Thanks all. Ikai Lan, the security issue I was thinking of was session
hijacking. But I've since come across gae-sessions
(https://github.com/dound/gae-sessions) and am taking them on their word
that they've got that figured out. :-)

So what I'm doing now is creating a user object upon oauth sign-in,
saving that to the datastore, and then saving the entire object to a
variable in the session. This works fine. Though the session library
saves all the info directly into a cookie. And that's a lot of data to
go in a cookie that I don't necessarily need on all pages. Which isn't
best practice for fast page loads (the cookie info gets passed to all
requests to the same domain... including all static files). So I may
switch up to create a session object with a subset of user info and
just use that to load the user object when I need additional info or
need to act on the object. Or I'll just leave it like this and not
worry about a negligible issue. :-)

Patrick, I'm doing something similar... saving the user object upon
oauth login, and then if they haven't done so already, taking the user
to a "complete your profile" page to get other pieces of info and
agreement to terms. According to their terms, you need to get explicit
permission from the user to save any info from linkedin anyway, which
I understand to require an additional step beyond the oauth login
itself.



On Jan 24, 10:16 pm, Patrick Poon <[email protected]> wrote:
> One thing to keep in mind is that LinkedIn's API does not provide a
> method to obtain a User's email address.  On my site, when a user
> signs in, I check whether their LinkedIn ID already exists in my
> database.  If it doesn't, I prompt them to register their email
> address the first time they sign in.  This is the only time it is a
> two-step process.
>
> Once they sign in, I stash a session cookie that gets checked
> every time they visit.  If the session has not expired, they can access
> their data directly.  If not or if their LinkedIn access token has
> expired or been revoked, I have them go through a one-step LinkedIn
> authentication process.
>
> To manage users and sessions, I'm currently using gae-patch, but plan
> on upgrading to Django-nonrel (http://www.allbuttonspressed.com) in
> the upcoming weeks.
>
> Hope this helps.
>
> - Patrick
>
> On Jan 25, 6:15 am, "Ikai Lan (Google)" <[email protected]>
> wrote:
>
>
>
>
>
>
>
> > That is roughly correct. LinkedIn is not an openID provider.
>
> > Your flow looks like this:
>
> > (Before anything happens, get a consumer key and secret from LinkedIn)
>
> > 1. User goes to your app. Is there a token? Yes? No? If there's a token and
> > it's valid, just use that to make OAuth calls.
> > 2. Is the token invalid or doesn't exist? Send user to LinkedIn's
> > authorization page. User authorizes your app to make calls to LinkedIn on
> > their behalf, they are redirected to your callback URL with token
> > information.
> > 3. Save the token and make API calls.
>
> > --
> > Ikai Lan
> > Developer Programs Engineer, Google App Engine
> > Blogger: http://googleappengine.blogspot.com
> > Reddit: http://www.reddit.com/r/appengine
> > Twitter: http://twitter.com/app_engine
>
> > On Fri, Jan 21, 2011 at 1:59 PM, Bob <[email protected]> wrote:
> > > Some of these questions may be basic. Be gentle. I've been reading all
> > > the articles and going through examples for oauth and openid, and I
> > > could use a sounding board to make sure I'm understanding it all.
>
> > > I'm building a python web app (let's call it myapp) that I would like
> > > to use to interact with the linkedin api.
>
> > > First, as I understand, the OAuth service
> > > (http://code.google.com/appengine/docs/python/oauth/overview.html) is
> > > not appropriate here... that service is about allowing myapp to serve
> > > as an oauth provider. But in this case I want to be an oauth consumer,
> > > so that service doesn't sound like it will help me.
>
> > > So I could use some python library that allows me to do oauth with
> > > linkedin, like this one: http://code.google.com/p/python-linkedin/
>
> > > Now as I understand, oauth wouldn't make much sense unless the user
> > > has already logged in somehow. I just get credentials returned... but
> > > nothing gets stored as a cookie so I know that "this" user goes with
> > > "these" credentials. So I should probably already have the user login
> > > somehow (like with openid) and then store those credentials on the
> > > user record (or on a model that extends the user, like UserProfile or
> > > something).
>
> > > So if I wanted to use LinkedIn for openid, it's a two-step process.
> > > First, I show the user the linkedin login button, take them through
> > > the openid process for linkedin, and then I need to separately ask
> > > them to go through the oauth process to authorize myapp to work with
> > > their account on linkedin.
>
> > > Is that right? There's no way to do this with just one step?
>
> > > And DOES linkedin act as an openid provider? If so, what is their
> > > provider URL? I've looked but cannot find it.
>
> > > Please let me know if I'm off-base with any of my assumptions.
>
> > > Thanks!
> > > Bob
>
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Google App Engine" group.
> > > To post to this group, send email to [email protected].
> > > To unsubscribe from this group, send email to
> > > [email protected]<google-appengine%2Bunsubscrib
> > >  [email protected]>
> > > .
> > > For more options, visit this group at
> > >http://groups.google.com/group/google-appengine?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en.
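
Bob's plan above (a cookie that carries only a subset of the user data, with the full user object loaded from the datastore only on pages that need it) and Patrick's expiring session cookie that is checked on every visit, as an added example. This is not code from the thread, from gae-sessions or from gae-patch; it uses only the Python standard library so it runs outside App Engine. The secret key, the user record and the dict standing in for the datastore are constructed placeholders. The cookie is an HMAC-SHA256-signed payload holding just the user id and an expiry time.

```python
"""Compact signed session cookie: user id plus expiry, MAC'd with a server
secret; the full user record is read from the datastore only when needed.

Added example (not from the thread, gae-sessions or gae-patch).
Standard library only; USERS below stands in for the App Engine datastore.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. In production generate it once (e.g. os.urandom(32)),
# keep it out of source control and rotate it.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
SESSION_TTL_SECONDS = 3600


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Return 'payload.signature' carrying only what every request needs."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "exp": int(now + SESSION_TTL_SECONDS)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def read_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is intact and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        given_sig = _unb64(sig_b64)
    except (ValueError, TypeError):  # malformed or not base64
        return None
    expected_sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time compare: a plain == would leak the MAC byte by byte.
    if not hmac.compare_digest(given_sig, expected_sig):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    if not isinstance(data.get("exp"), int) or data["exp"] <= now:
        return None  # expired: force a fresh LinkedIn sign-in
    uid = data.get("uid")
    return uid if isinstance(uid, str) else None


# Constructed stand-in for the user entity saved at OAuth sign-in.
USERS = {
    "li-4f7a": {
        "linkedin_id": "li-4f7a",
        "name": "Example Member",
        "headline": "Engineer at Example Corp",
        "oauth_token": "constructed-access-token",
        "oauth_token_secret": "constructed-token-secret",
        "terms_accepted": True,
    }
}


def load_user(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Only pages that need profile data or the OAuth token pay for this read."""
    uid = read_session_cookie(cookie, now)
    return USERS.get(uid) if uid else None


def full_object_cookie_size(user: dict) -> int:
    """Bytes the cookie would carry if the whole user record were stored in it."""
    return len(_b64(json.dumps(user).encode("utf-8")))
```

The MAC stops an attacker from forging or editing the cookie, but it does nothing against replay of a stolen one, which is the session-hijacking case Bob raised; set the cookie with the Secure and HttpOnly flags and keep the TTL short. Because nothing is stored server-side, a session cannot be revoked before it expires unless a session store or a per-user version number in the payload is added.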

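Ikai Lan's step 3 above, "save the token and make API calls", as an added example of how an OAuth 1.0a consumer actually signs such a call (RFC 5849, HMAC-SHA1). This is not code from the thread or from python-linkedin; it is standard-library Python, the LinkedIn endpoint URL and all keys and tokens in it are constructed placeholders, and it goes a little beyond the thread by handling the query-string and repeated-parameter cases the spec requires. The test checks the parameter normalization against the worked example in RFC 5849 section 3.4.1.1.

```python
"""OAuth 1.0a (RFC 5849) consumer-side request signing with HMAC-SHA1.

Added example; not from the thread or from python-linkedin. Standard library
only. The endpoint, consumer key/secret and tokens are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

Params = Iterable[Tuple[str, str]]


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~'
    stay literal; everything else, space included, becomes %XX."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if (scheme == "http" and host.endswith(":80")) or (
        scheme == "https" and host.endswith(":443")
    ):
        host = host.rsplit(":", 1)[0]
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method: str, url: str, params: Params) -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # Encode each name and value first, then sort by name and then by value;
    # repeated names are allowed and every value must be kept.
    encoded: List[Tuple[str, str]] = sorted(
        (pct(k), pct(v)) for k, v in list(params) + query_params
    )
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(method: str, url: str, params: Params,
                        consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer secret) & enc(token secret); the token secret is
    empty for the very first request-token call."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    msg = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def authorization_header(method: str, url: str, consumer_key: str,
                         consumer_secret: str, token: str, token_secret: str,
                         extra_params: Optional[Dict[str, str]] = None,
                         nonce: Optional[str] = None,
                         timestamp: Optional[int] = None) -> str:
    """Build the 'Authorization: OAuth ...' header for one signed API call."""
    oauth: Dict[str, str] = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request
        "oauth_version": "1.0",
    }
    # Body/query parameters are signed too, but only oauth_* go in the header.
    all_params = list((extra_params or {}).items()) + list(oauth.items())
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, all_params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


if __name__ == "__main__":
    # Assumed endpoint and constructed credentials, not taken from the thread.
    print(authorization_header(
        "GET", "https://api.linkedin.com/v1/people/~",
        consumer_key="constructed-consumer-key",
        consumer_secret="constructed-consumer-secret",
        token="constructed-access-token",
        token_secret="constructed-token-secret"))
```

The nonce and timestamp are what let the provider reject a replayed request, so never reuse a nonce and keep the token secret with the token in the user record, not in the session cookie.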