I have a weird problem with Flickr OAuth on Google App Engine:
I'm requesting for oauth token and secret from Flickr using the code attached.. it fails most of time when tested on App Engine.. Flickr returns a page saying
"Flickr has the hiccups. We're looking into the problem right now..."
At first I thought it might be the problem with Flickr.. but then if I copied the URL into chrome directly, I could get the oauth token and secret..
So I thought it could be the problem with my code fetching the URL.. but in fact, with the same piece of code, I'm also able to get token and secret at localhost..
Now I'm really confused.. because this used to work perfectly until recently.. is there any update on App Engine dev server that might cause the problem? Please help!!!
url = "http://www.flickr.com/services/oauth/request_token"
params = {
"oauth_timestamp": str(int(time())),
"oauth_signature_method": "HMAC-SHA1",
"oauth_version": "1.0",
"oauth_nonce": sha1(str(random())).hexdigest(),
"oauth_callback": API_CALLBACK,
"oauth_consumer_key": API_KEY,
}
# Setup the Consumer with the key-secret given by Flickr
consumer = oauth2.Consumer(key=API_KEY, secret=API_SECRET)
# Create request
req = oauth2.Request(method="GET", url=url, parameters=params)
# Create signature
signature = oauth2.SignatureMethod_HMAC_SHA1().sign(req, consumer, None)
# Add the Signature to the request
req['oauth_signature'] = signature
h = httplib2.Http()
resp, content = h.request(req.to_url(), "GET")
Update: I changed the code a little bit, keep requesting if I don't get the token (given a max try allowed). It works... still, it is very annoying that I have to write such work-around. Would appreciate if better alternative is available!
You need to use https instead of http (see the comment thread above)
Related
I am trying to capture my access token that is returned by an API during authentication process. The official method of doing the authentication process from the API is:
from xyz_api import accessToken
app_id = "your_app_id"
app_secret = "your_app_secret"
app_session = accessToken.SessionModel(app_id, app_secret)
response = app_session.auth()
The above will return a json like:
{
"code" : 200,
"data" : {
"authorization_code": "some random code"
},
}
Now, the following code is used to generate a URL:
authorization_code = “your_authorization_code”
app_session.set_token(authorization_code)
url = app_session.generate_token()
Now this is where I start having issue.
At this stage, what is recommended by the API author is:
1. Use the generated URL and copy paste it into a browser.
2. The browser will then do the authentication and return the access token to a redirect
url (I used http://localhost:5000).
3. Copy and paste the access token from redirect URL
What I want:
To be able to finish the authentication and get the access_token from
python code itself.
What I tried:
Using requests.get(url), but it doesn't work.
Is there any way to do this all using python only, without having a need to open a browser?
PS: The API I am trying to use is: https://api-docs.fyers.in/v1#authorization
Further Investigation
On further investigation, I discovered the following:
The API uses oauth
The URL obtained from the following code provided by the API author
url = app_session.generate_token()
is same as when I write the following code:
oauth = OAuth2Session('app_id')
authorization_url, state = oauth.authorization_url(url)
The url returned in both cases is of the form:
https://api.fyers.in/api/v1/genrateToken?authorization_code=some_auth_code&appId=my_app_id
If I copy paste this URL in a browser, it send back the access_token to my redirect_url (http://localhost:5000)
I am trying to get the access token using oauth::fetch_token with the following code, which is failing:
oauth1 = OAuth2Session('app_id', state=state, redirect_uri="http://localhost:5000")
token = oauth1.fetch_token('https://api.fyers.in/api/v1/genrateToken/',
client_secret='app_secret',
code='the_auth_code_returned')
Truly appreciate the help.
you are accessing only with Python...
you dont need to do anything manually in a browser..
This API not sure if what you wnat to.
I Believe you registred an APP , got your app_secret
the step
response = app_session.auth()
answer you with a authorization_code
"data" : {
"authorization_code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqaGdqZzg3NiQ3ODVidjVANjQ3NTZ2NSZnNyM2OTg3Njc5OHhkIjoiWElHVFVYVjBSSSIsImV4cCI6MTU2MTU5NzM5Ny41NjQxNTV9.Agl-Uus63NforrUEdbG7YUlPcbFXu9hLYm4akGuIBkU"
you may access that authorization token like that
import json
r = json.dumps(reponse)
authorization_token = r['data']['authorization_code']
The authorization token AND you app_id must be passed as querystring to https://api.fyers.in/api/v1/genrateToken?
the REAL user will be then asked to accept login trought your app
and if accepted , the user will be redirected to the URL *I imagined you inform in your app register.
let me know if it make sense
I have been working on using the powerbi REST API and I haven't been able to properly make use of it. I made use of this and I was able to register an app and get as far as getting an access token, but still I get 401 statuses on my requests.
My major points of confusion are with regards to the app registration:
1) I am trying to read and write data from a python script. Is this a Native-App or a Web Side Server?
2) What is the meaning of the redirect and home urls on the app registration page? I am currently using my localhost:5000 with different /paths. Could this be the source of the issue?
3) My research indicates that there should be some sort of login interaction. I don't have one, is this an indication that something isn't being done properly?
My code is as follows:
import adal
import requests
AUTHORITY_URL = 'https://login.microsoftonline.com/{my_company}.onmicrosoft.com'
RESOURCE = 'https://analysis.windows.net/powerbi/api'
CLIENT_ID = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CLIENT_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
def make_headers(access_token):
return {
'Authorization': "Bearer {}".format(access_token)
}
context = adal.AuthenticationContext(AUTHORITY_URL)
token = context.acquire_token_with_client_credentials(RESOURCE, CLIENT_ID, CLIENT_SECRET)
access_token = token['accessToken']
headers = make_headers(access_token)
url = "https://api.powerbi.com/v1.0/myorg/datasets"
resp = requests.get(url, headers=headers)
As I said above this works to give me an access token though a get a status 401 response on the request and there is no sign in prompt.
Any help/guidance would be tremendously appreciated.
1) In your case you should register a Native app.
2) Native apps has only Redirect URI. Redirect URI gives AAD more details about the specific application it authenticates. For Native apps you should set it to https://login.live.com/oauth20_desktop.srf.
3) It's hard to say why you are getting Unauthorized response. Check what rights you gave to your application - does it has rights to read or write all datasets? Try to decode the access token at https://jwt.io and look at scp - does it contain "Dataset.Read.All" or "Dataset.ReadWrite.All"?
I have an API Key for a Google API that I would like to use in all my requests to it. Some of these requests will originate from within a Google App Engine (Python 2.7) application. I had planned to use the UrlFetch library to complete the POST request, basically as follows:
headers = {'Content-Type': 'application/json'}
payload = {'longUrl': request.long_url}
result = urlfetch.fetch([API_REQUEST_URL],
method=urlfetch.POST,
payload=json.dumps(payload),
headers=headers)
json_result = json.loads(result.content)
I had set a referrer restriction on my API Key to *.[my-app].appspot.com/* with the hope that this would protect my API Key from unauthorized use and negate the need to update an IP-based key restriction (as App Engine IPs change all the time).
This approach as failed me though, because it seems that urlfetch does NOT specify a value for referrer on its own. I assume I could add my own referrer, but then so could anyone else. The approach isn't very secure.
What is the best practice? How should I restrict the key given that I'm using urlfetch from within App Engine? If I do use an HTTP Referrer restriction, which address do I use?
Many thanks.
You got like this error message?
Requests from referer <empty> are blocked.
urlfetch seems not to attach Refer automatically, so you should set Refer in your request header.
headers = {'Content-Type': 'application/json','Referer': '*.[my-app].appspot.com/*'}
As you observed the referrer header can be faked, so setting a referrer restriction on your API Key is rather useless to start with.
But you can add a check based on the X-Appengine-Inbound-Appid header, which is sanitized by the GAE infrastructure and precisely identifies the app. From Issuing a request to another App Engine app:
When issuing a request to another App Engine app, your App Engine app
must assert its identity by adding the header
X-Appengine-Inbound-Appid to the request. If you instruct the URL
Fetch service to not follow redirects, App Engine will add this header
to requests automatically.
To instruct the URL Fetch service to not follow redirects, set the
fetch follow_redirects parameter to False.
Note: If you are making requests to another App Engine application, use its appspot.com domain name rather than a custom
domain for your app.
I'm building a SSO setup for a web app. I can login known users and create new unknown users via https://www.googleapis.com/oauth2/v1/userinfo.
I get back a response like this:
{
"access_token":"1/fFAGcxxxxxxxxxxxxxxxxxxx",
"expires_in":3920,
"token_type":"Bearer",
"refresh_token":"1/xEoDL4iW3cxlI7yDbSRFYxxxxxxxxxxxxxxxxxxx"
}
So I get the user:
url = 'https://www.googleapis.com/oauth2/v1/userinfo?access_token=%s' % a['access_token']
req = urllib2.Request( url )
opener = urllib2.build_opener( urllib2.HTTPSHandler( debuglevel=0 ) )
req = opener.open( req )
reply = req.read()
req.close()
a = json.loads( reply )
That gives me the user's info and permission to access their GMail via
my initial scope. But does this method of acquiring the user allow access to the user's
GMail via imap?
http://code.google.com/apis/gmail/oauth/protocol.html
Does the access_token I'm getting allow access to that? I don't see where to use the 'access_token' now that I have it.
(Not sure if you still need an answer to this, but just in case...)
While most Google APIs can now authenticate using OAuth2, the Google IMAP client only supports OAuth 1. This requires not only an access token, but also a token 'secret'; you don't get that with the OAuth2 response (since you don't need it), which means it's pretty much useless to you.
What you can do is use OAuth 1; this is still supported by Google, although it doesn't have all the bells and whistles of OAuth2. The details of using it are at the link you mentioned (which now redirects to https://developers.google.com/google-apps/gmail/oauth_protocol). I would strongly recommend you use a known library for this, such as python-oauth2 (which, despite the name, uses OAuth 1).
I've got a Django template that initiates the Facebook OAuth process by doing:
window.location='https://www.facebook.com/dialog/oauth?client_id=MY_CLIENT_ID&redirect_uri=http%3A//localhost%3A8000/fbpanel/explore-python'
Then, in my Django view, I get the resulting code as follows:
import cgi
import urllib
# [...]
code = request.GET['code']
args = {
'client_id': MY_CLIENT_ID,
'redirect_uri': 'http://localhost:8000/fbpanel/explore_python'
'client_secret': MY_CLIENT_SECRET,
'code': code,
}
url = 'https://graph.facebook.com/oauth/access_token?' + \
urllib.urlencode(args)
raw_response = urllib.urlopen(url).read()
response = cgi.parse_qs(raw_response)
if response:
error = ''
if response['access_token']:
access_token = response['access_token'][0]
if response['expires']:
expires = response['expires'][0]
else:
access_token = 'No access token returned'
expires = 'No expiration given'
error = raw_response
Invariably, response is None and raw_response contains Error: {"error":{"message":"Error validating verification code.","type":"OAuthException"}}
The same credentials validate fine with the JavaScript SDK. I was binding my server to localhost in that case too, and have localhost:8000 set in my official app domain. Before I did that, the JavaScript wouldn't work. After, it did. So I don't think localhost is the issue.
I've manually stepped through the code, printing the code returned by FB out,
then manually running the above code line by line in the python interpreter, and
I can't see anything I'm doing wrong. What are my next debugging steps? The FB
documentation offers little guidance if you receive an OAuthException.
The value used for redirect_uri must be exactly the same when you request the token as it was when you requested the code. Since no actual redirect occurs when requesting the token, it can be easy to miss small differences. The error message is not particularly descriptive in this case; what it really means is "The parameters you are sending don't correspond with the code value you are sending".