Validate only received 'Access Token' in Django DRF API Requests. Is this headless?

[sachingaikwad123]

Hello,

Thanks for building this wonderful package. It is very nicely maintained with lots of documentation help available. Thanks!

I have following question for using django-allauth in my 'Django + DRF' (Backend Only) project.

Setup:

Frontend and Backend are completely disconnected.

1. Frontend: React SPA (running separately on different domain than backend)
2. IAM (OIDC Provider): Keycloak
3. Backend: Django + DRF (REST APIs and GraphQL APIs)

Flow

1. User logins to React SPA: OAuth2 flow (with PKCE) is completed with Keycloak and React SPA obtains 'Access Token' for 'Backend'.
2. React SPA can now call 'REST API' or 'GraphQL API' implemented in 'Django + DRF' backend. For this, it passes 'Access Token' in Authorization Header in requests 'Bearer ' format.
3. To be Implemented: Django DRF should authenticate these API requests and make sure it has valid 'Access Token'. It can also do some additional checks based on 'claims' present in the token. This claim based logic will be based on my specific requirement related to RBAC.

Question

Is this setup supported by 'django-allauth' where we don't need 'login flow' but we only need 'Token Authentication' by validating the tokens? I read and understood 'HEADLESS_ONLY = True' is this, but I could be wrong.