Django DRF with oAuth2 using DOT (django-oauth-toolkit)
I have tried the demo you mentioned and everything was fine.
$ curl -X POST -d "grant_type=password&username=superuser&assword=123qwe" -u"xLJuHBcdgJHNuahvER9pgqSf6vcrlbkhCr75hTCZ:nv9gzOj0BMf2cdxoxsnYZuRYTK5QwpKWiZc7USuJpm11DNtSE9X6Ob9KaVTKaQqeyQZh4KF3oZS4IJ7o9n4amzfqKJnoL7a2tYQiWgtYPSQpY6VKFjEazcqSacqTx9z8" http://127.0.0.1:8000/o/token/
{"access_token": "jlLpKwzReB6maEnjuJrk2HxE4RHbiA", "token_type": "Bearer", "expires_in": 36000, "refresh_token": "DsDWz1LiSZ3bd7NVuLIp7Dkj6pbse1", "scope": "read write groups"}
$ curl -H "Authorization: Bearer jlLpKwzReB6maEnjuJrk2HxE4RHbiA" http://127.0.0.1:8000/beers/
[]
In your case, I think, you have created an application with wrong "Authorization grant type".
Use this application settings:
Name: just a name of your choice
Client Type: confidential
Authorization Grant Type: Resource owner password-based
This https://django-oauth-toolkit.readthedocs.org/en/latest/rest-framework/getting_started.html#step-3-register-an-application helped me a lot.
Here the database file I've created: https://www.dropbox.com/s/pxeyphkiy141i1l/db.sqlite3.tar.gz?dl=0
You can try it yourself. No source code changed at all. Django admin username - superuser, password - 123qwe.
When you use "client credentials" it doesn't set the user on the generated access token, this is the root of that you do not have permission
error you are seeing.
When using the client credentials
grant type, you need to set the Rest Framework permission handler to look at tokens as client credentials
does not set the user on the generated token. Django OAuth Toolkit provides custom permissions for this purpose:
https://django-oauth-toolkit.readthedocs.org/en/latest/rest-framework/permissions.html
Or if your entire API is subject to the same type of permissions you can just set the permission handler globally in your settings.py
file, for example:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'oauth2_provider.ext.rest_framework.TokenHasReadWriteScope',
)
}
This assumes of course that you grant read write
permissions at the time.
More info about scopes here:
https://django-oauth-toolkit.readthedocs.org/en/latest/settings.html