What I need is that every time a user asks for a new access token, the
old one will become invalid, unusable and will be removed.
Giving a new token when you ask for one seems like an expected behavior. Is it not possible for you to revoke the existing one before asking for the new one?
Update
If you are determined to keep just one token -
The class
OAuth2Validator inherits OAuthLib's
RequestValidator
and overrides the method
save_bearer_token. In this method before the code related to
AccessToken model instance creation and its .save() method you can query (similar to
this) to see if there is already an AccessToken saved in DB for this user. If found the existing token can be deleted from database.
I strongly suggest to make this change configurable, in case you change your mind in future (after all multiple tokens are issued for reasons like this)
A more simpler solution is to have your own validator class, probably one that inherits oauth2_provider.oauth2_validators.OAuth2Validator
and overrides save_bearer_token
. This new class should be given for OAUTH2_VALIDATOR_CLASS
in settings.py
Also, is there a way that the password grunt type wont create refresh
token. I don't have any use for that in my application.
Django OAuth Toolkit depends on OAuthLib.
Making refresh_token optional boils down to create_token
method in BearerToken
class of oAuthLib at this line and the class for password grant is here. As you can see the __init__
method for this class takes refresh_token
argument which by default is set to True
. This value is used in create_token_response
method of the same class at the line
token = token_handler.create_token(request, self.refresh_token)
create_token_response
method in OAuthLibCore
class of Django OAuth toolkit is the one, I believe, calls the corresponding create_token_response
in OAuthLib. Observe the usage of self.server
and its initialization in __init__
method of this class, which has just the validator passed as an argument but nothing related to refresh_token
.
Compare this with OAuthLib Imlicit grant type's create_token_response
method, which explicitly does
token = token_handler.create_token(request, refresh_token=False)
to not create refresh_token
at all
So, unless I missed something here, tldr, I don't think Django OAuth toolkit exposes the feature of optional refresh_token
.