In Headless API switching from session-based authentication to access token authentication in Django: issues with user recognition in allauth

[kagiya-n]

Authentication with cookie["sessionid"] made it difficult to authenticate across different domains, so we want to switch to authentication using access_token. By issuing tokens as shown below, user authentication on the Django side after login with access_token became possible:

from allauth.headless.tokens.base import AbstractTokenStrategy
from django.contrib.sessions.backends.db import SessionStore
from django.http import HttpRequest
from rest_framework.authtoken.models import Token
import typing


class SessionTokenStrategy(AbstractTokenStrategy):
    def get_session_token(self, request: HttpRequest) -> typing.Optional[str]:
        token = request.headers.get("x-session-token")
        return token

    def create_session_token(self, request: HttpRequest) -> str:
        session_key = request.session.session_key
        if not session_key:
            request.session.save()
            session_key = request.session.session_key
        return session_key

    def lookup_session(self, session_token: str) -> typing.Optional[SessionStore]:
        session = SessionStore(session_key=session_token)
        if session.exists(session.session_key):
            return session
        return None

    def create_access_token(self, request: HttpRequest) -> typing.Optional[str]:
        user = request.user
        if user is authenticated:
            token, _ = Token.objects.get_or_create(user=user)
            return token.key
        return None

However, the user is no longer recognized on the allauth side after login. Testing with Postman showed that placing the session_token in cookie["sessionid"] allows the user to be recognized, but is it not possible to authenticate with access_token?

[pennersr]

across different domains

Shouldn't you be using OAuth/OpenID Connect for such use cases?

allows the user to be recognized, but is it not possible to authenticate with access_token?

That is currently the case, yes. For that to work we would need to be able to lookup the session from the access token. So, you would need to encode the session ID, or be able to somehow look it up, solely based on the access token.

[kagiya-n]

Thank you for your response
Currently, the only part that cannot be used is the section that utilizes the allauth login state. Therefore, we have decided to maintain the session ID by using subdomain-based cookie management in the production environment, in combination with the token.