I'm writing Python 2.7 desktop application which needs to access Google Spreadsheets using OAuth 2.0. I'va found a library for Google Spreadsheets for python here which uses this python OAuth2.0 library. The flow for desktop applications described here tells me that I have to generate RequestToken URL first which user can use to get Authorization Code to the application.
I already have Client ID and Client Secret generated in Developer's Console. But I can't figure out what class/method I can use to generate RequestToken URL in python.
Should I somehow construct it myself or is there an API to do it?
I've figured it out from documentation here
#!/usr/bin/env python
import oauth2client
from oauth2client.client import OAuth2WebServerFlow
flow = OAuth2WebServerFlow(client_id='your_client_id',
client_secret='your_client_secret',
scope='https://spreadsheets.google.com/feeds',
redirect_uri='urn:ietf:wg:oauth:2.0:oob')
auth_uri = flow.step1_get_authorize_url()
print auth_uri
You'd need your own client_id and client_secret here though.
Related
I am building a Web App with Python and I would like to authenticate users.
The pyrebase package seems to be outdated and it generates dependency errors so I cannot use it.
I know that there is a function from the firebase-admin API that works like this:
from firebase import auth
email = example#example.com
user = auth.get_user_by_email(email)
But what if this user has a password? I would like to check if the both the email and the password are provided correctly. Thanks in advance.
The Firebase Admin SDK does not have the concept of a current user, so there's no API to "sign in" a user based on their credentials.
Since you're building a web app, the usual flow is to use the Firebase JavaScript SDK in your client-side code to sign the user in. If needed you can then send the ID token from the client to your Python code on the server, and perform user-based operations there.
Firebase Admin SDK doesn’t provide an API to validate and/or authenticate a user by their password.
However, Firebase provides the Firebase Auth REST API for this purpose. To use the REST API, you need to obtain your Web API Key from the Firebase console.
To Locate the Web API Key
Navigate to Project Settings from Firebase console, then find Web API Key on the General tab. The Web Api key is auto generated whenever you add app to your firebase project. You can also go to an app settings to find apiKey from firebaseConfig
Implement Authentication
Suppose you want to implement user sign in
def sign_in_with_email_and_password(email, password, return_secure_token=True):
payload = json.dumps({"email":email, "password":password, "return_secure_token":return_secure_token})
FIREBASE_WEB_API_KEY = 'the web API key here'
rest_api_url = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword"
r = requests.post(rest_api_url,
params={"key": FIREBASE_WEB_API_KEY},
data=payload)
return r.json()
References
https://betterprogramming.pub/user-management-with-firebase-and-python-749a7a87b2b6
https://firebase.google.com/docs/projects/api-keys
https://firebase.google.com/docs/reference/rest/auth
I created 2 applications in my Azure directory, 1 for my API Server and one for my API client. I am using the Python ADAL Library and can successfully obtain a token using the following code:
tenant_id = "abc123-abc123-abc123"
context = adal.AuthenticationContext('https://login.microsoftonline.com/' + tenant_id)
token = context.acquire_token_with_username_password(
'https://myapiserver.azurewebsites.net/',
'myuser',
'mypassword',
'my_apiclient_client_id'
)
I then try to send a request to my API app using the following method but keep getting 'unauthorized':
at = token['accessToken']
id_token = "Bearer {0}".format(at)
response = requests.get('https://myapiserver.azurewebsites.net/', headers={"Authorization": id_token})
I am able to successfully login using myuser/mypass from the loginurl. I have also given the client app access to the server app in Azure AD.
Although the question was posted a long time ago, I'll try to provide an answer. I stumbled across the question because we had the exact same problem here. We could successfully obtain a token with the adal library but then we were not able to access the resource I obtained the token for.
To make things worse, we sat up a simple console app in .Net, used the exact same parameters, and it was working. We could also copy the token obtained through the .Net app and use it in our Python request and it worked (this one is kind of obvious, but made us confident that the problem was not related to how I assemble the request).
The source of the problem was in the end in the oauth2_client of the adal python package. When I compared the actual HTTP requests sent by the .Net and the python app, a subtle difference was that the python app sent a POST request explicitly asking for api-version=1.0.
POST https://login.microsoftonline.com/common//oauth2/token?api-version=1.0
Once I changed the following line in oauth2_client.py in the adal library, I could access my resource.
Changed
return urlparse('{}?{}'.format(self._token_endpoint, urlencode(parameters)))
in the method _create_token_url, to
return urlparse(self._token_endpoint)
We are working on a pull request to patch the library in github.
For the current release of Azure Python SDK, it support authentication with a service principal. It does not support authentication using an ADAL library yet. Maybe it will in future releases.
See https://azure-sdk-for-python.readthedocs.io/en/latest/resourcemanagement.html#authentication for details.
See also Azure Active Directory Authentication Libraries for the platforms ADAL is available on.
#Derek,
Could you set your Issue URL on Azure Portal? If I set the wrong Issue URL, I could get the same error with you. It seems that your code is right.
Base on my experience, you need add your application into Azure AD and get a client ID.(I am sure you have done this.) And then you can get the tenant ID and input into Issue URL textbox on Azure portal.
NOTE:
On old portal(manage.windowsazure.com),in the bottom command bar, click View Endpoints, and then copy the Federation Metadata Document URL and download that document or navigate to it in a browser.
Within the root EntityDescriptor element, there should be an entityID attribute of the form https://sts.windows.net/ followed by a GUID specific to your tenant (called a "tenant ID"). Copy this value - it will serve as your Issuer URL. You will configure your application to use this later.
My demo is as following:
import adal
import requests
TenantURL='https://login.microsoftonline.com/*******'
context = adal.AuthenticationContext(TenantURL)
RESOURCE = 'http://wi****.azurewebsites.net'
ClientID='****'
ClientSect='7****'
token_response = context.acquire_token_with_client_credentials(
RESOURCE,
ClientID,
ClientSect
)
access_token = token_response.get('accessToken')
print(access_token)
id_token = "Bearer {0}".format(access_token)
response = requests.get(RESOURCE, headers={"Authorization": id_token})
print(response)
Please try to modified it. Any updates, please let me know.
I want to utilize gdata.apps.audit.service.AuditService to create mailbox export requests (specifically via createMailboxExportRequest). Is it possible to access this api authenticating via oauth or another means? I'm trying to avoid requiring a user to provide a username and password.
Here is an example piece of code:
audit_service = gdata.apps.audit.service.AuditService(domain="test.com")
#would like to not use ClientLogin
client = audit_service.ClientLogin("adm_user#test.com", "superSecretPassword") # <------
audit_service.createMailboxExportRequest(user="target_user", begin_date=None, end_date=None, include_deleted=True, search_query=None)
audit_service.getAllMailboxExportRequestsStatus()
I'm successfully using oauth2/client_secrets for other admin/audit APIs but I can't figure out how to get the createMailboxExportRequest without ClientLogin. Any help would be appreciated.
The easiest way I've found to hack OAuth 2.0 into the older GData APIs is to build the GData service (but not authorize it), then build a credentials service like you would for the newer OAuth 2.0 discovery Google APIs, then add the proper credentials as a header on the GData service:
audit_service = gdata.apps.audit.service.AuditService(domain="test.com")
... # build your credentials like normal with oauth2client
auth_headers = {u'Authorization': u'Bearer %s' % credentials.access_token}
audit_service.additional_headers = auth_headers
This is a follow-up question for this question:
I have successfully created a private key and have read the various pages of Google documentation on the concepts of server to server authentication.
I need to create a JWT to authorize my App Engine application (Python) to access the Google calendar and post events in the calendar. From the source in oauth2client it looks like I need to use oauth2client.client.SignedJwtAssertionCredentials to create the JWT.
What I'm missing at the moment is a stylised bit of sample Python code of the various steps involved to create the JWT and use it to authenticate my App Engine application for Google Calendar. Also, from SignedJwtAssertionCredentials source it looks like I need some App Engine compatible library to perform the signing.
Can anybody shed some light on this?
After some digging I found a couple of samples based on the OAuth2 authentication. From this I cooked up the following simple sample that creates a JWT to access the calendar API:
import httplib2
import pprint
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
# Get the private key from the Google supplied private key file.
f = file("your_private_key_file.p12", "rb")
key = f.read()
f.close()
# Create the JWT
credentials = SignedJwtAssertionCredentials(
"xxxxxxxxxx#developer.gserviceaccount.com", key,
scope="https://www.googleapis.com/auth/calendar"
)
# Create an authorized http instance
http = httplib2.Http()
http = credentials.authorize(http)
# Create a service call to the calendar API
service = build("calendar", "v3", http=http)
# List all calendars.
lists = service.calendarList().list(pageToken=None).execute(http=http)
pprint.pprint(lists)
For this to work on Google App Engine you will need to enable PyCrypto for your app. This means adding the following to your app.yaml file:
libraries:
- name: pycrypto
version: "latest"
I'm trying to use the Google Docs API with Python+Django and OAuth 2. I've got the OAuth access token, etc. via google-api-python-client, with the code essentially copied from http://code.google.com/p/google-api-python-client/source/browse/samples/django_sample/plus/views.py
Now, I assume I should be using the google gdata API, v 2.0.17. If so, I'm unable to find exactly how to authorize queries made using the gdata client. The docs at http://packages.python.org/gdata/docs/auth.html#upgrading-to-an-access-token (which appear outdated anyway), say to set the auth_token attribute on the client to an instance of gdata.oauth.OAuthToken. If that's the case, what parameters should I pass to OAuthToken?
In short, I'm looking for a brief example on how to authorize queries made using the gdata API, given an OAuth access token.
The OAuth 2.0 sequence is something like the following (given suitably defined application constants for your registered app).
Generate the request token.
token = gdata.gauth.OAuth2Token(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
scope=" ".join(SCOPES),
user_agent=USER_AGENT)
Authorise the request token. For a simple command-line app, you can do something like:
print 'Visit the following URL in your browser to authorise this app:'
print str(token.generate_authorize_url(redirect_url=REDIRECT_URI))
print 'After agreeing to authorise the app, copy the verification code from the browser.'
access_code = raw_input('Please enter the verification code: ')
Get the access token.
token.get_access_token(access_code)
Create a gdata client.
client = gdata.docs.client.DocsClient(source=APP_NAME)
Authorize the client.
client = token.authorize(client)
You can save the access token for later use (and so avoid having to do the manual auth step until the token expires again) by doing:
f = open(tokenfile, 'w')
blob = gdata.gauth.token_to_blob(token)
f.write(blob)
f.close()
The next time you start, you can reuse the saved token by doing:
f = open(tokenfile, 'r')
blob = f.read()
f.close()
if blob:
token = gdata.gauth.token_from_blob(blob)
Then, the only change to the authentication sequence is that you pass this token to OAuth2Token by specifying a refresh_token argument:
token = gdata.gauth.OAuth2Token(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET,
scope=" ".join(SCOPES),
user_agent=USER_AGENT,
refresh_token=token.refresh_token)
Hope this helps. It took a while to work it out :-).
This is from https://developers.google.com/gdata/docs/auth/overview:
Warning: Most newer Google APIs are not Google Data APIs. The Google Data APIs documentation applies only to the older APIs that are listed in the Google Data APIs directory. For information about a specific new API, see that API's documentation. For information about authorizing requests with a newer API, see Google Accounts Authentication and Authorization.
You should either use OAuth for both authorization and access or OAuth 2.0 for both.
For OAuth 2.0 API are now at https://developers.google.com/gdata/docs/directory.