google api and oauth2

Demian Brecht demianbrecht at gmail.com
Tue Sep 25 16:05:48 EDT 2012


This is a shameless plug, but if you want a much easier to understand
method of accessing protected resources via OAuth2, I have a 55 LOC client
implementation with docs and examples here:
https://github.com/demianbrecht/sanction (Google is one of the tested
providers with an access example).

Are you trying to access resources client side (through JavaScript) or
server side? Either way, the redirect URI *is* important. The first step is
to have your user authorize your application using Google's authorization
page. As one of the query parameters, you must specify the redirect URI
(which must match those registered through Google's app console).

Once the user has authorized your application, they're redirected back to
your site (via the specified redirect URI), with a "code" attached as a
query param. Once you get that code, you must exchange that with Google's
token endpoint to retrieve the access and refresh tokens.

No, it doesn't matter which library you use. Google's (imho) is overly
verbose and difficult to grok (especially for someone new to either OAuth
2.0 or Python, or both). The client ID doesn't need to be kept private, but
the secret does. You should *never* put this anywhere that can be read
publicly.

On Tue, Sep 25, 2012 at 12:04 PM, Littlefield, Tyler <tyler at tysdomain.com> wrote:

> Hello all:
> I've been trying to figure out the oauth2client part of Google's API, and
> I am really confused.
> It shows a flow, and even with the client flow, you need a redirect uri.
> This isn't important because I just want to get both an access and refresh
> token.
> Has anyone had any experience with this? Is it easier to use a more
> developed oauth2 library to handle this? If so, can anyone make any
> suggestions?
>
> If I understand everything correctly, it doesn't matter what library I
> would use to work with the oauth2 protocol, so I could break out of this
> workflow thing that looks like it's more designed for web apps.
> Finally, they caution you about being careful about your client id and
> your client secret; is there much in the way of obfuscation or something I
> can do to keep this secret?
>
> --
> Take care,
> Ty
> http://tds-solutions.net
> The aspen project: a barebones light-weight mud engine:
> http://code.google.com/p/aspenmud
> He that will not reason is a bigot; he that cannot reason is a fool; he
> that dares not reason is a slave.
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>
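
The flow described in the reply above (authorize with a registered redirect URI, receive a "code", exchange it at the token endpoint), sketched with the standard library only. This is an added example, not code from the post or from sanction; the client ID, redirect URI and the "state" check are assumptions made for illustration, and the request is built but never sent.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Google's documented OAuth 2.0 endpoints; the client ID and redirect URI are constructed placeholders.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # not secret
REDIRECT_URI = "https://app.example.com/oauth2/callback"    # must match the registered URI


def authorization_url(scope):
    """Step 1: URL the user is sent to. Returns (url, state); keep state in the session."""
    state = secrets.token_urlsafe(32)  # ties the later callback to this browser session
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "access_type": "offline",  # Google-specific: ask for a refresh token as well
    }
    return AUTH_ENDPOINT + "?" + urlencode(params), state


def code_from_callback(callback_url, expected_state):
    """Step 2: take "code" from the redirect, rejecting errors and a foreign state."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no code")
    return query["code"][0]


def token_request_body(code, client_secret):
    """Step 3: form body to POST, server side and over TLS, to TOKEN_ENDPOINT."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # read from env or a secret store, never from source
        "redirect_uri": REDIRECT_URI,    # must equal the value sent in step 1
    })
```

The JSON response to the step 3 POST carries the access token and, when offline access was granted, the refresh token.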