google api and oauth2
Kushal Kumaran
kushal.kumaran+python at gmail.com
Wed Sep 26 01:24:23 EDT 2012
(making no attempt to fix messed up quoting, please take a look at
your mail client configuration)
On Wed, Sep 26, 2012 at 1:52 AM, Littlefield, Tyler <tyler at tysdomain.com> wrote:
> On 9/25/2012 2:05 PM, Demian Brecht wrote:
>
> This is a shameless plug, but if you want a much easier to understand method
> of accessing protected resources via OAuth2, I have a 55 LOC client
> implementation with docs and examples here:
> https://github.com/demianbrecht/sanction (Google is one of the tested
> providers with an access example).
>
>
> No complaints from me if it works. Honestly I was a bit discouraged at
> Google's decent lack of documentation and the quality of the code.
>
If you are writing a desktop application, read this:
https://developers.google.com/accounts/docs/OAuth2#clientside
>
> Are you trying to access resources client side (through Javascript) or
> server side? Either way, the redirect URI *is* important. The first step is
> to have your user authorize your application using Google's authorization
> page. As one of the query parameters, you must specify the redirect URI
> (which must match those registered through Google's app console).
>
> I'm trying to access it through a desktop Python application, which made me
> really confused. There was something else that talked about returning the
> tokens in a different way, but it talked about returning them in the title
> of the webpage, and since I'd be spawning a browser to request
> authorization, I'd have to write something that would pull the window
> information and then parse out the token from the title, which doesn't sound
> to stable.
>
After authenticating with google from a web browser, and authorizing
your application, the user will be presented with a web page from
which they can copy the access token (from the url or a text field
presented in the web page) and input into your application using
whatever mechanism you choose. If you are a simple text-based app,
you can just use input() to ask for the token.
If you are a GUI app, you can do other things, such as embedding a web
browser into your application and reading the redirected URL.
>
> Once the user has authorized your application, they're redirected back to
> your site (via the specified redirect URI), with a "code" attached as a
> query param. Once you get that code, you must exchange that with Google's
> token endpoint to retrieve the access and refresh tokens.
>
> Awesome. I could theoretically just create a webpage on my server to
> redirect people to with the query, but I'm still not quite sure how I'd
> retrieve that from the desktop application.
>
>
> No, it doesn't matter which library you use. Google's (imho) is overly
> verbose and difficult to grok (especially for someone new to either OAuth
> 2.0 or Python, or both). The client ID doesn't need to be kept private, but
> the secret does. You should *never* put this anywhere that can be read
> publicly.
>
> I plan on storing them both in variables. It's not going to be the best
> solution, but I plan to use python -O to create pyo files, which from what I
> understand are harder to decompile, and it'll be in a py2exe executable.
> Still not to hard to get at, but it's not right there either.
>
Don't worry about it. There is no way to keep it secret for desktop
applications. It is exactly the same as the DRM problem. The google
documentation itself admits: "... These applications, in general,
cannot keep secrets.". You should store the given tokens
persistently, though.
> <snipped>
In the past, I made a half-hearted attempt to writing something to
upload stuff to google calendar from .ics files. Here's the
google-authentication part of the code, if you can use it. I cannot,
at the moment, recall why I did not use the oauth2client library from
google.
#!/usr/bin/env python3
import datetime
import json
import os.path
import configparser
import requests
import webbrowser
import urllib.parse
def _store_tokens(auth_data, filename):
expiry_time = (datetime.datetime.now() +
datetime.timedelta(seconds=int(auth_data['expires_in'])))
auth_data['expiry_time'] = expiry_time.isoformat()
with open(filename, 'w') as file_stream:
json.dump(auth_data, file_stream)
def _get_new_token(config, token_file):
payload = {
'response_type' : 'code',
'client_id' : config['api']['client_id'],
'redirect_uri' : config['api']['redirect_uri'],
'scope' : 'https://www.googleapis.com/auth/calendar',
'state' : 'init'
}
url = 'https://accounts.google.com/o/oauth2/auth'
params = ['{}={}'.format(key, urllib.parse.quote(value))
for (key, value) in payload.items()]
webbrowser.open('{}?{}'.format(url, '&'.join(params)), new=2)
auth_code = input('Enter authorization code obtained: ')
payload = {
'code' : auth_code,
'client_id' : config['api']['client_id'],
'client_secret' : config['api']['client_secret'],
'redirect_uri' : config['api']['redirect_uri'],
'grant_type' : 'authorization_code'
}
r = requests.post('https://accounts.google.com/o/oauth2/token',
data=payload)
auth_data = json.loads(r.text)
_store_tokens(auth_data, token_file)
return auth_data['access_token']
def _refreshed_token(config, auth_data, token_file):
payload = {
'refresh_token' : auth_data['refresh_token'],
'client_id' : config['api']['client_id'],
'client_secret' : config['api']['client_secret'],
'grant_type' : 'refresh_token'
}
r = requests.post('https://accounts.google.com/o/oauth2/token',
data=payload)
auth_data = json.loads(r.text)
_store_tokens(auth_data, token_file)
return auth_data['access_token']
def _get_existing_token(config, token_file):
with open(token_file) as token_stream:
auth_data = json.load(token_stream)
now = datetime.datetime.now().isoformat()
if auth_data['expiry_time'] < now:
return _refreshed_token(config, auth_data, token_file)
return auth_data['access_token']
def auth(config):
token_file = os.path.expanduser(config['api']['token_file'])
if os.path.exists(token_file):
return _get_existing_token(config, token_file)
else:
return _get_new_token(config, token_file)
The "config" object required by the auth function is from a config
file that looks like this:
[api]
client_id = <get your client id from google>
client_secret = <get your client secret from google>
redirect_uri = urn:ietf:wg:oauth:2.0:oob
token_file = ~/.google-tokens
The "scope" value in the _get_new_token function will need to be
changed to whatever scope your application needs. This code uses the
python requests module for http(s) requests. It will start up a web
browser to let the user authenticate and then asks for the token.
The google api will issue two tokens: an "access" token and a
"refresh" token. The access token will have a short expiry time,
after which you need to get another access token issued. You use the
refresh token for that reissue request.
--
regards,
kushal
More information about the Python-list
mailing list