Mozilla Django



If you do configure the middleware that intercepts requests and potentially forces a refresh of your session, this gets tricky with XHR requests. Usually XHR requests (with libraries like fetch or jQuery.ajax) follow redirects by default (which is most likely a good thing). The problem is that an XHR request can't redirect back to the OP when it's time to refresh your session. So for XHR requests, some special handling is required by you.

The problem with the above code is that it's wrong to assume the XHR response is going to be application/json if the server's middleware insisted you need to refresh your session.

Django provides an authentication and authorization ('permission') system, built on top of the session framework discussed in the previous tutorial, that allows you to verify user credentials and define what actions each user is allowed to perform. A Django OpenID Connect library. Version: 1.2.4. License: MPL 2.0. Status: Production/Stable.

Instead, watch out for a 403 Forbidden response when, in conjunction, there is a header called refresh_url. Like this:
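An added example of this check (not code from the library or its documentation): it treats a 403 as a session-refresh signal only when the refresh_url header is present, and it only hands back a URL that is HTTPS and on an expected OP origin. The names sessionRefreshUrl, getJson, fakeResponse and OP_ORIGINS, and the origin https://op.example.com, are assumptions made for illustration.

```javascript
// Added example. OP_ORIGINS is a constructed placeholder for your OP's origin.
const OP_ORIGINS = ["https://op.example.com"];

// Returns the validated refresh URL when the middleware asked for a session
// refresh (403 + refresh_url header), otherwise null.
function sessionRefreshUrl(response, allowedOrigins = OP_ORIGINS) {
  if (response.status !== 403) return null;
  const raw = response.headers.get("refresh_url");
  if (!raw) return null; // an ordinary 403, not a refresh request
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // relative or malformed value
  }
  // Added hardening (assumption): never navigate to a non-HTTPS scheme or to
  // an origin that is not the expected OP.
  if (url.protocol !== "https:" || !allowedOrigins.includes(url.origin)) {
    return null;
  }
  return url.href;
}

// GET wrapper: only parses JSON once a refresh request has been ruled out.
async function getJson(url, { fetchImpl = globalThis.fetch, onRefresh } = {}) {
  const response = await fetchImpl(url, { credentials: "same-origin" });
  const refreshUrl = sessionRefreshUrl(response);
  if (refreshUrl) {
    // The caller decides: set document.location.href, or update the DOM
    // and show a regular link to refreshUrl.
    onRefresh(refreshUrl);
    return null;
  }
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.json();
}

// Constructed stand-in for a fetch Response, for trying the check offline.
function fakeResponse(status, headers = {}) {
  return {
    status,
    ok: status >= 200 && status < 300,
    headers: { get: (name) => headers[name.toLowerCase()] ?? null },
  };
}
```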


Note


The refresh middleware only applies to GET requests.

You don't have to use document.location.href to redirect immediately inside the client-side application. Perhaps you can do other things, like updating the DOM to say that the user has to refresh their authentication and providing a regular link.

If you want DRF to authenticate users based on an OAuth access token provided in the Authorization header, you can use the DRF-specific authentication class which ships with the package.

Add this to your settings:

Note that this only takes care of authenticating against an access token, and provides no options to create or renew tokens.


If you've created a custom Django OIDCAuthenticationBackend and added that to your AUTHENTICATION_BACKENDS, the DRF class should be smart enough to figure that out. Alternatively, you can manually set the OIDC backend to use: