def is_super(user):
    return user.is_superuser and user.is_active

oauth2_endpoint_views = [
    url(r'^authorize/$', oauth2_views.AuthorizationView.as_view(), name="authorize"),
    url(r'^token/$', oauth2_views.TokenView.as_view(), name="token"),
    url(r'^revoke-token/$', oauth2_views.RevokeTokenView.as_view(), name="revoke-token"),
    # the above are public but we restrict the following:
    url(r'^applications/$', user_passes_test(is_super)(oauth2_views.ApplicationList.as_view()), name="list"),
    ...
]
urlpatterns = [url(r'^o/', include(oauth2_endpoint_views, namespace="oauth2_provider"))]

Asynchronism answered 10/3, 2018 at 15:44 Comment(2)

Hey, I'm not entirely sure how this is exactly relevant, especially since there's no context for what this achieves. – Underslung 11/3, 2018 at 16:57

Gotcha. Makes sense. Thanks. – Underslung 14/3, 2018 at 12:53

To exclude 'applications/' endpoint, import just required urls instead of using whole oauth2_provider.urls:

from oauth2_provider.urls import app_name, base_urlpatterns, management_urlpatterns

urlpatterns = [
    ...
    # oauth2
    path('oauth2/', include((base_urlpatterns, app_name), namespace='oauth2_provider'))
]

Only urls, required for the client app authorization will be added:

oauth2/ ^authorize/$ [name='authorize']
oauth2/ ^token/$ [name='token']
oauth2/ ^revoke_token/$ [name='revoke-token']
oauth2/ ^introspect/$ [name='introspect']

To add/remove applications, you can either use Django admin site, or allow management_urlpatterns for admin users, as in @David Chander answer: https://mcmap.net/q/1425839/-securing-django-oauth-toolkit-views

Nostology answered 1/4, 2019 at 9:24 Comment(0)

Recommended topics

Hot tags