
A Django app that facilitates authentication using a cookie-based refresh token

Project description

Django-oauth-toolkit-cookie-refresh


Django-oauth-toolkit-cookie-refresh is a Django app that provides REST authentication endpoints which deliver the refresh token in an HttpOnly cookie. It relies on Django REST framework and Django OAuth Toolkit.

Motivation

By default, django-oauth-toolkit sends back both the access token and the refresh token in the response body. This presents a dilemma for web developers as to where to store or persist each token:

  • Web storage (local storage and session storage) is accessible through JavaScript on the same domain. This gives malicious scripts running on your site an opportunity to carry out XSS against your users, which makes web storage unsuitable for storing either access or refresh tokens. There are many scenarios in which XSS can take place, and a number of ways to mitigate them; you can read more about XSS here.
  • Cookies with the HttpOnly flag are not accessible from JavaScript and are therefore not exposed to XSS. However, they may be the target of a CSRF attack because of ambient authority: the browser attaches cookies to requests automatically. Even though a malicious website carrying out CSRF has no way of reading the response to a request made on behalf of the user, it may be able to modify user data if such endpoints exist. This makes HttpOnly cookies unsuitable for storing the access token. There are several ways to mitigate CSRF, such as setting the SameSite attribute of a cookie to "Lax" or "Strict", and using an anti-CSRF token. You can read more about CSRF here.

In addition to the usual XSS and CSRF mitigation techniques, this package delivers the access token and the refresh token to web apps in a specific way that hardens the application against both kinds of attack:

  • Access tokens are, as usual, sent back to clients in the response body. You are expected to design your frontend application so that it never persists access tokens anywhere. They are short-lived, used by the SPA only in memory, and discarded as soon as the user closes the browser tab. Because the browser never attaches them automatically, the access token cannot be used in a CSRF attack against your application.
  • Refresh tokens are sent back to the client in an HttpOnly Set-Cookie header that the browser stores but your own frontend code cannot read. This way, the refresh token is not exposed to an XSS attack against your application. CSRF remains possible, but the attacker cannot use this mechanism to modify your resources even if a CSRF request is successfully sent: in CSRF the attacker cannot read the response even when the malicious request reaches your API endpoint, so the worst they can do is refresh the token on the user's behalf, which causes no damage. The refresh token cookie would also typically carry Domain and Path attributes, so that browsers only attach it to requests to your domain and to the specific URL path used for refreshing tokens, reducing the attack surface further.

Quick start

Install using pip:

pip install django-oauth-toolkit-spa

Or, install from source:

Set up django-oauth-toolkit and Django REST framework if you haven't already:

INSTALLED_APPS = (
    'django.contrib.admin',
    ...,
    'oauth2_provider',
    'rest_framework',
)
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
    )
}

Include the oauth_toolkit_spa URLconf in your project urls.py:

path('auth/', include('oauth_toolkit_spa.urls')),

Settings

This package reuses django-oauth-toolkit's settings, overriding a few default values. The following values are used as defaults unless explicitly specified:

"ACCESS_TOKEN_EXPIRE_SECONDS": 300,
"REFRESH_TOKEN_EXPIRE_SECONDS": 36000,
"REFRESH_COOKIE_NAME": "refresh_token",
"REFRESH_COOKIE_PATH": "/auth"

You can modify these settings by specifying them in the settings for django-oauth-toolkit:

OAUTH2_PROVIDER = {
    ...,
    "ACCESS_TOKEN_EXPIRE_SECONDS": 300,
    "REFRESH_TOKEN_EXPIRE_SECONDS": 36000,
    "REFRESH_COOKIE_NAME": "refresh_token",
    "REFRESH_COOKIE_PATH": "/auth",
    ...
}

If you want to serve the authentication endpoints under a path other than the default, set REFRESH_COOKIE_PATH to that path as a string with a leading slash (/), and use the same path in the URLconf but with a trailing slash (/).
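The following is an added example, not the package's own code, that models the two behaviours described above: splitting the token pair so only the access token is in the JSON body while the refresh token goes into an HttpOnly cookie scoped to REFRESH_COOKIE_PATH, and the RFC 6265 path-match rule that decides which requests the browser attaches that cookie to (so Path=/auth covers /auth/token/ but not /authors/). The Secure and SameSite=Lax attributes are additions of mine; the page only states that the package uses HttpOnly, Domain and Path.

```python
from http.cookies import SimpleCookie

# Default values copied from the package's settings table above.
OAUTH2_PROVIDER = {
    "ACCESS_TOKEN_EXPIRE_SECONDS": 300,
    "REFRESH_TOKEN_EXPIRE_SECONDS": 36000,
    "REFRESH_COOKIE_NAME": "refresh_token",
    "REFRESH_COOKIE_PATH": "/auth",
}


def split_token_response(token_pair, settings=OAUTH2_PROVIDER):
    """Model the response shape the page describes: the access token stays in
    the JSON body (held in SPA memory only); the refresh token is moved into a
    Set-Cookie header scoped to the refresh path."""
    body = {k: v for k, v in token_pair.items() if k != "refresh_token"}
    body["expires_in"] = settings["ACCESS_TOKEN_EXPIRE_SECONDS"]
    name = settings["REFRESH_COOKIE_NAME"]
    cookie = SimpleCookie()
    cookie[name] = token_pair["refresh_token"]
    morsel = cookie[name]
    morsel["httponly"] = True                         # unreadable by page JS (XSS)
    morsel["secure"] = True                           # assumed here: TLS only
    morsel["samesite"] = "Lax"                        # assumed here: no cross-site POSTs
    morsel["path"] = settings["REFRESH_COOKIE_PATH"]  # only attached under /auth
    morsel["max-age"] = settings["REFRESH_TOKEN_EXPIRE_SECONDS"]
    return body, morsel.OutputString()


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: the rule a browser applies when
    deciding whether to attach a cookie with Path=cookie_path to a request."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix match only counts on a "/" boundary, so Path=/auth
    # covers /auth/token/ but not /authors/.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    # Constructed sample token pair, not real credentials.
    body, set_cookie = split_token_response(
        {"access_token": "ACCESS-EXAMPLE", "token_type": "Bearer",
         "refresh_token": "REFRESH-EXAMPLE"}
    )
    print("body:", body)                # no refresh_token key in the JSON body
    print("Set-Cookie:", set_cookie)
    for path in ("/auth/token/", "/authors/", "/api/posts/"):
        sent = cookie_path_matches(OAUTH2_PROVIDER["REFRESH_COOKIE_PATH"], path)
        print(path, "->", "cookie sent" if sent else "cookie not sent")
```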
