colin-b / requests_auth Goto Github PK

Microsoft Application Identifier should be Okta application Identifier

some info on the flow with flask : https://github.com/marvelapp/flask-oauth-example/blob/pkce/app.py

example of first call
https://your-server/v1/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&client_id=your-client-id&scope=your-scope&nonce=1&state=1&code_challenge=elU6u5zyqQT2f92GRQUq6PautAeNDf4DQPayyR0ek_c&code_challenge_method=S256%20%20

which redirect to
http://localhost/?code=NvC5lj0GcaHnqKPIesEs&state=1

Instead of having to import and create an instance of Auths

In case some might be already taken and application supports multiple redirection on localhost

To send back received authentication (in another auth in theory)

How can we create the authentication for saml based application.

I am trying to use requests_auth.OktaAuthorizationCode and can you please get me any example

It would be helpful if there were an obvious way to provide a refresh token when creating a session. For our use case we do not support any Auth flows other than Authorization Code, but for headless execution we need to be able to persist a token somewhere and provide it.

Ideally this would be an argument to the constructors for OAuth2AuthorizationCodeFlow and the PKCE variant, but a set_refresh_token() method, or a new subclass would also be OK.

I'm happy to prepare a PR if there's a preferred approach.

For now it's a bit painful for users as they need to know what to mock and how.

Fixture should send a token containing the information as provided by the user (with default values for users that may not know the content of a token).

Fixture should also allow to test for various authentication failures sent by requests_auth so that user can test that code handles it properly.

Same as #15 but for the browser queries

Is there a reason that the redirect_uri is hard-coded here? I see that you can set the endpoint and the port, but why not the entire URI?

https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow

It would be nice if the JsonTokenFileCache() class would create the token file cache with limited permissions, for example,

instead of:

with open(self.tokens_path, "w") as tokens_cache_file:
                json.dump(self.tokens, tokens_cache_file)

doing something like:

with open(os.open(self.tokens_path, os.O_WRONLY | os.O_CREAT, 0o600), "w") as tokens_cache_file:
                json.dump(self.tokens, tokens_cache_file)

would make the token cache file accessible for the current user only per default.

Cfr https://oauth.net/2/device-flow/ or https://joonasw.net/view/device-code-flow

For each flow, to ease usage for new users of a specific kind of authentication.

BrowserAuth currently is hardcoded to use http://localhost. Prefer to pass the request_uri_domain as a keyword arg, with default being http://localhost.

Hi @Colin-b ,

First of all, thank you for creating this library that makes it so easy to incorporate the PKCE flow! I'm using this library for a Python Windows desktop app that authenticates with Okta via the PKCE flow. I'm now trying to write integration tests but the issue is that I need to pass in test user credentials instead of using the browser for IWA. Is there a way to achieve this? I am able to call /api/v1/authn with the credentials and get a session token and am at a loss on how to use it to get the auth code bypassing browser auth.

Let me know if there is a way to do that.

Thanks

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()

key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
key = key_client.get_key("key-name")
print(key.name)

how to get the access token from Oauth 2 google analytics api from the above step

I have an issue with a token in the cache that is expiring at time T and a request sent at time T that will use this token as not yet expired. The request fails as the token, when reaching the API backend on T+some ms is expired.
It would be useful to be able to specify some delta/interval (in seconds) that would trigger a refresh of the token if it expires after this delta.
e.g. OAuth2ClientCredentials(validity_duration=5, ...) will request a new token if `now+5>expiry´.

instead of username/password

As for now only + can be used

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

in the same spirit as OktaImplicit(instance='testserver.okta-emea.com', authorization_server="my-auth-server", client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd') but for OAuth2ClientCredentials.

Today, I need to write

OAuth2ClientCredentials(
        authorization_url="https://my-okta-instance/oauth2/my-server/v1/authorize",
        token_url="https://my-okta-instance/oauth2/my-server/v1/token",
        username="my-client-id",
        password="my-client-secret",
        scope="my-scope",
    )

while I'd like to write

OktaClientCredentials(
        instance="my-okta-instance",
        authorization_server="my-server",
        client_id="my-client-id",
        client_secret="my-client-secret",
        scope="my-scope",
    )

(the change from username/password to client_id/client_secret is also in #30

Same as AzureActiveDirectory but with v2.0 as explained in https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims

Is it possible to support the 'GET' ? I read a "Unable to properly perform authentication. GET is not supported for now." for LinkedIn OAuth2

context: I am trying to use the module for LinkedIn to manage the oauth2 in https://github.com/HootsuiteLabs/python-linkedin-v2

But we should also expose a dedicated base exception class (itself based on Requests base exception)

In debug mode, the logger display a message "Inserting token expiring on ..." with the complete token (https://github.com/Colin-b/requests_auth/blob/develop/requests_auth/oauth2_tokens.py#L82).

Display secret in logs is not recommended (AFAIK).
Maybe replace in the message the token by just the beginning/end of token ?

Okta provides a pre-configured Custom Authorization Server with the name default. This default authorization server includes a basic access policy and rule, which you can edit to control access. It allows you to specify default instead of the authServerId in requests to it:

https://dev-708457.okta.com/oauth2/default/v1/authorize

It should exists somewhere within OpenID Connect specs

Line

utcnow does not set tzinfo (see https://docs.python.org/3/library/datetime.html#datetime.datetime.utcnow)
timestamp assume localtime of not tzinfo (see
see https://docs.python.org/3/library/datetime.html#datetime.datetime.timestamp)

In case more than one port can be used for redirection but one might not be available from time to time