The OAuth library for Python
Members (158)

I just updated our custom OAuth2 provider implementation, which only supported the Authorization Code Grant, to the fantastic OAuthLib.

I'm glad to say it was an easy decision to make and to accomplish.

Thanks to the OAuthLib authors for this awesome library.

Check out our new implementation live at https://yithlibrary.herokuapp.com/

Chris White

2 comments

I've edited my post on stackoverflow to provide clearer logging to help debug.

Ib Lundgren (owner)

Hey everyone!

Finally have some time after a long crunch of course assignments and other pressing duties and am happy to say that the loooong overdue release of OAuthLib 0.6.1 is pushed to PyPI. This includes numerous small updates so check out the README. It might contain some fairly raw features related to revocation so please let me know if you run into anything!

That was OAuthlib, going to catch up on requests-oauthlib (cc Cory Benfield) on Wednesday :)

Jan Wrobel

Hello! When do you plan the next OAuthLib release?

Hsiaoming Yang

FYI, I've just submitted a pull request to oauth.net https://github.com/aaronpk/oauth.net/pull/55

It is merged.

André Cruz

I'm implementing an OAuth2 provider. On my RequestValidator.validate_client_id() I already store the client as an attribute on request. However, when Server.validate_authorization_request() returns I don't have access to that request object. I need this object in order to properly ask the user for authorisation and as it stands I need to fetch it again from the DB. Can't this oauthlib "request" object be returned as well?

5 comments

Cheers!

John Sheehan

Is there an easy way to extract the signature base string that was generated while signing an OAuth 1.0a request? This is useful during debugging when trying to find how the SBS doesn't match the server-generated one.

Extract, afraid not. Show, yes :-) by enabling debug logging for the 'oauthlib' logger as shown in http://oauthlib.readthedocs.org/en/latest/oauth1/server.html#let-us-know-how-it-went.

Ib Lundgren (owner)

Deciding on OAuth token vs API keys?

If you want to protect your API so only authorized clients may access it, then the common approach is to use API keys and basic authentication. This is useful when the API does not protect user data but generic data such as sport league results, TV listings, etc. Here any client with a valid API key is authorized to access any data and authenticates using said key.

When your API protects user data (tweets, pictures, etc.) you might want to restrict the clients so that they can only access user data after said user has given them permission. This is where OAuth comes in. OAuth gives a token which is essentially a temporary API key bound to only one user's data. Often you want to restrict this even further by only allowing access to the user's pictures. That is what OAuth scopes are used for. Note here that the user allowing a client access to its data is the "Authorization" of OAuth.

To make sure the token sent from a client is from a valid client, authentication is needed as well, but it is optional in OAuth 2. Confidential (authenticated) clients in OAuth 2 usually authenticate using Basic Auth (but could be using pub/priv keys or any other method as well).

However, if you will have mobile clients you are running into the issue of reliable authentication, as there is no technically safe way to hide a secret on a device out of your control. OAuth 2 (Implicit grant) makes a compromise by not requiring authentication here but instead limiting the time a token might be used.
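A small resource-server check, added here as an illustration and not code from oauthlib or from this post, that applies the distinction above: generic data is served to any client presenting a valid API key over Basic auth, while user data requires a Bearer token that is bound to that user, carries the needed scope and has not expired (the short lifetime an Implicit grant token gets). The client id, key, token strings and epoch timestamps are constructed samples.

```python
import base64
import hmac
from dataclasses import dataclass

API_KEYS = {"scores-widget": "constructed-api-key"}  # constructed; client -> key, no user bound

@dataclass(frozen=True)
class AccessToken:
    user: str           # the one resource owner who authorised the client
    scopes: frozenset   # what that user allowed, e.g. {"pictures"}
    expires_at: int     # kept short for Implicit grant tokens, which skip client auth

TOKENS = {  # constructed sample tokens with constructed epoch expiry times
    "tok-alice-pictures": AccessToken("alice", frozenset({"pictures"}), 2_000_000_000),
    "tok-bob-implicit": AccessToken("bob", frozenset({"pictures", "tweets"}), 1_000_000_000),
}

def basic_header(client_id, key):
    # Authorization: Basic base64(client_id:key), as a confidential client would send it
    return "Basic " + base64.b64encode(f"{client_id}:{key}".encode()).decode()

def basic_client(authorization):
    # client id if the Basic credentials match a known API key, else None
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, key = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # covers bad base64 (binascii.Error) and bad UTF-8
        return None
    expected = API_KEYS.get(client_id, "").encode()
    return client_id if hmac.compare_digest(expected, key.encode()) else None

def authorize(authorization, now, owner=None, scope=None):
    # (allowed, reason); owner and scope are None for generic, non-user data
    scheme, _, cred = authorization.partition(" ")
    if owner is None:  # generic data: any client holding a valid API key may read it
        ok = basic_client(authorization) is not None
        return ok, "api key accepted" if ok else "api key invalid"
    if scheme != "Bearer":  # user data: only a token the user delegated will do
        return False, "user data needs an OAuth token"
    token = TOKENS.get(cred)
    if token is None or token.expires_at <= now:
        return False, "unknown or expired token"
    if token.user != owner:  # a token is bound to the one user who granted it
        return False, "token bound to another user"
    if scope not in token.scopes:  # scopes narrow that grant further
        return False, f"scope '{scope}' not granted"
    return True, "token accepted"
```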

Ib Lundgren (owner)

OAuthLib 0.6 is out!

0.6 features a major interface change on the provider side where the method contract on all endpoints, OAuth 1 & 2, changes to a three-tuple down from a four-tuple. Redirect URI is now placed in headers as Location where it belongs.

Other changes include a number of clean ups in tests, and I can proudly say we now reach 97% coverage :) With more edge case tests and clean ups on the horizon.

Next up on the to do list is Token Revocation; this spec is still a draft but fairly small in scope and I doubt many changes will be made before RFC.

cc #python #oauth

requests-oauthlib 0.3.3 is now on PYPI!
...this version includes the fix for the OAuth1Session issue with parsing out access tokens =)

In other news: I just pushed a few changes to master, including a compliance fix for facebook to make their non spec compliant https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/ flow work. You can find the tutorial at RTDs.

Install from master with pip install -e git+https://github.com/requests/requests-oauthlib.git#egg=requests_oauthlib.

#python #oauth #facebook

jinwoo Hong

oauthlib 0.5.0 ResourceEndpoint class calls the "validate_timestamp_and_nonce" method using the "request_token" parameter.
Is this correct?
I think that it should use access_token, shouldn't it?

4 comments

Nice~ Thank you~

Kevin O'Connor

If I have an OAuth2 Client that's configured to only allow the 'password' grant type, shouldn't oauthlib stop me from displaying a web page in conjunction with the 'authorization_code' grant type? It seems like 'validate_grant_type' (https://github.com/idan/oauthlib/blob/8671b4bf6bfb4c6e457d97a8d0b3ad7f638d75e1/oauthlib/oauth2/rfc6749/request_validator.py#L359) isn't getting called when displaying the /authorize endpoint that I'm generating after using 'validate_authorization_request'.

Kristen Bond

2 comments

Hsiaoming released an update and it works. I guess the release of oauthlib 0.6.1 caused a chain reaction. My issue is resolved but I just tried Chris White's issue re: requests-oauthlib and flask-oauthlib and am having the same issue.

Hi, thanks for the good lib. Successfully implemented it in my tornado web project.

Awesome! How was the experience? Don't hesitate to point out shortcomings in the docs/code :)

Also, I don't think there is an extension for Tornado yet so if that tickles your fancy I'm sure others would find it useful. https://github.com/idan/oauthlib/issues/176

Hsiaoming Yang

Hi, everyone. I've written an article on creating OAuth providers. I need some suggestions on the article, since I am not a native English speaker.

+Ib Lundgren Any comment on this post?

André Cruz

Is it possible to implement an OAuth2 provider without using scopes? It seems that create_authorization_response mandates some scope to be set:

  File "/Users/andre/work/penv/discosite/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py", line 181, in create_authorization_response
    raise ValueError('Scopes must be set on post auth.')
ValueError: Scopes must be set on post auth.

3 comments

Ah true, yea is None is probably more fitting.

Hello,

Could anyone tell me why grant type create_response_token methods return different content types? For example client credentials http://goo.gl/kuWIky returns text/html, authorization code http://goo.gl/Gkrrw1 returns application/json, resource owner password http://goo.gl/N7ddEY returns application/json. From what I understand the RFC example http://goo.gl/qNSXgQ shows application/json for client credentials.

2 comments

Cool. I submitted a pull request.

Ib Lundgren (owner)

Quick How To: Fetching GMail emails using SASL XOAuth 2 (cc #Python)

Have a wish/suggestion for what to include in the #requests-oauthlib docs? I'd love a comment here or at https://github.com/requests/requests-oauthlib/issues/48.

It could be anything that needs improving (change structure, less/more detail etc) or something you want added. A specific guide/tutorial or example on how to use provider X.

A few obvious sections are missing related to the non-web application flow; if you know providers other than Google offering these, let me know!

Andrew Sumner

Trying to use oauthlib with magento on the server side. It works fine for a get, but when I try a post the request header's Content-Type is changed from application/json to application/x-www-form-urlencoded. Magento returns an error stating that it can't understand the request.

I haven't been able to find a way to get it to use application/json; any suggestions would be most welcome. Code snippets below...

This works:
import requests
from requests_oauthlib import OAuth1
oauth = OAuth1(client_key=consumer_key, client_secret=consumer_secret, resource_owner_key=access_key, resource_owner_secret=access_secret)
r = requests.get(url=base_url + '/api/rest/products', auth=oauth)

r.request.headers is {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate, compress', 'Authorization': 'OAuth oauth_nonce="stuff", oauth_timestamp="stuff", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="stuff", oauth_token="stuff", oauth_signature="stuff"', 'User-Agent': 'blah'}

This does not work:-
import requests
from requests_oauthlib import OAuth1
oauth = OAuth1(client_key=consumer_key, client_secret=consumer_secret, resource_owner_key=access_key, resource_owner_secret=access_secret)
r = requests.post(url=base_url + '/api/rest/products', data=mydata, auth=oauth)

r.request.headers is {'Content-Length': u'276', 'Accept-Encoding': 'gzip, deflate, compress', 'Accept': '*/*', 'User-Agent': 'python-blah blah', 'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': 'OAuth oauth_nonce="stuff", oauth_timestamp="stuff", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="stuff", oauth_token="stuff", oauth_signature="stuff"'}

8 comments

Aha! Right you are, I hadn't surrounded it with quotes to make it a string so python was turning it into a dict. A bit of fiddling around and it's now working - Magento is very picky about what it accepts, it needs json names/strings double-quoted (not apostrophe'd) but integer values not quoted at all. Anyway, thanks again.
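For the earlier question about extracting the signature base string while debugging an OAuth 1.0a mismatch, and for this Content-Type thread, here is an added example (not oauthlib's own code) that rebuilds the RFC 5849 base string from the method, URL, Authorization header and body and signs it with HMAC-SHA1, so the two sides can be compared directly instead of through the 'oauthlib' debug logger. Only a form-encoded body contributes parameters to the base string; a JSON body is never signed, so switching Content-Type also changes what the signature covers. The sample request is the one printed in RFC 5849 section 3.4.1.1.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

FORM = "application/x-www-form-urlencoded"

def pct(value):
    # RFC 3986 percent-encoding: only unreserved characters stay bare
    return quote(value, safe="-._~")

def base_string_uri(url):
    # lower-case scheme and host, drop default port, query and fragment
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname or "", p.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"

def header_params(authorization):
    # decoded oauth_* pairs from an "OAuth ..." header; realm and the signature are excluded
    _, _, rest = authorization.partition(" ")
    pairs = [item.strip().partition("=") for item in rest.split(",") if item.strip()]
    decoded = [(unquote(n), unquote(v.strip('"'))) for n, _, v in pairs]
    return [(n, v) for n, v in decoded if n not in ("realm", "oauth_signature")]

def signature_base_string(method, url, authorization, body="", content_type=""):
    # RFC 5849 s3.4.1: query + header + (form-encoded body only) params, encoded,
    # sorted by name then value, joined with "&", then encoded once more
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += header_params(authorization)
    if content_type.split(";")[0].strip().lower() == FORM:
        params += parse_qsl(body, keep_blank_values=True)  # a JSON body is never signed
    encoded = sorted((pct(n), pct(v)) for n, v in params)
    normalized = "&".join(f"{n}={v}" for n, v in encoded)
    return "&".join((method.upper(), pct(base_string_uri(url)), pct(normalized)))

def hmac_sha1(base_string, client_secret, token_secret=""):
    # HMAC-SHA1 key is the two encoded secrets joined by "&"; token secret may be empty
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

# Sample request from RFC 5849 section 3.4.1.1 (spec example, not captured traffic)
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_AUTH = ('OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", '
            'oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", '
            'oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", '
            'oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"')
```

Compare the string from signature_base_string(...) with the one the server logs; the first differing segment (URI, a query or body parameter, or an oauth_* header value) points at the mismatch.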