Re: [web2py] Re: Alternative to Janrain: in pure Python

2012-08-14 Thread Massimo Di Pierro
I opened an issue about this.

On Tuesday, 14 August 2012 12:52:52 UTC-5, Alec Taylor wrote:
>
> Can we get an update?
>
> I think this would be a good selling point for web2py, if ported.
>
> On Thursday, July 19, 2012 8:12:43 AM UTC+10, Daniel Gonzalez wrote:
>>
>> Hi,
>>
>> I have tried the example in this "sanction" library and it looks like the
>> authentication using oauth2 is really easy to implement. Unfortunately the
>> example uses BaseHTTPRequestHandler and not web2py (which is the point of
>> this discussion, of course).
>>
>> I think that a first step would be, as the example in sanction
>> demonstrates, to have an authentication token which can be used to access
>> account info, which can be used to set up an internal web2py user linked to
>> the oauth2 account. The data which can be accessed via oauth2 will differ
>> from provider to provider, but probably some basic identification data can
>> be obtained. It is not clear to me which data can be obtained, how the link
>> account in web2py can be set up, what is the role of the authentication
>> token, whether the authentication token can be saved for later use, how
>> long is the authentication token valid, and lots of other open questions.
>>
>> In my research to have an OAuth2 system working I have also tried to use
>> the oauth2 framework used in the application described in this thread
>> (Movuca), but it turns out that
>> the whole OAuth2 interaction is integrated with the data structures used by
>> the application, and I have failed to split the pure OAuth2 parts from the
>> rest.
>>
>> My goal is to have a basic demo of how to integrate an OAuth2 library with
>> web2py, preferably this sanction library, since it seems that lots of
>> providers are supported out of the box, and that more can be easily added.
>> My main problem is that I am not familiar with the Auth system and I do
>> not know how to configure the login system in web2py to use the OAuth2 library.
>> Maybe somebody could provide some assistance. I would be willing to 
>> contribute back of course.
>>
>> Regards,
>> Daniel
>>
>


Re: [web2py] Re: Alternative to Janrain: in pure Python

2012-08-14 Thread Alec Taylor
Can we get an update?

I think this would be a good selling point for web2py, if ported.

On Thursday, July 19, 2012 8:12:43 AM UTC+10, Daniel Gonzalez wrote:
>
> Hi,
>
> I have tried the example in this "sanction" library and it looks like the
> authentication using oauth2 is really easy to implement. Unfortunately the
> example uses BaseHTTPRequestHandler and not web2py (which is the point of
> this discussion, of course).
>
> I think that a first step would be, as the example in sanction
> demonstrates, to have an authentication token which can be used to access
> account info, which can be used to set up an internal web2py user linked to
> the oauth2 account. The data which can be accessed via oauth2 will differ
> from provider to provider, but probably some basic identification data can
> be obtained. It is not clear to me which data can be obtained, how the link
> account in web2py can be set up, what is the role of the authentication
> token, whether the authentication token can be saved for later use, how
> long is the authentication token valid, and lots of other open questions.
>
> In my research to have an OAuth2 system working I have also tried to use
> the oauth2 framework used in the application described in this thread
> (Movuca), but it turns out that
> the whole OAuth2 interaction is integrated with the data structures used by
> the application, and I have failed to split the pure OAuth2 parts from the
> rest.
>
> My goal is to have a basic demo of how to integrate an OAuth2 library with
> web2py, preferably this sanction library, since it seems that lots of
> providers are supported out of the box, and that more can be easily added.
> My main problem is that I am not familiar with the Auth system and I do
> not know how to configure the login system in web2py to use the OAuth2 library.
> Maybe somebody could provide some assistance. I would be willing to 
> contribute back of course.
>
> Regards,
> Daniel
>


Re: [web2py] Re: Alternative to Janrain: in pure Python

2012-07-18 Thread Daniel Gonzalez
Hi,

I have tried the example in this "sanction" library and it looks like the
authentication using oauth2 is really easy to implement. Unfortunately the
example uses BaseHTTPRequestHandler and not web2py (which is the point of
this discussion, of course).

I think that a first step would be, as the example in sanction
demonstrates, to have an authentication token which can be used to access
account info, which can be used to set up an internal web2py user linked to
the oauth2 account. The data which can be accessed via oauth2 will differ
from provider to provider, but probably some basic identification data can
be obtained. It is not clear to me which data can be obtained, how the link
account in web2py can be set up, what is the role of the authentication
token, whether the authentication token can be saved for later use, how
long is the authentication token valid, and lots of other open questions.

In my research to have an OAuth2 system working I have also tried to use the
oauth2 framework used in the application described in this thread (Movuca),
but it turns out that the whole OAuth2 interaction is integrated with the
data structures used by the application, and I have failed to split the
pure OAuth2 parts from the rest.

My goal is to have a basic demo of how to integrate an OAuth2 library with
web2py, preferably this sanction library, since it seems that lots of
providers are supported out of the box, and that more can be easily added.
My main problem is that I am not familiar with the Auth system and I do not
know how to configure the login system in web2py to use the OAuth2 library.
Maybe somebody could provide some assistance. I would be willing to 
contribute back of course.

Regards,
Daniel


RE: [web2py] Re: Alternative to Janrain: in pure Python

2012-07-18 Thread Demian Brecht
I also confirm this. Each provider is left to determine their own API to
expose resources (most follow a RESTful interface).

However, the *authorization* portion is relatively consistent for each
provider (relatively in that there are slight deviations, such as returned
data being in either JSON or a URL format). The auth portion is something
that *can* be easily implemented to cover all providers, for all server-side
flows (I've tested both authorization code and client credentials flows with
the library that I wrote). The rest is simply requests sent using the
credentials retrieved by the auth flow.

The point here is that cross-provider auth using slightly deviant OAuth 2.0
implementations can be a bit of a pain, especially if you aren't relatively
intimately familiar with OAuth 2.0. IMHO, adding this to a framework is very
little work, with relatively large benefit for the users.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web2py@googlegroups.com] On Behalf Of
Michele Comitini
Sent: Wednesday, July 18, 2012 2:13 PM
To: web2py@googlegroups.com
Subject: Re: [web2py] Re: Alternative to Janrain: in pure Python

I confirm.  Information about the user depends on the producer.  It is
usually a simple REST call.
In theory there is not even a guarantee that any user data is available to the
consumer.
OAuth is about giving authorization to fetch authenticated user data by a
third party, i.e. the OAuth consumer.
The only specified result from a successful authentication is an expiring
session token that must not contain any direct reference to user info.

mic


> The authentication is interoperable (is this user allowed to login?) 
> but not the request for credentials (who is this user?).
>
>
>
>
>
> On Wednesday, 18 July 2012 13:24:12 UTC-5, rdodev wrote:
>>
>> OAuth2 authorization for web2py would be huge. +1
>>
>> On Thursday, July 5, 2012 10:42:20 AM UTC-4, Alec Taylor wrote:
>>>
>>> A rather good 64-line OAuth 2 client implementation for Python has 
>>> been open-sourced.
>>>
>>> Source-code (announcement)
>>>
>>> This has been tested-and includes example code-with:
>>>
>>> Facebook
>>> Google
>>> Foursquare
>>>
>>> https://github.com/demianbrecht/sanction/blob/master/example/server.py
>>>
>>> Please share your thoughts below, specify if you would like how to 
>>> use it with web2py, e.g.: for the online web2py book. [Disclaimer: 
>>> haven't spoken with Massimo yet]
>>>
>>> Thanks,
>>>
>>> Alec Taylor
>
> --
>
>
>
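
The deviation mentioned in the message above (token data returned as either JSON or URL-encoded text, with a limited lifetime) can be absorbed in one normalizing step before any account is linked. This is an added example, not code from the thread or from the sanction library; `parse_token_response`, `is_expired`, the `expires` fallback key and the sample bodies are assumptions made for illustration.

```python
import json
import time
from urllib.parse import parse_qs

# Constructed sample token-endpoint bodies (not captured from any provider).
SAMPLE_JSON = '{"access_token": "tok-json", "token_type": "Bearer", "expires_in": 3600}'
SAMPLE_FORM = b"access_token=tok-form&expires=5183999"


def parse_token_response(body, content_type="", now=None):
    """Normalize a token response that is either JSON or URL-encoded."""
    now = time.time() if now is None else now
    text = body.decode("utf-8") if isinstance(body, bytes) else body
    media_type = content_type.split(";", 1)[0].strip().lower()
    data = None
    if media_type != "application/x-www-form-urlencoded":
        try:
            data = json.loads(text)
        except ValueError:
            data = None  # not JSON, fall through to the URL-encoded parser
    if not isinstance(data, dict):
        # strict_parsing rejects bodies that are not key=value pairs,
        # such as an HTML error page, instead of returning an empty dict.
        data = {k: v[0] for k, v in parse_qs(text, strict_parsing=True).items()}
    if "error" in data:
        raise ValueError("provider returned error: %s" % data["error"])
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response contains no access_token")
    # Assumption: the lifetime arrives as "expires_in" or, on some providers, "expires".
    lifetime = data.get("expires_in", data.get("expires"))
    expires_at = None
    if lifetime is not None:
        lifetime = int(lifetime)
        if lifetime <= 0:
            raise ValueError("non-positive token lifetime")
        expires_at = now + lifetime
    return {"access_token": token,
            "token_type": str(data.get("token_type", "bearer")).lower(),
            "expires_at": expires_at}


def is_expired(token, now=None, skew=30):
    """True once the token is within `skew` seconds of its stated expiry."""
    now = time.time() if now is None else now
    return token["expires_at"] is not None and now >= token["expires_at"] - skew
```

A token with no stated lifetime comes back with `expires_at` set to `None`, so the caller has to choose its own re-authentication policy for that case.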



Re: [web2py] Re: Alternative to Janrain: in pure Python

2012-07-18 Thread Michele Comitini
I confirm.  Information about the user depends on the producer.  It is
usually a simple REST call.
In theory there is not even a guarantee that any user data is available
to the consumer.
OAuth is about giving authorization to fetch authenticated user data
by a third party, i.e. the OAuth consumer.
The only specified result from a successful authentication is an
expiring session token that must not contain any direct reference to
user info.

mic


> The authentication is interoperable (is this user allowed to login?) but not
> the request for credentials (who is this user?).
>
>
>
>
>
> On Wednesday, 18 July 2012 13:24:12 UTC-5, rdodev wrote:
>>
>> OAuth2 authorization for web2py would be huge. +1
>>
>> On Thursday, July 5, 2012 10:42:20 AM UTC-4, Alec Taylor wrote:
>>>
>>> A rather good 64-line OAuth 2 client implementation for Python has been
>>> open-sourced.
>>>
>>> Source-code (announcement)
>>>
>>> This has been tested—and includes example code—with:
>>>
>>> Facebook
>>> Google
>>> Foursquare
>>>
>>> https://github.com/demianbrecht/sanction/blob/master/example/server.py
>>>
>>> Please share your thoughts below, specify if you would like how to use it
>>> with web2py, e.g.: for the online web2py book. [Disclaimer: haven't spoken
>>> with Massimo yet]
>>>
>>> Thanks,
>>>
>>> Alec Taylor
>
> --
>
>
>


Re: [web2py] Re: Alternative to Janrain: in pure Python

2012-07-06 Thread Alec Taylor
Hey Massimo,

What he was referring to is what the maintainer has added examples
for: https://github.com/demianbrecht/sanction/blob/master/example/server.py

(I also made a commit)

On Sat, Jul 7, 2012 at 11:30 AM, Massimo Di Pierro wrote:
> Hello Demian,
>
> I do not understand your comment. Is there code we can look at?
>
>
> On Friday, 6 July 2012 10:36:57 UTC-5, Demian Brecht wrote:
>>>
>>> Since the OP, I've also added handling and examples for:
>>
>> GitHub
>> Stack Exchange
>> Instagram
>> bitly