Separate Resource and Authorization Server

[prafulbagai]

I want to have different Auth and Resource Server.

On Auth Server, following is my setting.

INSTALLED_APPS = [
    ...


    'oauth2_provider',
    'rest_framework',
]


REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
}

# ############## OAUTH SETTINGS ###################

OAUTH2_PROVIDER = {
    'SCOPES': {'users': 'user details', 'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups', 'introspection': 'introspection'},
    'ACCESS_TOKEN_EXPIRE_SECONDS': 86400,  # 1 Day.
}

On my Resource Server

INSTALLED_APPS = [
    ...


    'oauth2_provider',
    'rest_framework',
]


REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
}

# ############## OAUTH SETTINGS ###################

OAUTH2_PROVIDER = {
'RESOURCE_SERVER_INTROSPECTION_URL': 'http://localhost:8000/o/introspect/',
'RESOURCE_SERVER_AUTH_TOKEN': '3yUqsWtwKYKHnfivFcJu',

}

Question 1)

How do I obtain RESOURCE_SERVER_AUTH_TOKEN?

Question 2)

Upon introspecting the token, Auth Server returns 403 Forbidden Error in the console logs.

Following is the flow to obtain the access token.

I get the client_id, client_secret, grant_type and scopes from the client POST request onto the Resource Server. I call the AuthServer from the Resource Server and return the response back to the client.

What exactly am I missing over here?

[hmm2001]

I am facing the same issue and from the console. It said "Introspection: Failed to parse response as json". Any ideas?

[prafulbagai]

@hmm2001 - Go through this link. I posted a question on SO and this should solve your problem.

[hmm2001]

@prafulbagai Thank you very much for your update. The link is very useful.

The steps to get the correct access token is like the following.

1. Create the application with Authorization grant type = authorization code.

2. Go to link /o/authorize to get the authorization code. (Make sure you change the expired date of it or it will expire very soon.)

3. Use curl -X POST -d "client_id=xxx&client_secret=xxx&grant_type=authorization_code&code=xxx&redirect_uri=xxx" http://hostname/o/token to get the access token as the RESOURCE_SERVER_AUTH_TOKEN.

And after that it all works.

[elcolie]

I have create an simple example here. It should save time for new comer
https://medium.com/@sarit.r/simple-seperate-auth-server-and-resource-server-36a7813ea8aa

[n2ygk]

This appears to have been resolved.