I want to build an app engine project that posts to a single pre-defined twitter account. I do not have any problem of including username and password hard coded inside the app. This is normally supposed to be just a post request + authentication. My question can I achieve this using simple http authentication instead of oauth?
Twitter has stopped supporting basic auth long time ago...
Please see this Twitter developers documentation about Moving from Basic Auth to OAuth.
Related
I am building out a REST service using Flask-RESTful that will allow users to connect to their salesforce Environment and pull data.
Is it possible to secure a restful API with oauth2?! I cannot seem to find any documentation this.
The short answer is yes
Miguel Grinberg talks about securing your REST api (in which he talks about oauth) in his blog post here:
http://blog.miguelgrinberg.com/post/restful-authentication-with-flask
and he has a general guide to using oauth with flask here:
http://blog.miguelgrinberg.com/post/oauth-authentication-with-flask
His blog posts answered all of my questions when I was building my flask app and is in general a good resource.
** The long anser **
Oauth2 doesn't have any specific functionality that makes it better for authenticating a REST api than any other method of authentication. It's just one method of authentication. The hard part is when a user gets authenticated that they don't have to send their username and password with every request. To do this you generate a token for them and store it on the server side and store it in their session on the client side. Now all you need to do is send the token with any REST requests from the client to authenticate it. This is discussed in the first link (you can find it if you do ctrl-f token)
I am developing an Android application with a GAE backend, for sessions etc.
I want to use Google Cloud Endpoint and develop an API with custom authentication user model. I dont want to use the google's oauth. I want to implement a simple email/pass user authentication model with a session based token. I have no experience on GAE whatsoever. I have worked in python and it's frameworks(django, flask, etc).
I have looked for a sample project of this kind for past week(with no luck).
Can someone please provide me with sample code/resource on how to implement such an endpoint with session management and csrf protection along with ssl?
Ps: If you think cloud endpoints is not a good approach for my application(server backend) then please direct me to a source that may aid me in creating my own RESTful api with JSON encoding + crsf-protection and session management.
I have already seen the following but none of them have a detailed solution:
Custom Authentication for Google Cloud Endpoints (instead of OAuth2)
Google App Engine: Endpoints authentication when custom auth or Open ID is used
AppEngine Cloud Endpoints and custom Users service
You're in for a ride. It's not a simple process, but I've managed to do just what you're looking for--albeit in a slightly hackish way.
First, there's a boilerplate project for GAE (in Python) that implements a custom email/pwd login system using webapp2's extras: http://appengine.beecoss.com/
It follows the guidelines for setting up custom authentication detailed in this blog post: http://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
This project will set things up so that your user will start a session upon login. Now, in order to access the user information on this session in your endpoints, you'll follow the instructions to that first StackOverflow link you posted.
The key, after following the previous steps, is to match the session key in your endpoints to the session key in the config file of the boilerplate code. Then, you'll be able to get which user made the request and follow through with the endpoint call if they're validated:
self.get_user_from_cookie()
if not self.user:
raise endpoints.UnauthorizedException('Invalid token.')
It is incredibly ridiculous that this is how it works for custom authentication, so if you're used to Django and would like to implement your app that way, DO IT. It was "too late to turn back now" for me, and I despise Google for only documenting authentication schemes that work for Google account holders only.
OP, just use Django on GAE and save yourself the frustration. I'm sure there's plenty of quick integration with mobile apps that the Django community can provide.
No one wants to force their app users to have Google accounts in order to log in, Google. Stop it.
I'm trying to implement a secure google cloud endpoint in python for multi-clients (js / ios / android)
I want my users to be able to log by three ways loginForm / Google / Facebook.
I read a lot of docummentation about that but I didn't realy understood how I have to handle connection flow and session (or something else) to keep my users logged.
I'm also looking for a way to debug my endpoint by displaying objects like Request for exemple.
If someone know a good tutorial talking about that, it will be verry helpfull.
thank you
For request details, add 'HttpServletRequest' (java) to your API function parameter.
For Google authentication, add 'User' (java) to your API function parameter and integrate with Google login on client.
For twitter integration, use Google app-engine OpenID.
For facebook/loginForm, its all on you to develop a custom auth.
Do anyone know if there are alternatives of Django-SocialAuth which support Google, Facebook, Twitter and OpenID account.
I prefer webapp version instead of Django.
Or if you have done once would you mind sharing it?
Thanks in million.
try checking out http://code.google.com/p/gaema/
from the gaema introduction,
gaema is a library that provides
various authentication systems for
Google App Engine. It is basically the
tornado.auth module extracted to work
on App Engine and independently of any
framework.
It supports login using:
OpenId
OAuth
Google Accounts
Facebook
FriendFeed Twitter
You can use one, all or a mix of these
auth methods. This is done with
minimal overhead: gaema is small and
doesn't have any dependencies, thanks
to the awesome work done by the
Tornado crew.
gaema only authenticates an user, and
doesn't provide persistence such as
sessions or secure cookies to keep the
user logged in. Because each framework
do these things in a different way, it
is up to the framework to implement
these mechanisms.
You can get gaema from
http://pypi.python.org/pypi/gaema.
I'm developing a django app that integrates with google apps. I'd like to let the users login with their google apps accounts (accounts in google hosted domains, not google accounts) so they can access their docs, calendar, and whatnot.
In order to do it, I downloaded and started using django_openid_auth (and thus, python-openid).
First, to test it, I used this url in my settings:
OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/id'
And with that I managed to redirect the user to the google accounts page to login and then to return to my own domain, with the authentication cycle described by the google folks successfuly completed. However, to login to google accounts is of little use for me, as I'd like the users who have a google apps account in their hosted domain -but not a google account- to login with.
In order to do that, I read the google article on discovery " Discovering OpenID Endpoints for Hosted Domains", and changed the aforementioned setting to:
OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/site-xrds?hd=<my-domain>.com'
-where, obviously, <my-domain> is my actual domain ;)
But the backend responded with the following message:
OpenID authentication failed: HTTP
Response status from identity URL host
is not 200. Got status 404
Debugging a little, I managed to find out that the code in python-openid (version 2.2.4) is the one that is misinterpreting the response from google, but I'm quite at loss here.
I have seen the authentication in my own domain work in socialwok.com and puffypoodles.com So I'm quite certain that the auth cycle for my google apps domain works, but somehow python-openid can't seem to complete it (though, and I reiterate, it works just fine with plain old google accounts).
Should I try to fix python-openid, or is there another way to fix this? Has anyone successfuly managed to login with google apps in a pure django app (not in google app engine)?
According to http://groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains, Google changed the way of IdP Discovery and user XRDS check a little bit to give Google Apps users openid in http://example.com/openid?id=108441225163454056756 kind of format without asking the users to build their own openid servers. For small companies, people can get their openid under their domain with as few as just a domain name if they use Google Apps.
This might be a good approach because people could use their Google Apps Account for the authentication, and they can still give out openids under their own domain which they could change the authentication backend for in the future. It is simple and extendable, but sadly it hasn't became the standard yet. So, if you use standard library like python-openid, you will encounter some problems.
To solve those problems, you have to patch python-openid yourself to follow Google's approach.
I ran into the same problem before and I have a patched version of python-openid v2.1.1 which works for me.
If you need, I could post my code after some cleanup. It was a quick patch, so don't expect too much :)
I think you can give a try http://github.com/hudora/django-googleappsauth
but I found some bugs trying to fix them and translating comments