The Django OAuth Toolkit docs don't describe the redirect uris, authorization grant type, or client type fields when registering your application.
The tutorial says to set client type to confidential, grant type to password, and leave uris blank.
What do the other options do?
e.g. What is client type public vs confidential? What do the grant type password, credentials, authorization, implicit do? And what are the redirect uris for?
I have found sparse information about them but no actual explanations as they pertain to Django REST framework and Django OAuth Toolkit.
You'll get answers to all your questions once you read about the OAuth2 protocol from here
But I'll try to answer your questions in brief:
I'll be using the words client and Resource Server frequently. In the OAuth2 protocol, client means the system which accesses resources, data or service. (It could be your mobile app or JavaScript app consuming the REST APIs of your API backend (or Resource Server). If you have implemented Facebook login in your mobile/JS apps, chances are, your API backend requests Facebook for the user's information. In that case your API backend is being a client and Facebook is the Resource Server.)
Client Types:
Client type is either confidential or public depending on whether that client can keep its client_secret a secret. (For example, an AngularJS app cannot keep its client_secret hidden, since anyone can do "Inspect Element" in a browser and search for it, so such a client has to be registered as public.)
Authorization Grant Types:
There are four kinds of Authorization Grant Types in the OAuth2 protocol.
Authorization Code:
In this grant type, the client requests an authorization code first, then exchanges that authorization code for an access token. It's a two-step procedure. Use this if the client is an outsider (more on it in Resource-owner password based).
Implicit:
Usually used along with public client_type. Instead of the two-step procedure above, the client gets the access token in one go.
Resource-owner password based:
This is used when there is a high degree of trust between client and Resource Server. This is the case between your API backend and your mobile app. (There is a high degree of trust between your API backend and JavaScript app too, but since it cannot keep its client_secret a secret, you have to use the Implicit grant type with it.) Facebook or Google etc. will never give you this kind of Authorization Grant because, for them, your API backend is an outsider.
Client Credentials:
It is the least commonly used. Please read about it in the above-mentioned document.
Redirect URIs:
Now, as far as Redirect URIs are concerned, they are needed only in Authorization Code or Implicit grant types (not sure about the Client Credentials one, somebody please enlighten me on this in comments).
The Redirect URI is given so that the Resource Server knows where to send the access token. Imagine you are implementing Facebook login. In that case you will go to developers.facebook.com and register your application (like you did with django-oauth-toolkit); while registering your application, you will specify a Redirect URI.
Specifying a Redirect URI is a way of saying, "Hey Facebook, send the access token on this URI". So if you set the Redirect URI to something like https://your_domain_name.com/token/facebook/, Facebook will redirect to your specified Redirect URI at the end of the OAuth2 process and give the Access Token in the form of a GET parameter, like https://your_domain_name.com/token/facebook/?token=some_long_string&some=other_parameters.
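
The field combinations described in the answer above, written out as a check you could run before saving a registration. This is an added example, not part of the original answer and not Django OAuth Toolkit's own code: `Registration`, `registration_errors` and `redirect_allowed` are hypothetical names, the grant-type strings are labels chosen for this sketch, and comparing redirect URIs by exact string match is an assumption made here.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Grant types that end with a browser redirect, per the answer above.
REDIRECT_GRANTS = {"authorization-code", "implicit"}
ALL_GRANTS = REDIRECT_GRANTS | {"password", "client-credentials"}


@dataclass
class Registration:
    """Hypothetical stand-in for a registered application (not the toolkit's model)."""
    client_type: str                      # "confidential" or "public"
    grant_type: str
    redirect_uris: list = field(default_factory=list)


def registration_errors(reg):
    """Return a list of problems with the chosen field combination."""
    errors = []
    if reg.client_type not in ("confidential", "public"):
        errors.append("unknown client type")
    if reg.grant_type not in ALL_GRANTS:
        errors.append("unknown grant type")
    # Redirect-based grants have nowhere to send the user without a URI.
    if reg.grant_type in REDIRECT_GRANTS and not reg.redirect_uris:
        errors.append("redirect URI required for this grant type")
    # The client credentials grant authenticates with the secret alone,
    # so a client that cannot hide its secret should not use it.
    if reg.grant_type == "client-credentials" and reg.client_type == "public":
        errors.append("client credentials grant needs a client that can keep a secret")
    for uri in reg.redirect_uris:
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            errors.append(f"redirect URI is not absolute: {uri}")
        if parts.fragment:
            errors.append(f"redirect URI must not contain a fragment: {uri}")
    return errors


def redirect_allowed(reg, requested_uri):
    """Redirect only to a URI that was registered, compared exactly (assumption)."""
    return reg.grant_type in REDIRECT_GRANTS and requested_uri in reg.redirect_uris
```

The tutorial's setup (confidential, password, no URIs) passes with no errors, while a public implicit client with the URI field left blank is rejected.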