I tried 'pyramid_oauth2_client' first and had this experience: "pyramid_oauth2_client, oauth2demo, and yasso (a Python OAuth2 provider) The easiest to understand, but it hasn't been updated since 2012. I had to make it compatible with Python 3 and Pyramid 1.9.2. I got the demo to sometimes log in to yasso but when it came back to the site it got an invalid state error (akin to a CSRF token mismatch) -- it predates Pyramid's CSRF token support too."
The old date and obsolete parts really make me question it. It was written when OAuth2 first appeared and the author may not have fully understood it or anticipated how it and Pyramid would evolve.

'pyramid_oauthlib' was confusing because I couldn't tell which grant classes and views I needed for a client use case; they all looked like provider use cases.

I got 'requests-authlib' to work with help from Jonathan and others, so I can answer questions about that. I have one private provider, and a '/login' view with a button that redirects to the authentication site, and an '/auth/enter' view that receives the redirect, fetches the token, parses it to get the claims dict, puts the needed user metadata in the session, has a SessionAuthenticationPolicy that fetches the precalculated principals from the session, saves a "User object" to Redis to track the user's last login and properties (hash: userid to JSON dict) for admin reports, and saves the claims in Redis for debugging (hash: userid to JSON dict). I may migrate the latter two to Postgres when the fields stabilize.

I haven't dealt with saving the token or refreshing it yet. I might need to use it to allow admin screens to query the Keycloak API and create a user, but I'm not there yet. I also need to test the "/logout" endpoint to have Keycloak delete its cookie; without that, they're not fully logged out. (Meaning if they log out and back in, or if somebody else logs in in the same browser, Keycloak automatically logs them in without asking for credentials and they can't switch to a different account.)

On Fri, Jul 26, 2019 at 10:14 AM Jens Troeger <[email protected]> wrote:
>
> Thanks!
>
> Christian, the social-app-pyramid package doesn’t seem to be maintained anymore (last updated Feb 2017), so that makes me a little nervous.
>
> Michael, requests-oauthlib looks good, but there’s still the Pyramid integration that I would need to add.
>
> Regarding Pyramid and OAuth2, there are a few projects, e.g. pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other projects like apex seem also unmaintained. Then there is pyramid_fullauth (last updated Mar 2019) which seems to support an interface to use auth with other providers but I can’t quite tell if they’re built in.
>
> Considering that I’m currently using Velruse and need to move on, are there any recommendations from the community regarding Pyramid and OAuth2 to simplify talking with auth providers (e.g. Google, Live, etc.)?
>
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/fc586c8e-7068-4443-8a7b-3cc9808e4cd7%40googlegroups.com.

--
Mike Orr <[email protected]>
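
The state check behind the "invalid state error" mentioned in the message above, as an added example that is not part of the original thread or of any library named in it. It assumes a plain dict standing in for the Pyramid session; the endpoint URL, client id, redirect URI and the function names `begin_login` and `finish_login` are placeholders invented for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions, not taken from the thread).
AUTH_ENDPOINT = "https://sso.example.test/auth"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.test/auth/enter"


class StateError(Exception):
    """The callback cannot be tied to a login started in this session."""


def begin_login(session):
    """'/login' step: mint a one-time state, keep it in the session,
    and return the URL the browser is redirected to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}"


def finish_login(session, callback_url):
    """'/auth/enter' step: check state before the code is exchanged for a
    token, and return the authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the state single-use, so a replayed callback fails.
    expected = session.pop("oauth_state", None)
    if expected is None:
        # Typical cause: the session cookie did not survive the round trip.
        raise StateError("no login in progress for this session")
    received = params.get("state", [""])[0]
    # Constant-time comparison of the stored and returned values.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateError("state mismatch")
    if "error" in params:
        raise StateError(f"provider returned error: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise StateError("callback carries no authorization code")
    return code
```
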
