Lab 9 - Authentication


Learn the basics of authentication for web applications. Explore the provided Django Rest Framework applications utilizing HTTP Basic, HTTP Token, and HTTP Session authentication. Understand the high-level intention behind OAuth/OAuth2 and the security implications behind these different authentication schemes.

Fork and clone the authentication lab repository.

Follow the Getting Started instructions and run the application locally.

virtualenv venv --python=python3
source venv/bin/activate
pip install -r requirements
./manage.py migrate
./manage.py createsuperuser
./manage.py runserver

Navigate to the /api route and log into the browsable api. Create a new code snippet.

Question 1: What authentication scheme is used by default in Django Rest Framework's browsable API? How is this managed?

In a new terminal, use httpie to query the api endpoints.

http POST http://127.0.0.1:8000/api/snippets/ code="print(123)"

http -a username:password POST http://127.0.0.1:8000/api/snippets/ code="print(123)"

Question 2: What authentication scheme is used by httpie when querying with the -a or --auth option flag?

Configure Token Authentication

Official documentation can be found here.

Within authlab/settings.py, add rest_framework.authtoken into the INSTALLED_APPS setting. include TokenAuthentication in the Django Rest Framework settings.

INSTALLED_APPS = [
    # ...
    'rest_framework',
    'rest_framework.authtoken'
]

# ...
# Django Rest Framework
REST_FRAMEWORK = {
    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
    'PAGE_SIZE': 10,
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication'
    )
}

Run ./manage.py migrate after changing the settings.

Register the token model in the Django project admin dashboard. Update client/admin.py to be the following:

from rest_framework.authtoken.admin import TokenAdmin

TokenAdmin.raw_id_fields = ('user',)

Navigate to the Django admin dashboard and create a new token for your user.

Use httpie to create a new code snippet using token authentication.

http POST http://127.0.0.1:8000/api/snippets/ \
Authorization:Token\ ${YOUR_TOKEN}\
code="print('Token works')"

Question 3: What is the difference between Session Authentication and Token Authentication? How is Token Authentication an improvement over Basic Authentication?

Identity and Authentication

Identity management on the web can be a difficult problem. Consider the following features a good web application may have for identity management:

Question 4: Provide a high level summary of what happens during an OAuth2 authentication flow. For instance: bitbucket.org > Log In > Log in with Google. What happens when I click "Log in with Google"?

Optional: Configure your Django project and Django Rest Framework API to utilize OAuth2.