Make user field on abstract refresh token nullable

duzumaki · duzumaki · commit f8d195094a07 · 2025-01-14T17:30:31.000Z
why?

DOT currently assume the user will be derived from the django request.user object (from the logic throughout DOT, not the model itself).

Since the device flow happens out of band there is no request.user available when the call to token is made, we have to make this field none.

How do I handle it in my own custom auth server:
In my custom auth server how I associate a refresh token with a user is to have a field (column in the refresh token table) that has the payload of the original JWT what was made when the refresh token was issued and I use the sub claim in the payload to know “this user has the refresh token” which prevents it relying on django solely for the user information but the stateless JWT instead
diff --git a/oauth2_provider/migrations/0014_alter_refreshtoken_user.py b/oauth2_provider/migrations/0014_alter_refreshtoken_user.py
@@ -0,0 +1,21 @@
+# Generated by Django 4.2.17 on 2025-01-13 17:24
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('oauth2_provider', '0013_alter_application_authorization_grant_type_device'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='refreshtoken',
+            name='user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(app_label)s_%(class)s', to=settings.AUTH_USER_MODEL),
+        ),
+    ]
diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -503,7 +503,7 @@ class AbstractRefreshToken(models.Model):
 
     id = models.BigAutoField(primary_key=True)
     user = models.ForeignKey(
-        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="%(app_label)s_%(class)s"
+        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="%(app_label)s_%(class)s", null=True
     )
     token = models.CharField(max_length=255)
     application = models.ForeignKey(oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE)

Original file line number	Diff line number	Diff line change
`@@ -503,7 +503,7 @@ class AbstractRefreshToken(models.Model):`
`503`	`503`
`504`	`504`	`id = models.BigAutoField(primary_key=True)`
`505`	`505`	`user = models.ForeignKey(`
`506`		`- settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="%(app_label)s_%(class)s"`
	`506`	`+ settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="%(app_label)s_%(class)s", null=True`
`507`	`507`	`)`
`508`	`508`	`token = models.CharField(max_length=255)`
`509`	`509`	`application = models.ForeignKey(oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE)`