I am doing some work in Django, using the Django Rest Framework.

Users login via Oauth2 to facilitate integration with mobile applications.

I am using the Oauth2 authentication library that is packaged together with the Django Rest Framework.

To log out a user, I am expiring their access tokens. Is this the correct way of doing things?

kaizenx

2 Answers

It's not correct. Normally, the access token expires when it reaches its expiration time.

Or in one of these cases:

1. The user revokes this access token.
2. The user changes their password.
3. When a refresh token is revoked, the access tokens issued with it will be deleted.

And here is a reference about log out.

Owen Cao
  • So what if I, the owner of the service, would like to disable usage for the user? Or is OAuth2 not meant for this usage pattern? – kaizenx Jul 10 '14 at 06:07
  • I think I might have been less than clear in my question. My service is providing the OAuth2 authentication. So when the user is logging into their app, it is via my OAuth2 service. I hope this clears it up. If it is still true that I am using OAuth2 wrongly, then I'll just drop OAuth2 and go with token authentication. – kaizenx Jul 10 '14 at 06:18
  • What do you mean by `the owner of the service would like to disable usage for the user?` – Owen Cao Jul 10 '14 at 07:12
  • I mean, I am the one providing the OAuth2 authentication; I am the authorization endpoint that an app will check with to obtain credentials. – kaizenx Jul 12 '14 at 22:26
  • You could use OAuth for this, but that's not what OAuth is designed for. You provide an OAuth server (like Google). This would mean that a developer can create a link to your OAuth server and his users can log in using your OAuth server. The idea is that his users can revoke the rights of the developer's website by the use of your OAuth server. (This means you provide the OAuth server but never have, or should have, any rights to revoke.) – Eagllus Jul 19 '14 at 17:51
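As an added illustration (not code from the question, the answer, or the OAuth2 library shipped with Django Rest Framework), the following Python models the revocation rules listed in the answer against an in-memory token store: natural expiry, revoking one access token, a password change, and revoking a refresh token, which cascades to the access tokens issued with it. The store, the injectable clock, and every name in it are hypothetical; a real provider keeps these records in database tables.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class AccessToken:
    token: str
    user: str
    expires_at: float
    refresh_token: Optional[str]  # the refresh token it was issued with, if any
    revoked: bool = False


@dataclass
class RefreshToken:
    token: str
    user: str
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for a provider's token tables (hypothetical)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self.access: Dict[str, AccessToken] = {}
        self.refresh: Dict[str, RefreshToken] = {}

    def issue(self, user: str, lifetime: int = 3600) -> Tuple[str, str]:
        """Issue an access/refresh token pair for `user`."""
        rt = RefreshToken(secrets.token_urlsafe(32), user)
        at = AccessToken(secrets.token_urlsafe(32), user, self.clock() + lifetime, rt.token)
        self.refresh[rt.token] = rt
        self.access[at.token] = at
        return at.token, rt.token

    def is_valid(self, token: str) -> bool:
        """What a resource server checks: known, not revoked, and not past expiry."""
        at = self.access.get(token)
        return at is not None and not at.revoked and self.clock() < at.expires_at

    def revoke_access(self, token: str) -> None:
        """Case 1: one access token is revoked; its refresh token stays usable."""
        at = self.access.get(token)
        if at is not None:
            at.revoked = True

    def on_password_change(self, user: str) -> None:
        """Case 2: a password change invalidates every token the user holds."""
        for rt in self.refresh.values():
            if rt.user == user:
                rt.revoked = True
        for at in self.access.values():
            if at.user == user:
                at.revoked = True

    def revoke_refresh(self, token: str) -> None:
        """Case 3: revoking a refresh token also invalidates the access tokens it issued."""
        rt = self.refresh.get(token)
        if rt is None:
            return
        rt.revoked = True
        for at in self.access.values():
            if at.refresh_token == token:
                at.revoked = True

    def refresh_access(self, refresh_token: str, lifetime: int = 3600) -> Optional[str]:
        """Exchange a live refresh token for a new access token; None if it was revoked."""
        rt = self.refresh.get(refresh_token)
        if rt is None or rt.revoked:
            return None
        at = AccessToken(secrets.token_urlsafe(32), rt.user, self.clock() + lifetime, rt.token)
        self.access[at.token] = at
        return at.token


def demo() -> bool:
    """Walk through the cases with a fixed clock; True if each behaves as the answer describes."""
    now = [1000.0]
    store = TokenStore(clock=lambda: now[0])

    at, rt = store.issue("alice", lifetime=60)
    expiry_ok = store.is_valid(at)
    now[0] += 61  # step the clock past the token lifetime
    expiry_ok = expiry_ok and not store.is_valid(at)

    at, rt = store.issue("alice", lifetime=60)
    store.revoke_access(at)
    revoke_ok = not store.is_valid(at) and store.refresh_access(rt) is not None

    at, rt = store.issue("bob", lifetime=60)
    store.on_password_change("bob")
    pw_ok = not store.is_valid(at) and store.refresh_access(rt) is None

    at, rt = store.issue("carol", lifetime=60)
    store.revoke_refresh(rt)
    cascade_ok = not store.is_valid(at) and store.refresh_access(rt) is None

    return expiry_ok and revoke_ok and pw_ok and cascade_ok


if __name__ == "__main__":
    print("all revocation cases behave as described:", demo())
```

The point the model makes concrete is the difference between a logout and a revocation: marking one access token revoked leaves the refresh token able to mint a new one, so a provider that wants to end a session has to revoke the refresh token (or everything the user holds) rather than only expire the access token.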
I think what you mean is that you are creating an OAuth2 provider?

If I am correct, I would recommend switching to token authentication. To create an OAuth2 provider there are many restrictions and rules to follow, and I assume that when you create an OAuth2 provider it will be a public system that can be used by many people (who can and will misuse your service if it has leaks).

Eagllus
  • How about a solution where the user's OAuth token is deleted from the AccessToken model in the logout method? – Snehal Parmar Aug 24 '15 at 06:05
  • Not sure what you're asking. If the OAuth token is deleted, the user would be unable to log in. This has little to nothing to do with the logout method. – Eagllus Aug 24 '15 at 09:46
  • If you create an OAuth provider correctly, there will not be any misuse. Every faulty system has its own risks. – Shubham Apr 30 '21 at 04:54