This is all an ongoing experiment, so I apologize that it's linked to open
PRs and whatnot. As far as I know, no one other than myself has really used
pyramid_oauthlib yet, either.

Here's the basic idea though:

- The library, pyramid_oauthlib, provides `request.verify_request()` which
delegates to a registered OAuthLib RequestValidator instance based on the
detected authorization type, e.g. bearer authorization header.

- The goal is that implementations of grant types, token types, and
response types can be shared with other OAuthLib users because they should
be able to avoid any pyramid-isms.

- To integrate with your Pyramid application, all that is really needed is
to register some OAuthLib pieces and then integrate with your
authentication policy.

  Example of adding some OAuthLib parts:

    from oauthlib.common import generate_signed_token

    # pyramid_oauthlib registers the add_grant_type/add_token_type
    # directives; ``validator`` is your OAuthLib RequestValidator instance.
    config.include('pyramid_oauthlib')
    config.add_grant_type('oauthlib.oauth2.ClientCredentialsGrant',
                          request_validator=validator)
    config.add_token_type('oauthlib.oauth2.BearerToken',
                          request_validator=validator,
                          token_generator=generate_signed_token)

  Example of integrating with a Pyramid authentication policy. In the
simplest case, Pyramid itself does no authentication, and instead uses the
'REMOTE_USER' policy:

    from pyramid.events import ContextFound, subscriber

    @subscriber(ContextFound)  # registered when config.scan() runs
    def set_user_from_oauth(event):
        """A subscriber that checks requests for OAuth credentials and sets
        the 'REMOTE_USER' environment key to the authorized user (or
        ``None``)."""
        request = event.request
        # Dispatches on the detected authorization type (e.g. a bearer
        # header) to the registered RequestValidator, which can set
        # request.user when the credentials check out.
        request.verify_request()
        request.environ['REMOTE_USER'] = getattr(request, 'user', None)

Here's how I'm integrating the draft-ietf-oauth-jwt-bearer spec today:
https://github.com/hypothesis/h/pull/2046

Notice that the h.oauth package has nothing Pyramid specific. I am hoping
to submit that as a PR to OAuthLib shortly.

The biggest open questions in my mind:

- Whether the grant type implementation should attempt any
issuer/audience/expiration validation, or whether that should all be
delegated to the RequestValidator.

- Since pyramid_oauthlib makes it easy for each (token|grant|response) type
to have its own RequestValidator instance, it works to overload the
validate_bearer_token method. However, for other OAuthLib users, it might
be more sensible to have a validate_web_token method in case the JWT is
only used as an authorization grant but the access token uses a more
traditionally opaque token.

Hope that's helpful. I'm very much seeking feedback here.




On Tue, Mar 17, 2015 at 2:44 AM Carel Burger <carelbur...@gmail.com> wrote:

> Hi Randall, Let us know when the example is up. I am also interested in
> getting OAuth integrated in my webapp.
>
> On Monday, 16 March 2015 19:48:40 UTC+2, Randall Leeds wrote:
>
>> I authored pyramid_oauthlib and I've been hacking at JWTs as
>> authorization grants.
>>
>> It might be overkill for your needs, but I'll look at getting an example
>> up today/tomorrow.
>>
>> On Mon, Mar 16, 2015 at 10:38 AM Vincent Catalano <vin...@vincentcatalano.com> wrote:
>>
>>> Hello everyone,
>>>
>>> I'm implementing a REST API in Pyramid and I want to use JSON Web Tokens
>>> for authorization and authentication (http://jwt.io/). I was looking at
>>> using a plugin pyramid_jwtauth
>>> <https://github.com/ajkavanagh/pyramid_jwtauth> but there are no
>>> examples or documentation on how to actually use it. If anyone has any
>>> experience or knowledge in implementing web tokens perhaps you could give
>>> me a few pointers for using it in Pyramid.
>>>
>>> -Vincent
>>>
>>> --
>>> Vincent Catalano
>>> Software Engineer and Web Developer,
>>> (520).603.8944
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "pylons-discuss" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to pylons-discus...@googlegroups.com.
>>> To post to this group, send email to pylons-...@googlegroups.com.
>>> Visit this group at http://groups.google.com/group/pylons-discuss.
>>> For more options, visit https://groups.google.com/d/optout.
>>>
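Added example, not code from the message above nor from pyramid_oauthlib, h.oauth or OAuthLib: a stand-alone Python sketch of the issuer/audience/expiration checks that Randall's first open question is about, split the way he describes. The grant-type side does only what needs no application data (parsing, pinning the algorithm, verifying the signature, checking exp/nbf and the required claims) and delegates issuer registration, key lookup and the audience check to a validator object. The Validator class, its method names, the HS256-only signing and the sample issuer, key and audience are assumptions made for this illustration; the set of required claims (iss, sub, aud, exp) follows the JWT bearer draft he links, since published as RFC 7523.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidAssertion(Exception):
    """Raised when a JWT bearer assertion must be rejected."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode((text + "=" * (-len(text) % 4)).encode("ascii"))


def make_assertion(claims, key, alg="HS256"):
    """Build a compact JWT signed with an HMAC key (used here to make test input)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


class Validator:
    """Hypothetical stand-in for the application-side RequestValidator.

    It owns what a generic grant type cannot know: the registered issuers,
    the key each one signs with, and this token endpoint's own audience.
    """

    def __init__(self, issuer_keys, audience):
        self.issuer_keys = issuer_keys  # issuer -> HMAC key (assumption: HS256)
        self.audience = audience

    def validate_issuer(self, issuer):
        return issuer in self.issuer_keys

    def get_key(self, issuer):
        return self.issuer_keys[issuer]

    def validate_audience(self, aud):
        # 'aud' may be a single string or a list of strings.
        return self.audience in (aud if isinstance(aud, list) else [aud])


def validate_jwt_bearer(assertion, validator, now=None, leeway=30):
    """Grant-type side: return the verified claims or raise InvalidAssertion."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except (ValueError, TypeError, AttributeError):
        raise InvalidAssertion("malformed assertion")

    # The header is sender-controlled: accept exactly one algorithm so that
    # alg=none or a weaker algorithm can never be chosen by the sender.
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unsupported alg")

    # 'iss' is read before signature verification only to select the key;
    # the key table itself is trusted, so an unknown issuer fails here.
    issuer = claims.get("iss")
    if not isinstance(issuer, str) or not validator.validate_issuer(issuer):
        raise InvalidAssertion("unknown issuer")

    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(validator.get_key(issuer), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidAssertion("bad signature")

    # Only now are the claims trusted. Required: sub, aud, exp; nbf optional.
    if "sub" not in claims:
        raise InvalidAssertion("missing sub")
    if "aud" not in claims or not validator.validate_audience(claims["aud"]):
        raise InvalidAssertion("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidAssertion("expired")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise InvalidAssertion("not yet valid")
    return claims


def reject_reason(assertion, validator, now=None):
    """None when the assertion is accepted, otherwise the rejection reason."""
    try:
        validate_jwt_bearer(assertion, validator, now=now)
        return None
    except InvalidAssertion as exc:
        return str(exc)


# Constructed sample data for this illustration (not real credentials).
SAMPLE_KEY = b"client-shared-secret"
SAMPLE_VALIDATOR = Validator({"https://idp.example": SAMPLE_KEY},
                             "https://api.example/oauth/token")

if __name__ == "__main__":
    now = int(time.time())
    fresh = make_assertion({"iss": "https://idp.example", "sub": "alice",
                            "aud": "https://api.example/oauth/token",
                            "exp": now + 300}, SAMPLE_KEY)
    print(reject_reason(fresh, SAMPLE_VALIDATOR, now))   # None
    stale = make_assertion({"iss": "https://idp.example", "sub": "alice",
                            "aud": "https://api.example/oauth/token",
                            "exp": now - 100}, SAMPLE_KEY)
    print(reject_reason(stale, SAMPLE_VALIDATOR, now))   # expired
```

The ordering is the point: nothing in the payload is acted on before the signature is verified except reading `iss` to pick a key from a trusted table, and the algorithm is pinned rather than taken from the header. Everything after the signature check (sub, aud, exp, nbf) is what a shared grant type could do itself; issuer and audience knowledge stays behind the validator so the same code works for any application.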