I'm attempting to use the Microsoft Graph API to send emails and edit excel documents from my works 355 environment.
I'm able to get into Active directory and register an app, but I'm unsure how to figure out authentication without having a webervice, azure hosting etc.
It seems that most authentication flows need a redirect URl to receive the token after sending the client id and secret.
Is there a way for me to authenticate from a python script sitting on a local Windows machine with no static IP?
The client credentials flow doesn't require a redireturi there is a good sample of using the MSAL in phython https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/confidential_client_secret_sample.py
If you want to use delegate authentication the other way would be the device code flow https://github.com/Azure-Samples/ms-identity-python-devicecodeflow
Another option is the native redirect you might want to look at something like https://pypi.org/project/msal-interactive-token-acquirer/
Related
I am currently building a web-app that requires a Spotify user to login using their credentials in order to access their playlists
I'm using the Spotipy python wrapper for Spotify's Web API and generating an access token using,
token = util.prompt_for_user_token(username,scope,client_id,client_secret,redirect_uri)
The code runs without any issues on my local machine. But, when I deploy the web-app on AWS, it does not proceed to the redirected uri and allow for user login.
I have tried transferring the ".cache-username" file via SCP to my AWS machine instance and gotten it to work in limited fashion.
Is there a solution to this issue? I'm fairly new to AWS and hence don't have much to go on or any idea where to look. Any help would be greatly appreciated. Thanks in advance!!
The quick way
Run the script locally so the user can sign in once
In the local project folder, you will find a file .cache-{userid}
Copy this file to your project folder on AWS
It should work
The database way
There is currently an open feature request on Github that suggests to store tokens in a DB. Feel free to subscribe to the issue or to contribute https://github.com/plamere/spotipy/issues/51
It's also possible to write a bit of code to persist new tokens into a DB and then read from it. That's what I'm doing as part of an AWS Lambda using DynamoDB, it's not very nice but it works perfectly https://github.com/resident-archive/resident-archive/blob/a869b73f1f64538343be1604d43693b6165cc58a/functions/to-spotify/main.py#L129..L157
The API way
This is probably the best way, as it allows multiple users to sign in simultaneously. However it is a bit more complex and requires you host a server that's accessible by URL.
This example uses Flask but one could adapt it to Django for example https://github.com/plamere/spotipy/blob/master/examples/app.py
I am trying to create a daemon python application which will get emails from outlook server using Microsoft outlook graph API. They have provided excellent tutorial and documentation on how to get it done for python app like django and flask. But I want to create daemon script which can get access code without using web interface(which was used in django).
Note: This app will only collect email from single email and will feed it to db.
Any help is appriciated.
It really depends on what kind of security you need. You can have your daemon/service authenticate with username/password directly, or you can have it authenticate with a certificate.
There are several different authentication scenarios, take a look at the docs page.
Either way, you need to register your daemon as an app in Azure and give it permissions to the Outlook API, just as if it were a web app.
I'm trying to access my GAE app from outside the browser.
At the moment it's Python script but I'm planning desktop C++ app.
I'm fallowing Using OAuth 2.0 for Installed Applications.
So far I managed to access user info:
https://www.googleapis.com/oauth2/v1/userinfo?alt=json
However every call to my GAE ends up with redirection to login page.
Is there a way to do authenticated calls to GAE from a script?
Please take a look at my test code
My goal:
Use Python script on my local machine to get data (json endpoint, static file, html, whatever) from my GAE app as authenticated user.
I believe this is sort of possible using ClientLogin (deprecated) https://developers.google.com/accounts/docs/AuthForInstalledApps.
However, I have found it much easier to just have an API secret string that I use (in a header, over HTTPS) to say that the request is from an approved script.
Alternatively you can do the oauth login flow (whichever flow you want, using your own oauth app), but you don't want to use any login: tags in app.yaml, just do it entirely in your Python code.
I'm writing a opensource app in python following this example:
https://developers.google.com/gmail/api/quickstart/quickstart-python?hl=it
I generated correctly the client_secret.json and ran successfully that example.
Now.. considering I'm starting to write my code and according with google doc:
Warning: Keep your client secret private. If someone obtains your client secret, they could use it to consume your quota, incur charges against your Google APIs Console project, and request access to user data.
so, how can I (in the future) share my app's code and keep at same time the client_secret.json secret?
Ok, I got the answer here:
https://developers.google.com/accounts/docs/OAuth2InstalledApp
This flow is similar to the one shown in the Using OAuth 2.0 for Web
Server Applications, but with three differences:
When creating a client ID, you specify that your application is an
Installed application. This results in a different value for the
redirect_uri parameter.
The client ID and client secret obtained from
the Developers Console are embedded in the source code of your
application. In this context, the client secret is obviously not
treated as a secret.
The authorization code can be returned to your
application in the title bar of the browser or to an http ://localhost
port in the query string.
In other words, if you specify that your project is an "Installed Application" while creating it in the Google APIs Console, you can safely embed secret in your code
To use Google API's, after activating them from the Google Developers Console, one needs to generate credentials. In my case, I have a backend that is supposed to consume the API server side. For this purpose, there is an option to generate what the Google page calls "Key for server applications". So far so good.
The problem is that in order to generate the key, one has to mention IP addresses of servers that would be whitelisted. But GAE has no static IP address that I could use there.
There is an option to manually get the IP's by executing:
dig -t TXT _netblocks.google.com #ns1.google.com
However there is no guarantee that the list is static (further more, it is known to change from time to time), and there is no programatic way I could automate the use of adding IP's that I get from dig into the Google Developers Console.
This leaves me with two choices:
Forget about GAE for this project, ironically, GAE cannot be used as a backend for Google API's (better use Amazon or some other solution for that). or
Program something like a watchdog over the output of the dig command that would notify me if there's a change, and then I would manually update the whitelist (no way I am going to do this - too dangerous), or allow all IP's to use the Google API granted it has my API key. Not the most secure solution but it works.
Is there any other workaround? Can it be that GAE does not support consuming Google API's server side?
You can use App Identity to access Google's API from AppEngine. See: https://developers.google.com/appengine/docs/python/appidentity/. If you setup your app using the cloud console, it should have already added your app's identity with permission to your project, but you can always check that out. From the "Permissions" Tab in cloud console for your project, make sure your service account is added under "Service Accounts" (in the form of your_app_id#appspot.gserviceaccount.com)
Furthermore, if you use something like the JSON API Libs available for python, you can use the bundled oauth2 library to do all of this for you using AppAssertionCredentials to authorize the API you wish to use. See: https://developers.google.com/api-client-library/python/guide/google_app_engine#ServiceAccounts
Yes, you should use App Identity. Forget about getting an IP or giving up on GAE :-) Here is an example of how to use Big Query, for example, inside a GAE application:
static {
// initializes Big Query
JsonFactory jsonFactory = new JacksonFactory();
HttpTransport httpTransport = new UrlFetchTransport();
AppIdentityCredential credential = new AppIdentityCredential(Arrays.asList(Constants.BIGQUERY_SCOPE));
bigquery = new Bigquery.Builder(httpTransport, jsonFactory, credential)
.setApplicationName(Constants.APPLICATION_NAME).setHttpRequestInitializer(credential)
.setBigqueryRequestInitializer(new BigqueryRequestInitializer(Constants.API_KEY)).build();
}