How to use gspread with python-social-auth - python-social-auth

I'm trying to use gspread with python-social-auth, I followed the sample describe on documentation and I've created this class to use as credential store:
class Credentials(object):
def __init__ (self, access_token=None, scope=None):
self.access_token = access_token
self.scope=scope
def refresh (self, http):
# get new access_token
# this only gets called if access_token is None
pass
And at my code I've used:
import gspread
credentials = Credentials(access_token=user.social_auth.get_access_token(),
scope=['https://spreadsheets.google.com/feeds'])
sh = gspread.authorize(credentials)
And asking any response from API using:
sh.get_spreadsheets_feed()
This error appears on the console:
*** RequestError: (401, '401: <HTML>\n<HEAD>\n<TITLE>Token invalid - AuthSub token has wrong scope</TITLE>\n</HEAD>\n<BODY BGCOLOR="#FFFFFF" TEXT="#000000">\n<H1>Token invalid - AuthSub token has wrong scope</H1>\n<H2>Error 401</H2>\n</BODY>\n</HTML>\n')
I have defined the scope at my settings and this is working well, for example trying to get contacts from Google Contacts
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
'https://www.googleapis.com/auth/contacts.readonly',
'https://www.googleapis.com/auth/spreadsheets.readonly'
]
Any ideas?

You have to add these scopes also to Python Social Auth settings:
SOCIAL_AUTH_GOOGLE_OAUTH2_SCOPE = [
...
'https://www.googleapis.com/auth/spreadsheets.readonly',
'https://spreadsheets.google.com/feeds',
'https://www.googleapis.com/auth/drive.file'
]

Related

authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"

I'm building an oauth2 client with Flask and Authlib. My code to register the oauth is:
google = oauth.register(
name='google',
client_id='',
client_secret="",
access_token_url="https://accounts.google.com/o/oauth2/token",
access_token_params=None,
authorize_url="https://accounts.google.com/o/oauth2/auth",
authorize_params=None,
api_base_url="https://www.googleapis.com/oauth2/v1/",
client_kwargs={'scope': 'openid email'},
server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
)
And my /authorize endpoint looks like this:
#app.route('/authorize')
def authorize():
google = oauth.create_client('google')
token = google.authorize_access_token()
resp = google.get('userinfo')
resp.raise_for_status()
userinfo = resp.json()
return str(userinfo)
But I am getting the error
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"
I had this issue and removing the openid value from scope fixed it. I guess my google config didn't accomodate it,

FastAPI auth check before granting access to sub-applications

I am mounting a Flask app as a sub-application in my root FastAPI app, as explained in the documentation
Now I want to add an authentication layer using HTTPAuthorizationCredentials dependency, as nicely explained in this tutorial
tutorial code
How can I do that?
Preferably, I would like that any type of access attempt to my Flask sub-application goes first through a valid token authentication process implemented in my FastAPI root app. Is that possible?
You can use a custom WSGIMiddleware and authorize the call to flask app inside that like this:
from fastapi import FastAPI, Depends, HTTPException
from fastapi.middleware.wsgi import WSGIMiddleware
from flask import Flask, escape, request
from starlette.routing import Mount
from starlette.types import Scope, Receive, Send
flask_app = Flask(__name__)
def authenticate(authorization: str = Header()):
# Add logic to authorize user
if authorization == "VALID_TOKEN":
return
else:
raise HTTPException(status_code=401, detail="Not Authorized")
class AuthWSGIMiddleware(WSGIMiddleware):
async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
_, authorization = next((header for header in scope['headers'] if header[0] == b'authorization'), (b'authorization', "" ))
authenticate(authorization.decode('utf-8'))
await super().__call__(scope, receive, send)
routes = [
Mount("/v1", AuthWSGIMiddleware(flask_app)),
]
# OR Optionally use this as you were doing
# The above one is preferred as per starlette docs
# app.mount("/v1", WSGIMiddleware(flask_app))
#flask_app.route("/")
def flask_main():
name = request.args.get("name", "World")
return f"Hello, {escape(name)} from Flask!"
app = FastAPI(routes=routes, dependencies=[Depends(authenticate)])
#app.get("/v2")
def read_main():
return {"message": "Hello World"}
For the tutorial you are looking at, you can replace the invoking authenticate function in my example inside AuthWSGIMiddleware->__call__() with
AuthHandler().decode_toke(authorization)

Connecting to Facebook's API

I am facing this issue connecting with Facebook's API using httr package, while testing on 'me' node I came along the following problem.
I was under the impression that me node does not require special permissions.
Testing on the browser with 'https://graph.facebook.com/me' gave the same results, it would be great if some one could provide an explanation.
# Define keys
app_id = 'my_app_id'
app_secret = 'my_app_secret'
# Define the app
fb_app <- oauth_app(appname = "facebook",
key = app_id,
secret = app_secret)
# Get OAuth user access token
fb_token <- oauth2.0_token(oauth_endpoints("facebook"),
fb_app,
scope = 'public_profile',
type = "application/x-www-form-urlencoded",
cache = TRUE)
response <- GET("https://graph.facebook.com",
path = "/me",
config = config(token = fb_token))
# Show content returned
content(response)
$error
$error$message
[1] "An active access token must be used to query information about the current user."
$error$type
[1] "OAuthException"
$error$code
[1] 2500
$error$fbtrace_id
[1] "ARRnb93rZHmWLlXK_MMJlfi"
Noting that I have signed in using the app.

Salesforce making REST calls using access token uses local host rather instance url

I am using a ionic app and have implemented oauth using forcejs described here https://github.com/ccoenraets/forcejs/blob/master/README.md
my code looks like below:
getContacts(){
let service = DataService.getInstance();
service.query('select id, Name from contact LIMIT 50')
.then(response => {
let contacts = response.records;
console.log(JSON.stringify(contacts))
});
}
login(){
let oauth = OAuth.createInstance('mycousmerappid','','http://localhost:8100/tabs/tab1');
oauth.login().then(oauthResult => {
DataService.createInstance(oauthResult);
console.log("Logged Into Salesforce Successfully:::" + JSON.stringify(oauthResult));
this.getContacts()
});
}
the oauth token instance url and refresh token all comes up in login but get contact throws error as below
zone-evergreen.js:2952 GET http://localhost:8100/tabs/services/data/v41.0/query?q=select%20id%2C%20Name%20from%20contact%20LIMIT%2050 404 (Not Found)
scheduleTask # zone-evergreen.js:2952
scheduleTask # zone-evergreen.js:378
onScheduleTask # zone-evergreen.js:272
core.js:9110 ERROR Error: Uncaught (in promise): XMLHttpRequest: {"__zone_symbol__readystatechangefalse":[{"type":"eventTask","state":"scheduled","source":"XMLHttpRequest.addEventListener:readystatechange","zone":"angular","runCount":8}],"__zone_symbol__xhrSync":false,"__zone_symbol__xhrURL":"http://localhost:8100/tabs/services/data/v41.0/query?q=select%20id%2C%20Name%20from%20contact%20LIMIT%2050","__zone_symbol__xhrScheduled":true,"__zone_symbol__xhrErrorBeforeScheduled":false,"__zone_symbol__xhrTask":{"type":"macroTask","state":"scheduled","source":"XMLHttpRequest.send","zone":"angular","runCount":0}}
at resolvePromise (zone-evergreen.js:797)
at resolvePromise (zone-evergreen.js:754)
at zone-evergreen.js:858
at ZoneDelegate.invokeTask (zone-evergreen.js:391)
at Object.onInvokeTask (core.js:34182)
at ZoneDelegate.invokeTask (zone-evergreen.js:390)
at Zone.runTask (zone-evergreen.js:168)
at drainMicroTaskQueue (zone-evergreen.js:559)
at ZoneTask.invokeTask [as invoke] (zone-evergreen.js:469)
at invokeTask (zone-evergreen.js:1603)
based on link i am not expecting it to use the base url localhost. Please advise how to fix this issue
i dont know how to resolve the same way but then i used direct http rest format using the accessToken and instanceUrl coming from oAuth. That works just fine

How to set HTTP password in gerrit while making a REST call using python-requests?

Using requests module want to query Gerrit server and for this need set authentication in below code. And this needs to be done without using any other module like pygerrit2. And if this can be done using HTTP password generated from gerrit. If this is not doable, share an example if auth has to be passed along with Get request.
import requests
import json
import os
GERRIT_SERVER = 'https://gerrit.abc.com'
class GerritServer():
def __init__(self):
self._base_url = GERRIT_SERVER
self._endpoints = {
'CHANGES': 'changes',
}
def _get_endpoint(self, token):
try:
endpoint = self._endpoints[token]
except ValueError:
raise Exception('endpoint not defined for {0}'.format(token))
return '{0}/{1}'.format(self._base_url, endpoint)
def get_endpoint_changes(self):
return self._get_endpoint('CHANGES')
Gerrit's REST API uses digest auth.
username = 'foo'
httpassword = 'bar'
api = 'baz'
auth = requests.auth.HTTPDigestAuth(username, httpassword)
r = requests.get(api, auth=auth)