[Python-ideas] Support for OAuth2/OIDC in the standard distribution?

Chris Angelico rosuav at gmail.com
Thu Nov 17 09:45:32 EST 2016


On Thu, Nov 17, 2016 at 11:51 PM, Roland Hedberg <roland at catalogix.se> wrote:
>> A quick query of the PyPI download database for the three months shows the following download counts for those modules:
>>
>> - requests-oauthlib == 1,897,048
>> - oauth2 == 349,759
>> - pyoidc == 10,520
>>
>> This is not intended to be chastening for Roland: all new modules start with low download counts.
>
> No offence taken! :-)
> But you should distinguish between OAuth2 and OIDC. OIDC is a profile of OAuth2 for usage in the case where you not only need
> authorization (and access tokens) but also authentication and/or user info.

When you're looking at oauth2, there are myriad uses for it, and thus
large numbers of people looking for the module. But OIDC is something
I had never heard of until this thread (turns out it's something built
on top of OAuth2). Your module may well be best-in-show for OIDC
(unproven, but assume it for the nonce), but unless it's also
best-in-show for OAuth2, it's not going to have the broad draw/appeal
that I would hope for in a new stdlib module.

Perhaps the best step forward is to publish blog posts demonstrating
how your module compares to other OAuth2 libraries. That would put the
module name alongside various keywords that people will search for,
and thus improve its visibility. Consider this thought process, which
I'd say is fairly typical:

1) I want to use Fred's Wonderful Spamination API.
2) FWSA's docs say that I need to use this thing called OAuth.
3) What's OAuth? How do I use it? Search the web.
4) Oh, there's OAuth1 and OAuth2. Which should I use? Ahh, FWSA's docs
say OAuth2. Okay.
5) I need a Python module that does OAuth2.
6) Search the web, or search PyPI?

Personally, when I hit step 6, I search the web. PyPI search is
exhaustive but not very usefully ranked (for this purpose). Searching
for a keyword or protocol will give undue weight to a module whose
name is simply that word, even if that module is terrible,
unmaintained, etc, etc. Properly-ranked web search results are
generally more useful in pointing me to the appropriate package, even
if they're telling me to use something with a very different name.
(Consider a search for "python http". You'll get httplib/http.client,
but shortly after that, you get pointed to 'requests'.)

As another bonus, blog posts of that nature will help to explain to
more experienced devs "why should this matter to me". People who've
already used requests-oauthlib are unlikely to reach for a new and
unproven package without a good reason. So give them that reason! :)

Also, as I mentioned earlier, the Python Wiki may well have an
appropriate spot for this to be mentioned. It's worth a check.

ChrisA