I am writing an app that is supposed to work with Google contacts.
So at some point I do the authentication with OAuth2:
token = OAuth2Token(client_id=client_info["client_id"],
client_secret=client_info["client_secret"],
scope=CLIENT_SCOPE,
user_agent=USER_AGENT)
# I open a webserver and browser until I retrieve the
# Auth code in a variable named "code"
token.get_access_token(code)
As of now, this flow starts every time the app accesses contatcs.
How do i make my application remember the authentication?
Does it have to do with refresh tokens, and if so, how does that works?
Yes, you should save the refresh token (depending on your system configuration) that is exchanged using the code..
Next time the script runs, it should look for the refresh token first and should try to use it. If it doesn't find it or the refresh token doesn't work, it should try to get the new code.
Related
I am trying to build an python application for my server to run 24 hours and overwrite a file in dropbox every minute. When I built this application it stopped working after an hours for new token. I can't awake 24 hour to add new token every token. I just want a way that help me in doing setup of this. With dropbox there is no option to remove short length expire from token. Please keep it simple to underatnd easily dropbox documentation is hard for me to understand.
I just want a solution for this problem. I tried refresh token but it also required user interaction so no use.
Using refresh tokens is the right solution here. Just like with Dropbox access tokens, manual user interaction is required initially to get a Dropbox refresh token, but once the app has a refresh token it can store and re-use it repeatedly without further manual user interaction.
For reference, Dropbox is in the process of switching to only issuing short-lived access tokens (and optional refresh tokens) instead of long-lived access tokens. You can find more information on this migration here.
Apps can still get long-term access by requesting "offline" access though, in which case the app receives a "refresh token" that can be used to retrieve new short-lived access tokens as needed, without further manual user intervention. You can find more information in the OAuth Guide and authorization documentation.
You can find examples of using the OAuth app authorization flow in the Dropbox Python SDK here.
I am a little confused right now. I am using googleapiclient to call the Docs API, google_auth_oauthlib.flow to handle the authorization flow, and google.oauth2.credentials only for, from what I can tell, the Credentials class.
I need to authorize users for my app for non-short periods of time (days-months). I need to know if I need to manually refresh their tokens should they expire.
The example Flask implementation here does not seem to manually need to refresh tokens if/when they expire. It says
# Save credentials back to session in case access token was refreshed.
in the test_api_request view as if credentials is automatically updated with a new token when the API is called by the object returned by build. Is this the case? A lot of the docs regarding these libraries have limited/vague information about how the token refresh works.
If not, how do I know when the token has expired? Does the Credentials instance have an expiry field? How do I get a new token using the refresh token?
Thanks
Looking at the source code from the three libraries involved, it seems like they manage refreshing the token for you and that's why they don't give you an expires_in field from the access token.
It's actually the drive.files().list().execute() expression that updates the access token because the refreshing is done per request (in case it's necessary), but it's the build method that makes it possible to do so. When it's called the following occurs:
build calls build_from_document (here)
build_from_document creates an instance of AuthorizedHttp (here)
The AuthorizedHttp instance manages refreshing the token when it's necessary, by calling the refresh method on Credentials (here)
You can see that the refresh method works with an expiry field (here)
And it parses the expires_in field given by the API. (here)
The three libraries involved in this process are google-auth-library-python, google-api-python-client and google-auth-library-python-httplib2.
Pretty convoluted process. If you want to read a simpler implementation of an OAuth client, you could try reading the Spotipy client implementation of the Authorization Code flow. It has nothing to do with the google libraries, but it might give you an idea of how it manages the token.
The gist of it is: You make a request to the token endpoint which gives you back an expires_in field along with the access_token, based on this field, you need to calculate the time in the future when this token will expire. When you make a request to the resource server, you need to check if the token is expired, if it is, you make a new request sending the refresh_token to the token endpoint.
I've omitted some steps, but if you want to know more, you can read about it here and in the RFC.
there is any way to get the access token automatically with python using login informations ?
Something like this :
import requests
r=requests.get('https://graph.facebook.com/oauth/access_token?grant_type=get_token&
client_id=idclient_secret=password&privilege=')
print r.text
As far as I know you can't get users access token without users interaction.
You can get app token though like this:
facebook.get_app_access_token(APP_ID, APP_SECRET)
To get APP_ID and APP_SECRET you need to create new app here: https://developers.facebook.com/ Note that you will get much less meta data using app's token than using user's token.
I was writing script collecting data from facebook lately and I had same problem. I just switched to app token since my script runs every hour as cron job so it was impossible to deliver new token every time manually.
So currently I have in place a system using Flask running on my localhost:8080 to add 1 song at a time to a public Spotify playlist. Unfortunately how I have implemented this it requires a browser to add a song. What I want to be able to do is URLLIB or possibly the REQUESTS library to do this without a browser. I have been unsuccessful in my attempts to do this bot URLLIB and REQUESTS only see the first page of my local host it is never redirected to my call back in the code that I linked below.
My Implementation
How would I go about implemented a non browser interface to add a song to a playlist? (Mind you this is python 3)
In order to add a song to a playlist, you need the playlist's owner to grant access to your application, so you will need a web interface at some point to carry out this step.
It's important that you obtain the access token using the Authorization Code Flow since that's how you will get an access token and a refresh token. Use that refresh token in your app to obtain access tokens without having the user to re-authorize your app.
So in brief:
Implement a web site that uses the Authorization Code. A user logs in and you obtain an access token and refresh token. Using the refresh token you will be able to generate access tokens without the user having to input their credentials.
Take the refresh token and include it in your script. Before making the request to add a track, obtain a fresh access token using the refresh token.
It's a bit cumbersome but that's the only way to use OAuth2 without exposing the user's username+password to an app.
Does this quick-start code handle refresh tokens? If so, where/how?
https://developers.google.com/gmail/api/quickstart/quickstart-python
I am working on a Python application that needs to have continuous/unfettered access to Gmail account emails, so I want to make sure that I am handling the scenario described on this page:
https://developers.google.com/gmail/api/auth/web-server#send_authorized_requests_and_check_for_revoked_credentials
Specifically, the "If your application requires offline access, the first time your app exchanges the authorization code, it also receives a refresh token that it uses to receive a new access token after a previous token has expired. Your application stores this refresh token (generally in a database on your server) for later use" paragraph.
It's not clear to me if/how this is handled by the quick-start code. Thanks!
I figured this out. The refresh token, if saved for offline access by the application, is used to perpetually request new access tokens (as they are short lived/expire). This quick-start code does save the refresh token in the stored credentials (the STORAGE file) and wraps the Oauth 2.0 methods that get new access tokens from the authorization server when needed.
If for some reason you need to get another refresh token, you can request one from the authorization server, after making the user to approve your application again:
From https://developers.google.com/gmail/api/auth/web-server
"Always store user refresh tokens. If your application needs a new refresh token it must sent a request with the approval_prompt query parameter set to force. This will cause the user to see a dialog to grant permission to your application again."
More info about authorization server requests:
https://developers.google.com/accounts/docs/OAuth2WebServer
Just to add,Limits apply to the number of refresh tokens that are issued per client-user combination, and per user across all clients, and these limits are different. If your application requests enough refresh tokens to go over one of the limits, older refresh tokens stop working.