I was stuck in 'Getting the Access Token' part. In the documentation, I need a 'code'. But how can I get the authorization code? I'm using python.
authorize_url = 'https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID'
def myRequest(path, method=None, options=None):
response = requests.request(method, path, **options)
return json.dumps(response.json())
code = myRequest(
path=authorize_url,
method='GET',
options={
'headers':{
'response_type': 'code',
'client_id': CLIENT_ID,
}
}
)
You have to use a module to make HTTP requests e.g. requests or urllib and follow the instructions as indicated here.
I have a very simple Flask app set up here: https://github.com/seanrose/box-oauth2-example
The 'code' is returned to your app after you send the user to Box's authorization URL.
Related
Context:
I'm working on a side project to pull data from the Spotify API into a
Microsoft SQL Server database as part of a refreshing ETL job. I need
to use the "Authorization Code Flow" so I can authorize/authenticate
programmatically, so my table will populate each day.
I'm using the Python requests library for this, and I don't want to
make an Object Oriented Solution for this if possible (not my
preference).
Problem:
I'm having trouble getting the Access Token after authenticating.
Looking at similar issues, it's very similar to this one:
Spotify API Authorization Code Flow with Python
.
I'm not sure why I'm getting a Response 400 (Bad Request) from this.
Can someone please advise here?
Code:
# used to to encode byte string from CLIENT_ID : CLIENT_SECRET, then decode for Authentication Header
import base64
# used to make HTTP requests from Spotify API
import requests
# used to access the environment variables
import os
def request_user_authorization():
'''
HTTP GET request to gain access to data (Authorization Code Flow)
HTTP POST request to send the code and receive an Authorization Token (current issue)
https://developer.spotify.com/documentation/general/guides/authorization/code-flow/
'''
# URLs
AUTH_URL = 'https://accounts.spotify.com/authorize'
TOKEN_URL = 'https://accounts.spotify.com/api/token'
BASE_URL = 'https://api.spotify.com/v1'
SPOTIFY_URI = 'https://api.spotify.com/v1/me/player/recently-played'
# sensitive items
CLIENT_ID = os.environ.get('SPOTIFY_CLIENT_ID_ENV')
CLIENT_SECRET = os.environ.get('SPOTIFY_CLIENT_SECRET_ENV')
# make a request to the /authorize endpoint to get an authorization code
user_authorization_code = requests.get(
AUTH_URL, {
'client_id': CLIENT_ID,
'response_type': 'code',
'redirect_uri': SPOTIFY_URI,
'scope': 'user-read-recently-played',
}
)
# Code 200 = "OK"
print(user_authorization_code)
#----------------------------------------------------------#
api_header_string = base64.urlsafe_b64encode((CLIENT_ID + ':' + CLIENT_SECRET).encode('ascii'))
api_headers={
'Content-Type': 'application/x-www-form-urlencoded',
'Authorization': 'Basic %s' % api_header_string.decode('ascii')
}
api_payload = {
'grant_type': 'authorization_code',
'code': user_authorization_code,
'redirect_uri': SPOTIFY_URI,
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET
}
#issue here:
# Make a request to the /token endpoint to get an access token
access_token_request = requests.post(url=TOKEN_URL, data=api_payload, headers=api_headers)
# returns <Response [400]>
# https://datatracker.ietf.org/doc/draft-ietf-httpbis-semantics/
# 15.5.1. 400 Bad Request
# The _400 (Bad Request)_ status code indicates that the server cannot
# or will not process the request due to something that is perceived to
# be a client error (e.g., malformed request syntax, invalid request
# message framing, or deceptive request routing).
# print(access_token_request)
#----------------------------------------------------------#
request_user_authorization()
You seem to have misunderstood how the Authorizatuon Code Flow works.
The redirect_uri in this kind of flow is used by the provider api (here spotify) as a callback to give you the authorization code.
The spotify API will call this url with a code parameter that you can use to ask for a token.
Meaning that for this flow to work you need a web server ready to receive requests on the uri that you have given in your code request (and specified when creating your app on the spotify developer portal). You might be better off using the Client Credentials Flow for your use case.
Also you should always use the name of the keywords arguments when using requests.get, requests.post ... It makes the code clearer and the order of the arguments differ for each method so it can get confusing if you don't.
#Speedlulu you're correct, that was the problem.
For anyone in the future reading this question: this is what I learned since posting the question:
What I misunderstood was the flow of data, and that Client Credentials Flow (Application to Spotify only) was the better choice because I don't need to have a "User" portion to this program.
Spotify's Client Credentials Flow Documentation: https://developer.spotify.com/documentation/general/guides/authorization/client-credentials/
# used to access environment variables securely (sensitive data)
import os
# used to encode strings into bytes and back
import base64
# used to convert JSON data into strings
import json
# endpoint that I'm connecting to on Spotify's servers
token_request_url = "https://accounts.spotify.com/api/token"
CLIENT_ID = os.environ.get('SPOTIFY_CLIENT_ID_ENV')
CLIENT_SECRET = os.environ.get('SPOTIFY_CLIENT_SECRET_ENV')
# encode credentials into bytes, then decode into a string for the HTTP POST request to Spotify to authenticate
BASE64_ENCODED_HEADER_STRING = base64.b64encode(bytes(f"{CLIENT_ID}:{CLIENT_SECRET}", "ISO-8859-1")).decode("ascii")
#initializing dictionaries for HTTP POST request
headers = {}
data = {}
headers['Authorization'] = f"Basic {BASE64_ENCODED_HEADER_STRING}"
data['grant_type'] = "client_credentials"
data['json'] = True
data['scope'] = 'user-read-recently-played'
r = requests.post(url=token_request_url, headers=headers, data=data)
# prints the response from the server regarding the access token data (formatted to be easier to read)
print(json.dumps(r.json(), indent=2))
# store the token value in a variable for HTTP GET request
token = r.json()['access_token']
What was unclear is that I first need to POST my request with the credentials to get the token (using the specific URL to do), store the r.json()['access_token'] value in a variable, then use that as part of the following GET request to access my specific data.
I have this callback url that has a redirection:
#spotify_auth_bp.route("/callback", methods=['GET', 'POST'])
def spotify_callback():
SPOTIFY_TOKEN_URL = "https://accounts.spotify.com/api/token"
CLIENT_ID = os.environ.get('SPOTIPY_CLIENT_ID')
CLIENT_SECRET = os.environ.get('SPOTIPY_CLIENT_SECRET')
REDIRECT_URI = os.environ.get('SPOTIPY_REDIRECT_URI')
auth_token = request.args['code']
code_payload = {
"grant_type": "authorization_code",
"code": auth_token,
"redirect_uri": REDIRECT_URI,
'client_id': CLIENT_ID,
'client_secret': CLIENT_SECRET,
}
post_request = requests.post(SPOTIFY_TOKEN_URL, data=code_payload)
# Auth Step 5: Tokens are Returned to Application
response_data = json.loads(post_request.text)
access_token = response_data["access_token"]
refresh_token = response_data["refresh_token"]
token_type = response_data["token_type"]
expires_in = response_data["expires_in"]
token_info = {'access_token': access_token,
'refresh_token': refresh_token,
'token_type': token_type,
'expires_in': expires_in}
res = make_response(redirect('http://localhost/about', code=302))
# I'd rather send token_info to `localStorage` at my client, instead of setting cookies
#res.set_cookie('access_token', access_token)
#res.set_cookie('refresh_token', refresh_token)
#res.set_cookie('token_type', token_type)
#res.set_cookie('expires_in', str(expires_in))
return res
Is there a way of sending 'token_info' above with jsonify() (or else) to client via make_response() before redirection occurs?
Please read foot-notes if your concern is about the OAuth flow!
According to HTTP 302 Redirect - is a message-body needed?, you can return a body in a 302 Redirect. Indeed RFC2616 doesn't forbid to send a response body.
Well, I'm not a Flask expert, but this should do the job. It returns the JSON in the body of the 302 Redirect response. Pay attention that you should also set the right Content-Type header (not done in my example).
import json
from flask import Flask, redirect, Response
app = Flask(__name__)
def jsonResponseFactory(data):
'''Return a callable in top of Response'''
def callable(response=None, *args, **kwargs):
'''Return a response with JSON data from factory context'''
return Response(json.dumps(data), *args, **kwargs)
return callable
#app.route('/')
def hello_world():
token_info = {
'access_token': '...',
'refresh_token': '...',
'token_type': '...',
'expires_in': '...'
}
return redirect(
'http://localhost/about',
302,
jsonResponseFactory(token_info)
)
Btw, if your client needs to read the token, it should not automatically follow the redirect! Furthermore, I don't know if a 302 Redirect is the best answer to your OAuth callback endpoint. But all of this depends on the context.
Edit:
Here are some notes after feedback from comments.
You should not store tokens in the localStorage. There is a good explanation from Auth0 website. Furthermore, browsers (starting with Safari) will now drop localStorage after 7 days without user interaction
Again from Auth0 (and I fully agree) the token should be handled server-side.
I'll let my answer as it is (even if the scope is not ideal) because it's actually answer to your HTTP related question.
Using python 3.6, requests==2.22.0
Trying to use the Google API, in particular mobile and desktop apps flow
I am able to generate an auth code by using this url:
url = (
'https://accounts.google.com/o/oauth2/v2/auth?'
'scope={scope}'
'response_type=code&'
'redirect_uri={redirect_uri}&'
'client_id={client_id}&'
'access_type=offline'.format(
redirect_uri=redirect_uri,
client_id=client_id,
scope=scope,
)
)
The redirect_uri I am using (for now) is simply https://google.com, and it is registered in the developer app I generated, in the Authorized redirect URIs section and in the Authorized domains section under the OAuth consent settings page/tab.
Once I paste the produced url in the browser - I get a code that I can extract and use to make the next call:
data = {
'client_id': client_id,
'client_secret': client_secret,
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': redirect_uri,
}
url = 'https://oauth2.googleapis.com/token'
response = requests.post(
url,
data=data,
headers={
'Content-Type': 'application/x-www-form-urlencoded',
},
print(response)
print(response.json())
The output:
<Response [200]>
{tokens dictionary} <-- more downstream
Here is the question:
In the beginning I was experimenting with the basic scopes from the various examples available everywhere: email+profile, and the result I got was this:
{'access_token': '******', 'expires_in': 3594, 'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid', 'token_type': 'Bearer', 'id_token': '******'} <-- id_token is a JWT
Next, I added the actual scopes I am interested in (and made sure to add them within the developer app):
https://www.googleapis.com/auth/calendar.events+https://www.googleapis.com/auth/calendar.readonly
The result I am getting is this:
{'access_token': '******', 'expires_in': 3595, 'scope': 'https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/calendar.readonly', 'token_type': 'Bearer'}
No refresh token? (I specifically require it to refresh the access token)
I then read this stack overflow post and added "&prompt=consent" to the code grant URL above: (https://accounts.google.com/o/oauth2/v2/auth)
Now I am getting:
{'access_token': '******', 'expires_in': 3600, 'refresh_token': '******', 'scope': 'https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/calendar.readonly', 'token_type': 'Bearer'}
I have the refresh token now, but is that the only way?
If the user will end up going through the flow again it will force another consent page flow - which should not be required after an initial consent was already given.
Is there any way to get the refresh token without an explicit consent every time?
Is there any way to get the refresh token without an explicit consent every time?
No. The refresh token is returned the first time with the user consent to off line access.
Google assumes that you have saved it and there for dont need another one. Revoke the users access and request access again you should get a refresh token. or sending request prompt will request that the user grant you off line access again and you will again get a new refresh token.
I am developing a Flask application which gives call to the REST service developed in Flask. The target REST service method is secured using Basic Authentication. I found that for this type of authentication, I have to use base64 encoding.
I am trying to pass the credentials to the service in this way:
headers = {'username': base64.b64encode(g.user['username'])}
response = requests.post('http://127.0.0.1:3000/api/v1.0/follower/' + username, headers=headers)
And at the service side, the username is fetched as :
user_name = request.authorization.username
However, the service is not able to authorize the provided credentials and it is throwing an error 401.
Is there any issue with the authorization at the service side and at the application side?
You are not creating a proper Basic Authorization header.
You'd have to call the header Authorization, and then set the header value to the string Basic <base64-of-username-and-password-separated-by-a-colon>.
If we assume an empty password, that would look like:
headers = {
'Authorization': 'Basic {}'.format(
base64.b64encode(
'{username}:{password}'.format(
username=g.user['username'],
password='')
)
),
}
See the Wikipedia description of the client side of the protocol.
However, there is no need to construct this manually, as requests will create the header for you when you pass in a username and password as a tuple to the auth keyword:
response = requests.post(
'http://127.0.0.1:3000/api/v1.0/follower/' + username,
auth=(g.user['username'], ''))
for me the working code was, but may have some error.
headers = {
'Authorization': 'Basic {}'.format(
base64.b64encode(
'{username}:{password}'.format(
username=g.user['username'],
password='').encode()
).decode()
)
}
When trying to authorize spotify using python 3, I get a "server_error" with the description "Unexpected status: 400".
I am using the correct authorization code and the spotify documentation (https://developer.spotify.com/web-api/authorization-guide/) instructed me to use a post command with those parameters.
I'm quite a noob in this and I do not know what I am doing wrong.
Here is the code:
import requests
params = {'grant_type': 'authorization_code', 'code': authcode, 'redirect_uri': 'https://example.com/callback','client_id':'example', 'client_secret':'example'}
req=requests.post('https://accounts.spotify.com/api/token', params=params)
print(req.content)
According to spotify's own guide (see step #4):
https://developer.spotify.com/web-api/authorization-guide/
The authorization info for requesting a new token must go in the header via an "Authorization" variable:
Authorization: Required. Base 64 encoded string that contains the
client ID and client secret key. The field must have the format:
Authorization: Basic base64 encoded client_id:client_secret
You have it instead in the request body itself.
So you should do something like:
import requests
import base64
authcode = 'valid_authcode_from_prev_authorization_step'
params = {'grant_type': 'authorization_code', 'code': authcode, 'redirect_uri': 'https://example.com/callback'}
client_id = 'example_id'
client_secret = 'example_secret'
b64_val = base64.b64encode("%s:%s" % (client_id, client_secret))
req = requests.post(
'https://accounts.spotify.com/api/token', params=params,
headers={'Authorization': b64_val})
However, for this to work you need a valid auth code which you can only get by having the user go through the auth step which precedes the token acquisition step.
This code gets sent to the callback you have registered in your app settings, which won't work if you have a fake callback set (ie: http://example.com/callback).