I have an existing webapp, running in Python on App Engine, in which users can login through open-id using a Yahoo account. Now, once they're signed in, I'd like them to be able to access their Yahoo contacts, through OAuth. I'm working though the Yahoo Python SDK and am just stuck.
I have the consumer key, consumer secret, app ID, and the callback URL is the same page, the use leaves from. Going to the Yahoo login pages seems to work fine and the user comes back to my site with an auth_token and auth_verifier. What do I do with those? Which strings do I need to store for future requests? Is there good sample code anywhere for these kinds of requests? Thanks.
You should look for OpenID+Oauth Hybrid protocol.
OpenID+OAuth Hybrid protocol lets web developers combine an OpenID request with an OAuth authentication request.
This extension is useful for web developers who use both OpenID and OAuth, particularly in that it simplifies the process for users by requesting their approval once instead of twice.
The goal of OAuth is to acquire an
access token from Google, which can
then be used to exchange user-specific
data with a Google service (such as
calendar information or an address
book). The regular OAuth process is a
four-step sequence: (1) ask for a
"request" token, (2) ask for the token
to be authorized, which triggers user
approval, (3) exchange the authorized
request token for an "access" token,
and (4) use the access token to
interact with the user's Google
service data. For a more detailed
description, see OAuth for Web
Applications.
With OpenID+OAuth, this sequence
remains essentially the same. The
difference is that getting an
authorized OAuth request token (steps
1 and 2) is wrapped up in the OpenID
authentication request. In this way,
the user can approve login and service
access at the same time.
Here a demo and source code (php) of Hybrid protocol using Google.
Here and here the Yahoo documentation to combine an OpenID authentication request with the approval of an OAuth request token.
Related
I don't know why I can't find confirmation in the docs, maybe I am not navigating them correctly, although MSAL seems to have options to fit it into any application. This is my first time integrating a SAML sso procedure into any of my web-apps. I am just looking for some clarity on the correct, and secure way to verify the person attempting to login, is actually logged in with the IDP.
I am confused at the part after confirmation of login is given to my redirect API, I currently have it all happening on the front-end, then submitting the response to my back-end. Which is a RESTful API built with Django, and postgres database. At this point, I am thinking I need to verify my accessToken for authenticity, but I am unsure if I should be creating another PublicClient instance in python, and then sending the same commands to the IDP.
To guess at this point, I'm thinking this is wrong, as I need to verify the token, rather than get another Access and Refresh token. I'm thinking I just need to verify there is a session open with the IDP, and that the Access Token matches. Can anyone shed some light on this, possibly provide even just some direction.
The client Python Django Web App uses the Microsoft Authentication Library (MSAL) to sign-in and obtain an Access Token from Azure AD.
The access token is used as a bearer token to authorize the user to call the Python Flask Web API protected by Azure AD.
The Python Flask Web API then receives a token for Azure Resource Management API using the On-Behalf-Of flow.
To learn more about handing access token validation at the API layer, look into this sample walkthrough: https://github.com/Azure-Samples/ms-identity-python-on-behalf-of#about-the-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
The documentation google + domains api to create a post using the 'service' object, obtained here by this method. But in my project to authenticate via google and other sites I use the python social auth
and after authorization I have a ready access token.
The problem lies in the fact that I need a service object to work with api, but I can not figure out how to get it already having access token. Please help me and sorry for my english.
For the domains API, you typically will implement using a service account authorization flow - which is not retrieved in the same way as a user OAuth flow. This is because service accounts can be authorized for services that users typically should not be authorized for (e.g. retrieving domain-wide lists of user names).
The service account credentials, used to authorize your application, are created using the Google Developer Console and then are downloaded as a JSON or p12 file that is used to authenticate your Python client, as shown in this example.
That said, you still can do some actions with that access token which is why the auth flow you're seeing is doing this. Service credentials are how you should be authorizing for domains-related management features which may explain the behavior you're seeing.
I am pretty new to developing APIs. This is part of my class project and the goal is to create a RESTful API in python where the delegation is done via OAuth and these tokens should be sent as part of the HTTP request.
I was advised that I should create an API that involves delegating the OAuth model into a proxy-like approach where authentication tokens are sent as part of the HTTP request. What exactly does a proxy-like approach mean? Any ideas?
I would really appreciate if anyone could help me out with this and also on how to create an API (even if it is not python specific, I can take cue from that)
If you are new to REST services, then this link will be nice kick start for you.
You can find here how to develop a basic rest api in python and the same with authentication.
So what is OAuth?
OAuth can be many things. It is most commonly used to allow an application (the consumer) to access data or services that the user (the resource owner) has with another service (the provider), and this is done in a way that prevents the consumer from knowing the login credentials that the user has with the provider.
For example, consider a website or application that asks you for permission to access your Facebook account and post something to your timeline. In this example you are the resource holder (you own your Facebook timeline), the third party application is the consumer and Facebook is the provider. Even if you grant access and the consumer application writes to your timeline, it never sees your Facebook login information.
This usage of OAuth does not apply to a client/server RESTful API. Something like this would only make sense if your RESTful API can be accessed by third party applications (consumers).
In the case of a direct client/server communication there is no need to hide login credentials, the client (curl in the examples above) receives the credentials from the user and uses them to authenticate requests with the server directly.
I'm trying to implement openid login with Django and having some trouble. The library I'm trying to use now is Django-openid-auth. I haven't found any django+openid libraries that have much documentation. How can I actually go about using this as a login and store the information I need for my app based on the users that come in from openid? How does this store the information shared from the openid provider and does this library already store it?
The OpenID identity verification process most commonly uses the
following steps:
The user enters their OpenID into a field on the consumer'ssite, and hits a login button.
The consumer site discovers the user's OpenID provider using
the Yadis protocol.
The consumer site sends the browser a redirect to the OpenID
provider. This is the authentication request as described in
the OpenID specification.
The OpenID provider's site sends the browser a redirect back to
the consumer site. This redirect contains the provider's
response to the authentication request.
your web app needs to keep track of:
-the user's identity URL and the list of endpoints discovered for
that URL
-State of relationships with servers, i.e. shared secrets
(associations) with servers and nonces seen on signed messages.
This information should persist from one session to the next
and should not be bound to a particular user-agent.
hope this helps:D
I'm using the Google AppEngine 1.3.4 SDK which offers to allow your application to act as a OAuth service provider (http://code.google.com/appengine/docs/python/oauth/). Setting up a standard application on my localhost and using the following:
Request URL /_ah/OAuthGetRequestToken
Authorize URL /_ah/OAuthAuthorizeToken
Access Token URL /_ah/OAuthGetAccessToken
The client application just gets sent to a page requesting to grant OAuth access even though no user is logged in. Clicking 'Grant access' results in a message saying 'OAuth access granted' with no tokens or anything exchange. Can't see how this could work when it's not even prompting for a login.
As this functionality is quite new I can't find much out there. I've created a OAuth provider before in Rails and know that you need a Consumer Key and Secret, something that seems to be lacking in GAE?
Any ideas on how to get OAuth working in a sample GAE project are most welcome.
I would hazard a guess that the SDK implementation simply grants access regardless. It's also possible you still have a dev_appserver login cookie. Either way, try it in production - it'll almost certainly request login in that case.