Auth Redirects Work with Confidential, not with Native:

James Carr

Apr 18, 2024, 12:04:17 PM
to Discuss
I am a bit confused about which type of client to use for which scenario. I have a working auth flow using a Confidential client:

1. User clicks login, our server checks for their globus uuid in our system.
2. oauth2_start_flow(redirect_uri) begins.
3. User logs in to globus and grants us permission if needed. 
4. They are redirected back to our site, we grab the code from the request args
5. oauth2_exchange_code_for_tokens(code)
6. etc...

However, when I tried to set up a transfer client (globus_sdk.TransferClient), the error message says that it's not compatible with Confidential clients and to use Native clients. 

So I created a Native app client and now have both. However, when trying the auth flow with a Native app client, it fails due to an invalid scope (my redirect uri). 

Are automated auth flows not possible with Native clients? I really do not want the user to have to type in a code every time they want to authenticate. 


        from flask import redirect, request  # this runs inside a Flask view function

        # GlobusOperations is our own wrapper; general_auth_client() returns the SDK auth client
        client = GlobusOperations().general_auth_client()
        client.oauth2_start_flow(redirect_uri)
        if "code" not in request.args:
            # first visit: send the user to Globus Auth
            auth_uri = client.oauth2_get_authorize_url()
            return redirect(auth_uri)
        else:
            # callback: exchange the code from the query string for tokens
            code = request.args.get("code")
            token = client.oauth2_exchange_code_for_tokens(code)
            go = GlobusOperations()
            globus_uuid = go.general_auth_client(token)

Extra info: I am using the native client in hopes to be able to manage collections, transfer files, etc. As I understand it, it's not possible for a user to view and manage their own collections with the Confidential client. Or am I missing something?

Thank you all! Everyone has been super helpful thus far. 

Josh Bryan

Apr 18, 2024, 2:30:53 PM
to James Carr, Discuss
James,

At a high level, the primary difference between a "Native" client and a "Confidential" client is that a native client is intended to be used in situations where it is running on the end user's hardware (e.g. a cli application or a mobile app).  Whereas a confidential client is meant to be used in places where the end user does not have access to the hardware it is running on (e.g. a web server).  All oauth flows require a "redirect_uri" to be registered and Globus auth will only allow authentication flows that redirect to that uri (for reasons Karl mentioned in his note on your previous thread).  For convenience to support the CLI use case (or other cases where there is no web server), we provide a Globus hosted redirect uri at https://auth.globus.org/v2/web/auth-code, though to prevent users from using that in cases where they should be hosting their own callback url, we prevent confidential clients from registering that url.  I think that may be what you ran into with the confidential client, but without code samples or specific errors I am mostly guessing about what is going on.  If you are building a webservice, you might want to look at the flask example using a confidential client in the SDK docs.

Another purpose for confidential clients is that they support an authentication flow called the client credentials grant.  Globus supports that flow and leverages it for supporting automation.  When using the client credentials grant, you can get access tokens for a "client identity" (an identity with a username of the form <client id>@clients.auth.globus.org).  The SDK also has an example of using client credentials that would be a good resource.  This flow should be used if you are creating a totally offline service that needs to do things with no user interaction.

I hope that clarifies the difference between the two kinds of clients, but if it doesn't I'd suggest opening a ticket with sup...@globus.org and provide code samples with the client IDs that you are using so we can look up errors and give more detailed guidance.

Regards,
Josh

James Carr

Apr 18, 2024, 3:48:26 PM
to Discuss, jo...@globus.org, Discuss, James Carr

Hi Josh, 

Thank you for the info. The flask example you gave is what I am using now for the Login aspect, but I lost that bookmark before I got to the transfer section.  The section under "using the tokens" to create a transfer client is where I have been running into issues, however my authorizer is different, so you are probably correct that it's using the wrong redirect uri. I'll test it with that example. I'll test it and update if needed.

Thanks!
-James

James Carr

Apr 18, 2024, 4:36:08 PM
to Discuss, James Carr, jo...@globus.org, Discuss
Resolved by using 
authorizer = globus_sdk.AccessTokenAuthorizer(session["globus_tokens"]["transfer.api.globus.org"]["access_token"])

Cheers!
-James
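A fuller version of the flow this thread converges on, as an added example (not code from the thread or from the Globus SDK project): the confidential client does the code exchange on the server, the session keeps one record per resource server as the SDK's OAuthTokenResponse.by_resource_server lays them out, and the TransferClient is built from the transfer.api.globus.org access token exactly as in the resolution above. The function names, the expiry check and SAMPLE_TOKENS are my own additions; it assumes globus_sdk is installed only for transfer_client(), and that the auth client passed in is a ConfidentialAppAuthClient created with the server-side client id and secret.

```python
"""Confidential-client web login that keeps Globus tokens per resource
server and builds a TransferClient from the transfer token."""
import time

TRANSFER_RS = "transfer.api.globus.org"
# Published Globus Auth scope string; it is what globus_sdk's TransferScopes.all expands to.
TRANSFER_ALL = "urn:globus:auth:scope:transfer.api.globus.org:all"
LOGIN_SCOPES = ["openid", "profile", "email", TRANSFER_ALL]

def authorize_url(auth_client, redirect_uri):
    """Step 1: start the code flow against our registered callback with the scopes we need."""
    auth_client.oauth2_start_flow(redirect_uri, requested_scopes=LOGIN_SCOPES)
    return auth_client.oauth2_get_authorize_url()

def finish_login(auth_client, code, redirect_uri):
    """Step 2 (callback): exchange ?code= and keep one record per resource server.
    The client secret never leaves auth_client on the server; only tokens go in the session."""
    auth_client.oauth2_start_flow(redirect_uri, requested_scopes=LOGIN_SCOPES)  # new client per request
    resp = auth_client.oauth2_exchange_code_for_tokens(code)
    return {rs: {"access_token": t["access_token"],
                 "refresh_token": t.get("refresh_token"),
                 "expires_at_seconds": t["expires_at_seconds"]}
            for rs, t in resp.by_resource_server.items()}

def select_token(tokens, resource_server, now=None):
    """Pick the access token for one resource server, refusing a missing or expired one."""
    now = time.time() if now is None else now
    if resource_server not in tokens:
        raise KeyError(f"no token for {resource_server}: was its scope requested at login?")
    rec = tokens[resource_server]
    if rec["expires_at_seconds"] <= now:
        raise ValueError(f"token for {resource_server} has expired: log in again")
    return rec["access_token"]

def transfer_client(tokens):
    """Build the TransferClient the way the thread resolved it, from the transfer token only."""
    import globus_sdk  # imported here so the helpers above run without the SDK installed
    authorizer = globus_sdk.AccessTokenAuthorizer(select_token(tokens, TRANSFER_RS))
    return globus_sdk.TransferClient(authorizer=authorizer)

# Constructed sample of what finish_login() returns (not real tokens).
SAMPLE_TOKENS = {
    "auth.globus.org": {"access_token": "AUTH-TOKEN", "refresh_token": None, "expires_at_seconds": 2000},
    TRANSFER_RS: {"access_token": "TRANSFER-TOKEN", "refresh_token": None, "expires_at_seconds": 2000},
}
```

In a Flask app, `finish_login()`'s return value is what goes into `session["globus_tokens"]`, and `transfer_client(session["globus_tokens"])` replaces the one-line authorizer from the resolution while refusing to reuse an expired token.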