Jonathan Huot
@JonathanHuot
Hi @alex-pobeditel-2011:matrix.org, lots of questions there ;)
Note that oauthlib is a framework for building an OAuth2 provider (in your case) and it does not come with an actual implementation. If you're looking for an implementation, you may want to check django-oauth-toolkit, for instance.
alex-pobeditel-2011
@alex-pobeditel-2011:matrix.org
[m]

For sure, I understood rough estimates of work to be done.
But the project I'm working on uses FastAPI (which has its own implementation of OAuth2 and has no oauthlib integration) and we need to have an OIDC provider to allow users to log in to several "satellite" sites with just one central authentication portal.
So for me it looks like we have to implement the OIDC provider ourselves (despite the existence of OAuth2 in FastAPI) and oauthlib looks like an appropriate foundation to build on.

As I see in django-oauth-toolkit, there is a client secret in the Application model (which is definitely a Relying Party), and that answers question 2.
Also it looks like registration from question 1 is considered there too.
And now it looks like I've got the purpose of the user field (from question 3): it's just to forbid registration of "anonymous" applications, which makes total sense :)

So now that these questions have been answered, can you please tell me one more general thing: is oauthlib suitable for building an OpenID Connect Provider for a FastAPI application? oauthlib is positioned as framework-agnostic, but the existence of the OAuth2 implementation in FastAPI confuses me.

Jonathan Huot
@JonathanHuot
Hi @alex-pobeditel-2011:matrix.org. OAuth2 is a complex protocol. I just read the documentation about OAuth2 integration into FastAPI... I totally understand why you get confused. The FastAPI OAuth2 implementation has NOTHING to do with OAuth2 except the name. Unfortunately they have no concept of clients and only one grant (password grant, which is deprecated).
alex-pobeditel-2011
@alex-pobeditel-2011:matrix.org
[m]
Thank you, that makes sense! Then I'll try to integrate oauthlib with FastAPI; hopefully it will work if I put in enough effort :)
Jonathan Huot
@JonathanHuot
To answer your oauthlib-related question: you can build a wrapper on top of FastAPI calling oauthlib (see bottle-oauthlib as an example). Once done, you can implement the oauthlib RequestValidator endpoints, and you will have to implement in FastAPI 1) data storage, 2) the admin pages, and so on, which can be cumbersome if it is not your priority.
alex-pobeditel-2011
@alex-pobeditel-2011:matrix.org
[m]
Thanks, I will take it as a starting point!
Jonathan Huot
@JonathanHuot
If you just want to play around with an OAuth2/OIDC Provider and see its relationship with the "web apps", I would suggest using django-oauth-toolkit :)
Jonathan Vanasco
@jvanasco
@JonathanHuot FYI, the test-suites in my pyramid integration library, https://github.com/jvanasco/pyramid_oauthlib_lowlevel, run a full oauth1 and oauth2 flow through test webapps and clients.
Jonathan Huot
@JonathanHuot
Oh great! Good to know. Note that you can include it in our Makefile to be sure we run your unit tests when we release a newer version of oauthlib.
Iwan Aucamp
@aucampia
Hi, I want to use oauthlib to get a token to use in gRPC calls, but I'm not really clear on how to go about this. Where should I start looking?
Jonathan Huot
@JonathanHuot
Hi @aucampia, are you trying to use an access token and add it into a gRPC call? Do you have any documentation on the gRPC API side? It should help on how to mint a token and with which scope, or things like that.
Iwan Aucamp
@aucampia
gRPC has some standard way of adding the token to the channel. I did this for now:

from oauthlib.oauth2 import BackendApplicationClient
from requests_oauthlib import OAuth2Session

# Placeholders: in the real code these come from configuration.
client_id = "<client-id>"
client_secret = "<client-secret>"
token_endpoint = "https://<authorization-server>/oauth2/token"

# Client credentials grant: no user involved, the client authenticates itself.
client = BackendApplicationClient(
    client_id=client_id, scope="a:action b:action"
)
# Set OAUTHLIB_INSECURE_TRANSPORT=1 in the environment only to test against
# a plain-http token endpoint; never in production.
oauth = OAuth2Session(client=client)
token = oauth.fetch_token(
    token_url=token_endpoint,
    client_id=client_id,
    client_secret=client_secret,
)

And then I just use the token, but I dunno if this is ideal.
arshad96
@arshad96:matrix.org
[m]
Hi all, I am trying to validate a bearer token created by an OAuth library in C# and want to use it in Django to authenticate that bearer token while providing levels of permissions in Django. I am able to get the token in Python but I don't know how to validate that token to provide permissions in Django. Please help.
Jonathan Huot
@JonathanHuot
Hi @aucampia, not sure what django-oauth-toolkit provides for it, but it could be in the validate_resource oauthlib endpoint.
iamshaikarshad
@iamshaikarshad
Hi @JonathanHuot, I obtained a bearer token from my authorization server, but now I want to decode it to know what level of permissions and roles it has in Python Django. But I cannot find any OAuth2 function that can decode it. I would really appreciate your help if you could guide me on how to decode this bearer token in Python Django.
Jonathan Huot
@JonathanHuot
Sorry, it is not clear. What is the role of your Django app? API? OAuth client? The access token format is defined by your AS. Is it a JWT with clear documentation? Do you have to call the introspect call?
arshad96
@arshad96:matrix.org
[m]

Edit: what is the role of your Django app?

I want to make a back end API which takes tokens from OAuth2, but instead of a direct connection to the server I have to fetch the access token from a C# back end API.

The access token format is defined by your AS. Is it JWT with clear documentation?

It is in bearer token format, not in JWT form. For example:
("access_token": "F2ZKDSni998To0k3hfdWgadadHwQTFtMX9u5RPaldEPLqrxUTaK6EL6xjJf1OcNNLhHrBuac_dadadfCohqtMSovSitmXPESee5STDsU-IY5S4JhiTky4gt1ndV4UTvhIIvE5x8Mr0d7wtHmjHbZvpEIe6W1ohxp7rYm5x58dadas6pPAFVqDjd3wcNdCEP4O79mD-XhXRLEHLrcSeT5QMv0mABQOeql8ZEzmnfDUwEB5Z1hjXn7-INjZu9IOtAn095b1bb5PDvuxHJ0JdVF_1qadg_onHSX80qxhiDMLB_vEHHsxtGewI4NBaDB-F-gHc2acHadjrZiiPFqAEn2LijhZLC9_Llq300ctrh1z1D9xEevZJji9JMQ_yNqC-jCfo1xr3lOx6Nj0KtTlA3Kqsfz8m0c7-lxKbtiHgSZS3xV6OkqUaet95LDC1XA7LmwxRy8jNjKG6eEyx7R17CdFqoCm9WoVLpgQ5lPj0SZ-MSzONzcJSmjTgaXmQntGdJP_E5B6Ls-9RKBlXubo0s7xapNisHd0EFQRJyQUXgUjaB-pUSOgQlUhw57LanneCCVXN-WK3Dvu6zUc64XP0cReWOWjf5bggXWxW1_byoWyM7F_vfXtZmeS757Yp9v9fXW583jXJ8fszrcEm7n85WEnNgJoBeMK7LZj3qSxOIfCo9nnCSSZxdv--zJjZEo13UBFhCVwS4qEpBOjwbcKIZl1XPfcWvmbWJMAZ63UcfASB18eiNZVhP",
"token_type": "bearer",
"expires_in": 86399,)

Do you have to call the introspect call?
We don't have an introspect call; we decrypt the token using the machine key.

<machineKey validationKey='88F606D92<>63B5026AFFB1D3F84DA900A0EB6adsasdadq3fafdBE8fvszvda--FJF00F81D6016B78AEDEAA9B6CD0558D94960B328371FEAFDEBF00' decryptionKey='<><adasd797F5F0231BEE024E40CEB7E470B2095' validation='SHA1' decryption="AES" />

arshad96
@arshad96:matrix.org
[m]

I get my access token from this URL with these parameters:

https://<myURL....>/api/authentication

User-Agent: Fiddler
content-type: application/x-www-form-urlencoded
Origin: http://localhost:45112/
Content-Length: 93
Host: Userauth-userauthorisation-test.azurwebsites.net

grant_type=password&username=admin@<email>.co.uk&password=password&scope=scriptingAPI

and then we receive the token in this format:

{
"access_token": "F2ZKDSni998To0k3hfdWgvGvEHwQTFtMX9u5RPaldEPLqrxUTaK6EL6xjJf1OcNNLhHrBuac_hwREfCohqtMSovSitmXPESee5STDsU-IY5S4JhiTky4gt1ndV4UTvhIIvE5x8Mr0d7wtHmjHbZvpEIe6W1ohxp7rYm5x581UQ6pPAFVqDjd3wcNdCEP4O79mD-XhXRLEHLrcadadasdfadav0mABQOeql8ZEzmnfDUwEB5Z1hjXn7-INjZu9IOtAnadadqdb5PDvuxHJ0JdVF_1qadg_onHSX80qxhiDMLB_vEHHsxtGewI4NBaDB-F-gHc2acHadjrZiiPFqAEn2LijhZLC9_Llq300ctrh1z1D9xEevZJji9JMQ_yNqC-jCfo1xr3lOx6Nj0KtTlA3Kqsfz8m0c7-adadgqSZS3xV6OkqUaet95LDC1XA7LmwxRy8jNjKG6eEyx7R17CdFqoCm9WoVLpgQ5lPj0SZ-MSzONzcJSmjTgaXmQntGdJP_E5B6Ls-9RKBlXubo0s7xapNisHd0EFQRJyQUXgUjaB-pUSOgQlUhw57LanneCCVXN-WK3Dvu6zUc64XP0cReWOWjf5bggXWxW1_byoWyM7F_vfXtZmeS757Yp9v9fXW583jXJ8fszrcEm7n85WEnNgJoBeMK7LZj3qSxOIfCo9nnCSSZxdv--zJjZEo13UBFhCVwS4qEpBOjwbcKIZl1XPfcWvmbWJMAZ63UcfASB18eiNZVhP",
"token_type": "bearer",
"expires_in": 86399,
"forcePassword": "false",
"SupplierId": "",
".issued": "Mon, 04 Oct 2021 16:30:05 GMT",
".expires": "Tue, 05 Oct 2021 16:30:05 GMT"
}

The access token is encrypted and contains permissions (Read, Write, Limited Access).

We just want to decode this bearer token so that we get the permissions from the token and our API calls are authorised.

Jonathan Huot
@JonathanHuot
Is this bearer token coming from django-oauth-toolkit?
arshad96
@arshad96:matrix.org
[m]
@JonathanHuot: This bearer token is coming from a C# OAuth server.
Jonathan Huot
@JonathanHuot
So you have to check their documentation. It's the AS that tells how the AT can be decoded for the resource server.
arshad96
@arshad96:matrix.org
[m]
Yes... but my authorization server is just my company's server, which returns an OAuth2 token encoded in C#. So it should be decoded like OAuth2. But I cannot figure it out.
Jonathan Huot
@JonathanHuot
If your company's server is not exposing the format, you have no way to decode it. It is normal and perfectly compatible with OAuth2, where the AT format is opaque to the OAuth2 client.
Eirikr70
@Eirikr70
Hi folks, pfff! Quite complicated, the OAuth 2.0 process! I'm quite a low-experienced Python programmer (not my profession). I have built my own RPi NAS and I would like to automatically import documents from my bank, telecom provider, ... But I'm already stuck with authentication (I can ask but can't retrieve the first token). I guess it's far away from my poor competences! :-(
frostidentity
@frostidentity
WOW, that is so kind of all of you here to give a helping hand to others with their issues. I am very new to APIs; for the last 5 weeks I have been searching and reading to try and find a solution. I am trying to call a private API from Python via its client id and client secret. The API uses OAuth2 for web authentication. I only have the API URL, but I don't have a token URL nor a redirect URL. The company who created the API doesn't have proper documentation. I am trying to get authenticated with the client id and client secret and then get the bearer token to use it in my GET request header. Another issue is that the API doesn't allow POST requests. Any advice please?
Jonathan Huot
@JonathanHuot
Hi @Eirikr70, any doc around how to access your bank or telecom?
Hi @frostidentity, did you say you have a bearer token?
frostidentity
@frostidentity
Hi @JonathanHuot, no, I don't have the bearer token. I have to get the token from the API via the client ID and client secret, so all I have is the URL, client id and client secret. I need to use only these to retrieve the bearer token and then include it in a GET request header to be able to call the endpoint and get data from there.
arshad96
@arshad96:matrix.org
[m]
This is the sample code to get a bearer token; use the code according to your grant type: https://developer.byu.edu/docs/consume-api/use-api/oauth-20/oauth-20-python-sample-code
Hope this might help.
frostidentity
@frostidentity
Hi @arshad96:matrix.org, thank you for your reply. Unfortunately that didn't help. I have tried that before and I couldn't use it, as it has a (PUT) request which is not allowed on this API, so I always get ("code":"","message":"Authorization has been denied for this request.")
Marnanel Thurman
@marnanel_gitlab
Hello world. You asked for people using oauthlib to tell you about it. I've been adding support for the Mastodon protocol to a homebrew bulletin board called GROGGS, which involves authenticating the clients via OpenID. I have plans to spin the Mastodon API stuff off into a separate library, and if I do I suppose the OAuth stuff comes with it.

There is one infelicity I've run into. oauth2_provider.http.OAuth2ResponseRedirect checks the URL it's redirecting to, and raises DisallowedRedirect if it's not a recognised protocol. But this breaks some Android clients, which use made-up protocols to send the user back to the same app. So I monkey-patch it:

https://gitlab.com/marnanel/yarrow3/-/blob/mastodon/yarrow3/trilby_api/views/oauth.py#L28

Jonathan Huot
@JonathanHuot
Hi @marnanel_gitlab, thanks for the feedback! It needs to be fixed in oauthlib to better support native/custom schemes... I think we already have an open issue about it, but we are missing a PR.
Kai Roesner
@KaiRoesner
Hi everybody, I'm trying to implement certificate-based authentication with requests-oauthlib. I just learned the hard way that while the RTD OAuth2 guide that is linked on the lib's PyPI page has a section on TLS Client Authentication, the released v1.3.0 version of the lib does not yet support it. Can we please have a release that includes the feature? (It seems it has been in master for a while...)
Asif Saif Uddin
@auvipy
I think a new release is WIP now.
Andrew Koch
@ak47
Hello, I'm seeking guidance on how to override the "prepare_request_body" function. This returns a body in "application/x-www-form-urlencoded" format; however, the API I'm attempting to authenticate with requires "application/json" (i.e. a JSON object). Is there any way to modify/override it for this scenario?
Till Steinbach
@tillsteinbach
Hello, I'm searching for client code supporting "response_type=code+id_token+token", so basically client-side OpenID support. Is there something in the pipeline?
Mike Kelly
@kellyma2
@auvipy Any chance you can re-review oauthlib/oauthlib#795?
Asif Saif Uddin
@auvipy
Yes, sure.
Mike Kelly
@kellyma2
Thanks!
Isiah cloyd
@Ziahcloyd31
What is oauth involved with?
NovaDecker
@NovaDecker
Hello, does anyone want to share an OpenID Connect server script? I need a server that will authenticate against an LDAP server, and eventually a MySQL database. I actually don't have enough time to explore this myself, but I do have programming experience.
BTW, I forgot, it would be good if that server could also handle requests like Facebook login, but it is not important. The important one is LDAP.
NovaDecker
@NovaDecker
I do mean an example script, for example. I prefer Python, but everything else is also accepted :-)