Generating single access token with Django OAuth2 Toolkit

Question

I\'m using the latest Django OAuth2 Toolkit (0.10.0) with Python 2.7, Django 1.8 and Django REST framework 3.3

While using the grant_type=password, I notice

Answer 1

What I need is that every time a user asks for a new access token, the old one will become invalid, unusable and will be removed.

Giving a new token when you ask for one seems like an expected behavior. Is it not possible for you to revoke the existing one before asking for the new one?

Update

---

If you are determined to keep just one token - The class OAuth2Validator inherits OAuthLib's RequestValidator and overrides the method save_bearer_token. In this method before the code related to AccessToken model instance creation and its .save() method you can query (similar to this) to see if there is already an AccessToken saved in DB for this user. If found the existing token can be deleted from database.

I strongly suggest to make this change configurable, in case you change your mind in future (after all multiple tokens are issued for reasons like this)

A more simpler solution is to have your own validator class, probably one that inherits oauth2_provider.oauth2_validators.OAuth2Validator and overrides save_bearer_token. This new class should be given for OAUTH2_VALIDATOR_CLASS in settings.py

---

Also, is there a way that the password grunt type wont create refresh token. I don't have any use for that in my application.

Django OAuth Toolkit depends on OAuthLib.

Making refresh_token optional boils down to create_token method in BearerToken class of oAuthLib at this line and the class for password grant is here. As you can see the __init__ method for this class takes refresh_token argument which by default is set to True. This value is used in create_token_response method of the same class at the line

token = token_handler.create_token(request, self.refresh_token)

create_token_response method in OAuthLibCore class of Django OAuth toolkit is the one, I believe, calls the corresponding create_token_response in OAuthLib. Observe the usage of self.server and its initialization in __init__ method of this class, which has just the validator passed as an argument but nothing related to refresh_token.

Compare this with OAuthLib Imlicit grant type's create_token_response method, which explicitly does

token = token_handler.create_token(request, refresh_token=False)

to not create refresh_token at all

So, unless I missed something here, tldr, I don't think Django OAuth toolkit exposes the feature of optional refresh_token.