Closed
Hello,
I've been working through the tutorial with a vanilla installation of Django 1.7. Parts 1 and 2 work as expected, but I've encountered a bit of a roadblock with part 3.
Running `curl -H "Authorization: Bearer 123456" -X GET http://localhost:8000/secret` as suggested at the end of tutorial step 3 just throws a 302 and pushes me to the login page (as it does when I access `/secret` through the browser). This is unexpected. I dug a little bit, and it seems that Django's `SessionAuthenticationMiddleware` is responsible for logging the user out after `OAuth2TokenMiddleware` successfully uses the token to authenticate the user.
My settings look like:

```python
AUTHENTICATION_BACKENDS = (
    'oauth2_provider.backends.OAuth2Backend',
    'django.contrib.auth.backends.ModelBackend',
)

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'oauth2_provider.middleware.OAuth2TokenMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)

CORS_ORIGIN_ALLOW_ALL = True
```

Is this expected? What am I missing here? Thanks!
-David