colin-b / requests_auth
Authentication classes to be used with requests
License: MIT License
Microsoft Application Identifier should be Okta application Identifier
Some info on the flow with Flask: https://github.com/marvelapp/flask-oauth-example/blob/pkce/app.py
Example of first call:
https://your-server/v1/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&client_id=your-client-id&scope=your-scope&nonce=1&state=1&code_challenge=elU6u5zyqQT2f92GRQUq6PautAeNDf4DQPayyR0ek_c&code_challenge_method=S256%20%20
which redirects to
http://localhost/?code=NvC5lj0GcaHnqKPIesEs&state=1
Instead of having to import and create an instance of Auths
In case some might be already taken and application supports multiple redirection on localhost
To send back received authentication (in another auth in theory)
How can we create the authentication for a SAML-based application?
I am trying to use requests_auth.OktaAuthorizationCode. Can you please give me an example?
It would be helpful if there were an obvious way to provide a refresh token when creating a session. For our use case we do not support any Auth flows other than Authorization Code, but for headless execution we need to be able to persist a token somewhere and provide it.
Ideally this would be an argument to the constructors for OAuth2AuthorizationCodeFlow and the PKCE variant, but a set_refresh_token() method, or a new subclass would also be OK.
I'm happy to prepare a PR if there's a preferred approach.
For now it's a bit painful for users as they need to know what to mock and how.
Fixture should send a token containing the information as provided by the user (with default values for users that may not know the content of a token).
Fixture should also allow to test for various authentication failures sent by requests_auth so that user can test that code handles it properly.
Same as #15 but for the browser queries
Is there a reason that the redirect_uri is hard-coded here? I see that you can set the endpoint and the port, but why not the entire URI?
It would be nice if the JsonTokenFileCache() class would create the token file cache with limited permissions, for example,
instead of:
with open(self.tokens_path, "w") as tokens_cache_file:
    json.dump(self.tokens, tokens_cache_file)
doing something like:
with open(os.open(self.tokens_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as tokens_cache_file:
    json.dump(self.tokens, tokens_cache_file)
would make the token cache file accessible for the current user only by default.
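An added example, not requests_auth's own code, of a write path for the request above. The mode argument of os.open only applies when the file is created, so a cache that already exists with wider permissions keeps them; writing to a fresh 0600 temporary file and renaming it over the cache avoids that. The names `write_token_cache` and `cache_mode` are hypothetical, and POSIX permissions are assumed.

```python
import json
import os
import stat
import tempfile


def write_token_cache(tokens_path, tokens):
    """Atomically write `tokens` as JSON to `tokens_path`, owner read/write only."""
    directory = os.path.dirname(os.path.abspath(tokens_path))
    # mkstemp creates a new file with O_EXCL and mode 0600, in the same
    # directory so that os.replace stays a same-filesystem rename.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tokens-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as tmp_file:
            json.dump(tokens, tmp_file)
            tmp_file.flush()
            os.fsync(tmp_file.fileno())
        # The rename swaps in the 0600 file whatever mode the old cache had,
        # and readers never see a half-written or stale-tailed file.
        os.replace(tmp_path, tokens_path)
    except BaseException:
        # Do not leave a temporary file holding tokens behind on failure.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def cache_mode(tokens_path):
    """Permission bits of the cache file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(tokens_path).st_mode)
```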
For each flow, to ease usage for new users of a specific kind of authentication.
BrowserAuth currently is hardcoded to use http://localhost. Prefer to pass the request_uri_domain as a keyword arg, with default being http://localhost.
Hi @Colin-b ,
First of all, thank you for creating this library that makes it so easy to incorporate the PKCE flow! I'm using this library for a Python Windows desktop app that authenticates with Okta via the PKCE flow. I'm now trying to write integration tests but the issue is that I need to pass in test user credentials instead of using the browser for IWA. Is there a way to achieve this? I am able to call /api/v1/authn with the credentials and get a session token and am at a loss on how to use it to get the auth code bypassing browser auth.
Let me know if there is a way to do that.
Thanks
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
key = key_client.get_key("key-name")
print(key.name)
How to get the access token from the OAuth 2 Google Analytics API from the above step?
I have an issue with a token in the cache that is expiring at time T and a request sent at time T that will use this token as not yet expired. The request fails as the token, when reaching the API backend on T+some ms is expired.
It would be useful to be able to specify some delta/interval (in seconds) that would trigger a refresh of the token if it expires after this delta.
e.g. OAuth2ClientCredentials(validity_duration=5, ...)
will request a new token if `now+5>expiry`.
instead of username/password
As for now only + can be used
The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.
in the same spirit as OktaImplicit(instance='testserver.okta-emea.com', authorization_server="my-auth-server", client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd')
but for OAuth2ClientCredentials.
Today, I need to write
OAuth2ClientCredentials(
    authorization_url="https://my-okta-instance/oauth2/my-server/v1/authorize",
    token_url="https://my-okta-instance/oauth2/my-server/v1/token",
    username="my-client-id",
    password="my-client-secret",
    scope="my-scope",
)
while I'd like to write
OktaClientCredentials(
    instance="my-okta-instance",
    authorization_server="my-server",
    client_id="my-client-id",
    client_secret="my-client-secret",
    scope="my-scope",
)
(the change from username/password to client_id/client_secret is also in #30)
Same as AzureActiveDirectory but with v2.0 as explained in https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims
Is it possible to support 'GET'? I read an "Unable to properly perform authentication. GET is not supported for now." for LinkedIn OAuth2
context: I am trying to use the module for LinkedIn to manage the oauth2 in https://github.com/HootsuiteLabs/python-linkedin-v2
But we should also expose a dedicated base exception class (itself based on Requests base exception)
In debug mode, the logger displays a message "Inserting token expiring on ..." with the complete token (https://github.com/Colin-b/requests_auth/blob/develop/requests_auth/oauth2_tokens.py#L82).
Displaying secrets in logs is not recommended (AFAIK).
Maybe replace the token in the message with just the beginning/end of the token?
Okta provides a pre-configured Custom Authorization Server with the name default. This default authorization server includes a basic access policy and rule, which you can edit to control access. It allows you to specify default instead of the authServerId in requests to it:
It should exist somewhere within the OpenID Connect specs
Line
self._add_token(key, token, expiry.replace(tzinfo=datetime.timezone.utc).timestamp())
utcnow does not set tzinfo (see https://docs.python.org/3/library/datetime.html#datetime.datetime.utcnow)
timestamp assumes local time if there is no tzinfo (see https://docs.python.org/3/library/datetime.html#datetime.datetime.timestamp)
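An added example, not requests_auth's own code, covering both expiry reports above: the naive `utcnow` value passed to `timestamp`, and the request for a refresh delta (`now+5>expiry`). The function names and the `early_expiry` parameter are hypothetical.

```python
import datetime


def expiry_to_timestamp(expiry):
    """Epoch seconds for an expiry datetime; naive values are taken as UTC.

    datetime.utcnow() returns a naive value, and calling .timestamp() on it
    directly would interpret it as local time.
    """
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=datetime.timezone.utc)
    return expiry.timestamp()


def naive_skew_seconds(naive_utc):
    """Error from calling .timestamp() directly on a naive UTC datetime.

    Positive (zones west of UTC): the cached expiry is too late, so an
    already expired token is still treated as valid.
    Negative (zones east of UTC): the token is refreshed earlier than needed.
    """
    return naive_utc.timestamp() - expiry_to_timestamp(naive_utc)


def needs_refresh(expiry_timestamp, now_timestamp, early_expiry=5.0):
    """True when the token expires within `early_expiry` seconds of now.

    With early_expiry=0 a token expiring at T is still sent at T and can be
    rejected by the backend a few milliseconds later; the delta closes that gap.
    """
    return now_timestamp + early_expiry > expiry_timestamp
```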
In case more than one port can be used for redirection but one might not be available from time to time