Token Authentication for RESTful API: should the token be periodically changed?

庸人自扰 2020-12-02 03:20

I'm building a RESTful API with Django and django-rest-framework.

As the authentication mechanism we have chosen "Token Authentication" and I have already implemented

10 answers
    夕颜 (OP)
    2020-12-02 03:58

    Thought I'd give a Django 2.0 answer using DRY. Somebody already built this out for us, google Django OAuth ToolKit. Available with pip, pip install django-oauth-toolkit. Instructions on adding the token ViewSets with routers: https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html. It's similar to the official tutorial.

    So basically OAuth 1.0 was more yesterday's security, which is what TokenAuthentication is. To get fancy expiring tokens, OAuth 2.0 is all the rage these days. You get an AccessToken, a RefreshToken, and a scope variable to fine-tune the permissions. You end up with creds like this:

    {
        "access_token": "",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "",
        "scope": "read"
    }
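The expiring access token plus refresh token flow this answer describes, as an added example that is not from the original post and not django-oauth-toolkit's code: a constructed in-memory store with an injectable clock that mints the credential shape shown above, rejects expired bearer tokens, and rotates refresh tokens. The reuse-detection step (replaying a spent refresh token revokes the user's tokens) goes beyond the answer and is an assumption about how a practitioner would harden the flow.

```python
import secrets
import time

ACCESS_TTL = 3600  # matches "expires_in": 3600 in the credential above


class TokenStore:
    """Constructed in-memory token store (illustrative, not a DRF component)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.access = {}        # access_token -> (user, scope, expires_at)
        self.refresh = {}       # refresh_token -> (user, scope, spent)

    def issue(self, user, scope="read"):
        """Mint a fresh access/refresh pair shaped like the answer's credential."""
        now = self.clock()
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (user, scope, now + ACCESS_TTL)
        self.refresh[r] = (user, scope, False)
        return {"access_token": a, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": r, "scope": scope}

    def authenticate(self, header):
        """Validate an Authorization header; None when missing, unknown or expired."""
        if not header or not header.startswith("Bearer "):
            return None
        rec = self.access.get(header[len("Bearer "):])
        if rec is None or rec[2] <= self.clock():
            return None
        return {"user": rec[0], "scope": rec[1]}

    def refresh_pair(self, refresh_token):
        """Rotate: each refresh token is single-use; reuse revokes the whole family."""
        rec = self.refresh.get(refresh_token)
        if rec is None:
            return None
        user, scope, spent = rec
        if spent:
            # A spent refresh token being replayed suggests it leaked: cut off the user.
            self.revoke_user(user)
            return None
        self.refresh[refresh_token] = (user, scope, True)
        return self.issue(user, scope)

    def revoke_user(self, user):
        """Drop every access and refresh token belonging to one user."""
        self.access = {k: v for k, v in self.access.items() if v[0] != user}
        self.refresh = {k: v for k, v in self.refresh.items() if v[0] != user}
```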
    
