Lab 9 - Authentication

Learn the basics of authentication for web applications. Explore the provided Django Rest Framework applications utilizing HTTP Basic, HTTP Token, and HTTP Session authentication. Understand the high-level intention behind OAuth/OAuth2 and the security implications behind these different authentication schemes.

Fork and clone the authentication lab repository.

Follow the Getting Started instructions and run the application locally.

    virtualenv venv --python=python3
    source venv/bin/activate
    pip install -r requirements
    ./ migrate
    ./ createsuperuser
    ./ runserver

Navigate to the /api route and log into the browsable API. Create a new code snippet.

Question 1: What authentication scheme is used by default in Django Rest Framework's browsable API? How is this managed?

In a new terminal, use httpie to query the API endpoints, first without credentials and then with them:

    http POST code="print(123)"

    http -a username:password POST code="print(123)"

Question 2: What authentication scheme is used by httpie when querying with the -a or --auth option flag?

Configure Token Authentication

Official documentation for Django Rest Framework's TokenAuthentication can be found here.

Within authlab/, add `rest_framework.authtoken` to the INSTALLED_APPS setting and include TokenAuthentication in the Django Rest Framework (REST_FRAMEWORK) settings. The other entries in both settings are left as they are in the lab project:

    INSTALLED_APPS = [
        # ...
        'rest_framework.authtoken',
    ]
    # Django Rest Framework
    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': [
            'rest_framework.authentication.SessionAuthentication',
            'rest_framework.authentication.TokenAuthentication',
        ],
        'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
        'PAGE_SIZE': 10,
    }

Run ./ migrate after changing the settings; the authtoken app ships a migration that creates the table in which tokens are stored.

Register the token model in the Django project admin dashboard. Update client/ to be the following:

    from rest_framework.authtoken.admin import TokenAdmin

    # Select the token's user by id instead of listing every user in a dropdown.
    TokenAdmin.raw_id_fields = ('user',)

Navigate to the Django admin dashboard and create a new token for your user.

Use httpie to create a new code snippet using token authentication. The token is sent in the Authorization header with the `Token` scheme, so the header must be quoted to keep the space:

    http POST \
        "Authorization:Token ${YOUR_TOKEN}" \
        code="print('Token works')"

Question 3: What is the difference between Session Authentication and Token Authentication? How is Token Authentication an improvement over Basic Authentication?
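To make the comparison in Question 3 concrete, here is an added example (not code from the lab repository) that builds the Authorization header httpie sends for `-a username:password` and for a token, and checks both the way DRF's BasicAuthentication and TokenAuthentication do at a minimum. The username, password, token key and token table are constructed for the example.

```python
# Added example, not part of the authlab project: what Basic and Token
# authentication put on the wire, and a minimal server-side check.
import base64
import hmac
from typing import Optional


def basic_header(username: str, password: str) -> str:
    """The header `http -a username:password` sends on every request."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {creds}"


def token_header(key: str) -> str:
    """The header `http "Authorization:Token <key>"` sends."""
    return f"Token {key}"


# Constructed token table: key -> username. DRF keeps the same mapping in the
# table created by the rest_framework.authtoken migration.
TOKENS = {"9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b": "alice"}


def authenticate(authorization: str, users: dict) -> Optional[str]:
    """Return the authenticated username, or None if the header is rejected.
    `users` maps username -> password (constructed; a real app stores hashes)."""
    scheme, _, value = authorization.partition(" ")
    if scheme == "Basic":
        # Base64 is an encoding, not encryption: anyone who sees this header
        # recovers the password, and the client resends it with every request.
        username, _, password = base64.b64decode(value).decode().partition(":")
        if username in users and hmac.compare_digest(users[username], password):
            return username
        return None
    if scheme == "Token":
        # The token is an opaque, server-issued secret tied to one user; it can
        # be revoked by deleting the row, without touching the password.
        return TOKENS.get(value)
    return None  # unknown scheme (for example "Bearer") is not accepted here


def revoke(key: str) -> None:
    """Revoke a token: the same header stops authenticating immediately."""
    TOKENS.pop(key, None)
```

Compare the two headers a proxy or log would record: the Basic one decodes back to the password, while the Token one is useless once the token row is deleted.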

Identity and Authentication

Identity management on the web can be a difficult problem. Consider the following features a good web application may have for identity management:

Question 4: Provide a high-level summary of what happens during an OAuth2 authentication flow. For instance, take the path Log In > Log in with Google: what happens when I click "Log in with Google"?

Optional: Configure your Django project and Django Rest Framework API to utilize OAuth2.