I'm very beginner with authlib and trying to understand its concepts.
I try to understand, how can I save and reuse fetched tokens with authlib.
I created small FastAPI project:
from fastapi import FastAPI
from starlette.config import Config
from starlette.middleware.sessions import SessionMiddleware
from starlette.requests import Request
from authlib.integrations.starlette_client import OAuth
app = FastAPI()
app.add_middleware(SessionMiddleware, secret_key="some-random-secret")
config = Config(".env")
oauth = OAuth(config)
oauth.register(
name="some_service",
client_id="client_id",
client_secret="client_secret",
authorize_url="https://some-service.com/auth",
access_token_url="https://some-service.com/token",
client_kwargs={
"token_endpoint_auth_method": "client_secret_post",
},
)
#app.get("/login")
async def login(request: Request):
redirect_uri = "https://myservice.com/auth"
return await oauth.some_service.authorize_redirect(request, redirect_uri)
#app.get("/auth")
async def auth(request: Request):
token = await oauth.some_service.authorize_access_token(request)
# I suppose that I should save somehow token here
return token
#app.get("/account")
async def get_account(request: Request):
account_url = "https://some-service.com/account"
resp = await oauth.some_service.get(account_url)
return resp.json()
I want to get account info. So, further steps will be:
GET /login
I'm giving access to use my account and will be redirected back to my service.
GET /auth?oauth_params1=foo&oauth_params2=bar
There will be fetched tokens from token provider. I know that I'm wrongly supposing that token will somehow saved somewhere.
GET /account
And there I'm expecting that with OAuth client I can send previously fetched token. But, I'm getting next error:
authlib.integrations.base_client.errors.MissingTokenError: missing_token:
I also know that I should provide token like that:
oauth.some_service.get(account_url, token=previously_fetched_token)
But, I don't want to ask every time token from some-service I want to reuse token. How to do that?
Am I wrong that this issue is the part of authlib scope? Should I find solution with cache or database mechanisms?
p.s.: I'm really beginner with FastAPI too...
The token is an object with several values-
{
"oauth_token": "TOKEN ID",
"oauth_token_secret": "SECRET TOKEN",
"user_id": "USER ID",
"screen_name": "USER SCREEN NAME"
}
You have several options-
Use a database model that has those values. Use the "user_id" as the primary key, as the "screen_name" can be changed by users.
JSON encode the whole object and stash it somewhere.
Shove it into a cookie object so it's sent back with each request. The nice part of this is you don't have to worry about storing the oauth token at all, but it means you can't do anything with it outside of user requests.
Related
I hope everyone is fine. I am trying to implement google sso on my fastapi app. after entering the user credentials is entered and it gets redirected while redirecting i am getting this error
google_sso = GoogleSSO("client-id", "client-secret", "http://127.0.0.1:8000/google/callback/")
#app1.get("/google/login")
async def google_login():
"""Generate login url and redirect"""
return await google_sso.get_login_redirect()
#app1.get("/google/callback")
async def google_callback(request: Request):
"""Process login response from Google and return user info"""
user = await google_sso.verify_and_process(request)
print("Hellooooooooooooooo")
print(user, "11111111111111")
return {
"id": user.id,
"picture": user.picture,
"display_name": user.display_name,
"email": user.email,
"provider": user.provider,
}
I have shared the URL configuration in google dashboard in below screenshot
enter image description here
the error i have mentioned below
oauthlib.oauth2.rfc6749.errors.CustomOAuth2Error: (redirect_uri_mismatch) Bad Request
The problem could lay in the process_login() function which is getting called in the verify_and_process() function in your /callback api.
Let's take a look inside the process_login() function (https://tomasvotava.github.io/fastapi-sso/sso/base.html#fastapi_sso.sso.base.SSOBase.verify_and_process):
async def process_login(self, code: str, request: Request) -> Optional[OpenID]:
"""This method should be called from callback endpoint to verify the user and request user info endpoint.
This is low level, you should use {verify_and_process} instead.
"""
url = request.url
current_url = str(url).replace("http://", "https://")
current_path = f"https://{url.netloc}{url.path}"
I guess the (redirect_uri_mismatch) error is because you are using a HTTP redirect_url in your GoogleSSO() call:
google_sso = GoogleSSO("client-id", "client-secret", "http://127.0.0.1:8000/google/callback/")
Inside the process_login() function the HTTP of the redirect url inside the url of your request is replaced with HTTPS:
url = request.url
current_url = str(url).replace("http://", "https://")
After that replacement you have a mismatch with your redirect url, because
https://127.0.0.1:8000/google/callback/
is not
http://127.0.0.1:8000/google/callback/
They are two different urls.
Solution could be that you secure your server with HTTPS via self signed certificates.
(That one is very simple: https://dev.to/rajshirolkar/fastapi-over-https-for-development-on-windows-2p7d)
Btw. did you register you app in the google cloud (https://developers.google.com/identity/sign-in/web/sign-in)? Because you are using "client-id" and "client-secret" as parameters.
try it use 127.0.0.1:8000/google/callback #remove /
or
fix url #app1.get("/google/callback/") #add /
This is because the port number is changing in the redirect URI, everytime you run the application.
So everytime you run it it becomes:
http://localhost:65280/
http://localhost:65230/
http://localhost:63280/
And so forth. I dont have a solution for you yet. Working on it myself right now.
I am trying to get started with the Box.com SDK and I have a few questions.
from boxsdk import OAuth2
oauth = OAuth2(
client_id='YOUR_CLIENT_ID',
client_secret='YOUR_CLIENT_SECRET',
store_tokens=your_store_tokens_callback_method,
)
auth_url, csrf_token = oauth.get_authorization_url('http://YOUR_REDIRECT_URL')
def store_tokens(access_token, refresh_token):
# store the tokens at secure storage (e.g. Keychain)
1)What is the redirect URL and how do I use it? Do I need to have a server running to use this?
2)What sort of code to I need in the store_tokens method?
The redirect URL is only required if you're runng a Web application that needs to respond to user's requests to authenticate. If you're programtically authenticating, you can simply set this as http://localhost. In a scenario where you require the user to manually authenticate, the redirect URL should invoke some function in your web app to store and process the authentication code returned. Do you need a server running? Well, if you want to do something with the authentication code returned, the URL you specify should be under your control and invoke code to do something useful.
Here's an example of what the store_tokens function should look like. It should accept two parameters, access_token and refresh_token. In the example below, the function will commit these to a local store for use when the API needs to re-authenticate:
From here:
"""An example of Box authentication with external store"""
import keyring
from boxsdk import OAuth2
from boxsdk import Client
CLIENT_ID = 'specify your Box client_id here'
CLIENT_SECRET = 'specify your Box client_secret here'
def read_tokens():
"""Reads authorisation tokens from keyring"""
# Use keyring to read the tokens
auth_token = keyring.get_password('Box_Auth', 'mybox#box.com')
refresh_token = keyring.get_password('Box_Refresh', 'mybox#box.com')
return auth_token, refresh_token
def store_tokens(access_token, refresh_token):
"""Callback function when Box SDK refreshes tokens"""
# Use keyring to store the tokens
keyring.set_password('Box_Auth', 'mybox#box.com', access_token)
keyring.set_password('Box_Refresh', 'mybox#box.com', refresh_token)
def main():
"""Authentication against Box Example"""
# Retrieve tokens from secure store
access_token, refresh_token = read_tokens()
# Set up authorisation using the tokens we've retrieved
oauth = OAuth2(
client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
access_token=access_token,
refresh_token=refresh_token,
store_tokens=store_tokens,
)
# Create the SDK client
client = Client(oauth)
# Get current user details and display
current_user = client.user(user_id='me').get()
print('Box User:', current_user.name)
if __name__ == '__main__':
main()
I suggest taking a look at the OAuth 2 tutorial. It will help give a better understanding of how OAuth works and what the various parameters are used for.
The redirect URL is set in your Box application's settings:
This is the URL where Box will send an auth code that can be used to obtain an access token. For example, if your redirect URL is set to https://myhost.com, then your server will receive a request with a URL that looks something like https://myhost.com?code=123456abcdef.
Note that your redirect URI doesn't need to be a real server. For example, apps that use a WebView will sometimes enter a fake redirect URL and then extract the auth code directly from the URL in the WebView.
The store_tokens callback is optional, but it can be used to save the access and refresh tokens in case your application needs to shutdown. It will be invoked every time the access token and refresh token changes, giving you an opportunity to save them somewhere (to disk, a DB, etc.).
You can then pass in these tokens to your OAuth2 constructor at a later time so that your users don't need to login again.
If you're just testing, you can also pass in a developer token. This tutorial explains how.
This is the most basic example that worked for me:
from boxsdk import Client, OAuth2
CLIENT_ID = ''
CLIENT_SECRET = ''
ACCESS_TOKEN = '' # this is the developer token
oauth2 = OAuth2(CLIENT_ID, CLIENT_SECRET, access_token=ACCESS_TOKEN)
client = Client(oauth2)
my = client.user(user_id='me').get()
print(my.name)
print(my.login)
print(my.avatar_url)
I'm consistently getting an "Invalid response from Facebook" error when authenticating over Facebook with Oauthlib when building off of the sample code here.
I've outlined the sections of relevant code below.
Setup:
Setting up the Oauth request object.
Not pictured: Navigational routes and Flask app initialization.
from flask_oauthlib.client import OAuth, OAuthException
oauth = OAuth()
facebook = oauth.remote_app('facebook',
base_url='https://graph.facebook.com/',
request_token_url=None,
access_token_url='/oauth/access_token',
authorize_url='https://www.facebook.com/dialog/oauth',
consumer_key=config.get("app_id"),
consumer_secret=config.get("app_secret"),
request_token_params={'scope': 'public_profile,email'}
)
#facebook.tokengetter
def get_facebook_token():
if current_user.is_authenticated():
return current_user.get_facebook_token()
else:
return None
Login handler:
Sending users here in order to begin the process, with the url for the facebook callback appended to the root URL.
#app.route('/facebook/login')
def facebook_login():
return facebook.authorize(callback="http://example.com%s" % url_for('facebook_callback'))
Facebook callback, source of the issue:
From here I can garner that a code (presumably the token) is returned but Oauthlib fails to parse it correctly.
#app.route('/facebook/callback')
def facebook_callback(response):
response = facebook.authorized_response()
if response is None:
flash("You denied the request to sign in.", "error")
return redirect(url_for('index'))
if isinstance(response, OAuthException):
flash("Access denied: %s" % response.message, "error")
return redirect(url_for('index'))
# Request fails here, returns the redirect above.
From dumping the request args I can see fairly clearly that after being directed to Facebook and successfully connecting, there is a very long token being returned to the callback along the lines of '?code=1234567890-abcdefghijklmnop', however actually trying to authenticate with this fails with "Invalid response from Facebook".
Here is a sample request dump:
ImmutableMultiDict([('code', 'AQAPedwWavTb_cBx6NVy-qy3AL5YPr780oG5tA1LfITpVwkk-kr_4I0lG6B-vlhcYEubhuKhEM46bPs-1WpWUpJzcWfhkQ64lIkdLm9uSHSqeBHBM_6zw7SDpvVmGK-JKWBpAqRJuBKenl9zslQizthox96104iiul0uYQY67cmZgPXZi9uL-mcgZ5dRj387eKJIjNninBXxwCGgFkg5kLVHYt7t0ktUH58stYlxn2f98AXuSlrIvWsA5NeHsVbM8XY0XQrDrNbCvjDmEwHQGkZ3uZRbyaecN7MAi0bM0TrZzpuQ8j3M34DnQp_v9n4ktM4')])
Having used similar code based off of the Twitter sample that works, I'm thinking this could be a possible library bug due to Facebook API changes, but I would appreciate any pointers!
For anyone who stumbles upon this from Google in the future, I solved this in a solution that can be read here.
Hey there, I solved this issue in a very hacky way which I would not
recommend for production environments, but I eventually found the
issue a few days after my last message.
When you ask Facebook for an access token, it does NOT give you an
access token in the way you might expect. What I assumed to be a
failure on Facebook's side was instead a (perhaps intentional)
formatting error.
What you might expect:
http://example.com/callback?access_token=00000000000
or
http://example.com/callback with the access token passed as a POST
argument in the headers.
What actually happens is that Facebook responds like this:
http://example.com/callback?#access_token=0000000000
Because of this, it is -impossible- for any server side language
to parse it, as the access token will now only be visible to the
browser itself. It is not passed to the backend whatsoever.
Capturing the request:
#app.route('/facebook/translate', methods=['GET'])
def facebook_translate():
# Facebook responds with the access token as ?#access_token,
# rather than ?access_token, which is only accessible to the browser.
# This part is where things get really, really dumb.
return ''' <script type="text/javascript">
var token = window.location.href.split("access_token=")[1];
window.location = "/facebook/callback?access_token=" + token;
</script> '''
Proceeding as usual:
#app.route('/facebook/callback', methods=['GET', 'POST'])
def facebook_callback():
access_token = request.args.get("access_token")
if access_token == "undefined":
flash("You denied the request to sign in.", "error")
return redirect(url_for('index'))
graph = facebooksdk.GraphAPI(access_token)
profile = graph.get_object("me")
I am creating an API to wrap google oauth. I am using google python client library.
Code in api.py
from flask import request, g
from ..helpers import config_helper
from ..adapters.youtube.oauth_adapter import OauthAdapter
from ..api import api_blueprint as api
#api.before_app_request
def before_request():
client_id, client_secret, scope, callback = config_helper.get_config()
g.auth = OauthAdapter(client_id, client_secret, scope, callback)
#api.route('/authorisation_url/')
def authorisation_url():
auth = g.get('auth', None)
return auth.get_authorisation_url()
#api.route('/oauth2callback/')
def callback():
authorisation_code = request.args.get('code')
return authorisation_code
#api.route('/save_oauth2credential/', methods=['POST'])
def oauth2_credentials():
auth = g.get('auth', None)
user = request.form.get('user')
authorisation_code = request.form.get('authorisation_code')
auth.save_credentials(user, authorisation_code)
#api.teardown_app_request
def after_request(response):
g.auth = None
return response
Code in oauth_adapter.py
from oauth2client.client import OAuth2WebServerFlow
from ..repositories import oauth_credentials_repository
class OauthAdapter:
def __init__(self, client_id, client_secret, scope, callback):
self.flow = OAuth2WebServerFlow(client_id=client_id,
client_secret=client_secret,
scope=scope,
redirect_uri=callback)
def get_authorisation_url(self):
return self.flow.step1_get_authorize_url()
def save_credentials(self, user, authorisation_code):
credentials = self.flow.step2_exchange(authorisation_code)
oauth_credentials_repository.save(user, credentials, 'Google')
I need to save the credentials object against the logged in user so I can use it later to make call to other google api's on behalf of this user.
When I call #api.route('/save_oauth2credential/', methods=['POST']) to retrieve the credentials using the authorisation_code retrieved in #api.route('/oauth2callback/') step. I keep getting FlowExchangeError: invalid_grant
Any ideas?
Have a look at the network dialogue in Chrome Devtools and see what is going over the wire. I'm guessing that there is a 403 invalid grant response in there somewhere. So you need to figure out the cause of the invalid grant. I just posted some possible explanations at Getting 'invalid_grant' error with google oauth from second time
In general, there are two things you need to do.
Firstly, check that your code is correct, that your scopes and client id are solid, and that you are correctly saving the refresh token.
Once you've done all of that, you need to deal with invalid grant as an occupational hazard, and reprompt the user for for authorisation in order to get a new refresh token.
I'm working with the OAuth2Decorator() and Pytgon I'm in that stage where i'm still unsure of something about the App Engine. The documentation is not providing any info or I simply can't follow it. So:
Does OAuth2Decorator() store user Crediantials?
Does OAuth2Decorator() retrieve new tokens automatically?
Conside this following example.:
decorator = OAuth2Decorator(...)
service = build("drive", "v2")
class AppHandler(BaseHandler):
#decorator.oauth_aware
def get(self):
if decorator.has_credentials():
init = service.files().list().execute(decorator.http())
items = init['items']
context = {'data': getitems(items)}
self.render_response('index.html',**context)
else:
url = decorator.authorize_url()
self.redirect(url)
The credentials get stored as CredentialsModel in the datastore.
Provided the access that's requested is 'offline' (I believe this is the default), then there will be a 'refresh token' stored alongside the temporary access-token. If a request is made with a credentials-wrapped Http client, then upon receiving a response that indicates the access token has expired, the client make a request to get a new access token automatically, and then the original request will be retried with the new access token, which will then be stored in place of the expired one.