Re: [pylons-discuss] Velruse… or what else?

2019-07-26 Thread Mike Orr
I tried 'pyramid_oauth2_client' first and had this experience:

"pyramid_oauth2_client, oauth2demo, and yasso (a Python OAuth2
provider) The easiest to understand, but it hasn't been updated since
2012. I had to make it compatible with Python 3 and Pyramid 1.9.2. I
got the demo to sometimes log in to yasso but when it came back to the
site it got an invalid state error (akin to a CSRF token mismatch) --
it predates Pyramid's CSRF token support too."

The old date and obsolete parts really make me question it. It was
written when OAuth2 first appeared and the author may not have fully
understood it or anticipated how it and Pyramid would evolve.

'pyramid_oauthlib' was confusing because I couldn't tell which grant
classes and views I needed for a client use case; they all looked like
provider use cases.

I got 'requests-authlib' to work with help from Jonathan and others,
so I can answer questions about that. I have one private provider, and
a '/login' view with a button that redirects to the authentication
site, and an '/auth/enter' view that receives the redirect, fetches
the token, parses it to get the claims dict, puts the needed user
metadata in the session, has a SessionAuthenticationPolicy that
fetches the precalculated principals from the session, saves a "User
object" to Redis to track the user's last login and properties (hash:
userid to JSON dict) for admin reports, and saves the claims in Redis
for debugging (hash: userid to JSON dict). I may migrate the latter
two to Postgres when the fields stabilize.

I haven't dealt with saving the token or refreshing it yet. I might
need to use it to allow admin screens to query the Keycloak API and
create a user, but I'm not there yet. I also need to test the
"/logout" endpoint to have Keycloak delete its cookie; without that,
they're not fully logged out. (Meaning if they log out and back in, or
if somebody else logs in in the same browser, Keycloak automatically
logs them in without asking for credentials and they can't switch to a
different account.)

On Fri, Jul 26, 2019 at 10:14 AM Jens Troeger  wrote:
>
> Thanks!
>
> Christian, the social-app-pyramid package doesn’t seem to be maintained 
> anymore (last updated Feb 2017), so that makes me a little nervous.
>
> Michael, requests-oauthlib looks good, but there’s still the Pyramid 
> integration that I would need to add.
>
> Regarding Pyramid and OAuth2, there are a few projects, e.g. 
> pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client (last 
> updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other projects 
> like apex seem also unmaintained. Then there is pyramid_fullauth (last 
> updated Mar 2019) which seems to support an interface to use auth with other 
> providers but I can’t quite tell if they’re built in.
>
> Considering that I’m currently using Velruse and need to move on, are there 
> any recommendations from the community regarding Pyramid and OAuth2 to 
> simplify talking with auth providers (e.g. Google, Live, etc.)?
>



-- 
Mike Orr 

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to pylons-discuss+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3Dupf_DORZVT-T9BKgdDqN-J_%2Ba8QEK8ytZ%3D35rUxj%3D%2BJEg%40mail.gmail.com.


Re: [pylons-discuss] Velruse… or what else?

2019-07-26 Thread Jonathan Vanasco


On Friday, July 26, 2019 at 1:14:08 PM UTC-4, Jens Troeger wrote:
>
>
> Regarding Pyramid and OAuth2, there are a few projects, e.g. 
> pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client 
> (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other 
> projects like apex seem also unmaintained. Then there is pyramid_fullauth 
> (last updated Mar 2019) which seems to support an interface to use auth with 
> other providers but I can’t quite tell if they’re built in.
>

I open-sourced pyramid_oauthlib_lowlevel a few months ago, but it's been 
used in production for a few years. It is a very low-level implementation 
of the oauthlib library that may be more adaptable to your needs than the 
other libraries. It lets you very quickly put together custom OAuth APIs 
and endpoints for Pyramid + SQLAlchemy, but doesn't auto-generate any 
routes/views itself. If you're only talking with one provider or offering 
one API, one of the other libraries is likely better, as they do the 
automatic route generation.



Re: [pylons-discuss] Velruse… or what else?

2019-07-26 Thread Bert JW Regeer


> On Jul 26, 2019, at 11:14, Jens Troeger  wrote:
> 
> Thanks!
> 
> Christian, the social-app-pyramid package doesn’t seem to be maintained 
> anymore (last updated Feb 2017), so that makes me a little nervous.
> 
> Michael, requests-oauthlib looks good, but there’s still the Pyramid 
> integration that I would need to add.

This is something you are going to run into with whatever package you end up 
using. Unlike Django, where everything is set in stone and it is easy for addons 
to change a small thing, you are going to have to do some of the integration 
work yourself in Pyramid because of its flexibility.

requests-oauthlib is dead simple to use, and integration is as simple as 
following its instructions on how to integrate it into your views.

Steps are:

1. User visits login page and clicks button
2. User is redirected to oauth provider
3. 
4. User gets redirect back to your app (hopefully successfully) with a code
5. Using requests-oauthlib, exchange the code for an access token and refresh token
6. Store the tokens/use them to access the APIs, or if this is for 
authentication only don't even store the tokens
7. Party

Supporting multiple auth providers isn't that difficult either with 
requests-oauthlib; it needs some extra glue code that isn't written for you, but 
you can keep an array of parameters and, depending on the button the user clicks 
on the login page, substitute in the appropriate auth provider information.

> 
> Regarding Pyramid and OAuth2, there are a few projects, e.g. 
> pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client 
> (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other 
> projects like apex seem also unmaintained. Then there is pyramid_fullauth 
> (last updated Mar 2019) which seems to support an interface to use auth 
> with other providers but I can’t quite tell if they’re built in.
> 
> Considering that I’m currently using Velruse and need to move on, are there 
> any recommendations from the community regarding Pyramid and OAuth2 to 
> simplify talking with auth providers (e.g. Google, Live, etc.)?

Bert JW Regeer

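The client side of the round trip in Bert's steps 1 to 5 above, and of the '/login' and '/auth/enter' views Mike describes, as an added stdlib-only example (not code from this thread, from Pyramid or from requests-oauthlib): it binds a random state to the session on the way out and checks it on the way back, which is the check behind the "invalid state" error Mike ran into, and it keeps the provider parameters in a table keyed by the button the user clicked, as Bert suggests for multiple providers. The PROVIDERS table, its URLs and the client id are constructed placeholders; the code-for-token exchange (step 5) is left to requests-oauthlib's fetch_token and is not shown.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical provider table (Bert's "array of parameters" keyed by the login
# button the user clicked). All values are constructed placeholders.
PROVIDERS = {
    "keycloak": {
        "client_id": "example-client-id",
        "authorize_url": "https://auth.example.test/authorize",
        "redirect_uri": "https://app.example.test/auth/enter",
        "scope": "openid profile email",
    },
}


class StateMismatch(Exception):
    """The state echoed back by the provider does not match the one in the session."""


def start_login(session, provider):
    """Steps 1-2: bind a fresh random state to the session and build the redirect URL."""
    cfg = PROVIDERS[provider]
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_provider"] = provider
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": cfg["scope"],
        "state": state,
    }
    return f"{cfg['authorize_url']}?{urlencode(params)}"


def receive_redirect(session, callback_url):
    """Step 4: validate the redirect back from the provider; return (provider, code)."""
    query = parse_qs(urlsplit(callback_url).query)
    # The state is single-use: pop it so a replayed or forged redirect cannot succeed.
    expected = session.pop("oauth_state", None)
    provider = session.pop("oauth_provider", None)
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise StateMismatch("state mismatch: redirect not tied to a login this session started")
    if "error" in query:
        raise RuntimeError(f"provider reported an error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise RuntimeError("redirect carried no authorization code")
    # Step 5 (not shown): hand `code` to requests-oauthlib's fetch_token() for the tokens.
    return provider, code
```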


Re: [pylons-discuss] Velruse… or what else?

2019-06-07 Thread Michael Merickel
On Fri, Jun 7, 2019 at 2:38 AM Jens Troeger  wrote:

> The recent OAuth thread recommends requests-oauthlib … Can you recommend any
> particular package, is that one good?
>

I've used requests-oauthlib successfully in the past. I'd recommend it. I
never found much reason to use it during the process of acquiring an access
token, but you can. Once you have an access token and possibly a refresh
token, it serves as a nice wrapper around a requests.Session to handle
adding the appropriate Authorization header as well as assisting in token
expiration and using the refresh token to get new access tokens.

- Michael



Re: [pylons-discuss] Velruse… or what else?

2019-06-07 Thread Christian Ledermann
https://github.com/python-social-auth/social-app-pyramid may be worth a try
(I used https://github.com/python-social-auth/social-app-django with great
success)

On Fri, 7 Jun 2019 at 08:38, Jens Troeger  wrote:

> Thank you Michael for sharing your insights here. I’ve looked through some
> of the code but, as you said, the testing looked rather daunting to me.
>
> On top of that, it's actually really easy (imo) to consume OAuth 2.x +
>> OpenID Connect apis directly. Most bindings for velruse end up being just a
>> very thin wrapper around a small amount of code you can easily write
>> yourself. It basically just involves implementing a redirection endpoint
>> that the provider will send the browser to once the user has granted
>> access, and from there taking the token and querying whatever you want from
>> the provider's api. OpenID Connect has helped a lot in standardizing the
>> type of data you'd want to receive - something velruse was trying to
>> standardize before that standard existed.
>>
>
> This statement of yours aligns nicely with my thoughts/suspicion that
> perhaps I ought to drop Velruse altogether, and instead use an OAuth2
> package to talk with the providers directly. The website uses only Google,
> LinkedIn, Live anyway (and I’m thinking to add Apple now) and they all—I
> think—speak OAuth2.
>
> The recent OAuth thread recommends requests-oauthlib … Can you recommend any
> particular package, is that one good?
>
> Much thanks!
> Jens
>


-- 
Best Regards,

Christian Ledermann

Newark-on-Trent - UK
Mobile : +44 7474997517

https://uk.linkedin.com/in/christianledermann
https://github.com/cleder/


<*)))>{

If you save the living environment, the biodiversity that we have left,
you will also automatically save the physical environment, too. But If
you only save the physical environment, you will ultimately lose both.

1) Don’t drive species to extinction

2) Don’t destroy a habitat that species rely on.

3) Don’t change the climate in ways that will result in the above.

}<(((*>



Re: [pylons-discuss] Velruse… or what else?

2019-06-07 Thread Jens Troeger
Thank you Michael for sharing your insights here. I’ve looked through some 
of the code but, as you said, the testing looked rather daunting to me.

> On top of that, it's actually really easy (imo) to consume OAuth 2.x + 
> OpenID Connect apis directly. Most bindings for velruse end up being just a 
> very thin wrapper around a small amount of code you can easily write 
> yourself. It basically just involves implementing a redirection endpoint 
> that the provider will send the browser to once the user has granted 
> access, and from there taking the token and querying whatever you want from 
> the provider's api. OpenID Connect has helped a lot in standardizing the 
> type of data you'd want to receive - something velruse was trying to 
> standardize before that standard existed.
>

This statement of yours aligns nicely with my thoughts/suspicion that 
perhaps I ought to drop Velruse altogether, and instead use an OAuth2 
package to talk with the providers directly. The website uses only Google, 
LinkedIn, Live anyway (and I’m thinking to add Apple now) and they all—I 
think—speak OAuth2.

The recent OAuth thread recommends requests-oauthlib … 
Can you recommend any particular package, is that one good?

Much thanks!
Jens



Re: [pylons-discuss] Velruse… or what else?

2019-06-03 Thread Michael Merickel
On Mon, Jun 3, 2019 at 8:59 PM Jens Troeger  wrote:

> I’ve been using Velruse quite happily for a while now, although it’s been
> stale for a few years. MichaelM was somewhat active on that project too,
> and he still seems to be around working on Pylons in general.
>
> However, a few things could need updating with Velruse (see its issues)
> and now that Apple has released a sign-in API, it would be nice to add
> that to Velruse as well.
>
> So I was wondering: are there plans to continue working on Velruse, maybe
> integrating it closer into Pyramid? Are there more recent alternatives? Are
> there people here who are using Velruse?
>

Yep I'm active on other Pylons projects but I haven't worked on velruse in
years.

I put a significant amount of time into reworking velruse so that it
integrated very well into Pyramid and I think that work was a success and
shows a good pattern for how to do it. The problem is that the velruse test
suite (and anyone else who tries to consume arbitrary third party
providers) is a damn nightmare to run. It required setting up accounts on
all of the services, including some that required google translate to even
get through, and then constantly tweaking the slow selenium tests. It's
unavoidable work but it burned me out. On top of that, it's actually really
easy (imo) to consume OAuth 2.x + OpenID Connect apis directly. Most
bindings for velruse end up being just a very thin wrapper around a small
amount of code you can easily write yourself. It basically just involves
implementing a redirection endpoint that the provider will send the browser
to once the user has granted access, and from there taking the token and
querying whatever you want from the provider's api. OpenID Connect has
helped a lot in standardizing the type of data you'd want to receive -
something velruse was trying to standardize before that standard existed.

I don't have any plans to do anything with velruse in the future and
ultimately it's Ben's project and it'd be up to him what he wants to do
with it.

- Michael



[pylons-discuss] Velruse… or what else?

2019-06-03 Thread Jens Troeger
Hi,

Interesting OAuth thread here, thank you! And just in time for my question.

I’ve been using Velruse quite happily for a while now, although it’s been 
stale for a few years. MichaelM was somewhat active on that project too, and 
he still seems to be around working on Pylons in general.

However, a few things could need updating with Velruse (see its issues) and 
now that Apple has released a sign-in API, it would be nice to add that to 
Velruse as well.

So I was wondering: are there plans to continue working on Velruse, maybe 
integrating it closer into Pyramid? Are there more recent alternatives? Are 
there people here who are using Velruse?

Much thanks,
Jens
