Consumer

Consumer Authentication

At the root of authentication and authorization is the consumer. A consumer record lets us verify that the user exists and authenticate the request by its OAuth 1.0a signature. Using this information, each endpoint can then decide whether a given consumer has access to the requested resource.

By default, OauthConsumer is used. This can be overridden with the DECLARATIVE_ENDPOINT_CONSUMER_GETTER Django config setting, which must be implemented as a function that takes a single parameter (key).

Consumer creation is straightforward. If unspecified, the key and secret are auto-generated:

In [1]: from django_declarative_apis import models
In [2]: consumer = models.OauthConsumer.objects.create(name='test_user')
In [3]: consumer.__dict__
Out[3]:{'content_type_id': None,
 'id': 1,
 'key': 'j5wPDAvtYsArfZ5Lo5',
 'name': 'test_user',
 'object_id': None,
 'secret': 'FM3wNWMj34JmzqFFRzPwe3QvOjE9X4Xu',
 'type': 'RW'}
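
How a consumer key and secret like the ones above take part in an OAuth 1.0a HMAC-SHA1 signature check (RFC 5849), as an added example that is not the library's own code. The URL, nonce, timestamp, extra parameter and all function names are constructed for illustration, and the URL is assumed to be already normalized with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def _enc(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Section 3.4.1: encode, sort and join every parameter except oauth_signature
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: HMAC key is "<consumer secret>&<token secret>";
    # the token secret is empty when only a consumer is involved
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify_request(method, url, params, lookup_secret):
    # lookup_secret(key) -> secret or None: hypothetical stand-in for a consumer lookup
    secret = lookup_secret(params.get("oauth_consumer_key"))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign_hmac_sha1(method, url, params, secret)
    supplied = str(params.get("oauth_signature", ""))
    # Constant-time comparison: do not leak how many signature bytes matched
    return hmac.compare_digest(expected.encode(), supplied.encode())

# Constructed sample request, signed with the key and secret from the session above
CONSUMERS = {"j5wPDAvtYsArfZ5Lo5": "FM3wNWMj34JmzqFFRzPwe3QvOjE9X4Xu"}
URL = "https://api.example.com/v1/items"
PARAMS = {
    "oauth_consumer_key": "j5wPDAvtYsArfZ5Lo5",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "status": "open",
}
PARAMS["oauth_signature"] = sign_hmac_sha1(
    "GET", URL, PARAMS, CONSUMERS[PARAMS["oauth_consumer_key"]])
```

This covers only the signature comparison; RFC 5849 also expects the server to reject stale timestamps and reused nonces.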

Endpoint Authorization

Consumers are authenticated automatically when using any endpoint definition class that derives from EndpointDefinition. Rudimentary authorization (read-only vs read-write) is implemented as well. If an endpoint is defined with is_read_only = False and a consumer has been created with consumer.type = OauthConsumer.TYPE_READ_ONLY, the request will be rejected. If more complex logic is required (e.g. the resource must belong to the requesting consumer), is_authorized(self) can be overridden.

Example

from django_declarative_apis import machinery

class MyEndpointDefinition(machinery.EndpointDefinition):
    def is_authorized(self):
        return self.request.consumer.id == self.resource.owner_id

BaseConsumer

class django_declarative_apis.models.BaseConsumer(*args, **kwargs)[source]

BaseConsumer is the base class shared by all consumers. It implements Django’s GenericForeignKey to find what the consumer is supposed to point to, which could be the service calling the API to perform authentication, or it could be a mobile app instance. You can also set the read and write privileges of the consumer using TYPE_READ_ONLY and TYPE_READ_WRITE.

OAuthConsumer

class django_declarative_apis.models.OauthConsumer(*args, **kwargs)[source]

Bases: BaseConsumer

OauthConsumer inherits from BaseConsumer and is based on OAuth 1.0a. It adds the additional properties of key, secret, and rsa_public_key_pem.

Example

from django_declarative_apis import models

# The model class is named OauthConsumer (lowercase "auth")
consumer = models.OauthConsumer.objects.create()

# consumer will have:
# consumer.content_type_id
# consumer.id
# consumer.key
# consumer.name
# consumer.object_id
# consumer.secret
# consumer.type

exception DoesNotExist

Bases: ObjectDoesNotExist

exception MultipleObjectsReturned

Bases: MultipleObjectsReturned

key

Consumer key as defined by OAuth 1.0a