Flask-OAuth is an extension to Flask that allows you to interact with remote OAuth enabled applications. Currently it only implements the consumer interface so you cannot expose your own API with OAuth.
Flak-OAuth depends on the python-oauth2 module.
Install the extension with one of the following commands:
$ pip install Flask-OAuth
Alternatively, use easy_install:
$ easy_install Flask-OAuth
To connect to a remote application create a OAuth object and register a remote application on it using the remote_app() method:
from flask_oauth import OAuth
oauth = OAuth()
the_remote_app = oauth.remote_app('the remote app',
...
)
A remote application must define several URLs required by the OAuth machinery:
Additionally the application should define an issued consumer_key and consumer_secret.
You can find these values by registering your application with the remote application you want to connect with.
Additionally you can provide a base_url that is prefixed to all relative URLs used in the remote app.
For Twitter the setup would look like this:
twitter = oauth.remote_app('twitter',
base_url='https://api.twitter.com/1/',
request_token_url='https://api.twitter.com/oauth/request_token',
access_token_url='https://api.twitter.com/oauth/access_token',
authorize_url='https://api.twitter.com/oauth/authenticate',
consumer_key='<your key here>',
consumer_secret='<your secret here>'
)
Now that the application is created one can start using the OAuth system. One thing is missing: the tokengetter. OAuth uses a token and a secret to figure out who is connecting to the remote application. After authentication/authorization this information is passed to a function on your side and it is your responsibility to remember it.
The following rules apply:
For a simple test application, storing that information in the session is probably sufficient:
from flask import session
@twitter.tokengetter
def get_twitter_token(token=None):
return session.get('twitter_token')
If the token does not exist, the function must return None, and otherwise return a tuple in the form (token, secret). The function might also be passed a token parameter. This is user defined and can be used to indicate another token. Imagine for instance you want to support user and application tokens or different tokens for the same user.
The name of the token can be passed to to the request() function.
To sign in with Twitter or link a user account with a remote Twitter user, simply call into authorize() and pass it the URL that the user should be redirected back to. For example:
@app.route('/login')
def login():
return twitter.authorize(callback=url_for('oauth_authorized',
next=request.args.get('next') or request.referrer or None))
If the application redirects back, the remote application will have passed all relevant information to the oauth_authorized function: a special response object with all the data, or None if the user denied the request. This function must be decorated as authorized_handler():
from flask import redirect
@app.route('/oauth-authorized')
@twitter.authorized_handler
def oauth_authorized(resp):
next_url = request.args.get('next') or url_for('index')
if resp is None:
flash(u'You denied the request to sign in.')
return redirect(next_url)
session['twitter_token'] = (
resp['oauth_token'],
resp['oauth_token_secret']
)
session['twitter_user'] = resp['screen_name']
flash('You were signed in as %s' % resp['screen_name'])
return redirect(next_url)
We store the token and the associated secret in the session so that the tokengetter can return it. Additionally we also store the Twitter username that was sent back to us so that we can later display it to the user. In larger applications it is recommended to store satellite information in a database instead to ease debugging and more easily handle additional information associated with the user.
For Facebook the flow is very similar to Twitter or other OAuth systems but there is a small difference. You’re not using the request_token_url at all and you need to provide a scope in the request_token_params:
facebook = oauth.remote_app('facebook',
base_url='https://graph.facebook.com/',
request_token_url=None,
access_token_url='/oauth/access_token',
authorize_url='https://www.facebook.com/dialog/oauth',
consumer_key=FACEBOOK_APP_ID,
consumer_secret=FACEBOOK_APP_SECRET,
request_token_params={'scope': 'email'}
)
Furthermore the callback is mandatory for the call to authorize() and has to match the base URL that was specified in the Facebook application control panel. For development you can set it to localhost:5000.
The APP_ID and APP_SECRET can be retrieved from the Facebook app control panel. If you don’t have an application registered yet you can do this at facebook.com/developers.
Now the user is signed in, but you probably want to use OAuth to call protected remote API methods and not just sign in. For that, the remote application object provides a request() method that can request information from an OAuth protected resource. Additionally there are shortcuts like get() or post() to request data with a certain HTTP method.
For example to create a new tweet you would call into the Twitter application as follows:
resp = twitter.post('statuses/update.json', data={
'status': 'The text we want to tweet'
})
if resp.status == 403:
flash('Your tweet was too long.')
else:
flash('Successfully tweeted your tweet (ID: #%s)' % resp.data['id'])
Or to display the users’ feed we can do something like this:
resp = twitter.get('statuses/home_timeline.json')
if resp.status == 200:
tweets = resp.data
else:
tweets = None
flash('Unable to load tweets from Twitter. Maybe out of '
'API calls or Twitter is overloaded.')
Flask-OAuth will do its best to send data encoded in the right format to the server and to decode it when it comes back. Incoming data is encoded based on the mimetype the server sent and is stored in the data attribute. For outgoing data a default of 'urlencode' is assumed. When a different format is needed, one can specify it with the format parameter. The following formats are supported:
Unknown incoming data is stored as a string. If outgoing data of a different format is needed, content_type should be specified instead and the data provided should be an encoded string.
Registry for remote applications. In the future this will also be the central class for OAuth provider functionality.
Registers a new remote applicaton. If param register is set to False the application is not registered in the remote_apps dictionary. The keyword arguments are forwarded to the OAuthRemoteApp consturctor.
Represents a remote application.
Parameters: |
|
---|
Returns a redirect response to the remote authorization URL with the signed callback given. The callback must be None in which case the application will most likely switch to PIN based authentication or use a remotely stored callback URL. Alternatively it’s an URL on the system that has to be decorated as authorized_handler().
Injects additional authorization functionality into the function. The function will be passed the response object as first argument if the request was allowed, or None if access was denied. When the authorized handler is called, the temporary issued tokens are already destroyed.
the base_url all URLs are joined with.
Handles an oauth1 authorization response. The return value of this method is forwarded as first argument to the handling view function.
Handles an oauth2 authorization response. The return value of this method is forwarded as first argument to the handling view function.
Called if an unknown response came back from the server. This usually indicates a denied response. The default implementation just returns None.
Creates a new oauth2 Client object with the token attached. Usually you don’t have to do that but use the request() method instead.
Sends a request to the remote server with OAuth tokens attached. The url is joined with base_url if the URL is relative.
New in version 0.12: added the token parameter.
Parameters: |
|
---|---|
Returns: | an OAuthResponse object. |
Given request data, checks if the status is okay.
Registers a function as tokengetter. The tokengetter has to return a tuple of (token, secret) with the user’s token and token secret. If the data is unavailable, the function must return None.
If the token parameter is passed to the request function it’s forwarded to the tokengetter function:
@oauth.tokengetter
def get_token(token='user'):
if token == 'user':
return find_the_user_token()
elif token == 'app':
return find_the_app_token()
raise RuntimeError('invalid token')
Contains the response sent back from an OAuth protected remote application.
the parsed content from the server
a Headers object with the response headers the application sent.
the raw, unencoded content from the server
The status code of the response.
Raised if authorization fails for some reason.
If available, the parsed data from the remote API that can be used to pointpoint the error.
A helpful error message for debugging
A unique type for this exception if available.