1 files changed, 12 insertions, 4 deletions

diff --git a/rest_framework/authentication.py b/rest_framework/authentication.py
index 1f8d37fa..cbc83574 100644
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@@ -7,6 +7,7 @@ import base64
 from django.contrib.auth import authenticate
 from django.core.exceptions import ImproperlyConfigured
 from django.middleware.csrf import CsrfViewMiddleware
+from django.conf import settings
 from rest_framework import exceptions, HTTP_HEADER_ENCODING
 from rest_framework.compat import oauth, oauth_provider, oauth_provider_store
 from rest_framework.compat import oauth2_provider, provider_now, check_nonce
@@ -291,6 +292,7 @@ class OAuth2Authentication(BaseAuthentication):
     OAuth 2 authentication backend using `django-oauth2-provider`
     """
     www_authenticate_realm = 'api'
+    allow_query_params_token = settings.DEBUG
 
     def __init__(self, *args, **kwargs):
         super(OAuth2Authentication, self).__init__(*args, **kwargs)
@@ -308,7 +310,13 @@ class OAuth2Authentication(BaseAuthentication):
 
         auth = get_authorization_header(request).split()
 
-        if not auth or auth[0].lower() != b'bearer':
+        if auth and auth[0].lower() == b'bearer':
+            access_token = auth[1]
+        elif 'access_token' in request.POST:
+            access_token = request.POST['access_token']
+        elif 'access_token' in request.GET and self.allow_query_params_token:
+            access_token = request.GET['access_token']
+        else:
             return None
 
         if len(auth) == 1:
@@ -318,7 +326,7 @@ class OAuth2Authentication(BaseAuthentication):
             msg = 'Invalid bearer header. Token string should not contain spaces.'
             raise exceptions.AuthenticationFailed(msg)
 
-        return self.authenticate_credentials(request, auth[1])
+        return self.authenticate_credentials(request, access_token)
 
     def authenticate_credentials(self, request, access_token):
         """
@@ -326,11 +334,11 @@ class OAuth2Authentication(BaseAuthentication):
         """
 
         try:
-            token = oauth2_provider.models.AccessToken.objects.select_related('user')
+            token = oauth2_provider.oauth2.models.AccessToken.objects.select_related('user')
             # provider_now switches to timezone aware datetime when
             # the oauth2_provider version supports to it.
             token = token.get(token=access_token, expires__gt=provider_now())
-        except oauth2_provider.models.AccessToken.DoesNotExist:
+        except oauth2_provider.oauth2.models.AccessToken.DoesNotExist:
             raise exceptions.AuthenticationFailed('Invalid token')
 
         user = token.user