This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import logging | |
| import httplib2 | |
| from apiclient.discovery import build | |
| from django.contrib.auth.decorators import login_required | |
| from django.core.urlresolvers import reverse | |
| from django.http import HttpResponse | |
| from django.http import HttpResponseBadRequest | |
| from django.http import HttpResponseRedirect | |
| from django.shortcuts import render_to_response | |
| from django_sample.plus.models import CredentialsModel | |
| from django_sample import settings | |
| from oauth2client import xsrfutil | |
| from oauth2client.client import flow_from_clientsecrets | |
| from oauth2client.django_orm import Storage | |
| # CLIENT_SECRETS, name of a file containing the OAuth 2.0 information for this | |
| # application, including client_id and client_secret, which are found | |
| # on the API Access tab on the Google APIs | |
| # Console <http://code.google.com/apis/console> | |
| CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), '..', 'client_secrets.json') | |
| FLOW = flow_from_clientsecrets( | |
| CLIENT_SECRETS, | |
| scope='https://www.googleapis.com/auth/plus.me', | |
| redirect_uri='http://localhost:8000/oauth2callback') | |
| @login_required | |
| def index(request): | |
| storage = Storage(CredentialsModel, 'id', request.user, 'credential') | |
| credential = storage.get() | |
| if credential is None or credential.invalid == True: | |
| FLOW.params['state'] = xsrfutil.generate_token(settings.SECRET_KEY, | |
| request.user) | |
| authorize_url = FLOW.step1_get_authorize_url() | |
| return HttpResponseRedirect(authorize_url) | |
| else: | |
| http = httplib2.Http() | |
| http = credential.authorize(http) | |
| service = build("plus", "v1", http=http) | |
| activities = service.activities() | |
| activitylist = activities.list(collection='public', | |
| userId='me').execute() | |
| logging.info(activitylist) | |
| return render_to_response('plus/welcome.html', { | |
| 'activitylist': activitylist, | |
| }) | |
| @login_required | |
| def auth_return(request): | |
| if not xsrfutil.validate_token(settings.SECRET_KEY, request.REQUEST['state'], | |
| request.user): | |
| return HttpResponseBadRequest() | |
| credential = FLOW.step2_exchange(request.REQUEST) | |
| storage = Storage(CredentialsModel, 'id', request.user, 'credential') | |
| storage.put(credential) | |
| return HttpResponseRedirect("/") |
Really? So I attempted to get this framework working in my app for hours. It requires that you use the google model objects and the xsrfutil libs to work (I guess I never got it to).
https://developers.google.com/accounts/docs/OAuth2WebServer
and
https://code.google.com/p/google-api-python-client/source/browse/samples/django_sample/plus/views.py
This FLOW framework obscures the oauth2 process from the developer, so you are completely dependent on the code base being simple to understand to get the implementation working. Secondly creating the oauth2 app client credentials are buried deep in google's "API Dashboard". It was the longest amount of time I have ever spent on an oauth2 implementation. I have done many of these and this one is very difficult to work with.
Compare this to oauth2 providers that actually give you the curl approaches directly, and allow you to compare it to their API. Their oauth2 implementation is not hidden, and you can easily figure out what needs to be done.
Paypal
https://developer.paypal.com/docs/api/#authorizations
Pretty good outh2 implementation, well documented, easy to use API. Poor user object returned on successful auth in some cases.
Github
https://developer.github.com/v3/oauth/
Its good. Period.
Coinbase
https://www.coinbase.com/docs/api/authentication
Good implementation and documentation. The python examples were a little off but a python dev can figure it our. Their support responds to problems. Worthy.
Here are my recommendations to oauth providers:
- Make the entire three legged process easy to natively implement via curl commands.
- Build auth apis that are simple extensions of that flow
- Make sure that the client api can access enough user information to create a user record on the target app without asking for more information.
- Make it easy for developer to create client app secrets and manage multiple environments.
No comments:
Post a Comment