Flask-OAuth¶
Flask-OAuth is an extension to Flask that allows you to interact with remote OAuth enabled applications. Currently it only implements the consumer interface so you cannot expose your own API with OAuth. It depends on the python-oauth2 module. You can install the requirements from PyPI with easy_install or pip or download them by hand.
Features¶
- support for OAuth 1.0a
- friendly API
- direct integration with Flask
- basic support for remote method invocation of RESTful APIs
Installation¶
Install the extension with one of the following commands:
$ easy_install Flask-OAuth
or alternatively if you have pip installed:
$ pip install Flask-OAuth
Defining Remote Applications¶
To use connect to a remote application you need to create a OAuth object and register a remote application on it. This can be done with the remote_app() method:
oauth = OAuth()
the_remote_app = oauth.remote_app('the remote app',
...
)
A remote application has to defined with a couple of URLs required for the OAuth machinery: the request_token_url, access_token_url, and authorize_url. You will most likely get these values after you registered your own application on the developer page of the remote application you want to connect with. Additionally a per-application issued consumer_key and consumer_secret is needed.
Additionally you can provide a base_url that is prefixed to all relative URLs used in the remote app. This would also affect the request_token_url but because The prefix for oauth and the regular twitter API are different one has to provide absolute URLs for the OAuth token and authenticate methods.
For Twitter the setup would look like this:
twitter = oauth.remote_app('twitter',
base_url='http://api.twitter.com/1/',
request_token_url='http://api.twitter.com/oauth/request_token',
access_token_url='http://api.twitter.com/oauth/access_token',
authorize_url='http://api.twitter.com/oauth/authenticate',
consumer_key='<your key here>',
consumer_secret='<your secret here>'
)
Twitter supports two authorization urls: /authenticate and /authorize. The difference is the user interface shown to the user on twitter. /authenticate should be used if the intent of OAuth is to use the twitter identity of the user to sign in to your own website, the /authorize endpoint should be used to just access the twitter API and not using the user profile on your own website.
Now that the application is created one can start using the OAuth system. One thing is missing: the tokengetter. OAuth uses a token and a secret to basically figure out who is connecting to the remote application. After authentication/authorization this information is passed to a function on your side and it’s your responsibility to remember it.
The following rules apply:
- it’s your responsibility to store that information somewhere
- that information lives for as long as the user did not revoke the access for your application on the remote application. If it was revoked and the user re-enabled the application you will get different keys, so if you store them in the database don’t forget to check if they changed in the authorization callback.
- During the authorization handshake a temporary token and secret are issued, your tokengetter is not used during that period.
For a simple test application, storing that information in the session is probably good enough:
from flask import session
@twitter.tokengetter
def get_twitter_token():
return session.get('twitter_token')
Note that the function must return None if the token does not exist, and otherwise return a tuple in the form (token, secret).
Signing in / Authorizing¶
If you want to sign in with Twitter or link a user account with a remote twitter user, all you have to do is to call into authorize() and pass it the URL to where the user should be redirected back. Here an example:
@app.route('/login')
def login():
return twitter.authorize(callback=url_for('oauth_authorized',
next=request.args.get('next') or request.referrer or None))
If the application redirects back, Twitter will have passed all the relevant information to the oauth_authorized function. It is passed a special response object with all the data, or None if the user denied the request. This function has to be decorated as authorized_handler():
from flask import redirect
@app.route('/oauth-authorized')
@twitter.authorized_handler
def oauth_authorized(resp):
next_url = request.args.get('next') or url_for('index')
if resp is None:
flash(u'You denied the request to sign in.')
return redirect(next_url)
session['twitter_token'] = (
resp['oauth_token'],
resp['oauth_token_secret']
)
session['twitter_user'] = resp['screen_name']
flash('You were signed in as %s' % resp['screen_name'])
return redirect(next_url)
As you can see here: we store the token and the associated secret in the session so that the tokengetter can return it. Additionally we also remember the Twitter screen name that was sent back to us so that we can display that information to the user. In larger applications it is recommended to store that information in the database instead because it allows you to easier debug things and you can store additional information associated with the user.
Invoking Remote Methods¶
Now the user is signed in, that is nice, but most likely you want to use OAuth to call protected remote API methods and not just sign in. For that, the remote application object provides a request() method that can request information from an OAuth protected resource. Additionally there are shortcuts like get() or post() to request data with a certain HTTP method.
For example to create a new tweet you would call into the twitter application like this:
resp = twitter.post('statuses/update.json', data={
'status': 'The text we want to tweet'
})
if resp.status == 403:
flash('Your tweet was too long.')
else:
flash('Successfully tweeted your tweet (ID: #%s)' % resp.data['id'])
Or to display the users’s home timeline we can do something like this:
resp = twitter.get('statuses/home_timeline.json')
if resp.status == 200:
tweets = resp.data
else:
tweets = None
flash('Unable to load tweets from Twitter. Maybe out of '
'API calls or Twitter is overloaded.')
Flask-OAuth will do its best to sent data encoded in the right format to the server and to decode it when it comes back. Incoming data is encoded based on the mimetype the server sent and stored in the data attribute. For outgoing data a default of 'urlencode' is assumed and when a different format is wanted, one can specify it with the format parameter. The following formats are supported:
- Outgoing:
- 'urlencode' - form encoded data (GET as URL and POST/PUT as request body)
- 'json' - JSON encoded data (POST/PUT as request body)
- Incoming
- 'urlencode' - stored as flat unicode dictionary
- 'json' - decoded with JSON rules, most likely a dictionary
- 'xml' - stored as elementtree element
Unknown incoming data is stored as string. If outgoing data of a different format should be used, a content_type can be specified instead and the data provided a encoded string.
Facebook OAuth¶
For facebook the flow is very similar to twitter or other OAuth systems but there is a small difference. You’re not using the request_token_url at all and you need to provide a scope in te request_token_params:
facebook = oauth.remote_app('facebook',
base_url='https://graph.facebook.com/',
request_token_url=None,
access_token_url='/oauth/access_token',
authorize_url='https://www.facebook.com/dialog/oauth',
consumer_key=FACEBOOK_APP_ID,
consumer_secret=FACEBOOK_APP_SECRET,
request_token_params={'scope': 'email'}
)
Furthermore the callback is mandatory for the call to authorize() and has to match the base URL that was specified in the facebook application control panel. For development you can set it to localhost:5000.
The APP_ID and APP_SECRET can be retrieved from the facebook app control panel. If you don’t have an application registered yet you can do this at facebook.com/developers.
An example of how to use the facebook API is provided in the examples folder.
API Reference¶
- class flaskext.oauth.OAuth¶
Registry for remote applications. In the future this will also be the central class for OAuth provider functionality.
- remote_app(name, register=True, **kwargs)¶
Registers a new remote applicaton. If param register is set to False the application is not registered in the remote_apps dictionary. The keyword arguments are forwarded to the OAuthRemoteApp consturctor.
- class flaskext.oauth.OAuthRemoteApp(oauth, name, base_url, request_token_url, access_token_url, authorize_url, consumer_key, consumer_secret, request_token_params=None, access_token_method='GET')¶
Represents a remote application.
Parameters: - oauth – the associated OAuth object.
- name – then name of the remote application
- request_token_url – the URL for requesting new tokens
- access_token_url – the URL for token exchange
- authorize_url – the URL for authorization
- consumer_key – the application specific consumer key
- consumer_secret – the application specific consumer secret
- request_token_params – an optional dictionary of parameters to forward to the request token URL or authorize URL depending on oauth version.
- access_token_method – the HTTP method that should be used for the access_token_url. Defaults to 'GET'.
Returns a redirect response to the remote authorization URL with the signed callback given. The callback must be None in which case the application will most likely switch to PIN based authentication or use a remotely stored callback URL. Alternatively it’s an URL on the system that has to be decorated as authorized_handler().
Injects additional authorization functionality into the function. The function will be passed the response object as first argument if the request was allowed, or None if access was denied. When the authorized handler is called, the temporary issued tokens are already destroyed.
- base_url = None¶
the base_url all URLs are joined with.
- handle_oauth1_response()¶
Handles an oauth1 authorization response. The return value of this method is forwarded as first argument to the handling view function.
- handle_oauth2_response()¶
Handles an oauth2 authorization response. The return value of this method is forwarded as first argument to the handling view function.
- handle_unknown_response()¶
Called if an unknown response came back from the server. This usually indicates a denied response. The default implementation just returns None.
- make_client()¶
Creates a new oauth2 Client object with the token attached. Usually you don’t have to do that but use the request() method instead.
- request(url, data=None, headers=None, format='urlencoded', method='GET', content_type=None)¶
Sends a request to the remote server with OAuth tokens attached. The url is joined with base_url if the URL is relative.
Parameters: - url – where to send the request to
- data – the data to be sent to the server. If the request method is GET the data is appended to the URL as query parameters, otherwise encoded to format if the format is given. If a content_type is provided instead, the data must be a string encoded for the given content type and used as request body.
- headers – an optional dictionary of headers.
- format – the format for the data. Can be urlencoded for URL encoded data or json for JSON.
- method – the HTTP request method to use.
- content_type – an optional content type. If a content type is provided, the data is passed as it and the format parameter is ignored.
Returns: an OAuthResponse object.
- tokengetter(f)¶
Registers a function as tokengetter. The tokengetter has to return a tuple of (token, secret) with the user’s token and token secret. If the data is unavailable, the function must return None.
- class flaskext.oauth.OAuthResponse(resp, content)¶
Contains the response sent back from an OAuth protected remote application.
- data = None¶
the parsed content from the server
- headers = None¶
a Headers object with the response headers the application sent.
- raw_data = None¶
the raw, unencoded content from the server
- status¶
The status code of the response.
