how to differentiate 'invalid credentials' and 'disabled users'? #494

Open
flc opened this issue Jun 29, 2017 · 2 comments

flc commented Jun 29, 2017

Hi, do you have any idea how I could differentiate the case when the user provides invalid credentials and the case when the user provides valid credentials but the user is disabled (is_active is False)? They both return the 'Invalid credentials given.' message (which comes from oauthlib), but it would be important to differentiate the two cases. Currently it seems that a lot of functionality needs to be overridden, with a lot of duplicate code, to achieve it.

I'm open to any idea in general about how to handle this properly.

@apiraino

Hi,

same thought that I had when we moved from django-oauth2-provider (deprecated) to django-oauth-toolkit.
We are using DRF and we had to remove djangorestframework-oauth too.

The pkg djangorestframework-oauth has an authenticate_credentials method that does exactly what you mention, i.e. distinguish an "invalid/missing credentials" error from an "invalid token" error:
https://github.com/jpadilla/django-rest-framework-oauth/blob/master/rest_framework_oauth/authentication.py#L163

Our workaround is to stuff a custom class with the missing logic, copied from the removed djangorestframework-oauth package, and then use this class as our oauth2 auth check and token retrieval.

But this solution smells, so I'm open to other suggestions.

IMHO django-oauth-toolkit should implement the missing logic.

Just my .2 cents

Contributor

auvipy commented Oct 26, 2021

> Our workaround is to stuff a custom class with the missing logic, copied from the removed djangorestframework-oauth package, and then use this class as our oauth2 auth check and token retrieval.

You are welcome to come up with the implementation.
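
An added sketch (not code from django-oauth-toolkit, oauthlib or any commenter in this thread) of the check order the question implies: the disabled-account message is returned only after the password has verified, so a caller without valid credentials gets the same 'Invalid credentials given.' response for every account. `User`, `USERS` and `password_grant_check` are hypothetical stand-ins for Django's user model and the validator hook, and the 'User account is disabled.' text is an assumed message.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:  # hypothetical stand-in for Django's user model
    username: str
    salt: bytes
    pw_hash: bytes
    is_active: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, is_active: bool = True) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt), is_active)


# Constructed sample accounts: one active, one disabled.
USERS = {u.username: u for u in (
    make_user("alice", "correct horse"),
    make_user("bob", "battery staple", is_active=False),
)}
# Hashed against when the username is unknown, so both paths cost the same.
_DUMMY = make_user("", "dummy")

# Error bodies in the RFC 6749 section 5.2 shape; the second text is assumed.
INVALID = {"error": "invalid_grant", "error_description": "Invalid credentials given."}
DISABLED = {"error": "invalid_grant", "error_description": "User account is disabled."}


def password_grant_check(username: str, password: str):
    """Return (http_status, body) for a password-grant style credential check."""
    user = USERS.get(username)
    ref = user or _DUMMY
    password_ok = hmac.compare_digest(hash_password(password, ref.salt), ref.pw_hash)
    # Unknown user and wrong password are indistinguishable to the caller.
    if user is None or not password_ok:
        return 400, INVALID
    # Reached only with a correct password, so the disabled state is disclosed
    # to the credential holder and to nobody else.
    if not user.is_active:
        return 400, DISABLED
    return 200, {"user": user.username}
```

In a Django project the password check would have to bypass the default backend's own `is_active` rejection (for example with `AllowAllUsersModelBackend`), otherwise a disabled user never reaches the second branch.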
