The Django REST Framework gives you the flexibility of using multiple authentication methods. Since I have time, and it will be useful for future visitors who have similar questions, I will talk about the benefits of the most common authentication methods.
Initially, his client will be a web application, but perhaps future clients may include mobile applications.
Typically, when working with web applications that are in the same domain and Django instance as an API, most users use SessionAuthentication because it interacts with the server using existing authentication methods. Authentication works without failure, so you do not need to go through the second stage of authentication.
Most APIs also support some form of BasicAuthentication, most likely because it is easiest to test, but also because it is easiest to implement. This is not a recommended authentication method for your web application, but it is not uncommon to see it being used in your mobile application. I personally would recommend token-based authentication, so you don't have to worry about clients intercepting user credentials.
TokenAuthentication meets my needs.
Many people use TokenAuthentication because it is relatively easy to understand and use, and it seems that at first it meets all the requirements. Tokens are directly tied to users, and they do not automatically rotate (although you can make them automatically rotate), so each client working on behalf of the user receives the same token. This can be a problem if you ever need to revoke a token, since all other clients will also have their token.
I would rather avoid the OAuth cognitive overhead if there is no convincing security reason for this.
OAuth 2 (OAuth2Authentication) gives you token rotation and token expiration on top of the benefits of TokenAuthentication. It is also useful to be able to revoke individual tokens without affecting other clients that authenticate as the user. You can also restrict clients to specific areas of your API using scopes, which is useful if you have certain areas of the API that are used more often than others.
I am also going to mention JSON Web Tokens, because although I have not used it, it comes up quite a bit in the support channels. It is very similar to TokenAuthentication, but it has the added benefit of unique tokens per client and token expiration.
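As an added illustration that is not part of the original answer and not Django REST Framework's own code, here is a toy model of the two token styles the answer contrasts: a single non-rotating token per user (the TokenAuthentication model, where revoking it logs out every client) next to a distinct expiring token per client (the OAuth 2 / JWT model, where one client can be revoked on its own). The store classes, the `now` clock parameter and the token values are all constructed here for the example.

```python
import secrets
import time

# Constructed stand-in for the TokenAuthentication model: one non-rotating
# token per user, shared by every client acting on that user's behalf.
class SharedTokenStore:
    def __init__(self):
        self._by_user = {}  # user -> token

    def issue(self, user):
        # A second client for the same user gets the very same token back.
        if user not in self._by_user:
            self._by_user[user] = secrets.token_hex(20)
        return self._by_user[user]

    def authenticate(self, token):
        for user, tok in self._by_user.items():
            if secrets.compare_digest(tok, token):
                return user
        return None

    def revoke(self, token):
        # Revoking the token revokes it for every client of that user at once.
        self._by_user = {u: t for u, t in self._by_user.items() if t != token}


# Constructed stand-in for the OAuth 2 / JWT model: a distinct token per
# (user, client) pair, each with its own expiry time.
class PerClientTokenStore:
    def __init__(self, now=time.time):
        self._tokens = {}  # token -> (user, client, expires_at)
        self._now = now    # injectable clock so expiry can be exercised in tests

    def issue(self, user, client, ttl_seconds):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, client, self._now() + ttl_seconds)
        return token

    def authenticate(self, token):
        entry = self._tokens.get(token)
        if entry is None or entry[2] <= self._now():
            return None  # unknown, revoked, or expired
        return entry[0]

    def revoke(self, token):
        # Only this one client's token is affected; the user's other clients stay logged in.
        self._tokens.pop(token, None)
```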