This is all an ongoing experiment, so I apologize that it's linked to open PRs and whatnot. As far as I know, no one other than myself has really used pyramid_oauthlib yet, either.
Here's the basic idea though:

- The library, pyramid_oauthlib, provides `request.verify_request()` which delegates to a registered OAuthLib RequestValidator instance based on the detected authorization type, e.g. bearer authorization header.
- The goal is that implementations of grant types, token types, and response types can be shared with other OAuthLib users because they should be able to avoid any pyramid-isms.
- To integrate with your Pyramid application, all that is really needed is to register some OAuthLib pieces and then integrate with your authentication policy.

Example of adding some OAuthLib parts:

    config.add_grant_type('oauthlib.oauth2.ClientCredentialsGrant',
                          request_validator=validator)
    config.add_token_type('oauthlib.oauth2.BearerToken',
                          request_validator=validator,
                          token_generator=generate_signed_token)

Example of integrating with a Pyramid authentication policy. In the simplest case, Pyramid itself does no authentication, and instead uses the 'REMOTE_USER' policy:

    from pyramid.events import ContextFound, subscriber

    @subscriber(ContextFound)
    def set_user_from_oauth(event):
        """A subscriber that checks requests for OAuth credentials and sets
        the 'REMOTE_USER' environment key to the authorized user (or ``None``)."""
        request = event.request
        # Dispatches to the RequestValidator registered for the detected
        # authorization type; on success the validator may attach request.user.
        request.verify_request()
        request.environ['REMOTE_USER'] = getattr(request, 'user', None)

Here's how I'm integrating the draft-ietf-oauth-jwt-bearer spec today: https://github.com/hypothesis/h/pull/2046

Notice that the h.oauth package has nothing Pyramid specific. I am hoping to submit that as a PR to OAuthLib shortly.

The biggest open questions in my mind:

- Should the grant type implementation attempt any issuer/audience/expiration validation, or should that all be delegated to the RequestValidator?
- Since pyramid_oauthlib makes it easy for each (token|grant|response) type to have its own RequestValidator instance, it works to overload the validate_bearer_token method.
However, for other OAuthLib users, it might be more sensible to have a validate_web_token method in case the JWT is only used as an authorization grant but the access token uses a more traditionally opaque token.

Hope that's helpful. I'm very much seeking feedback here.

On Tue, Mar 17, 2015 at 2:44 AM Carel Burger <carelbur...@gmail.com> wrote:

> Hi Randall, Let us know when the example is up. I am also interested in
> getting OAuth integrated in my webapp.
>
> On Monday, 16 March 2015 19:48:40 UTC+2, Randall Leeds wrote:
>
>> I authored pyramid_oauthlib and I've been hacking at JWTs as
>> authorization grants.
>>
>> It might be overkill for your needs, but I'll look at getting an example
>> up today/tomorrow.
>>
>> On Mon, Mar 16, 2015 at 10:38 AM Vincent Catalano <
>> vin...@vincentcatalano.com> wrote:
>>
>>> Hello everyone,
>>>
>>> I'm implementing a REST API in Pyramid and I want to use JSON Web Tokens
>>> for authorization and authentication (http://jwt.io/). I was looking at
>>> using a plugin pyramid_jwtauth
>>> <https://github.com/ajkavanagh/pyramid_jwtauth> but there are no
>>> examples or documentation on how to actually use it. If anyone has any
>>> experience or knowledge in implementing web tokens perhaps you could give
>>> me a few pointers for using it in Pyramid.
>>>
>>> -Vincent
>>>
>>> --
>>> Vincent Catalano
>>> Software Engineer and Web Developer,
>>> (520).603.8944
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "pylons-discuss" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to pylons-discus...@googlegroups.com.
>>> To post to this group, send email to pylons-...@googlegroups.com.
>>> Visit this group at http://groups.google.com/group/pylons-discuss.
>>> For more options, visit https://groups.google.com/d/optout.
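The issuer/audience/expiration checks raised in the open questions above, as an added example that is not pyramid_oauthlib's or OAuthLib's code: a stand-in validator owning those checks behind the proposed validate_web_token method, so a grant type can delegate to it rather than hard-code them. The class name, the HS256 key, the claim values and the fixture builder are all assumptions constructed for this example (stdlib only, so it runs offline).

```python
# Added example, not pyramid_oauthlib/OAuthLib code: a stand-in RequestValidator
# with the validate_web_token method the thread proposes. Stdlib only; HS256 and
# the key are constructed here so the fixture can be built inline.
import base64, hashlib, hmac, json, time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def make_hs256_jwt(claims, key):
    """Build a sample JWT assertion (constructed fixture, not real issuer output)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, ("%s.%s" % (head, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (head, body, _b64url_encode(sig))

class JWTBearerValidator(object):
    """Hypothetical validator: owns the iss/aud/exp policy so the grant type
    can delegate to it instead of hard-coding the checks itself."""

    def __init__(self, key, issuer, audience, now=time.time):
        self.key, self.issuer, self.audience, self.now = key, issuer, audience, now

    def validate_web_token(self, token):
        """Return the claims dict if the assertion is acceptable, else None."""
        try:
            head_b64, body_b64, sig_b64 = token.split(".")
            header = json.loads(_b64url_decode(head_b64))
            if header.get("alg") != "HS256":   # pin the algorithm; never trust the header
                return None
            signing_input = ("%s.%s" % (head_b64, body_b64)).encode()
            expected = hmac.new(self.key, signing_input, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
                return None
            claims = json.loads(_b64url_decode(body_b64))
        except (ValueError, AttributeError):  # malformed split, base64 or JSON
            return None
        if not isinstance(claims, dict) or claims.get("iss") != self.issuer:
            return None
        aud = claims.get("aud")  # RFC 7519 allows a string or a list
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            return None
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or self.now() >= exp:
            return None
        return claims
```

Signature and algorithm are checked before any claim is read, so an expired or mis-addressed assertion is rejected only after it has been shown to come from the expected issuer key.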