google api and oauth2

Kushal Kumaran kushal.kumaran+python at gmail.com
Wed Sep 26 04:24:17 EDT 2012 

On Wed, Sep 26, 2012 at 11:45 AM, Demian Brecht <demianbrecht at gmail.com> wrote:
>>
>> If you are writing a desktop application, read this:
>> https://developers.google.com/accounts/docs/OAuth2#clientside
>
>
> You mean https://developers.google.com/accounts/docs/OAuth2#installed? Your
> link discusses client side browser implementations.
>

Ah yes, I made a mistake in linking displayed url and scrolled position.

> I'd be curious to know the shortcomings of sanction in the context of
> installed apps. My original intent was to provide a server flow
> implementation. If the installed flow isn't too much of a change (doesn't
> seem like it would be, according to the docs, it's how the "code" is
> retrieved by the application), I'd happily add it in or take a patch to
> cover it.

I tried out sanction from a python shell.  In an installed
application, the user can either start a little web server to handle
redirect_uri, or pass in the special value "urn:ietf:wg:oauth:2.0:oob"
to have the authorization code be shown in a text field in the browser
(all of this is for google, I have no idea how other implementations
or the oauth spec differ).

At the moment, the auth_uri function gives out a URI and leaves it up
to the client to deal with it however it likes.  The library could
provide a function (let's call it drive_auth) to drive the entire
process: start a little web server on any available port, give a url
to that server as redirect_uri, then start the user's web browser to
connect to the authentication endpoint.

The embedded web server will need to handle redirect_uri to grab the
authorization code, generate an HTML response that will close the
browser window (or instruct the user to do so), and then stop itself.

For GUI applications which can embed a web browser widget, there is no
need to start a separate web browser application.  To support such
applications, the drive_auth function can take a callback argument to
navigate to a particular URL.  Then the client applications can hook
in their particular GUI toolkit, or just pass in webbrowser.open if
they like.

All this may be beyond the intended scope of your library.

-- 
regards,
kushal

More information about the Python-list mailing list