
Q: "code or authorization_response" or my workflow isn't even oauth?

Open yarikoptic opened this issue 7 years ago • 3 comments

I need to code access to a site which uses "Bearer" token authentication, where the token is obtained by initially providing a username/password to the same site, without asking for any code or callback. Here is how it works:

$> curl -k https://test..../v0.0.2/login -d '{"username":"secretename", "password":"secretpassw"}'
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."}

$> curl -k -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...' https://test...../api/v0.0.2/someloadurl...
.... download happens

Is such a workflow, without any code or authorization_response, part of OAuth, and could it be supported by requests-oauthlib? Whenever I blindly tried

from requests_oauthlib import OAuth2Session

oauthsess = OAuth2Session()
token = oauthsess.fetch_token('https://test..../api/v0.0.2/login', username='secret', password='secret')

I was informed that "code or authorization_response" is needed... Anyway, I can just code it up in plain requests, but I thought it might be better to abstract it, looking forward to other OAuth cases, by starting to use this library, so I decided to try/ask ;)

Thanks in advance

yarikoptic avatar May 17 '18 21:05 yarikoptic

I'm not sure what your question is. It sounds like you tried to call OAuth2Session.fetch_token(), but you did so incorrectly. Have you read through the documentation and examples? You're right that this project exists to simplify the process of using OAuth with requests, but you still need to be able to understand what you're doing and why.

singingwolfboy avatar May 20 '18 09:05 singingwolfboy

Well -- that pretty much was my question: is the workflow I have presented "captured" by the OAuth specification (and thus could I see how to make oauthlib assist with it)? Or is it just an ad-hoc setup, so I should stop bothering you ;-)

yarikoptic avatar May 21 '18 01:05 yarikoptic

Here is some documentation on OAuth grant types. It looks like your workflow is closest to the "password" grant (which is a really bad idea, since it's exactly the thing OAuth was created to prevent in the first place). I believe you can use the LegacyApplicationClient class to do this. Try doing something like this:

from oauthlib.oauth2 import LegacyApplicationClient
from requests_oauthlib import OAuth2Session

# oauthlib client classes require a client_id argument; the value below is a placeholder
client_id = 'placeholder-client-id'
session = OAuth2Session(client=LegacyApplicationClient(client_id=client_id))
token = session.fetch_token('https://test..../api/v0.0.2/login', username='secret', password='secret')

Note that I have not actually tried this, and I have no idea if this will actually work. Let me know if it does!

singingwolfboy avatar May 22 '18 09:05 singingwolfboy
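To make concrete what the "password" grant the reply above refers to actually looks like on the wire, and why a generic OAuth 2.0 client cannot consume the site's `{"token": ...}` login reply, here is an added example that is not code from the thread, from requests-oauthlib, or from the site in question. It simulates both sides of an RFC 6749 section 4.3 exchange in-process using only the Python standard library: the client builds the form-encoded `grant_type=password` request (the same shape oauthlib's LegacyApplicationClient produces), a minimal token endpoint validates it, and the client then checks the reply for the mandatory `access_token`/`token_type` fields before turning it into an RFC 6750 Bearer header. The endpoint URL, client_id and user table are constructed placeholders, not values from the issue.

```python
"""Password grant (RFC 6749 section 4.3), client and server side, offline."""
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample data: placeholders, not real credentials or a real client.
USERS = {"secretname": "secretpassw"}
CLIENT_ID = "example-client"
TOKEN_URL = "https://example.invalid/oauth/token"


class TokenResponseError(Exception):
    """A token endpoint reply that is not a usable RFC 6749 token response."""


def build_password_grant_request(token_url, username, password, client_id, scope=None):
    """Client side: the resource owner's credentials go in a form-encoded
    POST body with grant_type=password, not in a JSON document."""
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if scope:
        form["scope"] = " ".join(scope)
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        "body": urlencode(form),
    }


def password_grant_token_endpoint(body):
    """Server side: a minimal token endpoint. Returns (http_status, payload)
    using the error codes from RFC 6749 section 5.2."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return 400, {"error": "invalid_request"}
    # Constant-time comparison; an unknown user compares against "" and fails.
    expected = USERS.get(username, "")
    if not secrets.compare_digest(expected.encode(), password.encode()):
        return 400, {"error": "invalid_grant"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }


def parse_token_response(status, payload):
    """Client side: validate the reply the way an OAuth client must.
    A 200 without access_token (such as a {"token": ...} body) is rejected;
    that missing field is why an OAuth library cannot use the ad-hoc login."""
    if status != 200:
        raise TokenResponseError(payload.get("error", "unknown_error"))
    if "access_token" not in payload:
        raise TokenResponseError("missing access_token in token response")
    if payload.get("token_type", "").lower() != "bearer":
        raise TokenResponseError("unsupported token_type %r" % payload.get("token_type"))
    return payload


def bearer_header(token):
    """Attach the obtained token to resource requests (RFC 6750)."""
    return {"Authorization": "Bearer " + token["access_token"]}


def run_password_grant(username, password):
    """Drive the whole exchange in-process; return the Authorization header."""
    request = build_password_grant_request(TOKEN_URL, username, password, CLIENT_ID)
    status, payload = password_grant_token_endpoint(request["body"])
    token = parse_token_response(status, payload)
    return bearer_header(token)


if __name__ == "__main__":
    print(run_password_grant("secretname", "secretpassw"))
```

The contrast with the curl transcript in the question is the point: the site takes a JSON body at a `/login` URL and answers with a bare `token` field, whereas an OAuth 2.0 password grant takes a form-encoded `grant_type=password` body at a token endpoint and must answer with `access_token` and `token_type`. A library client such as LegacyApplicationClient will send the former shape and refuse the latter reply, so unless the server speaks the RFC format, plain requests is the honest tool for this site.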