DEFAULT_AUTHENTICATION_CLASS: don't raise errors until every backend has checked the token #7867

jeronimobarea · 2021-03-25T14:04:21Z

jeronimobarea
Mar 25, 2021

We are using JWT for our backend auth and Oauth2 for external connections, the problem we have is that if one authentication backend raises an error it stops checking the others, so if I use Bearer prefix with a JWT token it will rise an error if it doesn't match but will stop looking to check if it matches with Oauth2 and vice versa.

Example:
Config:

"DEFAULT_AUTHENTICATION_CLASSES": {
       "rest_framework_simplejwt.authentication.JWTAuthentication",
       "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
       "rest_framework_social_oauth2.authentication.SocialAuthentication"
}

This will raise a an error and won't check with the Oauth2 backend
Authorization: Bearer <Oauth2 token>

Example:
Config:

"DEFAULT_AUTHENTICATION_CLASSES": {
       "oauth2_provider.contrib.rest_framework.OAuth2Authentication",
       "rest_framework_social_oauth2.authentication.SocialAuthentication",
       "rest_framework_simplejwt.authentication.JWTAuthentication"
}

This will raise a an error and won't check with the JWT backend
Authorization: Bearer <JWT token>

tomchristie · 2021-03-25T14:28:06Z

tomchristie
Mar 25, 2021
Maintainer

So the way this works is that an authentication class may either return None (in which case other backends will still be checked) or raise an error (in which case they won't).

So, for example, if you have BasicAuthentication and TokenAuthentication both installed, then everything will work fine because:

The basic auth will just ignore the request if it wasn't an Authorization: Basic ... request.
The token auth will just ignore the request if it wasn't an Authorization: Token ... request.

It looks from a quick pass to me that you're using two different auth classes, both of which are making lookups against Authorization: Bearer ....

That's a bit of an awkward case because even if we do run them both, then if both fail it wouldn't be clear which exception we'd want to raise.

I'm not sure what's best to do here. I'd assume someone else has already run into this before.

You could potentially work around this with a custom auth class with an def authenticate(self, request): method that tries each of the oauth2 and JWT cases in turn, suppressing exceptions in order to ensure both get checked regardless. Not a great outcome, but might do the job.

1 reply

jeronimobarea Mar 25, 2021
Author

Yes, it will be awkward if it returns multiple errors.
Thanks for the solution!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DEFAULT_AUTHENTICATION_CLASS: don't raise errors until every backend has checked the token #7867

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

DEFAULT_AUTHENTICATION_CLASS: don't raise errors until every backend has checked the token #7867

jeronimobarea Mar 25, 2021

Replies: 1 comment · 1 reply

tomchristie Mar 25, 2021 Maintainer

jeronimobarea Mar 25, 2021 Author

jeronimobarea
Mar 25, 2021

Replies: 1 comment 1 reply

tomchristie
Mar 25, 2021
Maintainer

jeronimobarea Mar 25, 2021
Author