I have this easy code sample for the OneDrive API on Python:
import onedrivesdk
from onedrivesdk.helpers import GetAuthCodeServer
redirect_uri = "https://login.live.com/oauth20_desktop.srf"
client_secret = "client-secret-code1234"
client = onedrivesdk.get_default_client(client_id='00000000123456F',
scopes=['wl.signin',
'wl.offline_access',
'onedrive.readwrite'])
auth_url = client.auth_provider.get_auth_url(redirect_uri)
#this will block until we have the code
code = GetAuthCodeServer.get_auth_code(auth_url, redirect_uri)
client.auth_provider.authenticate(code, redirect_uri, client_secret)
returned_item = client.item(drive="me", id="root").children["newfile.txt"].upload("./newfile.txt")
So, when I run this my browser opens and I can choose Yes or No for the permissions of my App. When I choose Yes it should send the auth code back to my python program and upload the file in returned_item.
But it does not come back.
Any ideas how to solve it?
In the oauth authentication flow, after successful authentication of your app the authentication token needs to be sent somewhere. The redirect_uri is where the browser is heading after the authentication.
The case here is that a server listening on http://localhost:8080 is created by the call to GetAuthCodeServer.get_auth_code(auth_url, redirect_uri), waiting for the token.
So you need to use this url as redirect_uri.
Also in order to allow this redirect, you need to add it as 'trusted' in your App Settings under 'API Settings'.
And make sure 'Mobile or desktop client app' is set to 'yes'.
Related
I created a Flask app with endpoints ready for Dropbox webhooks. A Dropbox webhook is a service that calls our defined API endpoint when some event happens in our dropbox folder (like uploading a file). The configuration for my app is like shown in next image, clearly showing that the webhook URI has been enabled, i.e. challenge URI for Dropbox webhook works correctly (API_KEY, API_SECRET, and app.secret_key are hidden here).
Next, you can see the code of my flask app. The problem is that I am expecting the /webhook POST call to be triggered everytime I upload a file to my Dropbox folder, but it never happens. Do you know the correct way to fix this? Thank you.
# App key and secret from the App console (dropbox.com/developers/apps)
APP_KEY = "XXXXXXXXXXXXX"
APP_SECRET = "YYYYYYYYYYYYY"
app = Flask(__name__)
app.debug = True
# A random secret used by Flask to encrypt session data cookies
app.secret_key = "zzzzzzzzzzzzz"
def process_user(account):
print("Yeahhhhh")
#app.route('/webhook', methods=['GET'])
def challenge():
'''Respond to the webhook challenge (GET request) by echoing back the challenge parameter.'''
resp = Response(request.args.get('challenge'))
resp.headers['Content-Type'] = 'text/plain'
resp.headers['X-Content-Type-Options'] = 'nosniff'
return resp
#app.route('/webhook', methods=['POST'])
def webhook():
'''Receive a list of changed user IDs from Dropbox and process each.'''
# Make sure this is a valid request from Dropbox
signature = request.headers.get('X-Dropbox-Signature').encode("utf-8")
if not hmac.compare_digest(signature, hmac.new(APP_SECRET, request.data, sha256).hexdigest()):
abort(403)
for account in json.loads(request.data)['list_folder']['accounts']:
threading.Thread(target=process_user, args=(account,)).start()
return ''
if __name__=='__main__':
app.run(host='0.0.0.0')
There are a few things to check if you're not receiving the expected webhook notification requests from Dropbox. Make sure you have:
the correct app: if you may have registered multiple apps, ensure that you added the webhook URI to the right one
the correct webhook URI: ensure you have the right host/port/path registered in your webook URI. (The dropbox_hook project can be useful for easily simulating webhook notification requests.)
changes in the correct account: ensure that you're making changes in the right account. Dropbox webhook notifications will only be sent for changes in an account that is currently connected to the API app (e.g., authorized by the OAuth app authorization flow, or by generating an access token on the App Console).
changes in the correct folder, if using the "app folder" permission: for apps using the "app folder" permission, such as yours, webhook notifications will only be sent for changes inside the special app folder created in connected users' accounts (by default at /Apps/APP_FOLDER_NAME for accounts using English), and not anywhere else in the accounts.
I'm using Active Directory Authentication library for python following the documentation. Earlier on I managed to get the access_token through the Acquire Token with Client Credentials sample:
import adal
RESOURCE_URI = 'https://<mydomain>.crm.dynamics.com'
AUTHORITY_URL = "https://login.microsoftonline.com/<tenant_id>"
CLIENT_ID = 'xxxx' #application_id
CLIENT_SECRET = 'xxxx'
context = adal.AuthenticationContext(AUTHORITY_URL)
token = context.acquire_token_with_client_credentials(
RESOURCE_URI,
CLIENT_ID,
CLIENT_SECRET)
print token
But I get an error message when I tried the Acquire token and Refresh token sample
context = adal.AuthenticationContext(AUTHORITY_URL)
token = context.acquire_token_with_username_password(
RESOURCE_URI,
USERNAME,
PASSWORD,
CLIENT_ID)
print token
>>> adal.adal_error.AdalError: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.........."correlation_id"......}
adal.adal_error.AdalError: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.........."correlation_id"......}
There are two kinds of app we can register on Azure, native or web app. Based on the error message, it seems that you have register a confident app which requires provide its client secret to acquire the access token.
For this issue please register a native app instead of web app. Also the resource owner password credentials flow should be consider used carefully since this may leak the credentials. Refer the flows from link below:
The OAuth 2.0 Authorization Framework - Authorization Grant
I suffered from the same error.
In app registration section in azure active directory I registered the app as web host/api.
When I changed it to native app everything started to work fine.
I am trying to obtain a token from Azure AD from Python client application. I want users to seamlessly authenticate with just a username and password (client_id / secret will be embedded in the app). I registered my app and given it all permissions and hit the "grant permissions" button in the new portal according to this post:
The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource
I am sending an http post to:
https://login.microsoftonline.com/{tenant_id}/oauth2/token
with the following data:
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
body = "resource={0}&grant_type=password&username={1}&password={2}&client_id={3}&client_secret={4}&scope=openid".format(app_id_uri,user,password,client_id,client_secret)
I cannot seem to get past this error no matter what I try:
b'{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID \'078c1175-e384-4ac7-9116-efbebda7ccc2\'. Send an interactive authorization request for this user and resource.
Again, my goal:
User enters user / pass and nothing else. App sends user / pass / client_id / client_secret, obtains token.
According to your comment:
The message I'm receiving says to do an interactive request but that is exactly what I'm trying to avoid because this is a python app with no web browser and I'm trying to avoid complexity.
I think you want to build a daemon app or an app only application integrating with Azure AD. You can refer to https://graph.microsoft.io/en-us/docs/authorization/app_only for the general introduction.
Furthermore, you can leverage the ADAL for Python to implement this functionality with a ease. Also, you can refer to client_credentials_sample.py for a quick start.
You should try logging in as an admin to be able to give consent to use the application on your tenant at all.
I am trying to get started with the Box.com SDK and I have a few questions.
from boxsdk import OAuth2
oauth = OAuth2(
client_id='YOUR_CLIENT_ID',
client_secret='YOUR_CLIENT_SECRET',
store_tokens=your_store_tokens_callback_method,
)
auth_url, csrf_token = oauth.get_authorization_url('http://YOUR_REDIRECT_URL')
def store_tokens(access_token, refresh_token):
# store the tokens at secure storage (e.g. Keychain)
1)What is the redirect URL and how do I use it? Do I need to have a server running to use this?
2)What sort of code to I need in the store_tokens method?
The redirect URL is only required if you're runng a Web application that needs to respond to user's requests to authenticate. If you're programtically authenticating, you can simply set this as http://localhost. In a scenario where you require the user to manually authenticate, the redirect URL should invoke some function in your web app to store and process the authentication code returned. Do you need a server running? Well, if you want to do something with the authentication code returned, the URL you specify should be under your control and invoke code to do something useful.
Here's an example of what the store_tokens function should look like. It should accept two parameters, access_token and refresh_token. In the example below, the function will commit these to a local store for use when the API needs to re-authenticate:
From here:
"""An example of Box authentication with external store"""
import keyring
from boxsdk import OAuth2
from boxsdk import Client
CLIENT_ID = 'specify your Box client_id here'
CLIENT_SECRET = 'specify your Box client_secret here'
def read_tokens():
"""Reads authorisation tokens from keyring"""
# Use keyring to read the tokens
auth_token = keyring.get_password('Box_Auth', 'mybox#box.com')
refresh_token = keyring.get_password('Box_Refresh', 'mybox#box.com')
return auth_token, refresh_token
def store_tokens(access_token, refresh_token):
"""Callback function when Box SDK refreshes tokens"""
# Use keyring to store the tokens
keyring.set_password('Box_Auth', 'mybox#box.com', access_token)
keyring.set_password('Box_Refresh', 'mybox#box.com', refresh_token)
def main():
"""Authentication against Box Example"""
# Retrieve tokens from secure store
access_token, refresh_token = read_tokens()
# Set up authorisation using the tokens we've retrieved
oauth = OAuth2(
client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
access_token=access_token,
refresh_token=refresh_token,
store_tokens=store_tokens,
)
# Create the SDK client
client = Client(oauth)
# Get current user details and display
current_user = client.user(user_id='me').get()
print('Box User:', current_user.name)
if __name__ == '__main__':
main()
I suggest taking a look at the OAuth 2 tutorial. It will help give a better understanding of how OAuth works and what the various parameters are used for.
The redirect URL is set in your Box application's settings:
This is the URL where Box will send an auth code that can be used to obtain an access token. For example, if your redirect URL is set to https://myhost.com, then your server will receive a request with a URL that looks something like https://myhost.com?code=123456abcdef.
Note that your redirect URI doesn't need to be a real server. For example, apps that use a WebView will sometimes enter a fake redirect URL and then extract the auth code directly from the URL in the WebView.
The store_tokens callback is optional, but it can be used to save the access and refresh tokens in case your application needs to shutdown. It will be invoked every time the access token and refresh token changes, giving you an opportunity to save them somewhere (to disk, a DB, etc.).
You can then pass in these tokens to your OAuth2 constructor at a later time so that your users don't need to login again.
If you're just testing, you can also pass in a developer token. This tutorial explains how.
This is the most basic example that worked for me:
from boxsdk import Client, OAuth2
CLIENT_ID = ''
CLIENT_SECRET = ''
ACCESS_TOKEN = '' # this is the developer token
oauth2 = OAuth2(CLIENT_ID, CLIENT_SECRET, access_token=ACCESS_TOKEN)
client = Client(oauth2)
my = client.user(user_id='me').get()
print(my.name)
print(my.login)
print(my.avatar_url)
I am stuck with a problem.
#!/usr/bin/python
import httplib2
import pprint
from apiclient.discovery import build
from apiclient.http import MediaFileUpload
from oauth2client.client import OAuth2WebServerFlow
# Copy your credentials from the console
CLIENT_ID = 'YOUR_CLIENT_ID'
CLIENT_SECRET = 'YOUR_CLIENT_SECRET'
# Check https://developers.google.com/drive/scopes for all available scopes
OAUTH_SCOPE = 'https://www.googleapis.com/auth/drive'
# Redirect URI for installed apps
REDIRECT_URI = 'urn:ietf:wg:oauth:2.0:oob'
# Path to the file to upload
FILENAME = 'document.txt'
# Run through the OAuth flow and retrieve credentials
flow = OAuth2WebServerFlow(CLIENT_ID, CLIENT_SECRET, OAUTH_SCOPE, REDIRECT_URI)
authorize_url = flow.step1_get_authorize_url()
print 'Go to the following link in your browser: ' + authorize_url
code = raw_input('Enter verification code: ').strip()
credentials = flow.step2_exchange(code)
# Create an httplib2.Http object and authorize it with our credentials
http = httplib2.Http()
http = credentials.authorize(http)
drive_service = build('drive', 'v2', http=http)
# Insert a file
media_body = MediaFileUpload(FILENAME, mimetype='text/plain', resumable=True)
body = {
'title': 'My document',
'description': 'A test document',
'mimeType': 'text/plain'
}
file = drive_service.files().insert(body=body, media_body=media_body).execute()
pprint.pprint(file)
The above code asks user to copy the url to the browser, and then authorize their account, and then again, copy-paste the code and paste it on the terminal. I know storing the credentials and using the refresh tokens, users will have to do this just for once.
But, I don't want so much of user-interactions. Is it possible that user authorizes by just logging in to their gmail account? As in, from my code itself, the authorization link should get open in a web browser without user doing it, and just signs in to his/her account, and that's it, authorization is done, and this login should also happen for just one time, as in, one time authorization, so that whatever is uploaded, gets uploaded on his Google Drive account and maintained. The authorization code should be directly retrieved, and these credentials should be stored as usual and be used and tokens should also be refreshed.
I came across Google Drive Service Account, good thing is that user-intervention is gone completely, but bad thing is that, it doesn't allow the account where the file is to be uploaded. It uploads the file on that drive who has created the app.
Can anyone pls help me out with this? If going with the above code, then what should I be doing to automate the task? If going with the Service Account, what should I be doing to make the app upload the data to the user's own drive account?
Any help would be appreciated.
Thanks!
I'm guessing that you have a local Python app (not web app) that you want to be able to access user's Drive. There is no reason why the authorisation needs to be done in your Python app. So for example you could write a small web app that walks the user through the authentication process, then emails you or the user the appropriate strings to paste into the python app.
Did the same for DropBox. You can integrate PyQt's or PySide QWebView (Webkit) where in you can put the auto open the URL. A mix of javascript and python can get the job done.