[web2py] Re: Web2Py + OAuth2 Server
Massimo,

If an OAuth2 server is viable, would it also support the Two-Legged authentication case? That is, I need to use OAuth2 to support a mobile app user logging in to a server and maintaining a long-term session, where both are produced by the same company (my employer).

Please note that I am new to web2py and although it looks impressive, I have to dig a little deeper than the docs.

Thanks ...

Richard Prosser

PS We may well move to the more conventional Three-Legged case in future, hence the use of OAuth I believe.

On Tuesday, 29 May 2012 03:39:06 UTC+1, Massimo Di Pierro wrote:

Theoretically yes. In fact I may even have somewhere an OAuth 1.0 server. The problem is that the OAuth 2.0 specs are very poor. They specify how the client asks the server if a user is authenticated but do not say anything about what information the server should provide to the client (user name? email?). This means a client written for one server will only work with that server and vice versa. The Facebook OAuth 2.0 follows its own rules. You can build a client that works with it. You can build a server that mimics them but there is very little in the OAuth 2.0 specs that tells you how to. Moreover your app is unlikely to provide the same services as Facebook and therefore clients written for Facebook will not work for it. I would stay away from OAuth 2.0 unless you need it as a client to authenticate to third party services.

Massimo

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [web2py] Re: Web2Py + OAuth2 Server
It was about time. Thanks for the info.

2012/10/14 Luther Goh Lu Feng elf...@yahoo.com

Seems that OAuth 2.0 is finalised as an official standard in IETF RFCs 6749 and 6750: http://dickhardt.org/2012/10/oauth-2-0/
[web2py] Re: Web2Py + OAuth2 Server
Seems that OAuth 2.0 is finalised as an official standard in IETF RFCs 6749 and 6750: http://dickhardt.org/2012/10/oauth-2-0/

On Monday, August 20, 2012 9:33:10 PM UTC+8, João Alves wrote:

Hello,

I didn't develop an OAuth 2.0 server to the web2py's core but I wrote a module instead. You can take a look here (https://github.com/joaoqalves/web2py-oauth2). Unfortunately, I don't have much time and I just implemented a version to work with pymongo + mongoDB, but it's quite easy to extend the OAuthStorage class to work with DAL properly. Feel free to comment and/or fork it ;)

Best regards,
João
[web2py] Re: Web2Py + OAuth2 Server
Hello,

I didn't develop an OAuth 2.0 server to the web2py's core but I wrote a module instead. You can take a look here (https://github.com/joaoqalves/web2py-oauth2). Unfortunately, I don't have much time and I just implemented a version to work with pymongo + mongoDB, but it's quite easy to extend the OAuthStorage class to work with DAL properly. Feel free to comment and/or fork it ;)

Best regards,
João

On Monday, July 30, 2012 8:00:53 PM UTC+1, Massimo Di Pierro wrote:

We would be interested. Look at the way CAS is integrated in auth (gluon/tools.py) and look at the OAuth 2.0 client (gluon/contrib/login_methods/oauth20_account.py). It would be nice if:

1) an OAuth 2.0 server were to be exposed in the same way as the CAS server is exposed.
2) oauth20_account.py would be able to interoperate with it.

We would require that this does not use any third party software or (at least) only one BSD/MIT library in contrib.

massimo
[web2py] Re: Web2Py + OAuth2 Server
Hi.

I'm developing an API through the *web2py* framework and I would like to use the OAuth2 protocol to authenticate the user/app. I've seen some links (http://hiidef.github.com/oauth2app/ and http://blog.savored.com/2011/10/14/oauth-server-authentication-in-pythondjango/) and I'm planning to develop something like that, but for *web2py*. Do you have interest in having OAuth2 on the core of the framework? It could be interesting and since I'll develop the solution, I could share it for everyone.

Best regards,
João

On Tuesday, May 29, 2012 3:39:06 AM UTC+1, Massimo Di Pierro wrote:

Theoretically yes. In fact I may even have somewhere an OAuth 1.0 server. The problem is that the OAuth 2.0 specs are very poor. They specify how the client asks the server if a user is authenticated but do not say anything about what information the server should provide to the client (user name? email?). This means a client written for one server will only work with that server and vice versa. The Facebook OAuth 2.0 follows its own rules. You can build a client that works with it. You can build a server that mimics them but there is very little in the OAuth 2.0 specs that tells you how to. Moreover your app is unlikely to provide the same services as Facebook and therefore clients written for Facebook will not work for it. I would stay away from OAuth 2.0 unless you need it as a client to authenticate to third party services.

Massimo
[web2py] Re: Web2Py + OAuth2 Server
We would be interested. Look at the way CAS is integrated in auth (gluon/tools.py) and look at the OAuth 2.0 client (gluon/contrib/login_methods/oauth20_account.py). It would be nice if:

1) an OAuth 2.0 server were to be exposed in the same way as the CAS server is exposed.
2) oauth20_account.py would be able to interoperate with it.

We would require that this does not use any third party software or (at least) only one BSD/MIT library in contrib.

massimo

On Monday, 30 July 2012 13:43:45 UTC-5, João Alves wrote:

Hi.

I'm developing an API through the *web2py* framework and I would like to use the OAuth2 protocol to authenticate the user/app. I've seen some links (http://hiidef.github.com/oauth2app/ and http://blog.savored.com/2011/10/14/oauth-server-authentication-in-pythondjango/) and I'm planning to develop something like that, but for *web2py*. Do you have interest in having OAuth2 on the core of the framework? It could be interesting and since I'll develop the solution, I could share it for everyone.

Best regards,
João
Re: [web2py] Re: Web2Py + OAuth2 Server
Looking forward to seeing this project come to light. I'm sure it'll bring a lot of people to web2py :)

This is the latest version of the oauth2 lib I could find: https://github.com/operasoftware/python-oauth2 - But it seems to be oauth1 even though it says oauth2. Can someone confirm?

On Wed, May 30, 2012 at 10:28 AM, Horus dwayne.o.cla...@gmail.com wrote:

I am doing a bit of research on it and looking to wrap my head around it to build a server and client in Web2Py; however, there isn't a lot of documentation and some implementations differ from others (I guess that is getting back to what Massimo said). Essentially, I will build a core system and have my apps built around that core (API Centric). I think that will be a little project to start in coming weeks.
Re: [web2py] Re: Web2Py + OAuth2 Server
Yes it is definitely possible.

OAuth2.0 was born because OAuth1.0 had all sorts of hashing to do on both client and server side. That was to allow for better security, on a clear channel, but failed since OAuth1.0a is deprecated on non-TLS channels. They really simplified things in OAuth2.0 so it is much easier to implement, but as Massimo points out the spec is still a bit rough and does just a little more than OpenID.

Anyway OAuth2.0 is now adopted by Twitter, LinkedIn, Google and Facebook (actually with some little differences, but nothing serious). This means that having an OAuth2.0 service is now seen as an important feature. It is something on my TODO list so if you go ahead I can give you some support.

mic

2012/5/29 Massimo Di Pierro massimo.dipie...@gmail.com:

Theoretically yes. In fact I may even have somewhere an OAuth 1.0 server. The problem is that the OAuth 2.0 specs are very poor. They specify how the client asks the server if a user is authenticated but do not say anything about what information the server should provide to the client (user name? email?). This means a client written for one server will only work with that server and vice versa. The Facebook OAuth 2.0 follows its own rules. You can build a client that works with it. You can build a server that mimics them but there is very little in the OAuth 2.0 specs that tells you how to. Moreover your app is unlikely to provide the same services as Facebook and therefore clients written for Facebook will not work for it. I would stay away from OAuth 2.0 unless you need it as a client to authenticate to third party services.

Massimo
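The contrast drawn in the message above, OAuth 1.0 request signing on both sides versus an OAuth 2.0 bearer token sent over TLS, as an added example that is not part of the original thread. All names, URLs, tokens and secrets are constructed; default-port and request-body normalization and nonce/timestamp replay tracking, which a real OAuth 1.0 server also needs, are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values (assumptions, not from the thread).
URL = "https://api.example.com/photos?size=original&file=vacation.jpg"
OAUTH1_PARAMS = {
    "oauth_consumer_key": "client-123",
    "oauth_token": "token-456",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1350000000",
    "oauth_nonce": "n0nce",
}
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret", "token-secret"
ISSUED_TOKENS = {"opaque-access-token": {"user": "alice", "scope": "photos"}}


def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    """The string an OAuth 1.0 client and server must both rebuild identically."""
    parts = urlsplit(url)
    base_uri = "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join("%s=%s" % pair for pair in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign_oauth1(method, url, oauth_params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both shared secrets."""
    key = "%s&%s" % (pct(consumer_secret), pct(token_secret))
    base = signature_base_string(method, url, oauth_params)
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_oauth1(method, url, oauth_params, signature, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign_oauth1(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), signature.encode())


def bearer_header(access_token):
    """OAuth 2.0 client side: the token is sent as-is, nothing is hashed."""
    return {"Authorization": "Bearer " + access_token}


def verify_bearer(headers, url, issued_tokens):
    """Server side: a token lookup; confidentiality rests entirely on TLS."""
    if urlsplit(url).scheme != "https":
        return None  # refuse bearer tokens on a clear channel
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    for known, grant in issued_tokens.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return grant
    return None


if __name__ == "__main__":
    sig = sign_oauth1("GET", URL, OAUTH1_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("OAuth 1.0 signature:", sig)
    print("OAuth 2.0 header:   ", bearer_header("opaque-access-token"))
```

The OAuth 1.0 signature stops verifying as soon as the URL or a parameter changes, while the same bearer header is accepted for any HTTPS request, which is why the server-side check refuses it on a clear channel.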
Re: [web2py] Re: Web2Py + OAuth2 Server
I am doing a bit of research on it and looking to wrap my head around it to build a server and client in Web2Py; however, there isn't a lot of documentation and some implementations differ from others (I guess that is getting back to what Massimo said). Essentially, I will build a core system and have my apps built around that core (API Centric). I think that will be a little project to start in coming weeks.

On Tuesday, May 29, 2012 9:16:44 AM UTC-4, mcm wrote:

Yes it is definitely possible.

OAuth2.0 was born because OAuth1.0 had all sorts of hashing to do on both client and server side. That was to allow for better security, on a clear channel, but failed since OAuth1.0a is deprecated on non-TLS channels. They really simplified things in OAuth2.0 so it is much easier to implement, but as Massimo points out the spec is still a bit rough and does just a little more than OpenID.

Anyway OAuth2.0 is now adopted by Twitter, LinkedIn, Google and Facebook (actually with some little differences, but nothing serious). This means that having an OAuth2.0 service is now seen as an important feature. It is something on my TODO list so if you go ahead I can give you some support.

mic
[web2py] Re: Web2Py + OAuth2 Server
Theoretically yes. In fact I may even have somewhere an OAuth 1.0 server. The problem is that the OAuth 2.0 specs are very poor. They specify how the client asks the server if a user is authenticated but do not say anything about what information the server should provide to the client (user name? email?). This means a client written for one server will only work with that server and vice versa. The Facebook OAuth 2.0 follows its own rules. You can build a client that works with it. You can build a server that mimics them but there is very little in the OAuth 2.0 specs that tells you how to. Moreover your app is unlikely to provide the same services as Facebook and therefore clients written for Facebook will not work for it. I would stay away from OAuth 2.0 unless you need it as a client to authenticate to third party services.

Massimo

On Monday, 28 May 2012 20:25:52 UTC-5, Horus wrote:

I have seen that web2py supports integration with Facebook + Twitter. What if I want to create my own OAuth2 Server like what is offered by Facebook and Twitter? Is this possible with Web2Py?