Google has an example of an OAuth2 client here
I am completelly new to OAuth2 and I would like to get this example working before I move to integrate OAuth2 with my application. What I have done is the following:
Register a test application
Get Client ID and Client Secret
Configure those values into client_secrets.json
Run the test app: python moderator.py
The application opens up a browser, where I can (as a user) authorize the application to access my account. But Google is complaining like this (400 Bad Request):
Error: redirect_uri_mismatch
The redirect URI in the request: http://localhost:8080/ did not match a registered redirect URI
Learn more
Request Details
from_login=1
scope=https://www.googleapis.com/auth/moderator
response_type=code
access_type=offline
redirect_uri=http://localhost:8080/
approval_prompt=auto
as=-xxxxxxxxxxxxx
pli=1
client_id=xxxxxxxxxxx.apps.googleusercontent.com
authuser=0
hl=en
I guess the localhost:8080 is coming from an internal web server started by moderator.py. My question is: has somebody goten this example to work? What other components do I need (apache configuration, DNS, ...)
I am very confused with OAuth2 and any help would be greatly appreciated.
First of all, sorry if my answer isn't very precise, because I'm also very new to OAuth (and even python)... and also sorry if it came too late, I don't usually access here.
Have you tried using this (worked for me):
REDIRECT_URI = 'urn:ietf:wg:oauth:2.0:oob'
Check this: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi
Here I have a piece of code with a complete OAuth flow working.
In OAuth 2.0, the redirect_uri parameter is usually registered with the provider. The provider should also be enforcing https-only redirect_uri.
You need to register the redirect_uri with Google here: https://code.google.com/apis/console/?pli=1#access
Perhaps try registering your external IP with Google (may require some port fowarding on your router)? If this fails, maybe you could use Python's SimpleServer, register your IP and get this server to handle the redirect.
Your redirect_uri is set to 'http://localhost:8080/' because you pass a default(I don't know how to describe it) flags parameter to run_flow(flow, storage, flags)
if you look at the define for run_flow() function you will find this:
It presumes it is run from a command-line application and supports the
following flags:
``--auth_host_name`` (string, default: ``localhost``)
Host name to use when running a local web server to handle
redirects during OAuth authorization.
``--auth_host_port`` (integer, default: ``[8080, 8090]``)
Port to use when running a local web server to handle redirects
during OAuth authorization. Repeat this option to specify a list
of values.
``--[no]auth_local_webserver`` (boolean, default: ``True``)
Run a local web server to handle redirects during OAuth
authorization.
Related
We deployed our flask application to AWS lambda and would like to restrict to access to it to:
Our development team (some external IP for everyone)
Wordpress server (static IP)
Bitbucket (for automatic deploys to lambda)
Google oAuth2 (callback function to lambda)
The first two are fairly easy to accomplish by whitelisting the respective IP in the AWS Gateway or in flask itself. However, the latter two are a bit more tricky since there's no static IP for the bitbucket pipeline nor when receiving the oauth2 callback from Google.
I've looked at the referer in the Http header to identify Google's callback which works but it can be spoofed easily...
Is there a sophisticated way of locking the app down to the above sources?
Here is the version I've got so far
def whitelist_handler():
whitelist_ips = os.getenv('WHITELIST_IPS')
allow_access = True
if whitelist_ips:
whitelist_ips = whitelist_ips.split(',')
referer = request.headers.get('Referer', '')
whitelist_domains = ['https://accounts.google.com/signin/']
if request.remote_addr not in whitelist_ips and not any([referer.startswith(domain) for domain in whitelist_domains]):
allow_access = False
if not allow_access:
abort(401)
Bitbucket
For Bitbucket, the pipelines do actually have static IP addresses as listed on the docs.
Google OAuth
For OAuth, I'm not sure what you're doing here but no part of the OAuth flow involves the provider (Google) needing to send web requests to your application. OAuth works entirely off redirecting the user (who should already have access through your other rules). You can read about this flow here.
So as long as your rules allow your users IPs then there's nothing you need to do for Google. This flow is why it's possible to use OAuth for local or intranet applications.
I'm trying to create a Slack App (see here), but I'm having incredible difficulty with how to create a Redirect URI.
Slack states the following:
You must specify at least one redirect URL for OAuth to work. If you
pass a URL in an OAuth request, it must (at least partially) match one
of the URLs you enter here. Learn more
I have a rudimentary understanding of a Redirect URI conceptually, but I have no idea how to go about actually getting this Redirect URI that Slack requires.
I've successfully used all of Slacks Integrations with Python including Real Time Messaging, but setting up a Redirect URI seems to require a special server or a website.
As already mentioned in the comments you will need a publicly reachable webserver to host your script for installing the Slack app. So the redirect URL is the URL to your installation script.
Basically any webserver or script hosting service that runs your favorite script flavor (e.g. PHP or Python) will work. See also this answer on how the OAUTH process can be implemented.
The redirect URL works without SSL, but for security reasons SSL is strongly recommended. Also many other features of Slack requires you to run SSL on your webserver (e.g. Interactive Buttons)
Another option is to run a webserver on your local machine (e.g. WAMP for windows) and open it to the Internet through a secure tunnel (e.g. ngrok). For developing and testing this is actually the better alternative, since you can test and fix your Slack app locally without having to deploy every change on a public server.
However for running a public Slack app (e.g. one that is listed on the Slack App Directory) I would strongly recommend to put the production version of your App on a public webserver.
If you're just trying to get it up so that you can authorize another workspace you can always use 'http://localhost' after authorizing it will try to redirect you there and you wont be able to see anything useful, but the authorization should still have taken place I believe.
of course if you're looking for the api code, you will have to pull it directly from the browser url. ... it's very manual.
I'm working on an API registration and authentication service application using python. Developers will be able to register their application (domain name of the application) and a random API key will be generated for the registered application.
Next, the registered application will send the API key to the API service with each API request. API server will authenticate the domain of the incoming request with the passed API key to confirm that the request is valid. I'm using Forwarded Host to validated the domain name of the API request, however it doesn't work as in some cases (when the opened page is the first page), Forward Host comes blank.
Are there a better approach to authenticate the request or any changes required in the API registration process to reliably authenticate the request? Some pointers will be helpful.
Using Authorization proxy
Samples are "3scale.net", offering free tier, other commercial solutions exist too.
Open source solution I am aware of is ApiAxle, which is much simpler, but still very useful.
The proxy takes care of managing access keys and forwards request back to real application only in case, it is really to be served.
Using Authorization service
Another solution is to have some internal service evaluating set of client provided keys (providerid, appid, accesskey, ...) are authrized or not. For this purpose, you have to:
set up authorization service
modify your code by adding 2-3 lines at the top of each call calling the authentication service.
Sample code for 3scale is here: https://github.com/3scale/3scale_ws_api_for_python
Conclusions
Authentication proxy makes the application simple and not bothering about who is asking. This can be advantage until your application needs to know who is asking.
Authentication service requires changing your code.
I have been reading a lot about this google endpoints and I have trying to something that is not quite easy to guess. After you create a google cloud endpoint server and you deploy it is open to any HTTP request (unauthenticated). In the cloud endpoint documentation (referring to using authentication) you can read about setting OAuth2.0 to authenticate users with google account but there is no documentation about restrict the endpoint service to a specific mobile app (android or ios) and discard all other HTTP requests. So the question is how to authenticate mobile apps (no users) and prevent HTTP request (unauthenticated)? I'am building my server API(enpoints) based on Python.
Thank you.
In order to restrict your Endpoint to a specific application you can use OAuth2. This is because the OAuth2 flow does user authentication and in-turn the OAuth2 flow inherently authenticates the application requesting the OAuth2 access.
These two client samples detail how to enable authenticated calls on the client side. You have to register your apps in the Developer Console at http://cloud.google.com/console/ .
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-android (Starting after the Note in the readme)
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-ios/ (Step 8 in README)
authedGreeting is the authenticated call and you would check the User object in the method's backend project for null. If empty then you can immediately throw an unauthorized exception.
https://github.com/GoogleCloudPlatform/appengine-endpoints-helloendpoints-java-maven
Specifically, optional Step 2 in the README tells Cloud Endpoints to start looking for OAuth2 tokens in the request. If the Endpoints exposed method has a User parameter. It will populate it with a user instance only if an OAuth2 token was found, was generally valid, and the token was issued to a client ID defined in the API annotation on the service class.
During the setup of your endpoints API, in clientIds list you provide your WEB_CLIENT_ID, ANDROID_CLIENT_ID, and IOS_CLIENT_ID for example. These values tell the Google App Engine that your application will respond to HTTPS requests from web browsers and Android/iOS installed applications.
When your clients first connect your server, they must obtain an OAuth 2.0 token in order to the communication be secure and that is the reason why you use the WEB_CLIENT_ID in your installed client application. This WEB_CLIENT_ID is unique to your Google Cloud app and through it your client becomes capable of obtain an access_token and a renew_token to communicate with your backend server and your server only. This is a cross-client authorization.
So, if you need only the WEB_CLIENT_ID to obtain the access_token and the renew_token, why you need the ANDROID_CLIENT_ID and IOS_CLIENT_ID? For security reasons.
The ANDROID_CLIENT_ID is linked to a RSA signature key through the SHA1 informed at backend setup. Thus your GAE app will grant (access_token, renew_token) only installed apps signed with the same key listed at your application console (and of course in your clientIds list)
Finally Android apps signed with different or not signed will not receive any access_token, being unable to establish the secure communication channel or even communicate with your server.
I have an app that I'm writing which authenticates against an Oauth 2.0 authorisation server. I'd like to test the parts that are accessible only after you've logged in but the Oauth server is an external dependency that complicates and make brittle my tests.
Any suggestions on how I should go about this? What the industry practices for something like this? My gut feel is to somehow mock out the server so that it allows access to the protected resources.
In case it matters, this is a Python webapp written using Flask.
I am using a custom oauth server which will run on my own domain and while it's possible to add some kind of sandboxing functionality as FoxMask has suggested, I'd much prefer being able to run the test without requiring an extra server running.
From the consumer (i.e. your application) side, the OAuth2 process can be separated in two parts:
the redirect from your application to the OAuth2 provider's "authorize" URL
the exchange of the "code" returned by the OAuth2 provider for an access token
For #1 all you need to test is that when you invoke the route that starts the authentication process the response returned is a redirect to the OAuth2 provider. This is easily accomplished with Flask's test client. The response should have a status code of 302 and a "Location" header set to the authorize URL for your OAuth2 provider. Note that you do not need to provider to be up, you are just testing that the response is a redirect, but you do not need to actually redirect.
Testing for #2 is a little bit more involved. Your Flask app has a special URL that is designated as the "redirect URL" for the OAuth2 provider to send you back the authorization code. You can just invoke this URL with the Flask test client passing a mock code and that has no issue.
The problem is that in the view function that handles your redirect URL you need to invoke the OAuth2 provider to exchange the auth code for an access token, and this is done synchronously. To prevent this transaction to happen you have to check app.config['TESTING'] and in that case skip the actual request and replace it with a fake response that includes a mock access token.
From then on you will need to also fake any additional calls into the OAuth2 provider that send the access token to request data.
If you are using an OAuth2 client library in your Flask app it may be easier to create the mock provider without having to create testing exceptions in your application. In my case I'm using rauth, and for this I have created a subclass of the OAuth2Service class that overrides the proper methods and responds with mock data that I have captured from a real session. Then in my test setup I just create the mock service and the application is fooled into thinking it is talking to a real server.
I hope this helps.