Authomatic: python library for authentication and authorization
Almost any web application provides the ability to authorize a user using a user account in any of the known social services.Authorization magic occurs strictly according to the OAuth 1.0a and OAuth 2.0 protocol and greatly simplifies the life of the web application owner and the user himself.
It remains a trifle, to implement the desired protocol in relation to a specific web application. Registering and logging into TheOnlyPage web service using Facebook , Google , LinkedIn and Microsoft Live accounts works thanks to the Authomatic python library.
')
According to the documentation Authomatic has the following remarkable features:
- Weak connectivity
- Compact but powerful interface
- The only, and optional, dependency: python-openid library
- CSRF protection
- Thanks to adapters there is no binding to a specific framework. Django , Flask and Webapp2 are supported right out of the box .
- Ability to include new, emerging authorization and authentication protocols
- Requests to the program interface (API) of the provider - there is no place to be easier.
- Asynchronous request support
- As a bonus javascript library
- Immediately out of the box support:
- OAuth 1.0a providers: Bitbucket, Flickr, Meetup, Plurk, Twitter, Tumblr, UbuntuOne, Vimeo, Xero, Xing and Yahoo
- OAuth 2.0 providers: Behance, Bitly, Cosm, DeviantART, Facebook, Foursquare, GitHub, Google, LinkedIn, PayPal, Reddit, Viadeo, VK, WindowsLive, Yammer and Yandex.
- python-openid and google appid openid
On top of that, it is noted that the library is at a very early stage of its creation , and is practically not tested .
Despite this self-critical statement, if you refer to the demo page , you can make sure that the library provides trouble-free work with various providers of OAuth 1.0a and OAuth 2.0 .
Quality documentation provides enough information to use the library with frameworks: Django , Flask , Pyramid and Webapp2 .
We illustrate the work with Authomatic on the example of real life. In order to register / log into the TheOnlyPage web service via a Facebook , Google , LinkedIn and Microsoft Live account, just click the corresponding button on the service login page:
The authorization process is implemented using the Authomatic library. At the same time, TheOnlyPage runs on the Flask framework. In order to use the Authomatic library in conjunction with the Flask framework, provided that the library is already present in the workspace, you need:
- Register your application with each of the OAuth providers.
- Add OAuth providers parameters to configuration file.
- Initiate the base object with
authomaticparameters stored in the configuration file. - Create a view that will fulfill the request to the provider and get the result from it.
Let's do these 4 simple steps:
Application registration
Each provider has its own registration features. Application Registration Addresses
for Facebook: developers.facebook.com/apps
for Google: console.developers.google.com/project
for LinkedIn: www.linkedin.com/secure/developer
for Microsoft Live: account.live.com/developers/applications/create
Some parameters that need to be specified may differ for different providers, but among other parameters they are necessarily present:
- addresses of our service from which redirection is allowed with a request to the provider
- the address where the provider returns the user to our service after providing access
- the address where the provider returns the user to our service if access is denied
In the case of using the Authomatic library in the 1st and 2nd cases it is convenient to specify the same address, so for the respective providers we will use the addresses:
www.theonlypage.com/login/facebook
www.theonlypage.com/login/google
www.theonlypage.com/login/linkedin
www.theonlypage.com/login/microsoft
Also on the application registration page with the provider, we need to get the user code and secret key , in terms of various providers, they are respectively called:
| user code | The secret key | |
|---|---|---|
| App ID | App Secret | |
| Client ID | Client secret | |
| API Key | Secret key | |
| Microsoft Live | Client ID | Client secret |
In addition, in the registration section of the application with the provider, we need to find out under what name the data we need appears. For example, a user's email address is indicated by:
for Facebook: email
for Google: email
for LinkedIn: r_emailaddress
for Microsoft Live: wl.emails
After the application is registered in all providers, the redirect addresses are specified, the user code and secret key are received, there is clarity about how the data is applied to each provider, you can proceed to setting up the configuration file.
OAuth Provider Configuration Definition
In the standard configuration file of the flask-application, you need to add a dictionary containing the parameters of all providers:
OAUTH_CONFIG = { 'facebook': { 'class_': oauth2.Facebook, 'consumer_key': 123456789012345', 'consumer_secret': ' edcba987654321012345679abcdedcab', 'scope': ['email',], }, 'google': { 'class_': oauth2.Google, 'consumer_key': '123456789098.apps.googleusercontent.com', 'consumer_secret': ' ABcDEFgiJKLmNOPQRStUVWxyz ', 'scope': ['email',], }, 'linkedin': { 'class_': oauth2.LinkedIn, 'consumer_key': ' ABC123df45GIJ6h ', 'consumer_secret': 'zyx987vutSRQponM ', 'scope': ['r_emailaddress',], }, 'microsoft': { 'class_': oauth2.WindowsLive, 'consumer_key': '0000000012345A67', 'consumer_secret': ' ABcDe123fgHIJK45LmnO6789PQrS0tUVXyz ', 'scope': ['wl.emails',], }, } As we see, each provider is assigned a dictionary with the following attributes:
class_ is a class that is part of the Authomatic library and corresponds to the next provider;consumer_key - user code at the next provider;consumer_secret - the secret key of the next provider;scope - a list of data that is supposed to be requested from the next provider.Presets are made.
Initiating the base authomatic object
It happens very simply, with the configuration data and the secret string:
from authomatic import Authomatic from config import OAUTH_CONFIG authomatic = Authomatic(OAUTH_CONFIG, 'very secret string', report_errors=False) Creating a view
It remains to create a presentation that:
- corresponds to the Internet address from which the data request is redirected to the provider and the data is received from the provider;
- receives the user's email address from the oauth provider;
- and, if this user is registered in the system - opens access to it.
import re from authomatic.adapters import WerkzeugAdapter from flask import redirect, make_response from flask.ext.login import login_user from models import User from app import app EMAIL_REGEX = re.compile(r'[^@]+@[^@]+\.[^@]+') @app.route('/login/<provider_name>') def login(provider_name): # WerkzeugAdapter response response = make_response() try: # oauth2 # result = None result = authomatic.login( WerkzeugAdapter( request, response ), provider_name ) if result: # oauth- if result.user: # # result.user.update() # email email = result.user.email if email and EMAIL_REGEX.match(email): # # user = User.query.filter_by( email = email ).first() if user: # # login_user( user ) # return redirect( url_for( 'index' ) ) # # ... # ... else: # oauth- (result=None) # response return response The basic part of the interaction with the oauth-provider is reduced to one line:
result = authomatic.login( WerkzeugAdapter( request, response ), provider_name ) at the initial entry to the address:
authomatic.login redirects to the specified provider and transfers the necessary parameters;then the provider redirects to the same address and
authomatic.login receives the required data from the provider.As you can see it is not difficult. Most of the time is not programming, but registering your application with each of the providers used.
Source: https://habr.com/ru/post/239189/
All Articles