New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How does it work? #58
Comments
How do you try to login? I suspect a config issue. Have a look at the docs, LoginView is explained quite detailed: rest-knox will only give tokens to users that are authenticated. Simply because if you have a token you no longer need to access the LoginView. And if you don't have a token, rest-knox does not know who you are. You need password and username to receive a token. To make your user authenticated, you can e.g. use a form that creates a django session or BasicAuth where you send the credentials per post request. But don't try to send a token to knox's LoginView. e.g. with httpie On success, you will receive a token that you then use for any following request. Django provides views for authenticating via a form out of the box. See last code box under this caption: Hope that clears up your misunderstanding. |
Mmhh maybe I don't get how Knox works. I'm currently using django-rest-auth with all-auth. My current workflow is:
What should be the Knox' workflow? |
Starting from your 3rd bullet point rest-knox will act differently. It will create a new token and not return the existing one. You can look at the tests to see how it behaves: https://github.com/James1345/django-rest-knox/blob/master/tests/tests.py#L20 |
Ok thank you for your reply. I think you're right, the 401 error should be caused by a setting issue. I will try to find this issue and come back here to give more informations. |
This thread is really helpful, but just a quick follow-up: If I need to authenticate the user through some method that takes username and password (as described by @BenDevelopment), what does the Knox LoginView actually do? |
Hi! |
Hi, absolutely, sorry. The view that knox calls the "LoginView". I've read the code, and I see that amongst other things, it provides an auth token. My question, basically, is that since I apparently need to already have an auth token to access the view, what is the point of this view? In what sense does it actually Log me in, since I already have a token? I hope I've explained that a bit more clearly. I really appreciate your responsiveness! |
Ah no problem, well it's true that one is confusing. So if you setup, say, basic-auth in the default authentication class, you would be able to authenticate to that view via basic-auth. If you look at the logout view, it's using the TokenAuthentication only so it won't work with basic-auth but only with the token: I hope this clarifies things 😉 |
I still find it confusing myself, each time relearning it :D |
Ah, that makes much more sense. So I should restrict the login view to Basic Auth, and then all other views to Token Auth, using the token obtained by the login view? |
Exactly, yes 👍🏻 |
Thank you so much for your help, and patience! |
This information should be in the documentation. I'm used to OAuth, and this is my first time using token authentication. Based on the documentation as written, I believed I could POST username and password to the login end point to get a token. This is not the case. I still need a login page of some sort (seemingly server-side), and the session generated from that login is exchanged for a token. This seems unnecessarily complicated; although, I admit I could be missing something from a security perspective. |
@clintonb feel free to contribute to the docs. Also the login view is provided for you, and you can just issue a POST to it with the proper headers, as I explained above it’s using DRF’s authentication settings. Not sure what you mean by needing a login page... if you want to log users in, you need a login page... right? |
@johnraz thanks. The error was on my end. My Docs PR is forthcoming. |
Also as you mentioned react, I thought I would also strongly advise against storing any token client side on a web application but use a more traditional cookie based session, auth0’s documentation is pretty clear about it: https://auth0.com/docs/security/store-tokens#don-t-store-tokens-in-local-storage and this article is a bit more opiniated but draws a good picture of why you shouldn’t store anything like a secret anywhere else than in an HTTP only cookie: https://dev.to/rdegges/please-stop-using-local-storage-1i04 and finally owasp’s words: cheers |
@johnraz thanks for the info. Given this info, does it make sense to use token-based authentication at all for web clients? I'm getting the sense that I should stick with Soapbox: This is all a bit confusing since nearly every blog post/tutorial on integrating DRF and React makes use of local storage. This is one of the reasons I don't enjoy frontend development. |
I use session auth for my web frontend - all the time unless I really dont care about security which really never happened 😂 I was also amazed at how misleading online resources are on the subject... Mobile and server to server communication are indeed the right candidate for token based auth. |
Can someone provide a short example or tutorial to explain how knox works? I have a DRF backend app and many client (web, ios, android). I would like to add some imprivment to my backend to allow the user to have a different token by client.
But when I try to login trough
api/auth/login/
endpoint, I got a error 401.When I look at the code, the LoginView need the user to be logged in. How is it possible to be logged in in the LoginView (that doesn't makes sens for me ^^)?
Thank you for your help!
The text was updated successfully, but these errors were encountered: