I went through the Flask OAuth api, and its pretty clear how to do authentication for a web app. The web app gets redirected to the authentication provider login page, where access is granted, and returns back to the web app with a token.
However, for web api scenarios, where a client is pre authorized to call the web api, the request will have a Bearer token along with the call. Is there any example on how to validate this token? I see apis like validate_access_token() in the OAuth2 library, but I cant see any examples where people use it for web apis.
I use Azure AD for authentication, and have created an AAD application, and am able to get a token from it through the adal package on the client side (with the clientId and clientKey from AAD). But I havent been able to authorize it yet on the web api side, because it seems most scenarios look at web app authentication and not web api scenarios. Any ideas on how to authenticate on server side?
Related
I use serverless-framework with aws lambda and aws cognito. I have set up a user pool and registered the app. I can login in the login ui and get the code and then exchange the code programmatically for tokens.
But how should I send the tokens from the web client to the aws lambda?
I can use the program Postman or curl but I need to use a web client (http browser). How should I set the header with the token?
After you receive the token from Cognito Token endpoint, you can store it in the Browser storage (e.g; LocalStorage, SessionStorage, ClientSide Cookies) using JavaScript and send it in Authorization header for API requests (Ajax requests).
You can use AWS Amplify JS library to simplify the authentication and refreshing the token.
Note: One can argue that it is not safe to store the token's in Browser Storage, but if you look at AWS Amplify JS library, it uses LocalStorage to store both id token and refresh token.
buddies
One of my GAE restful service needs login with admin account. And I'm writing an automation script in python for testing this service. The script simply do a HTTP POST and then check the returned response. The difficult part for me is how to authenticate the test script as an admin user.
I created an admin account for testing purpose. But I'm not sure how to use that account in my test script. Is there a way that my test script can use oath2 or other approach to authenticate itself as a test admin account?
Ok I think this might be what you are looking for, client libraries to authenticate and yeah I believe appengine now recommends using the oauth2 for any kind of authentication:
https://developers.google.com/accounts/docs/OAuth2#libraries
Then you get an auth token where you pass in headers on your restful request like:
# Your authenticated request
Authorization: Bearer TokenHere
Then in your handler you get it like:
try:
user = oauth.get_current_user('https://www.googleapis.com/auth/userinfo')
except NotAllowedError:
user = None
# then from the first link you should be able to access if
user.is_current_user_admin()
This is how I authenticate on android, but I only do this once and store it in session and just enable cookie jar on the httpclient.
I have an app which amounts to a Python script, running on the user's phone, and a JS client, running in the user's browser. The Python script sends messages to App Engine as HTTP requests. The server then pushes the messages to the JS client.
The problem is authentication: The server can easily use Google Accounts to authenticate anything coming from the JS client as being sent by a particular user, but I do not know how to get the Python script to make HTTP requests which will also authenticate.
Any ideas?
According to its homepage, httplib2 has support for Google Account authentication, maybe that may help you?
Can you use OAUth to authenticate with Google, then use the OAuth token to ensure the messages are legitimate?
Any tips on python oauth2 and facebook.
It seems there are little information since Facebook updated to OAuth2.
Is there anyway the existing Twitter library can be used to suite the facebook authentication?
import oauth2 as oauth
# Create your consumer with the proper key/secret.
consumer = oauth.Consumer(key="your-twitter-consumer-key",
secret="your-twitter-consumer-secret")
# Request token URL for Twitter.
request_token_url = "http://twitter.com/oauth/request_token"
# Create our client.
client = oauth.Client(consumer)
# The OAuth Client request works just like httplib2 for the most part.
resp, content = client.request(request_token_url, "GET")
print resp
print content
If your looking for readily available Django apps to integrate with your project, check out the authentication packages. Most of them that provide Facebook authentication have been updated to support the OAuth 2 protocol for some time already.
If, on the other hand, you'd like to work with a provider through an OAuth 2 library directly, take a look at python-oauth2--there's a lengthy example of how you can integrate it with Django's authentication immediately in the README.
There is an awesome project called Fandjango and Facepy. Simply, you don't even have to know or even worry about OAuth protocols anymore.
If you want all the user's details or are integrating more of Facebook's graph api, you should have a look at:
https://github.com/tschellenbach/Django-facebook
For a demo of how slick it is:
http://www.fashiolista.com/intro_wide/
Features (Copied from github)
Access the Facebook API, from:
Your website (Using javascript OAuth)
Facebook canvas pages (For building facebook applications)
Mobile (Or any other flow giving you a valid access token)
Django User Registration (Convert Facebook user data into a user model)
Use Facebook data to register a user with your Django app. Facebook connect using the open graph API.
Facebook FQL access
OAuth 2.0 compliant
Includes Open Facebook (stable and tested python client to the graph API)
I'm new to FB app development. Once the user authorize my app, facebook does the following request
http://www.example.com/response#access_token=...&expires_in=3600
Now my python do not see the part after the '#'. How do i get the part, or am i doing something wrong?
You cannot use this. That is part of client side auth. URI fragments (the stuff after the #) are never sent to the server by the browser. You need to look up server side auth.
Short answer: you need to fill in YOUR_URL in https://www.facebook.com/dialog/oauth?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL, next the facebook app (in python) needs to filter the return URL and yank out the access_token in the callback.
For more information, drop by https://apps.facebook.com/fileglu/technical - i am using facebook's access_token and dropbox's access_token to enable dropbox access inside Facebook App.
Have hooks for Google Oauth 2.0, anyone requires google docs access within Facebook?