How to make a full fledged REST API with Django OAuth Toolkit
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Teil | 50 | |
| Anzahl der Teile | 119 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/20036 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache | ||
| Produktionsort | Berlin |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
| |
| Schlagwörter |
EuroPython 201450 / 119
1
2
9
10
11
13
15
17
22
23
24
27
28
41
44
46
49
56
78
79
80
81
84
97
98
99
101
102
104
105
107
109
110
111
112
113
116
118
119
00:00
SynchronisierungEmulationREST <Informatik>SoftwareentwicklerComputeranimationVorlesung/Konferenz
00:35
REST <Informatik>MultiplikationsoperatorVorlesung/Konferenz
01:13
Weg <Topologie>Gleitendes MittelMultiplikationsoperatorDialektW3C-StandardInformationsmanagementDienst <Informatik>Framework <Informatik>Innerer PunktSpezielle unitäre GruppeEndliche ModelltheorieMehrwertnetzVarianzRechenwerkMetropolitan area networkCOMDatenmodellSichtenkonzeptAuthentifikationExogene VariableDateiformatMAPGesetz <Physik>SummierbarkeitURNCodeCodierungModelltheorieFormale SemantikSoftwaretestTaskArithmetisches MittelBildschirmmaskeIndexberechnungProjektive EbeneExogene VariableSerielle SchnittstelleInstantiierungDatenfeldPunktVererbungshierarchieKlasse <Mathematik>SchnittmengeAuthentifikationKartesische KoordinatenInteraktives FernsehenBrowserMailing-ListeFramework <Informatik>SichtenkonzeptDifferenteKontrast <Statistik>SelbstrepräsentationSystemplattformObjekt <Kategorie>Front-End <Software>MultiplikationsoperatorZweiDienst <Informatik>BenutzerbeteiligungVolumenvisualisierungWeb-ApplikationHumanoider RoboterREST <Informatik>DefaultTwitter <Softwareplattform>SoftwareentwicklerEinsParserDateiformatTextbausteinComputeranimation
08:47
QuantenzustandMetropolitan area networkMehrwertnetzLokales MinimumGleitendes MittelKlasse <Mathematik>SichtenkonzeptApp <Programm>ClientAutorisierungPasswortSCI <Informatik>Mailing-ListeGewicht <Ausgleichsrechnung>Framework <Informatik>CASE <Informatik>ServerKanal <Bildverarbeitung>CodeDatenflussAuthentifikationToken-RingCOMSoftware Development KitURNSoftwareentwicklerBildschirmmaskeCodeMustererkennungTopologieProgrammbibliothekIntegralCOMGeometrische QuantisierungResultanteStichprobenumfangTermDatenflussAbfrageServerExogene VariableGewicht <Ausgleichsrechnung>Serielle SchnittstelleCASE <Informatik>Anpassung <Mathematik>Coxeter-GruppeUltraviolett-PhotoelektronenspektroskopieFormation <Mathematik>PunktKlasse <Mathematik>Spezielle unitäre GruppeDatentransferKartesische KoordinatenInteraktives FernsehenBeobachtungsstudieBrowserFramework <Informatik>ClientWeg <Topologie>PasswortSchlüsselverwaltungAutorisierungMultiplikationsoperatorDatenreplikationSchlussregelDienst <Informatik>Office-PaketHumanoider RoboterDefaultBildschirmmaskeAuthentifikationService providerTextbausteinSichtenkonzeptGenerizitätFront-End <Software>URLSoftwareentwicklerApp <Programm>Computeranimation
16:22
Spezielle unitäre GruppeSoftwaretestAutorisierungCodeURNCAN-BusPunktKartesische KoordinatenAutorisierungSoftwareentwicklerSichtenkonzeptProgramm/QuellcodeXMLJSON
16:47
URNNetzwerkbetriebssystemWurzel <Mathematik>RechenwerkBrennen <Datenverarbeitung>Neuronales NetzRuhmasseInnerer PunktCAN-BusKartesische KoordinatenClientFramework <Informatik>Programm/QuellcodeXML
17:30
URNWurzel <Mathematik>DreiNetzwerkbetriebssystemSystemaufrufZeitbereichMetropolitan area networkMenütechnikCAN-BusTotal <Mathematik>CodeBildschirmmaskeIndexberechnungE-MailExogene VariableKartesische KoordinatenMailing-ListeClientAutorisierungAuthentifikationURLProgramm/Quellcode
19:36
SoftwaretestAutorisierungCodeNormierter RaumOffene MengeInformationsspeicherungHilfesystemBenutzerschnittstellenverwaltungssystemOffene MengeInformationsspeicherungKartesische KoordinatenHilfesystemMultiplikationsoperatorOffice-PaketAutomatische HandlungsplanungComputersicherheitComputeranimation
20:08
ImplementierungMereologieServerFramework <Informatik>ClientAutorisierungTwitter <Softwareplattform>UmwandlungsenthalpieVorlesung/Konferenz
21:10
CodeModelltheorieMAPGruppenoperationMereologieServerSerielle SchnittstelleCoxeter-GruppeKlasse <Mathematik>AutorisierungObjekt <Kategorie>Rechter WinkelDienst <Informatik>VererbungshierarchieKomponente <Software>Vorlesung/Konferenz
23:05
AbfrageInstantiierungFilter <Informatik>Vorlesung/Konferenz
23:39
Vorlesung/Konferenz
Transkript: Englisch(automatisch erzeugt)
00:15
Okay, ready for the next talk, then? This is Federico who is a C++ and Python developer at Evernote, and he's going to
00:29
talk about how to make a full-fledged REST API with Django and OAuth toolkit. Over to you.
00:44
Hi everyone, so the goal of this talk is to show you how to create a REST API protected with OAuth tool, but first I want to tell you how you should know how to
01:08
tell you a story. So let me introduce you to this small and simple application, the time tracker, which
01:21
is of course a web application that tracks, allows the users to track the time they spend on their activities. And, at the beginning, at first, I had to choose to pick one tool, which was Django,
01:43
and I had one single big project, and I deployed it once, and everything was fine, more or less, but as he used to sing, the times, they are changing, and what has changed?
02:02
Actually, well, front-end development has changed a lot, sorry, today we have a lot of web front-end frameworks, and that allows you to create amazing front-end applications,
02:24
and they have their own development tools, to build, to test, and to run the application, and so they are completely separate applications, and I also had to support multiple devices,
02:44
which means to support different browsers, and different platforms, but I should also take care of the native applications, so I ended up with a lot of projects, I had
03:09
time tracker backend, time tracker web, which is the web front-end application, and the android project, the IIS project, and the desktop application, you know, for the old
03:27
desktops, and moreover, there are third-party services that wants to connect with my time
03:40
tracker application, they want to send me data, they want to read data from my time tracker applications, so what happens in the backend application, what's in the backend application, there is a service that exposes an amazing and reliable REST API, and this
04:04
is the recipe, Django, Django REST framework, and Django OAuth toolkit, these are the models, they are really really simple, there is the activity and the time entry, which is the model
04:24
that allows us to track the user, the time that a user spends on an activity or a task, and these are the endpoints that I want to create, on the most left column,
04:44
the URL, the HTTP method supported, and the semantic meaning of each method, so, for example, the first row, slash API slash activities, if you send a GET request, you get back
05:06
a list of the available activities. To create the endpoint, I need you to, I need you, I need
05:22
five minutes, so the first thing you have to do is to serialize your data, and this is really really straightforward in Django REST framework, you can use this base class, serializer, and this works just like Django forms, so you just define the fields you
05:43
need, and add some code to restore or create the instance of the model from its serialized representation, and then you can use, easily use the serializer, and you'll get back a dictionary representation of your object.
06:06
Of course, this is boilerplate code, which should be repeated for every model of your application, but you can avoid to write that code using model serializer, which allows you
06:23
to just specify which is the model you are serializing, you want to serialize. Then we have to create the views, the endpoints, and what do we need? We need, of course, to respect the semantic meaning, but we should take care of the user
06:48
authentication, and also we should take care of permission checks, also sometimes object-level permissions, sometimes you need to paginate your endpoints because you get a lot of results,
07:06
and also you want maybe to handle response and request formatting to support, for example, JSON, XML, YAML, so this is a lot of stuff, but you just keep calm and use Django REST
07:22
framework, because Django's framework is really, has a lot of settings that allows you to customize its behavior, its default behavior, these are just a small example, the first one allows you to define which is the class that takes care of the user authentication, and then we have the
07:49
default permission class, so if you're not authenticated, you won't get anything, just 403, and the default renderer and default parser for the formatting,
08:07
for the format. Well, to create the endpoint, you can use the API view based class provided by Django REST framework, which allows you to add some code to the handler meters,
08:24
and this class will use, this base class will use the settings, we can see here, to realize, to create an endpoint with the correct behavior, with the behavior you want, and well, the code, it is really, really easy to understand,
08:50
here we have the query set to retrieve all the activities, we serialize the query set, and return the serialized response, and of course, this is boilerplate code, so you can
09:10
you have to repeat this code, 44 endpoints, but you can avoid to write this code using the generic class-based view provided by Django REST framework,
09:26
here you just need to specify which is the base query set and the serializer class you want to use, there is also a built-in browsable API provided by Django REST framework,
09:44
which we are going to see at the end of the talk, so the next step is how do you authorize client applications, I mean, your applications like the time tracker
10:02
Android and the time tracker iOS, they need to be authorized to talk to the time tracker backend API, and also there are third-party apps that want to access your users' data, so you need an authorization, you need some authorization engine behind,
10:27
if you don't have this authorization engine, these are the problems you're going to face, first of all, you have to store, the first solution without the
10:45
authorization framework is to store the user password in the application, which is not good, of course, because the application gets a full access to the user account, and if the user wants to revoke the access to
11:07
the application, he needs to change his password, so also compromised apps can expose the user password and username, this is the solution,
11:29
the auth2 authorization framework, so how does it work, and I want to explain how it works using this simple use case, so imagine that there is a songify
11:49
music streaming service that wants to connect with the time tracker application, so their users can track their listening activities on the time tracker application,
12:09
these are the actors, this terminology is the same used in the RFC,
12:21
in the auth2 RFC, and I'm just trying to translate these terms to this use case, so the results owner is of course the user, the resource server is the time tracker API, and the authorization server in this case is the same as the results server, and the client
12:44
is the songify application, I want to explain you what the auth2 authorization framework defines four flows, four authorization flows, I want to show you how one of these flows work,
13:02
this is the most popular one, the authorization code flow, so the first step is when the client registers with the authorization server, and the authorization server provides a client ID and a client secret, the client of course is the songify application, so there is someone
13:26
at songify that for example goes to developer.timetracker.com, add a developer application, and it gets back a client ID and a client secret key, the second step
13:46
is when the songify application redirects the user to the time tracker application via its user agent, via its browser for instance, and next the time tracker application authenticates
14:11
the user and obtains the authorization to communicate with the songify application
14:23
from the user, now the time tracker application redirects the user back to the songify application with an authorization code, which is later exchanged for a token, and the token
14:40
can be used by the client to authenticate requests, how to do that in Django? With Django our toolkit of course, which supports Django from 1.4 to 1.7, Python 2 and Python 3, and it is built on top of altlib, which actually is a really great library,
15:08
it takes care of the compliance with the RFC, we just wrote some glue code, and its integration with Django is really really easy, you add the alt2 provider application
15:25
to the installed apps, add our URLs to your patterns, and you can create a protected endpoint using our generic protected resource view, and here you have an API,
15:44
an endpoint which is protected with alt2, now it comes with batteries included, so we have built-in views to register developer apps and a form view for the user for the user
16:02
authorization, it is integrated with Django rest framework, you just need to switch the default authentication classes with the one provided by Django toolkit package, and now I want to show you how it works, so these are the steps,
16:28
we are going to the authorization, first we are going to create a developer application, then we are going to simulate the step when the user is redirected to the authorization
16:46
endpoint, so here you can see this is one of the built-in views to register new developer applications, so you create new application, you add the name, here you have your client ID
17:07
and client secret, you can choose these are details from the alt2 framework, anyway I got my songify application ready, here it is, so
17:27
we can just use this one to step one, the songify application is redirecting the user agent
17:46
of the user to the authorization form, but first the user has to authenticate, and now the application is asking for my authorization, and we authorize, of course,
18:13
come on, okay, of course this should be the URL of the client application, so songify.com
18:28
for example, now we can take this authorization code, just substitute the code here, and we are going to exchange the code to obtain a token, here is the response, and
18:54
the token can be used to create a proper request with this header authorization bearer
19:05
with the token, so just want to show you that I'm not lying, if I try to get the list of the activities, just tell me that I'm missing the authentications credential, if I use
19:28
my new token, I can get back the list of the activities, so, and that's all, the future plans for Django toolkit are to support alt1, maybe add support for the open ID connector,
19:47
RFC, which I really don't know, I still have to read the paper, and add no secure storage, storage support for the application's storage, so we need some help, and thank you, that's all.
20:16
Any questions, please, anyone? First, thank you for your talk, my question is,
20:38
can we use the same framework to post tweets on Twitter? No, Django toolkit actually is the
20:47
implementation of the server side part of the outer specification, so if you want to send tweets to Twitter, you need a client side implementation of the alt2
21:08
RFC, the authorization framework. In your examples, the authorization server was always the same as the actual service, with your toolkit, can you make two services,
21:26
can you separate out the authorization part? Actually, we have to work to keep the resource server and the authorization server separated, yes, but maybe
21:43
you can, actually you have to write some more code to keep the authorization server and the so if you want to expose your API differently, your resources differently from the actual model
22:07
definition, can you simply handle that in the serializer class so you don't have to use the Django and the serializer? Yes, of course, you just use serializer, if your data is, for example, MongoDB, you just use the serializer base class
22:29
to write your own serializer and it just works, you have to write some more code, but it works, it is okay. Okay, thanks. You're welcome. Hello, thanks for your talk,
22:44
what are you using for object ownership? Sorry? Object ownership, so how do you say this object belongs to this user and I only showed this request coming from this user? Oh,
23:02
well, this is object level permission. But you are using any component for that? We are just filtering the query set, looking at the, well, actually, okay,
23:21
sometimes we can get back which is the user bound to the token, okay, and with the user instance you can filter the query set. This is a solution, really simple solution. Any more questions?
23:44
Okay, thank you very much.