I'm trying to implement OAuth2 with DRF but I'm struggling to understand which flow is the correct one and how to use it. The backend is being used by an Angular and a React Native app. Using this https://auth0.com/docs/flows/ documentation I've concluded that "Authorization Code Flow with Proof Key for Code Exchange (PKCE)" would be the right choice.
I'm stuck on getting a "code" from the OAuth server because I don't want to have to be logged into the django admin console in order to get it, and it looks like that's the only option. I have a couple of questions:
- Is the Authorization Code Flow used only for integration with other sites like Facebook, Google?
- At which point I authenticate the user? Is it before the authorization code is sent or after using the code together with the username and password?
- If I use password authentication am I stuck with the "Resource Owner Password Flow"?
- With the password flow the client would have to keep the secret key on their side as well. So if a third party gets the secret key, the only thing left is the user's password and username, which is actually what we have at the moment with BasicAuth. Then the question is: when using the password flow, how is OAuth additionally protecting the resources compared to BasicAuth?
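The Authorization Code + PKCE exchange the question asks about, written out with both the client and the authorization server in one file, as an added example (editor's illustration, not code from the original post, from DRF or from django-oauth-toolkit). The endpoint names, the in-memory code and token stores, the client registration and the user name "alice" are assumptions; a real server would do the login step on its own login page and deliver the code via the registered redirect URI. The point it demonstrates: the user authenticates with the authorization server before a code is issued, the public client holds no client secret, and a code intercepted on the redirect is useless without the `code_verifier` that never left the client.

```python
"""Minimal Authorization Code + PKCE exchange (RFC 7636), client and server side.

Added illustration; not the original poster's code and not django-oauth-toolkit.
Endpoint names, in-memory stores, client registration and the user are assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import secrets
import time

CLIENT_ID = "spa-client"                      # assumed registered public client
REDIRECT = "https://app.example/callback"    # assumed registered redirect URI


def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7636 requires for the challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))                      # 43 unreserved chars
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthServer:
    """Toy authorization server: issues one-time codes bound to a PKCE challenge."""
    CODE_TTL = 60  # seconds; authorization codes are meant to be short-lived

    def __init__(self, clients: dict[str, str]):
        self.clients = clients            # client_id -> registered redirect_uri
        self.codes: dict[str, dict] = {}  # outstanding one-time codes
        self.tokens: dict[str, str] = {}  # access_token -> user

    def authorize(self, client_id, redirect_uri, code_challenge, method, user):
        """GET /authorize, reached only after the resource owner logged in at the
        server's own login page: the user authenticates BEFORE any code exists."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' leaks the verifier")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user": user,
                            "expires": time.time() + self.CODE_TTL}
        return code  # delivered to the client as redirect_uri?code=...

    def token(self, client_id, code, code_verifier, redirect_uri):
        """POST /token: the public client proves it holds the verifier; no secret."""
        entry = self.codes.pop(code, None)          # pop => a code is single-use
        if entry is None or entry["expires"] < time.time():
            raise ValueError("invalid, expired or already used code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client/redirect")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, entry["challenge"]):
            raise ValueError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def whoami(self, access_token):
        """Resource server check: who does this bearer token belong to?"""
        return self.tokens.get(access_token)


def run_flow():
    """Happy path: login, code issuance, code exchange, bearer token use."""
    server = AuthServer({CLIENT_ID: REDIRECT})
    verifier, challenge = make_pkce_pair()
    # 'alice' stands in for whoever just logged in at the server's login page
    code = server.authorize(CLIENT_ID, REDIRECT, challenge, "S256", "alice")
    tok = server.token(CLIENT_ID, code, verifier, REDIRECT)
    return server, code, verifier, tok


def stolen_code_without_verifier_fails() -> bool:
    """An attacker who intercepts the code on the redirect has no verifier."""
    server = AuthServer({CLIENT_ID: REDIRECT})
    _, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT, challenge, "S256", "alice")
    attacker_verifier, _ = make_pkce_pair()       # a guess; never matches
    try:
        server.token(CLIENT_ID, code, attacker_verifier, REDIRECT)
        return False
    except ValueError:
        return True


def code_is_single_use() -> bool:
    """Replaying a code already exchanged must be rejected."""
    server, code, verifier, _ = run_flow()
    try:
        server.token(CLIENT_ID, code, verifier, REDIRECT)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    server, _, _, tok = run_flow()
    print("token belongs to:", server.whoami(tok["access_token"]))
    print("stolen code rejected:", stolen_code_without_verifier_fails())
    print("replayed code rejected:", code_is_single_use())
```

In a deployed system the `authorize` call is a browser redirect to the authorization server's own login and consent page, so the client never sees the user's password; only the server does. That is the difference from BasicAuth the last question is getting at: the client ends up holding a revocable, scoped bearer token rather than credentials, and with PKCE a public client needs no secret at all.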