phrfpeixoto
@phrfpeixoto

Hello! I'm new to the OAuth world, and I've been reading the oauthlib docs, as well as oauth.com. It's not clear to me the difference between a Grant Type and Response Type, especially when reading this: https://oauthlib.readthedocs.io/en/latest/oauth2/server.html#client-or-consumer

Response Type:
Required, if using a grant type with an associated response type (eg. Authorization Code Grant) or using a grant which only utilizes response types (eg. Implicit Grant)

Aren't all grant types associated with a response type, somehow? In the authorization request, the Client WILL send in a response_type parameter, which is directly related to the grant type it wants to obtain, right? Could someone please break this down to me?

Jonathan Huot
@JonathanHuot
Yes, the confusion is natural. All you need to know is that if it mentions the "Grant Type", most likely it's referencing the type of authorization, whereas if it mentions either "response_type" or "grant_type", that's the field name. Each "Grant Type" has a different combination of response_type/grant_type, so it is confusing. Ideally, the field grant_type in OAuth2 RFC would have been named differently.
Basically the "Grant Type" is the name of the Authorization flow. "grant_type" is the name of the field when sending request to the Token endpoint; "response_type" is the name of the field when sending request to the Authorization endpoint.
The flow can contain either only the Authorization endpoint (implicit), or both Authorization & Token endpoints (Authorization Code), or only token endpoint (client credentials). (+variants from OIDC world)
phrfpeixoto
@phrfpeixoto

Basically the "Grant Type" is the name of the Authorization flow. "grant_type" is the name of the field when sending request to the Token endpoint; "response_type" is the name of the field when sending request to the Authorization endpoint.

Nice! Thanks for the clarification!

Mickey Pashov
@mickeypash
Hi team
I'm being a bit silly here but I want to access the Meetup API via OAuth2 and was wondering when I write my client library do I actually need to spin up an Authorisation Server? Just so I can make requests?
Jonathan Huot
@JonathanHuot
Hi @mickeypash, the authorization server is not needed because the ResourceServer (API) will not be able to accept the tokens generated by yours. You have to figure out what are the supported AS for Meetup
Basically, if you just want to use public API, you just need a client (requests-oauthlib), or write your own client, but that's often not needed.
Jared Vacanti
@jaredvacanti
I've been digging through the docs for the last week or so and I'm interested in adding some external authentication (oauth google login at first) to an existing aiohttp project. Is there any async support currently to help in this process? Otherwise, I'm looking at requests-oauthlib, when it is 'built' on oauthlib, does oauthlib provide the classes for the workflows and requests wraps the steps in the auth process? Do these wrappers do more? Just trying to figure out what it takes to implement a new project with oauthlib on its own
Omer Katz
@thedrow
oauthlib does not do any I/O
So it's up to our third parties to implement those
@jaredvacanti Yes, you are correct.
Jonathan Huot
@JonathanHuot
Hi /all, I'm going to force merge the PR lacking reviewers in a couple of days. It's been waiting for a long time and it impacts the latest documentation available on the RTD site. Last chance to give your input!! :) Any inputs are welcome
Omer Katz
@thedrow
Which PR?
Jonathan Huot
@JonathanHuot
I have integrated two PRs, feel free to read the documentation https://oauthlib.readthedocs.io/en/latest/oauth2/oidc.html and comment :)
Omer Katz
@thedrow
@JonathanHuot Any idea what should we do with oauthlib/oauthlib#724 ?
Jonathan Huot
@JonathanHuot
I agree that's a mess... I think we should remove the variants and include allinone package only for the sake of simplicity. Then, if anyone wants to submit a PR, as long as it simplifies maintenance, then I'm good for it
Omer Katz
@thedrow
@JonathanHuot Hi how are you? I see that you're less active these days.
Jonathan Huot
@JonathanHuot
Hello, I'm good :) Yeah, not much time to spend. I was trying to grab more privilege on requests-oauthlib, but without success. I think it is key to have more hands on oauthlib framework
Omer Katz
@thedrow
I don't have much time either
Jonathan Huot
@JonathanHuot
Ideally I'd like to improve the OIDC doc on oauthlib side; maybe a graph of calls... not sure.
Omer Katz
@thedrow
Reviewing PRs is more important
We have a bunch waiting
With some, I don't know what to do
Especially when it's related to OAuth1
Jonathan Huot
@JonathanHuot
About OAuth1 I'm totally useless :D
Jonathan Huot
@JonathanHuot
I'm merging the PR related to OAuth2 Client
did you see the bump in the nb of "used by" packages ? we were used by 30k repositories, now we're used by 55k repositories :o
Jonathan Huot
@JonathanHuot
I'm merging the long-lasting PR oauthlib/oauthlib#705 since no feedback since
Omer Katz
@thedrow
Nice!
Asif Saif Uddin
@auvipy
hi
Jonathan Huot
@JonathanHuot
Hi @auvipy and welcome ;)
educatedguessing
@educatedguessing
Hi all
first of all, thanks for Oauthlib! Currently I'm looking into using requests-oauthlib in conjunction with yelp/bravado. However, I would have to implement some changes. Is anyone here familiar/responsible for requests-oauthlib? I would appreciate a small chat before initiating a public conversation (I'm not that familiar with open source / pull requests)
Thanks
Jonathan Huot
@JonathanHuot
Hi @educatedguessing, I'm more familiar with the provider part than the client part, however I could help about the OSS/PR part.
educatedguessing
@educatedguessing
Hi @JonathanHuot, I might take you up on your offer. However, looking at more reported issues I realized that my idea might introduce other problems or at least complicate fixing them. Therefore I'm not going to request a PR just yet.
Preet Sharma
@sharmapreet.pune_gitlab
Hi All, I am new to OAuth2 and need some expert help here. Can someone help me to provide some information on Authorization server creation for PKCE flow ?
Jonathan Huot
@JonathanHuot
Hi @sharmapreet.pune_gitlab, sure you can ask
Jonathan Huot
@JonathanHuot
did you want to create your own oauth2 provider to allow PKCE flow ? do you have oauth2 native/desktop/mobile clients where you want to use PKCE ?
have you considered using a public oauth2 provider ?
Preet Sharma
@sharmapreet.pune_gitlab
Hi @JonathanHuot. Yes, we are in need to create our own oauth2 provider for PKCE flow coz of some customer requirement. We propose various public oauth2 providers, however the customer wants their own provider. Appreciate your help.
Jonathan Huot
@JonathanHuot
which webframework are you going to use ?
P Sharma
@pcsharma.uda_gitlab
I am planning to use Django
Jonathan Huot
@JonathanHuot
You can follow the requestValidators implementation and implement the basic authorization code flow. Then implement the PKCE-specific methods.
Preet Sharma
@sharmapreet.pune_gitlab
@JonathanHuot Thanks for help. OK, let me try in this way. by the way any existing repo of server source code to reuse ?
Jonathan Huot
@JonathanHuot
I think not, to my knowledge
Django-Oauth-Toolkit is implementing most of it though
but I have not personally tested it; a lot of ppl are using it there.