mahieyin-rahmun / NextJsWithDRFExample

This repository contains the code for a two-part article series that deals with connecting a Django Rest Framework backend with a Next.js + Next-Auth client with Social Authentication. In this example, we use OAuth with Google, but this can be extended to any arbitrary number of Providers.

Home Page: https://mahieyin-rahmun.medium.com/how-to-configure-social-authentication-in-a-next-js-next-auth-django-rest-framework-application-cb4c82be137


Question: what exactly does the drfauth do?

robertwt7 opened this issue

I know that the example comes from dj-rest-auth; however, I'm just not familiar with the package, so I'm not sure what magic is happening behind it.

When you disable the authentication below, what does it mean? Does the token that's already retrieved by next-auth get saved in the DB? How does it work behind the scenes? I'm lost looking at the code, please help.

Thanks

from allauth.socialaccount.providers.google.views import GoogleOAuth2Adapter
from allauth.socialaccount.providers.oauth2.client import OAuth2Client
from dj_rest_auth.registration.views import SocialLoginView


class GoogleLoginView(SocialLoginView):
    authentication_classes = []  # disable authentication, make sure to override `allowed origins` in settings.py in production!
    adapter_class = GoogleOAuth2Adapter  # allauth adapter that talks to Google
    callback_url = "http://localhost:3000"  # frontend application url
    client_class = OAuth2Client

When you login through the client using next-auth, you receive an access token and an id token from the Google servers. The GoogleLoginView class

  • takes those tokens,
  • contacts Google servers,
  • gets the information of the associated email by exchanging the input tokens,
  • saves the details in the database (depending on the user class you defined in Line 98 of settings.py)
  • returns you a new pair of access token and refresh token using the information saved in db (e.g. user_id to identify which user it is)
  • These tokens are the ones to be used against your DRF backend to make requests and receive data.

In short, the token you receive from Google servers in Line 56 of this file is not the same as the one you get returned from the DRF servers in Line 76.
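To make the two-token flow in the answer above concrete, here is an added example (an editor's illustration, not code from this repository or from dj-rest-auth). It models the five steps offline: the Google side is a constructed stub standing in for the userinfo call that GoogleOAuth2Adapter makes over HTTPS, the "database" is a dict, and the backend mints its own HS256 token in the shape simplejwt returns. All tokens, emails and the signing key are constructed; the function names (social_login, issue_backend_token, verify_backend_token) are the example's own.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for Google's userinfo endpoint: the access token
# Next-Auth obtained on the client -> the profile that token unlocks.
FAKE_GOOGLE_USERINFO = {
    "ya29.constructed-google-access-token": {
        "sub": "1029384756",
        "email": "alice@example.com",
        "email_verified": True,
        "name": "Alice",
    },
}

# Constructed stand-in for the Django user table (email -> row).
USERS: dict[str, dict] = {}
# Constructed dev key; Django would use SECRET_KEY / SIMPLE_JWT["SIGNING_KEY"].
BACKEND_SIGNING_KEY = b"constructed-dev-key-not-for-production"


def fake_google_userinfo(google_access_token: str) -> dict:
    """The 'contacts Google servers' step, stubbed so this runs offline."""
    try:
        return FAKE_GOOGLE_USERINFO[google_access_token]
    except KeyError:
        raise PermissionError("Google rejected the access token") from None


def get_or_create_user(profile: dict) -> dict:
    """The 'saves the details in the database' step."""
    if not profile.get("email_verified"):
        # Never link an unverified email to an existing local account.
        raise PermissionError("refusing to link an unverified email")
    email = profile["email"].lower()
    if email not in USERS:
        USERS[email] = {"id": len(USERS) + 1, "email": email, "name": profile.get("name", "")}
    return USERS[email]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_backend_token(user: dict, kind: str, ttl_s: int, now: int) -> str:
    """Mint the backend's own HS256 JWT; it carries the local user_id, not Google's token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"user_id": user["id"], "token_type": kind, "exp": now + ttl_s}).encode())
    sig = hmac.new(BACKEND_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_backend_token(token: str, now: int) -> dict:
    """What the DRF authentication class does on every later request."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise PermissionError("not a backend token") from None
    expected = hmac.new(BACKEND_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims


def social_login(google_access_token: str, now: int | None = None) -> dict:
    """The whole GoogleLoginView flow: Google token in, backend token pair out."""
    now = int(time.time()) if now is None else now
    profile = fake_google_userinfo(google_access_token)   # steps 1-3
    user = get_or_create_user(profile)                    # step 4
    return {                                              # step 5
        "access_token": issue_backend_token(user, "access", 5 * 60, now),
        "refresh_token": issue_backend_token(user, "refresh", 24 * 3600, now),
        "user": user,
    }


if __name__ == "__main__":
    google_token = "ya29.constructed-google-access-token"
    out = social_login(google_token, now=1_700_000_000)
    print("backend token equals Google token?", out["access_token"] == google_token)
    print(verify_backend_token(out["access_token"], now=1_700_000_000))
```

The point the example makes executable: the Google token is only ever handed to the stub that plays Google, the backend token is signed with the backend's own key and carries the local user_id, and handing the Google token to verify_backend_token fails, because the backend has no way to recognise it as a credential of its own.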

Thank you for your reply.

Okay, I got it. Just one more thing to get my understanding correct: the new access_token we got from Django is also from Google, right? Why is it getting a new access_token if we already got one from next-auth? Can't the library verify that it is valid for information and reuse that instead?

The new access token is not what we got from Google. The access token we got from Google can be used to access information associated with the email; you exchange that token from your DRF backend to receive user information and create a user in the database. After that, you create a new access token that allows the logged-in user to request resources from your DRF backend. The two tokens are not the same, they have different use cases. You cannot use the Google-provided token to request resources from your server, because your server still does not know this particular user. I know it's kind of a two-step process, but that's how it plays out.

Hope that clarifies.

Ahh, got it now! So the auth package only uses the token from Google to get the user data, then creates a user based on that.

It clarifies everything. Thanks for explaining it to me.

I didn't know initially what was happening in the background, because reading the dj-rest-auth docs doesn't really explain what authentication_classes is.

Did you find out how it works from digging through the code?

Yes, I went through the code (several times) before I understood how it works. Hope you have understood everything you wanted to.

Hello @mahieyin-rahmun, I have another question, I hope that's okay with you.

If I want to use the access_token from Google in Django (i.e. to access the user's Google Calendar API), what's the best way to do it? As we have traded the token in the front end for a Django token.

Hi, sorry for delayed response.

I haven't had the necessity to do what you mentioned (yet), but I imagine it could be done using scopes. Please note that my approach is not guaranteed to be precise.

  1. Add scopes for calendar in settings.py. Here is the list of scopes for Google Calendar API.

  2. Check this other project's file. You can see that they are using allauth and the google-oauth library in conjunction to communicate with the calendar API.

No worries at all. Thanks for pointing me to the project, I'll implement my own stuff and see if it works!

Hello @mahieyin-rahmun, sorry to bother you again.

Your post helped me a lot previously, and now I can fetch everything properly. I have another question about the Google refresh token though. I notice that the token expires before my Django simple JWT, thus making connect_to_calendar throw an error because it doesn't have a refresh token.

Do you by any chance know how to save the refresh token from dj_rest_auth?

I opened an issue here: iMerica/dj-rest-auth#364
and I tried to search for a solution, but I'm still stuck after a couple of hours.

I already sent the refresh_token from the front end; however, I don't know how to dig into the code, because dj_rest_auth doesn't seem to save it in the token_secret of allauth.

Thank you