Understanding HEADLESS flow

[citizenfish]

This is probably my fault for misunderstanding as I'm new to allauth. My goal is to provide an API with endpoints authenticated by allauth using Google OAuth2.

At the moment I'm doing the following in my client:-

1. Call /_allauth/app/v1/config to get details of the Google configuration.
2. The user then authenticates with Google independently
3. The client calls /_allauth/app/v1/auth/provider/token with:-

{
        "provider": "google",
        "process": "login",
        "token": {
            "id_token": "<token provided by Google>",
            "client_id": "< client_id provided by config>"
        }

4. this returns a json structure with:-

{
 "meta" : {
     "is_authenticated" : true,
     "session_token" : "<Session token>"
  }
}

Which is great, my user is logged in and has a session_token. So now I'd like them to call an API endpoint that only authenticated users can access. This is where I'm confused, how should I set my headers to use this token to authenticate the call? I tried setting X-Session-Token to but this did not work.

Is it that I need to do some additional processing with the Token before processing the api call.

[pennersr]

You've covered exactly the part that allauth considers in scope: authentication of the user. How to invoke your own APIs is something allauth puts no constraints/assumptions on, as that depends on what framework (e.g. django rest framework / ninja) you use, and also what authentication method you desire there.

• If your APIs require a specific access token, a JWT, or anything like that: use settings.HEADLESS_TOKEN_STRATEGY to point to a token strategy that creates such a token. Once you set that up, the token will appear in the meta next to the session_token.
• If you don't have any specific requirements, you could use the session token. You will likely need to add an authentication method to your APIs that recognizes the session token and looks up the related user, e.g. like so:

        engine = import_module(settings.SESSION_ENGINE)
        session = engine.SessionStore(session_key=key)
        user_id_str = session.get(SESSION_KEY)
        if user_id_str:
            user_id = get_user_model()._meta.pk.to_python(user_id_str)
            user = get_user_model().objects.filter(pk=user_id).first()
            if user and user.is_active:
                return user

The above code needs to be setup here https://www.django-rest-framework.org/api-guide/authentication/#custom-authentication or https://django-ninja.dev/guides/authentication/

[citizenfish]

Thank you for the super fast reply. That is exactly what I was looking for. If I can find the time I'll document and share our framework for this as it may be useful to others.

[citizenfish]

For anyone coming here and wanting to do this in django-ninja I created an auth function as follows:-

from importlib import import_module
from django.conf import settings
from django.contrib.auth import SESSION_KEY,get_user_model

def session_key_auth(request):
    engine = import_module(settings.SESSION_ENGINE)
    sk = request.META.get('HTTP_X_SESSION_TOKEN')
    session = engine.SessionStore(session_key=sk)
    user_id_str = session.get(SESSION_KEY)
    if user_id_str:
        user_id = get_user_model()._meta.pk.to_python(user_id_str)
        user = get_user_model().objects.filter(pk=user_id).first()
        if user and user.is_active:
            request.user = user
            return True

    return False

I need to look at the ramifications of overriding request.user but for prototyping this is working