Account app: help wanted!

[Anton Danilchenko]

Hello team!

We want to develop "account" application for authentificate registered
users. We can register new users and store his information in the
local datastore. But, we also need add support for auth with OAuth,
OpenID, Google accounts, Twitter, Facebook connect and mach more.

I need you help in complete this application. Who have ideas and
resources (time, energy, skills) - please feedback to me and we
togethe complete this component more faster.

I am waiting for you comments and proposals. Thank you!

[Massimo Di Pierro]

well, if you use web2py, you get Role Based Access Control with pluggable authentication out of the box.
we support these login methods:

oauth10a_account.py
basic_auth.py
cas_auth.py
oauth20_account.py
email_auth.py
extended_login_form.py
openid_auth.py
gae_google_account.py
pam_auth.py
ldap_auth.py
rpx_account.py
linkedin_account.py

I recommend rpx_account.py which provides Janrain integration.
If you use the wizard (here in demo mode only: http://web2py.com/demo_admin/wizard) it will configure Janrain for you and create an app that runs on GAE.

massimo

[Anton Danilchenko]

Thanks Massimo!

Your auth connectors can be run on GAE, or designed by relational
database like MySQL? Where I can found source code of this files with
authentification methods? Many thanks for the fas feedback!

This link is helpful and provide more information about OAuth on GAE
http://code.google.com/intl/en/appengine/docs/python/oauth/

[Massimo Di Pierro]

sorry for the late reply.

the code is here:
http://code.google.com/p/web2py/source/browse/#hg/gluon/contrib/login_methods

They should all run on GAE and/or any of the supported RDBMs. They all run on top of the web2py database abstraction layer.

[Niklas Rosencrantz]

Hi Anton, friends and collaborators,
The 2 providers I found more difficult than the others to integrate with GAE are Twitter and Facebook while OpenID, Yahoo, MySpace, Wordpress and some more account providers are quite simple to enable with backend federated login and frontend JQuery or similar frontend. What I do is just pass the relevant parameters eg
http://gae-appengine-system.appspot.com/_ah/login_redir?claimid=yahoo.com&continue=http://gae-appengine-system.appspot.com/ and then third-party logins get enabled that way. The example shown here is for a Yahoo login. For a userfriendly interface a JQuery plugin is available
http://plugins.jquery.com/project/simpleopenid
I used this approach for an app and I hope you can comment it.
Cheers,
Niklas

[Anton Danilchenko]

Hi Massimo! How can I use this code in our project, and how cn I do
make changes of code? We need fork your code parts, or use it freely?
Can you tell me you role in web2py project.

Hi Niklas! I have look at the example of OpenID plugin for jQuery. But
this plugin not work for Google account authentification in my Google
Chrome browser.


If you have time and interests to provide the authentification
mechanism for our project - please contact with me and we disscuss
about our goal and plans. This is useful part of our project, and I
single have not enought time to do all tasks :-) I need your help.

Thanks guys!

On 8 дек, 13:59, Niklas Rosencrantz <nikla...@gmail.com> wrote:
> Hi Anton, friends and collaborators,
> The 2 providers I found more difficult than the others to integrate with GAE
> are Twitter and Facebook while OpenID, Yahoo, MySpace, Wordpress and some
> more account providers are quite simple to enable with backend federated
> login and frontend JQuery or similar frontend. What I do is just pass the

> relevant parameters eghttp://gae-appengine-system.appspot.com/_ah/login_redir?claimid=yahoo...

> then third-party logins get enabled that way. The example shown here
> is

> for a Yahoo login. For a userfriendly interface a JQuery plugin is availablehttp://plugins.jquery.com/project/simpleopenid

[Massimo Di Pierro]

You would only be able to used the code if you build your app using web2py because it is very much integrated with it. You are free to take any part of the code out in respect of the GPL2 license but I do not think it would be much use.

I am the lead developer for web2py.

Massimo

[Anton Danilchenko]

I have found next helpful materials:

http://code.google.com/p/google-app-engine-samples/source/browse/#svn/trunk/openid-consumer - OpenID sample on GAE

http://code.google.com/intl/en/appengine/docs/python/oauth/ - beta version. Should be reviewed before make our auth mechanism

[Niklas Rosencrantz]

Hi Anton and team!
I too read up on articles where the one about OpenID that links to the JQuery plugin is
http://code.google.com/appengine/articles/openid.html
But it doesn't say how for twitter and facebook logins. The other providers I tried and saw it works.
To integrate the JQuery login interface I had to change small parts of the code. You may inspect it live here if you like:
http://www.koolbusiness.com/login
Note that presumtion is having done the switch to federated login according to instructions from google.
It will not work on local dev server, only on production server and includes adding backend like the following which is mentioned in the article

if not user:      
# let user choose authenticator       
  for p in openIdProviders:
    p_name = p.split('.')[0] # take "AOL" from "AOL.com"
    p_url = p.lower()        # "AOL.com" -> "aol.com"
    loginmsg = loginmsg + '<a href="%s">%s</a> ' % (users.create_login_url(federated_identity=p_url), p_name)

I hope the team can enable this usecase since everyone I discussed using thirdparty logins with are positive about it and see the advantages. Also a discussion is available here
Combining federated, openid, twitter and facebook logins   Niklasro nikla...@gmail.com google-appengine-python Thanks for testing the login
. It appears that with wordpress you also must have registered a blog with
wordpress to use the OpenID. Having an ID only will not work. When created a
blog, I could login like Do you want to pass your http://nisse2.wordpress.com/
...
Oct 7 by Niklasro
Sincerely,
Niklas

[Anton Danilchenko]

Hi Niklas!

You have this functional based on other library (backed) or create your own solution? You have stored local information about user, such as username, age, avatar and other information in datastore on your server side? How you habe implemented access control list (ACL)?

I am interested in adding functionality for login users with popular websites (like Twitter, Google, facebook, Microsoft, etc) and store user information on server side. Also, I need detect user role (admin, manager, etc) to do somthing on site. For example, only blog moderators have access to approve and edit blog entities from all users.

Can you help us implement this "account" application?

Thanks!

[Anton Danilchenko]

Also I have found that Nick Thomson already have implemented auth with Twitter, Yahoo and MySpace. Learn this code: https://github.com/Arachnid/AppEngine-OAuth-Library

[Anton Danilchenko]

User app discussion you can find in our issue tracker by address http://code.google.com/p/appengine-framework/issues/detail?id=13

I have attached file in the last comment with sample of how to use ACL in configurations without change Python code.

[Niklas Rosencrantz]

Thank you Anton! I'm following the links to catch up on implementation
practices.
Best regards,
Niklas

[Anton Danilchenko]

Hi Niklas!

Can you help me implement user application for GAE framework with registration and authorization for store user information in datastore. Also II need add user authentification with Sessions (I think that we need use memcach for this). Thaks!

[Anton Danilchenko]

I have found this OpenID providers viw jQuery plugin: http://jvance.com/pages/JQueryOpenIDPlugin.xhtml

[David Underhill]

You mention storing sessions in memcache.  If you're doing this for speed, I suggest using gae-sessions; by default it uses secure cookies which have 2 advantages of memcache:

1) Faster.

2) Won't be randomly lost when your memcache unexpectedly evicts your data.

~ David

[Anton Danilchenko]

Thanks David! I have search this project (gae-sessions) around the web last 5 hours. Thank you!

Can you help us create useful and easy for use USER application for register, login and logout functionality? We need implement support for many OAuthh and OpenID providers. Useful thing is in support Facebook and VK.com (vkontakte) login associated with this social networks.

[David Underhill]

I've found RPX to be quite helpful.  I use the free version on my sites so visitors can login with Facebook or  any OpenID.  It has a nice interface and is pretty easy to get setup.  (gae-sessions repo includes a demo of using it in conjunction with RPX).

~ David

[Anton Danilchenko]

Thanks. I can start implement auth with gae-sesions library. After few hours I commit changes to repository. Thank you for link to this library!

Can you provide information about how to login to facebook. If available - can you show full code for study. I want to understand how to implement flexible way for users to extend auth providers easier.

[David Underhill]

On Sat, Dec 11, 2010 at 14:30, Anton Danilchenko <anton.da...@gmail.com> wrote:

Thanks. I can start implement auth with gae-sesions library. After few hours I commit changes to repository. Thank you for link to this library!

You're welcome.  Hopefully it will be pretty easy to get up and running with it.

 

Can you provide information about how to login to facebook. If available - can you show full code for study. I want to understand how to implement flexible way for users to extend auth providers easier.

If you're using RPX, it is pretty straightforward.  The demo code is here:

https://github.com/dound/gae-sessions/tree/master/demo

The code requires two pieces be configured to work on one's own GAE app:

1. BASE_URL needs to point to your app (replace the "your-app-id" text).
2. LOGIN_IFRAME needs to point to your RPX account (replace "gae-sessions-demo").

Configuring which providers (e.g., Facebook, Google) show up on your login page is controlled through a web interface provided by RPX.

~ David

[Anton Danilchenko]

I have added only session handling.

Now GAE framework users can access to app.session in request handlers to set and get session information.

Next step - is to implement user models and add registration and auth.

[Niklas Rosencrantz]

class Account(db.Model) can check passwords if you like the idea?
Checking passwords oneself SHA1 authorization is a way

   def __encrypt(self, plaintext, salt=""):
       """returns the SHA1 hexdigest of a plaintext and salt"""
       phrase = hashlib.sha1()
       phrase.update("%s--%s" % (plaintext, salt))
       return phrase.hexdigest()
   def set_password(self, new_password):
       """sets the user's crypted_password"""
       from datetime import datetime, timedelta
       import datetime
       if not self.salt:
           self.salt = self.__encrypt(str(datetime.datetime.now()))
       self.crypted_password = self.__encrypt(new_password,self.salt)
   def check_password(self, plaintext):
       return self.__encrypt(plaintext, self.salt) == self.crypted_password

If you want we can add the above password check to the GAE framework + JQuery frontend + python backend for registration to an app (http://blobsystem.appspot.com ?) that has already OpenID authorization, other or brand new app we select
since OpenID and that requires production deployment and easy for us to agree a deployed version looks right.
I hope you'll comment this proposal.
Thanks!

[Anton Danilchenko]

Yes, we need add double authentification solutions - users registered in our database by email OR login with OAuth and OpenId servers. We need provide only large auth-providers such as Google, Facebook, MySpace etc.

If user want to auth with OpenId or OAuth - no problem. We need store auth information in our database (automatically register this user in datastore). If user want to enter email + password - we can provide this case for users.

I go to sleep. On my clock is 2 hours of night. To see you leter ;-)

Thanks!

[Anton Danilchenko]

I have found also this article about OpenId auth to facebook and other sites (designed for Django).

http://uswaretech.com/blog/2009/08/django-socialauth-login-via-twitter-facebook-openid-yahoo-google/

[Niklas Rosencrantz]

Thank you Anton! Deploying GAE Framework to production server worked
from here (http://niklas-app.appspot.com/). Now it's very good to know
how the login ui shall display like the example from the article you
mention. Since webapp.py and def run(project_dir): is more like GAE
and the article more like django I suggest we stay with def
run(project_dir): and add the connect urls to the Account app without
adding urls.py and also without adding manage.py

What I see is that django projects use manage.py and urls.py which
default GAE doesn't and we currently don't.

Best regards,
Niklas

[Anton Danilchenko]

GAE framework is not Django. We have build our own ideas. But, now we contuinue using Django Templates and Django Forms only. All other pieces of code - writed by GAE framework team.

In SVN trunk today I have commited changes: now we have not used standard Google auth and replaced it to own implementation for register and login users to site. This is user application places in apps/user. Now I continue implement and improve this appliation. Now you have not login to site and registration also not implemented. But after some time we have complete this task.

Our project work like this:

1) look to apps/config.yaml and search configurations for each application in apps section

2) user request page than we see to apps directory and find what application need to start. For example, url like "/blog/new" look to file apps/blog/config.yaml in the urls section for get request handler for this request and run this request handler

3) page result send in response to user browser

We have not used manage.py and config.py and urls.py files. We have own ideology of project structure - simple and flexible, easy to understand.

If you have additional question - you can ask it here.

[David Underhill]

On Sun, Dec 12, 2010 at 13:55, Anton Danilchenko <anton.da...@gmail.com> wrote:

GAE framework is not Django. We have build our own ideas. But, now we contuinue using Django Templates and Django Forms only. All other pieces of code - writed by GAE framework team.

Personally, I find Django forms restrictive and slow.  I used them in the past, but now I prefer Mako.  Others may have different preferences.  (And no choice will please everyone).

 

[Niklas Rosencrantz]

It works getting the SVN version (312) seeing that the link "Login"
changed reaching a 404 supposedly where it's not implemented.

ERROR 2010-12-12 22:18:29,317 webapp.py:52] Not found
'user_logout.controllers.user'
INFO 2010-12-12 22:18:29,318 recording.py:327] Saved; key:
__appstats__:009300, part: 31 bytes, full: 1072 bytes, overhead: 0.000
+ 0.001; link: http://localhost:8080/stats/details?time=1292192309316
INFO 2010-12-12 22:18:29,336 dev_appserver.py:3317] "GET
/user/logout HTTP/1.1" 404 -

I wonder whether user_logout.controllers.user' is implemented? We also
can add the JQuery and OpenID parts here or await further updates. 2
projects I've failed with Django forms so far is form validation and
form preview I tried with djangoforms.ModelForm.
Cheers!
Niklas

[Anton Danilchenko]

I have fixed this incorrect message in SVN copy. Not found this controller:

Not found 'user.controllers.user_logout'

Now I have impolement user login and registration on local version. But I found bug in the gae-sessions library and have reported to gae-session author. I am waiting to fix of this bug, and after this I can commit change with correct user authorizaton working. Now I can't commit this change because after first login we can't access to pages because we have a critical error.

Please wait 12 - 24 hours while we fix this bug. You can start implement you ideas. But now you can't test you code with user auth.

[Anton Danilchenko]

I have complete implementation of user registration on site and login to site with email and password.

You can find this latest version in our SVN trunk repository http://code.google.com/p/appengine-framework/source/checkout

Please try this and report about bugs. Also welcome your ideas.

Best regards, Anton.

[Niklas Rosencrantz]

Thank you Anton for great work! I will deploy latest SVN version + ideas ASAP. Best regards. /Niklas

[Anton Danilchenko]

Good. Please show me result after you complete implementation and bug fixing. If all right - we can start integration of your new features to GAE framework.

[Anton Danilchenko]

Now we can access to curent logged in user in request handlers as app.user.

# in apps/app_name/controllers.py file

def my_request_handler(app):

  return "You are logged in as %s" % app.user

[Anton Danilchenko]

Fixed problem with user compare. If you can try to compare two user objects - that this return False. But we need compare two objects by Key value.

We have fixed this problem and now you can compare users correctly.

[Niklas Rosencrantz]

Very good work Anton! I got the latest SVN version and proceed
according to instructions.
Thanks

[Anton Danilchenko]

I have found problem on deploy version with changed user application.

Previously we have used basic Google accounts for identificate users. On our site GAEframewok.com we have blog posts and other information depends on Google accounts. In property "author" we have saved email address of user. After last change we have support ONLY local users, and we have saved KEY value of user in "author" property. In this case - we need migrate all data from old to new user application.

I think that we need delete all old blog entities and other information from site, and create new copy of this data with new users. Or we can update all records, and replace email addresses of Google users to local users Key.

Any idea how we can authomatically migrate data after changes in model structure?

[Anton Danilchenko]

Now we have stored not protected user passwords. We need authomatically convert plain password to encoded (for example with md5) and compare encoded paswords.

[Niklas Rosencrantz]

It admits basic OpenID login with an OpenID account (eg http://niklas-app.appspot.com/login)
We can follow a discussion today in python group where methods are mentioned
http://riccomini.name/Topics/Web/GoogleAppEngine/FacebookConnect/
Twitter How to:
http://blog.notdot.net/2010/02/Writing-a-twitter-service-on-App-Engine
http://groups.google.com/group/google-appengine-python/browse_thread/thread/96524f04cce1b25d
I now add the facebook/twitter and provider icons welcoming your comments.
Niklas
--
{% block base_js %}       
<!-- Simple OpenID Selector -->
<script type="text/javascript" src="static/js/jquery.min.js"></script>
<script type="text/javascript" src="static/js/openid-jquery.js"></script>
 <script type="text/javascript">
 $(document).ready(function() {document.getElementById('continue').value='http://'+document.domain;
            openid.init('claimid');
        });
</script>
<!-- /Simple OpenID Selector -->   
{% block js %}
<link rel="stylesheet" href="static/css/openid.css" />
{% endblock %}
{% endblock %}
{% block base_css %}
  <link type="text/css" rel="stylesheet" href="/static/user/css/base.css" />
{% block css %}{% endblock %}
--

[Anton Danilchenko]

Can you please not use JS code in templates, and move this code to separate base.js file.

Also you not need include jquery.min.js because this include to page by default in base.html template.

Please move file from static/js/openid-jquery.js to apps/user/static/js/openid-jquery.js and in template use "/static/user/js/openid-jquery.js" (with initial slash).

Update css includes to this:

{% block base_css %}
  <link type="text/css" rel="stylesheet" href="/static/user/css/base.css" />

  <link type="text/css" rel="stylesheet" href="/static/css/openid.css" />

{% endblock %}

Please continue development. I am waiting result of OpenID and OAuth auth integration. Thanks!

[Niklas R]

Thanks for informing the instructions Anton. The Facebook code I added
I confirm works easy:
http://riccomini.name/Topics/Web/GoogleAppEngine/FacebookConnect/files/google_app_engine_facebook_connect_python.zip
I deployed this FacebookConnect to my app noting that it's slightly
other ways for instance to get
user name and whether user is logged in. It basically looks like 4
different cases we call "multilogin" ideally to combine so that
the tag {{name}} or {{user.nickname}} will output the name of the
logged in user whatever login credentials are:
1) OpenID
2) Custom
3) Twitter
4) Facebook
We could store data like username in Session object if you like. So
the login to enable next is twitter and
agree like exactly how we output stuff like username without having to
check on every request whether
it's FB, twitter or OpenID. Perhaps in a BaseHandler?
Thanks!
Niklas

On Dec 15, 9:40 pm, Anton Danilchenko <anton.danilche...@gmail.com>
wrote:

[Anton Danilchenko]

You can integrate this auth with out current user.models ?

[Niklas Rosencrantz]

Yes Anton, towards the user it's quite easy. I research the twitter part this week and i deployed a working example with facebook login (http://www.koolbusiness.com/fblogin) and will integrate the relevant parts to my local version of gae framework this week and review with you that both views and functions towards user go well and that you approve the code. Ill report back soon when i deployed the twitter part + encrypt own passwords. Thanks!

[Niklas Rosencrantz]

Dear Anton and group,
To my deployment I added the facebook connect button to connect with facebook. The code I used was from here:
http://riccomini.name/Topics/Web/GoogleAppEngine/FacebookConnect/
Then FB connect needs an API key for a registered application. I'm not sure whether that requires a custom domain or can be done with plain appspot deployments. I got a custom domain for another appspot deployment that now easily admits facebook logins. Then the idea Calvin presented in appengine group how to add new authentication methods without changing the user model seems quite promising:
http://groups.google.com/group/google-appengine-python/browse_thread/thread/0cdff56921184660

And the twitter part appears possible to take via this link:
http://blog.notdot.net/2010/02/Writing-a-twitter-service-on-App-Engine

If we have a session object we can keep the username etc in the session object or agree some other way to
abstract which account type is used. Please let us know your comments.
Thank you

[Anton Danilchenko]

Niklas, can you please see on this http://www.tipfy.org/wiki/extensions/auth/

[Niklas R]

Thanks for providing the link. I also looked at Janrain and could
enable twitter login using an OAuth module called
twitter_oauth_handler
For the example which twitter user has which apartment I can use a
variable like this

client = OAuthClient('twitter', self)
info = client.get('/account/verify_credentials')
apartment.twitterID = int(info['id'])

And similar for facebook. I wonder how to arrange user classes having
seen examples I don't yet use until we know what structure we want:

class User(db.Model):
class UserAccount(polymodel.PolyModel):
class GoogleUserAccount(UserAccount):
class TwitterAccount(db.Model):

Instead I got a class for "content" or ("usage") just store the
external id for a content entity like a variable called twitterID or
facebookID to connect users with usage. It seems there're several
solutions to this.
Regards,
Niklas

[Anton Danilchenko]

We have moved our source code from SVN to Mercurial. And you can see latest code changes on http://code.google.com/p/gaeframework/

I have changed user application. Now we have used only one model named User. All other - LocalUser, EmailUser, OpenIdUser - was removed. Model class User now have a "nick" and "password" properties.

Please note about this changes.

What you plans to provide integration with OpenId and OAuth servers? Can I help you?