I am trying to get my head wrapped around grpc authentication. From the looks of the examples, it looks like grpc supports ssl/tls and google tokens...
I've also looked at json web tokens as a means of authentication.
I'm not sure if this is even the correct way of thinking about this, but how would I use JWT in conjunction with grpc?
Is the JWT the "token" that gets used with the oauth2 example?
Does it relate to the 'roots.pem' file that is being opened?
I feel like I know very little about authentication/tokens. I've tried searching for python examples that involve grpc and JWT, and it has been a mostly fruitless search.
Am I thinking about this the wrong way?
The normal JWT approach uses service account credentials which are provided by the environment in a well-known location. This is what "Google Default Credentials" are in the examples. These are by far the easiest to get working, and have the best security and performance characteristics.
OAuth2 is also supported, by using a OAuth token. This is useful for things like 3-legged OAuth or integrating into a pre-existing application that is using tokens directly.
roots.pem is something different. That's for TLS-based authentication with custom Certificate Authorities.
That said, there is currently no JWT example in Python. Please follow the open issue. The example today uses service account credentials, but then converts it to a normal OAuth token.
Related
I have a resource server (built with Flask, but not sure if that matters right now) that has a RESTful API. The API is secured with OAuth2 access tokens and scopes.
Currently the access tokens are opaque (not JWT) and the resource server needs to call the /oauth/token/info endpoint on the auth server to check if the access token is valid and get the list of scopes associated with the access token, and then validate the scopes granted against the ones required. We have some custom code for this.
We now want to start to use JWT access tokens so that we can avoid this call to the auth server, but we can't roll them out to all OAuth clients just yet, only some. So the resource server will be getting a mix of opaque access tokens and JWT access tokens. The JWT will be signed with a RS256 private/public key, and the public key will be available from the auth server at a /oauth/discovery/keys endpoint that the resource servers could hit on startup once and cache so that it doesn't need to hit it on every request, unless the public key changes and doesn't match the kid in the JWT.
While doing this, I was hoping we could get rid of some of the custom code we've written and use some tried and tested library for us, hence AuthLib.
However, I can't seem to find any good examples of how to configure a resource server to handle either of these cases individually, let alone both at the same time. The examples I see seem to assume the resource server has access to the access token database.
I'm assuming I will need to write my own BearerTokenValidator that handles this, but I was hoping there would be examples somewhere on how to go about that. Ideally with the ability to cache the public key for the JWT and only refresh when the JWT kid claim changes.
I was sort of hoping that a TokenInfoBearerTokenValidator and a JWTBearerTokenValidator existed that I could use that did most of the work for me. Maybe there are and I'm just missing it?
AuthLib 1.0 has been released with additional support fro JWTBearerTokens that makes this easier to accomplish now.
I'm attempting to write a simple script that I can run from my command line that will send warning messages to certain users on HipChat, and I've run into some issues around authentication. Ideally, I'd like to have the script prompt the user for their HipChat username and password, and use them to log into the Hipchat API. However, it seems that Hipchat doesn't offer this functionality, and I'm not sure what to do.
The documentation seems to suggest I manually generate a token, and use that instead. While this is definitely an option, it seems a little less user friendly, so I wanted to double check that there wasn't an alternative before going ahead. I want to avoid the installation and OAuth flows as much as possible (I don't think they're an option).
Any thoughts? I'm open to alternative suggestions, although it really seems like Basic Auth or simple token generation would be an option.
The hipchat APIs don't support username+password as authentication, for security reasons (you don't want your password flowing through every API call).
The OAuth flow you mention is used for the integrations. If you want to try the API manually (or to script them), there's a simpler auth flow:
Generate an API token by going to https://hipchat.com/account/api (make sure to select the right scopes for the APIs you want to call)
Call the API with the token as an authorization header Authorization: Bearer YOUR_TOKEN
[Much less secure] Or add your authorization token to the API URL as a query parameter: https://hipchat.com/v2/room?auth_token=YOUR_TOKEN
Full information is available here: https://developer.atlassian.com/hipchat/guide/hipchat-rest-api
I am new to web programming- I've recently been familiarizing myself with the webapp2 framework. I'm trying to start building a website, and would like users to login to the site with Facebook and I'll need access to their friends list. I've been trying to find a way to do this- I found out about OAUTH2, and I think this may be a way to do this. All the tutorials for python and OAUTH2 that I've found have been using the google API, I'm not sure if it's any different, but I haven't been able to get it to work.
Does anyone have sample code they can post that uses OAUTH2 (or anything else) to get users to sign in through Facebook? Or any good resources that can help me with this?
Your app needs to authorize users with Facebook, since there's where the resources you need are (e.g. friend lists).
This is a classic use of OAuth2 and you don't have a way around it, because FB implements this protocol.
My suggestion is that you look at the Google sample and then adjust it for FB API. The important changes are:
The endpoint URLs (e.g. authorize, token and user profile
The scopes that define the extent of permissions you are requesting (e.g. list of friends)
The user profile (e.g. the information returned by FB on a user: name, e-mail, etc)
This is a very simple sample that does this in Python. It was meant to run in Google App Engine. The only caveat is that it uses our own library to encapsulate the flow. But you can use it to study how the basic protocol works. Run the live demo and turn on dev tools on your browser to see the network activity.
You will notice that OAuth2 is a rather simple protocol, using simple HTTP requests.
I'm trying to understand OAuth, and I'm having a hard time figuring this basic thing out...
I have developed a service (with Python and Flask), which supports classic authentification through a dedicated login & password combination, and an "official" client in the form of a webapp. I would like my service to support OAuth and looked into flask-oauthprovider, which seems like a perfect fit for this task, but I can't seem to understand how everything should articulate.
My questions are:
Today, all my API entry points required the user to be logged in: once my service supports OAuth, should every entry points become "oauth_required" rather than "login_required"?
What is the proper way to support my "official" webapp front-end? I'd rather not have it go through the regular OAuth flow (with the extra redirections to login on the service). Should it go through OAuth with automatically granted access tokens, or should it bypass OAuth and directly use the "resource owner" login & password?
I think one of the problems with the concept behind oauthlib is that it tries too hard to be everything and the result is a difficult-to-reason-about set of abstractions (this is very similar to the python-oauth2 approach). OAuth providers in particular are tricky because you implicitly need to persist things like tokens not to mention the assumption of some kind of pre-exisiting user management. As such a "good" or idiomatic implementation tends to be more opinionated from framework to framework. In my opinion this is part of why we don't see a single Python OAuth provider implementation as an abstraction: there just aren't great solutions, but plenty of messy ones. Looking at flask-oauthprovider and we see some direct examples of these issues. I've had similar problems with flask-login, which I maintain. At any rate, this past weekend I wrote a very rough first pass of a OAuth provider in Flask that "just works"; feel free to take a look and adapt it to your needs. It assumes some things like, like MongoDB but with minimal work I think any datastore could be used.
1) Protect whichever endpoints you want to be accessible via a third-party, e.g. your public API.
2) I would avoid automatic access tokens, that defeats the person of negotiating authorization on a per-user basis, unless of course you have a different scheme, e.g. a predefined set of clients. I believe the second option you're talking about is xauth, in which case, why not just use OAuth 2.0 and grant_type=password? Bearer tokens are similar in concept but may be a little easier to implement so long as you can provide HTTPS.
After messing with oauth and discovering the final leg of twitter oauth was not reliably sending back the oauth_verifier (though it seemed to authenticate anyway!), i got a bit disgruntled.
then i discovered #anywhere, the javascript twitter lib, and thought i'd give it a go.
#anywhere out of the box seems designed to allow one to do stuff like setup a tweetbox on your page. this is quite lovely but i also want my app to be able to interact with twitter server-side, i.e. from a Django script.
the auth cycle from #anywhere returns a cookie called twitter_anywhere_identity.
its format is defined as something like "userid:signature" where the signature is verifiable via hashing against the application consumer secret to prove that the cookie really came from twitter.
BUT can anyone tell me whether/how the twitter_anywhere_identity cookie (contains information that?) can be used as an access token? (if not, i'm going back to normal oauth...i guess.)
speaking of which, can anyone tell me which python library is really the best for twitter? there seem to be about 8 of them out there.
thanks!
jingles
Twitter's #themattharris pre announced #Anywhere oauth_bridge_code support. You will be able to get an oauth 1.0a token by this API.
See http://blog.abrah.am/2010/09/using-twitter-anywhere-bridge-codes.html for details.
Not yet, but in the works, if I correctly interpret an August 9th comment from Taylor Singletary:
We'll have a solution for this
announced soon that will allow you to
move more seamlessly between the
(non-OAuth 1.0a) access tokens that
make up #Anywhere requests and
server-side REST requests using OAuth
1.0a access tokens.
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/2ec8f0ce984fd6e5/8e4db35fa82b22ca?lnk=gst&q=%40anywhere#8e4db35fa82b22ca
meantime, i got my OAuth1.0a solution working and i'm cool with that. ;)
JB