
Install DOT + Authorization Server Metadata #7032

@Zaimwa9

Description


Context

Implement OAuth 2.1 Authorization Server to support delegated access to the Admin API.

django-oauth-toolkit (DOT) is an OAuth library, recommended by DRF. It provides the Authorization Code Grant, token/revocation/introspection endpoints, and a DRF authentication class out of the box.

OAuth clients also need to discover our endpoints before starting the auth flow. We need to set up the metadata endpoint (/.well-known/oauth-authorization-server), which DOT does not provide, so that it returns a JSON document listing all endpoint URLs, supported scopes and supported grant types.

Non-exhaustive example:

  {
    "issuer": "https://api.flagsmith.com",
    "authorization_endpoint": "https://app.flagsmith.com/oauth/authorize",
    "token_endpoint": "https://api.flagsmith.com/o/token/",
    "registration_endpoint": "https://api.flagsmith.com/o/register/",
    "introspection_endpoint": "https://api.flagsmith.com/o/introspect/",
    "revocation_endpoint": "https://api.flagsmith.com/o/revoke/",
    "scopes_supported": {{SUPPORTED_SCOPES}},
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "introspection_endpoint_auth_methods_supported": ["none"] // => Important for Gram
  }

DOT installation

  • Add django-oauth-toolkit to project dependencies
  • Add oauth2_provider to INSTALLED_APPS
  • Run DOT migrations (creates Application, AccessToken, RefreshToken, Grant tables)
  • Add oauth2_provider.contrib.rest_framework.OAuth2Authentication to DRF's DEFAULT_AUTHENTICATION_CLASSES (will use Bearer
  • Configure OAUTH2_PROVIDER settings:
    • Access token expiry: 15 minutes
    • Refresh token expiry: 30 days, one-time use, rotated on each refresh
    • PKCE mandatory (S256 only)
    • Opaque tokens (DOT default — stored in DB, instant revocation)
  • Include DOT's URL patterns (/o/authorize/, /o/token/, /o/revoke/, /o/introspect/)

Metadata endpoint

  • No authentication required on this endpoint
  • For self-hosted deployments, all URLs must derive from FLAGSMITH_API_URL
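As an added example (not code from the issue or from Flagsmith), the OAUTH2_PROVIDER settings the issue asks for, plus a builder that derives every metadata URL from the deployment's base URLs and a checker for the RFC 8414 constraints a reviewer would test (https issuer without query/fragment, required fields for the authorization_code grant, S256 only). The function names, the `api_url`/`app_url` parameters and the sample scopes are assumptions; the DOT setting names are real.

```python
"""Build and sanity-check the RFC 8414 metadata for a DOT-based server."""
from urllib.parse import urlsplit

# DOT settings matching the issue's requirements (names are real DOT keys).
OAUTH2_PROVIDER = {
    "ACCESS_TOKEN_EXPIRE_SECONDS": 15 * 60,           # 15 minutes
    "REFRESH_TOKEN_EXPIRE_SECONDS": 30 * 24 * 60 * 60,  # 30 days
    "ROTATE_REFRESH_TOKEN": True,  # old refresh token revoked on use
    "PKCE_REQUIRED": True,
}


def build_as_metadata(api_url: str, app_url: str, scopes: list[str]) -> dict:
    """Derive all URLs from the base URLs (FLAGSMITH_API_URL for the API)."""
    api = api_url.rstrip("/")  # avoid double slashes in derived URLs
    app = app_url.rstrip("/")
    # registration_endpoint is omitted: advertise it only if actually served.
    return {
        "issuer": api,
        "authorization_endpoint": f"{app}/oauth/authorize",
        "token_endpoint": f"{api}/o/token/",
        "introspection_endpoint": f"{api}/o/introspect/",
        "revocation_endpoint": f"{api}/o/revoke/",
        "scopes_supported": list(scopes),
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "refresh_token"],
        "code_challenge_methods_supported": ["S256"],
        "introspection_endpoint_auth_methods_supported": ["none"],
    }


def metadata_problems(doc: dict) -> list[str]:
    """Return RFC 8414 violations found in a metadata document (empty = OK)."""
    problems = []
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.query or issuer.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    if not doc.get("response_types_supported"):
        problems.append("response_types_supported is required")
    if "authorization_code" in doc.get("grant_types_supported", []):
        for key in ("authorization_endpoint", "token_endpoint"):
            if not doc.get(key):
                problems.append(f"{key} is required for authorization_code")
    for key in ("token_endpoint", "introspection_endpoint", "revocation_endpoint"):
        endpoint = doc.get(key, "")
        if endpoint and urlsplit(endpoint).scheme != "https":
            problems.append(f"{key} must use https")
    if "plain" in doc.get("code_challenge_methods_supported", []):
        problems.append("only S256 should be advertised (PKCE plain is weak)")
    return problems
```

Serve `build_as_metadata(...)` from an unauthenticated view at /.well-known/oauth-authorization-server and run `metadata_problems` against the response in a test.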

Definition of done

  • DOT installed and migrations run
  • OAuth2Authentication in DRF auth classes
  • DOT endpoints accessible (/o/token/, /o/revoke/, /o/introspect/)
  • GET /.well-known/oauth-authorization-server returns valid RFC 8414 JSON
  • AS metadata URLs derived from FLAGSMITH_API_URL setting
  • Can manually create an Application in Django admin and complete an Authorization Code + PKCE flow
  • Existing auth methods (session, token, master API key) unaffected
  • Optional: cleartokens scheduled as a periodic task

Docs
django-oauth-toolkit docs
DOT + DRF getting started
RFC 8414 — OAuth 2.0 Authorization Server Metadata
