Comments (22)
The purpose of oauthlib is to be a strict to-spec implementation. Since 2-legged oauth isn't defined in the spec, it's outside the scope of this project. If I'm wrong here (and I certainly could be), please point me at the bit of the oauth rfc that deals with 2-legged oauth, and if it's not already working we'll add it:
http://tools.ietf.org/html/rfc5849
from oauthlib.
This is part of the problem with the global OAuth community - the lack of community consensus on how to define things.
@sontek - If two legged auth isn't in the spec, I wonder if it might be worth it to start a project that uses OAuthlib as a foundation to provide it. In fact, that's the poorly stated (which is all my fault) purpose of the project. To be the foundation of other projects.
@dgouldin it's, as far as I am aware, unspecified and everyone seems to have their own idea of what it does. Google describes one use in https://developers.google.com/accounts/docs/OAuth which is basically oauth without user authorization, which we do indeed support since it basically just omits the oauth token & token secret.
I've not looked into how OpenSocial does things but can see if I find some time this weekend.
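As an added illustration of the point above that two-legged OAuth 1 is the ordinary signing flow with the token and token secret left out, the following stdlib-only Python (example code, not oauthlib's own; the client key, secret, URL, nonce and timestamp are constructed values) signs a request with HMAC-SHA1 per RFC 5849 and verifies it on the server side, rejecting a tampered query string and a stale timestamp.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    """RFC 5849 section 3.6 percent-encoding (only unreserved characters untouched)."""
    return quote(str(s), safe="-._~")

def base_string(method, uri, params):
    """Signature base string (RFC 5849 section 3.4.1): method & base URI & normalized params."""
    parts = urlsplit(uri)
    # Simplification: default ports are not stripped from netloc here.
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(norm)])

def hmac_sha1(client_secret, token_secret, text):
    # Two-legged: the token secret is empty, so the key is just "<client_secret>&".
    key = (pct(client_secret) + "&" + pct(token_secret)).encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, uri, client_key, client_secret, nonce=None, ts=None):
    """Client side: build the oauth_* protocol parameters with no oauth_token at all."""
    oauth = [
        ("oauth_consumer_key", client_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(ts if ts is not None else int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    query = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    sig = hmac_sha1(client_secret, "", base_string(method, uri, oauth + query))
    return oauth + [("oauth_signature", sig)]

def verify_request(method, uri, oauth_params, lookup_secret, max_skew=300, now=None):
    """Server side: recompute the signature with the stored client secret and compare."""
    params = dict(oauth_params)
    secret = lookup_secret(params.get("oauth_consumer_key"))
    if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    now = now if now is not None else int(time.time())
    if abs(now - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return False  # stale; a real server also rejects a replayed (timestamp, nonce) pair
    unsigned = [(k, v) for k, v in oauth_params if k != "oauth_signature"]
    query = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    expected = hmac_sha1(secret, "", base_string(method, uri, unsigned + query))
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

The signature only proves possession of the client secret, which is the trust question raised later in this thread for secrets shipped inside a mobile or browser app.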
@ib-lundgren this is the closest thing I could find to a spec:
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
Given it's a draft from 4 years ago with no work done since, I'm skeptical it will actually become a standard, but if somebody (like Google) is actively using it, @pydanny is right: it could live as its own project on top of oauthlib.
Google might still be using it but they have officially deprecated OAuth 1 (and flavours like 2 legged) since April. http://googledevelopers.blogspot.com/2012/04/changes-to-deprecation-policies-and-api.html
Yeah, it is not in the spec, it's just a common use case for handling authentication for APIs.
My current use case is for my mobile app to communicate to my own API. I won't be authorizing 3rd party applications to talk to this API, so I just need to make sure the API is coming from the trusted source (my app).
I would be willing to implement the 2-legged auth version of this but right now I'm still reading through the code to figure out how everything works and familiarizing myself with the spec itself. I think some documentation on using oauthlib would be really beneficial, since currently there aren't any true examples.
Something like a base wsgi app or a small flask app utilizing oauthlib as a server would be great.
Looks like https://github.com/ib-lundgren/flask-oauthprovider might be enough of an example for me to work off of. I'm not using flask but I was just looking for a real example of using oauthlib.
OAuth is for authorization and not authentication. You should look into creating some unique identifier (which can't be forged by other mobile apps) and use SSL to your API. Authenticate using whichever method your research finds best (HTTP basic auth is quite common).
You can never entirely trust a mobile app or any app not living in an environment outside of your control (i.e. an in-browser JS app), which renders OAuth 1 pretty useless. OAuth 2 attempts to address the issue to some extent but not very successfully.
When you want to open up your API for third party devs then come back and enjoy some OAuth. For documentation look at https://github.com/idan/oauthlib/blob/master/docs/server.rst or the flask extension you just found.
I think OAuth can still serve the purpose of securing the request. I plan on using it for my browser js requests as well.
Obviously having the private key in the website isn't that secure but at least it's going to be a per app, per user key and verifies that the request coming in is fairly legit.
If I wasn't using two-legged oauth I would basically just re-invent the wheel and implement most of the features myself anyways.
@ib-lundgren I did see the server.rst but for me at least that wasn't enough documentation to get started without reading through the source. So it probably could be improved, but it could just be because this is my first time doing oauth.
It might be a bit terse; improving/adding documentation is a big bold thing on my todo list. Don't fear the source though, it's not that bad =)
Before doing javascript OAuth 1 please read http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/
What you might want to use instead is OAuth 2 Implicit Grant which will (if I find time) be in oauthlib in the not too distant future. To get an idea what it is without reading the spec have a look at https://developers.google.com/accounts/docs/OAuth2UserAgent which is using the implicit grant workflow under a different name.
@ib-lundgren I do fear the source. Always. Which is why I spend so much time documenting. :-)
@ib-lundgren Yeah, I've read that oauth2 provides better support for what I want to do for javascript but I'm working with the tools I have available ;)
I would love me some OAuth2 Server support if you get the chance! I'm not even close to familiar enough with this stuff to think about doing it myself.
@ib-lundgren I do have beer money and will be at PyCon if support for it somehow lands in this repository
If support for it comes with documentation I'll have coffee money for the morning after as well!
Hehe sounds good but not sure I'll make PyCon. I'll try and get some initial support + docs going as soon as I can find time =)
@sontek you're not at djangocon are you? I'm planning a djangocon oauthlib sprint. I'll be sprinting Friday and Saturday.
@dgouldin I'm not but I would be happy to sprint remotely. I'm living in Santiago right now so trips to the US for conferences aren't as easy as they used to be.
@dgouldin @ib-lundgren I'm still working on it but I got bored last night and started building out an OAuth2 Provider:
https://github.com/sontek/oauth2_provider
Right now I have the legs for 4.1.1 and 4.2.1 implemented, which is response_type 'code' and 'token' with grant_type as authentication_code. I still have a long way to go but I had never even looked at this spec before so I have to learn a lot to implement a little.
Seems like you are heading in a similar direction as I took with my branch. Will try and clean it up and push it this week so we can develop together =)
Yeah, I would prefer to get all this in oauthlib, primarily because I don't want to be the maintainer of it ;)
I have a completely working OAuth2 Authorization server with 100% test coverage in my repo. Let me know when you get all your stuff pushed and we'll see how to get everything integrated together.