
So I am using DRF Social OAuth2 to implement social authentication in DRF.

While setting up settings.py we need to do many things, like adding some apps to installed apps, etc.

We also need to set these two settings:

SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = 'google_client_id'
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = 'google_client_secret'

But as we create a Google console app for Android, it does not provide any secret but only a client_id.

What I did is I just removed SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = 'google_client_secret' from the settings, and my API still worked fine. It gave the response without any errors.

After that, I tried to remove SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = 'google_client_id' as well, and still my API worked fine.

So I am now confused: why do we use them? Why is my app working fine even without a client_id and secret?

This is how I send the request:

http://127.0.0.1:8000/social/auth/token

Body of the request:

{
    "grant_type": "password",
    "username": "myusername",
    "password": "mypassword",
    "client_id": "client id created in my backend when creating a new application for the social login (different from google client id)",
    "client_secret": "client secret created in my backend when creating a new application for the social login (different from google client secret)"
}

OUTPUT:

{
  "access_token": "some_token",
  "expires_in": 36000,
  "token_type": "Bearer",
  "scope": "read write",
  "refresh_token": "some_other_token"
}

Another request to save a user:

http://127.0.0.1:8000/social/auth/convert_token

{
    "token": "token received from frontend from google",
    "backend": "google-oauth2",
    "grant_type": "convert_token",
    "client_id": "...",
    "client_secret": "..."
}

OUTPUT is the same as for the first request, and it also adds the details to the database.

Irfan wani
  • Does it still work even if you ask for a new access token? – Brian Destura Aug 15 '21 at 07:59
  • Yes it works. Let me edit my question to show how I send the request. – Irfan wani Aug 15 '21 at 08:12
  • Ok did you build the request manually? If you are not using `SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET`, where did the value in the request come from? – Brian Destura Aug 15 '21 at 12:40
  • As I mentioned in the question, I am using DRF Social OAuth2, which provides these credentials while setting up an application for the social authentication. – Irfan wani Aug 15 '21 at 12:53
  • First I thought that maybe it is just creating the tokens, but I am really surprised to see that it is able to access the Google account data and store that in the database. – Irfan wani Aug 15 '21 at 13:04
  • Is it possible that the data can be obtained from the token provided by Google? – Irfan wani Aug 15 '21 at 13:07
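The convert_token path in the question only ever presents the Google access token itself to Google's userinfo endpoint, which is why the Google client secret is not needed for it. The stand-in below is an added example written for this thread, not code from drf-social-oauth2 or python-social-auth: it models that profile fetch, and adds the audience check a backend should do so that a Google token minted for a different application is not accepted. The HTTP function is injected and replaced with a constructed offline fake; the client IDs and tokens are placeholders.

```python
from typing import Any, Callable, Dict

# Google endpoints (real URLs); the HTTP getter is injected so this runs offline.
USERINFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
HttpGet = Callable[[str, Dict[str, str]], Dict[str, Any]]


def fetch_google_profile(access_token: str, http_get: HttpGet) -> Dict[str, Any]:
    """What a convert_token flow needs from Google: only the bearer token.
    No client secret is sent on this path, so leaving the secret out of
    settings does not break it."""
    return http_get(USERINFO_URL, {"Authorization": f"Bearer {access_token}"})


def token_issued_for_app(access_token: str, expected_client_id: str,
                         http_get: HttpGet) -> bool:
    """Defensive check before trusting a frontend-supplied token: the token's
    audience (aud) must be *our* Google client ID. This is where the client ID
    earns its keep even though profile retrieval alone works without it."""
    info = http_get(f"{TOKENINFO_URL}?access_token={access_token}", {})
    if "error" in info:
        return False
    return info.get("aud") == expected_client_id and int(info.get("expires_in", 0)) > 0


# ---- constructed offline stand-in for Google (placeholder IDs and tokens) ----
OUR_CLIENT_ID = "EXAMPLE-OUR-ID.apps.googleusercontent.com"
_FAKE_TOKENS = {
    "good-token": {"aud": OUR_CLIENT_ID, "expires_in": "3599",
                   "sub": "1001", "email": "alice@example.com"},
    "other-app":  {"aud": "EXAMPLE-OTHER-ID.apps.googleusercontent.com",
                   "expires_in": "3599", "sub": "2002", "email": "bob@example.com"},
}


def fake_google_get(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Answers like Google would: userinfo returns a profile for any live token,
    tokeninfo reports the token's audience; unknown tokens yield an error."""
    if url.startswith(TOKENINFO_URL):
        token = url.split("access_token=", 1)[1]
        return _FAKE_TOKENS.get(token, {"error": "invalid_token"})
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    rec = _FAKE_TOKENS.get(token)
    if rec is None:
        return {"error": "invalid_token"}
    return {"sub": rec["sub"], "email": rec["email"]}
```

Note that fake_google_get hands back Bob's profile for the other-app token just as readily as Alice's, so the profile fetch alone cannot tell the two apart; only the audience check does.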

1 Answer

I hope you have solved this already. First things first, the endpoints in drf-social-oauth2 do not have the social/ before the auth/. You can check the endpoints demonstration here: https://github.com/wagnerdelima/drf-social-oauth2#testing-the-setup.

So you should fire to http://127.0.0.1:8000/auth/convert_token.

I don't know why the response is being positive since you removed the valid client and secret ids. However, your newly generated tokens are not necessarily valid since they have not been generated with valid credentials, you see?

P.S: I am the main maintainer of drf-social-oauth2.

wagnerdelima
  • Having social in the URL is not a big deal. I did it while setting the URLs. So of course, that is not a wrong thing. You should check django-urls and how we set them. – Irfan wani Dec 28 '21 at 04:25