Velruse… or what else?
60 views
Skip to first unread message
Jens Troeger
Jun 3, 2019, 9:59:22 PM6/3/19
to pylons-discuss
Hi,
Interesting OAuth thread here, thank you! And just in time for my question.
I’ve been using Velruse quite happily for a while now, although it’s been stale for a few years. MichaelM was somewhat active on that project too, and he still seems to be around working on Pylons in general.
However, a few things could need updating with Velruse (see its issues) and now that Apple has released a sign-in API, it would be nice to add that to Velruse as well.
So I was wondering: are there plans to continue working on Velruse, maybe integrating it closer into Pyramid? Are there more recent alternatives? Are there people here who are using Velruse?
Much thanks,
Jens
Michael Merickel
Jun 3, 2019, 11:26:11 PM6/3/19
to Pylons
On Mon, Jun 3, 2019 at 8:59 PM Jens Troeger <jens.t...@gmail.com> wrote:
I’ve been using Velruse quite happily for a while now, although it’s been stale for a few years. MichaelM was somewhat active on that project too, and he still seems to be around working on Pylons in general.However, a few things could need updating with Velruse (see its issues) and now that Apple has released a sign-in API, it would be nice to add that to Velruse as well.So I was wondering: are there plans to continue working on Velruse, maybe integrating it closer into Pyramid? Are there more recent alternatives? Are there people here who are using Velruse?
Yep I'm active on other Pylons projects but I haven't worked on velruse in years.
I put a significant amount of time into reworking velruse so that it integrated very well into Pyramid and I think that work was a success and shows a good pattern for how to do it. The problem is that the velruse test suite (and anyone else who tries to consume arbitrary third party providers) is a damn nightmare to run. It required setting up accounts on all of the services, including some that required google translate to even get through, and then constantly tweaking the slow selenium tests. It's unavoidable work but it burned me out. On top of that, it's actually really easy (imo) to consume OAuth 2.x + OpenID Connect apis directly. Most bindings for velruse end up being just a very thin wrapper around a small amount of code you can easily write yourself. It basically just involves implementing a redirection endpoint that the provider will send the browser to once the user has granted access, and from there taking the token and querying whatever you want from the provider's api. OpenID Connect has helped a lot in standardizing the type of data you'd want to receive - something velruse was trying to standardize before that standard existed.
I don't have any plans to do anything with velruse in the future and ultimately it's Ben's project and it'd be up to him what he wants to do with it.
- Michael
Jens Troeger
Jun 7, 2019, 3:38:26 AM6/7/19
to pylons-discuss
Thank you Michael for sharing your insights here. I’ve looked through some of the code but, as you said, the testing looked rather daunting to me.
On top of that, it's actually really easy (imo) to consume OAuth 2.x + OpenID Connect apis directly. Most bindings for velruse end up being just a very thin wrapper around a small amount of code you can easily write yourself. It basically just involves implementing a redirection endpoint that the provider will send the browser to once the user has granted access, and from there taking the token and querying whatever you want from the provider's api. OpenID Connect has helped a lot in standardizing the type of data you'd want to receive - something velruse was trying to standardize before that standard existed.
This statement of yours aligns nicely with my thoughts/suspicion that perhaps I ought to drop Velruse altogether, and instead use an OAuth2 package to talk with the providers directly. The website uses only Google, LinkedIn, Live anyway (and I’m thinking to add Apple now) and they all—I think—speak OAuth2.
The recent OAuth thread recommends requests-oauthlib… Can you recommend any particular package, is the that one good?
Much thanks!
Jens
Christian Ledermann
Jun 7, 2019, 9:45:26 AM6/7/19
to pyramid
https://github.com/python-social-auth/social-app-pyramid may be worth a try
(I used https://github.com/python-social-auth/social-app-django with great success)
--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
To post to this group, send email to pylons-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/d1292058-f1d9-48a7-8068-e5f290199bf8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Best Regards,
Christian Ledermann
Newark-on-Trent - UK
Mobile : +44 7474997517
https://uk.linkedin.com/in/christianledermann
https://github.com/cleder/
<*)))>{
If you save the living environment, the biodiversity that we have left,
you will also automatically save the physical environment, too. But If
you only save the physical environment, you will ultimately lose both.
1) Don’t drive species to extinction
2) Don’t destroy a habitat that species rely on.
3) Don’t change the climate in ways that will result in the above.
}<(((*>
Christian Ledermann
Newark-on-Trent - UK
Mobile : +44 7474997517
https://uk.linkedin.com/in/christianledermann
https://github.com/cleder/
<*)))>{
If you save the living environment, the biodiversity that we have left,
you will also automatically save the physical environment, too. But If
you only save the physical environment, you will ultimately lose both.
1) Don’t drive species to extinction
2) Don’t destroy a habitat that species rely on.
3) Don’t change the climate in ways that will result in the above.
}<(((*>
Michael Merickel
Jun 7, 2019, 12:49:42 PM6/7/19
to Pylons
On Fri, Jun 7, 2019 at 2:38 AM Jens Troeger <jens.t...@gmail.com> wrote:
The recent OAuth thread recommends requests-oauthlib… Can you recommend any particular package, is the that one good?
I've used requests-oauthlib successfully in the past. I'd recommend it. I never found much reason to use it during the process of acquiring an access token, but you can. Once you have an access token and possibly a refresh token, it serves as a nice wrapper around a requests.Session to handle adding the appropriate Authorization header as well as assisting in token expiration and using the refresh token to get new access tokens.
- Michael
Jens Troeger
Jul 26, 2019, 1:14:08 PM7/26/19
to pylons-discuss
Thanks!
Christian, the social-app-pyramid package doesn’t seem to be maintained anymore (last updated Feb 2017), so that makes me a little nervous.
Michael, requests-oauthlib looks good, but there’s still the Pyramid integration that I would need to add.
Regarding Pyramid and OAuth2, there are a few projects, e.g. pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other projects like apex seem also unmaintained. Then there is pyramid_fullauth (last updated Mar 2019) which seems to support an interface to use auth with other providers but I can’t quite tell if they’re built in.
Considering that I’m currently using Velruse and need to move on, are there any recommendations from the community regarding Pyramid and OAuth2 to simplify talking with auth providers (e.g. Google, Live, etc.)?
Bert JW Regeer
Jul 26, 2019, 1:38:34 PM7/26/19
to Pylons Project
On Jul 26, 2019, at 11:14, Jens Troeger <jens.t...@gmail.com> wrote:Thanks!Christian, the social-app-pyramid package doesn’t seem to be maintained anymore (last updated Feb 2017), so that makes me a little nervous.Michael, requests-oauthlib looks good, but there’s still the Pyramid integration that I would need to add.
This is something you are going to run in with whatever package you end up using. Unlike Django where everything is set in stone and it is easy for addons to change a small thing, you are going to have to do some of the integration work yourself in Pyramid because of its flexibility.
requests-oauthlib is dead simple to use, and integration is as simple as following it's instructions on how to integrate it into your views.
Steps are:
1. User visits login page and clicks button
2. User is redirected to oauth provider
3. <outside of your scope of your webapp>
4. User gets redirect back to your app (hopefully successfully) with a code
5. Using request-oauthlib exchange code for an access token and refresh token
6. Store the tokens/use them to access the API's, or if this is for authentication only don't even store the tokens
7. Party
Supporting multiple auth providers isn't that difficult either with requests-oauthlib, needs some extra glue code that isn't written for you, but you can keep an array of parameters and depending on the button the user clicks on the login page you substitute in the appropriate auth provider information.
Regarding Pyramid and OAuth2, there are a few projects, e.g. pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other projects like apex seem also unmaintained. Then there is pyramid_fullauth (last updated Mar 2019) which seems to support an interface to use auth with other providers but I can’t quite tell if they’re built in.Considering that I’m currently using Velruse and need to move on, are there any recommendations from the community regarding Pyramid and OAuth2 to simplify talking with auth providers (e.g. Google, Live, etc.)?
Bert JW Regeer
Jonathan Vanasco
Jul 26, 2019, 1:48:16 PM7/26/19
to pylons-discuss
On Friday, July 26, 2019 at 1:14:08 PM UTC-4, Jens Troeger wrote:
Regarding Pyramid and OAuth2, there are a few projects, e.g. pyramid_oauth2_provider (last updated Jun 2017), pyramid_oauth2_client (last updated Feb 2012), pyramid-oauthlib (last updated Jun 2019). Other projects like apex seem also unmaintained. Then there is pyramid_fullauth (last updated Mar 2019) which seems to support an interface to use auth with other providers but I can’t quite tell if they’re built in.
I opensourced pyramid_oauthlib_lowlevel a few months ago, but it's been used in production for a few years. It is a very lowlevel implementation of the oauthlib library that may be more adaptable to your needs than the other libraries. It lets you very quickly put together custom oauth APIs and endpoints for Pyramid + SqlAlchemy, but doesn't auto-generate any routes/views itself. If you're only talking with one provider or offering one api, one of the other libraries is likely better, as they do the automatic route generation.
Mike Orr
Jul 26, 2019, 10:57:20 PM7/26/19
to pylons-...@googlegroups.com
I tried 'pyramid_oauth2_client' first and had this experience:
"pyramid_oauth2_client, oauth2demo, and yasso (a Python OAuth2
provider) The easiest to understand, but it hasn't been updated since
2012. I had to make it compatible with Python 3 and Pyramid 1.9.2. I
got the demo to sometimes log in to yasso but when it came back to the
site it got an invalid state error (akin to a CSRF token mismatch) --
it predates Pyramid's CSRF token support too."
The old date and obsolete parts really make me question it. It was
written when OAuth2 first appeared and the author may not have fully
understood it or anticipated how it and Pyramid would evolve.
'pyramid_oauthlib' confusing because I couldn't tell which grant
classes and views I needed for a client use case; they all looked like
provider use cases.
I got 'requests-authlib' to work with help from Jonathan and others,
so I can answer questions about that. I have one private provider, and
a '/login' view with a button that redirects to the authentication
site, and an '/auth/enter' view that receives the redirect, fetches
the token, parses it to get the claims dict, puts the needed user
metadata in the session, has a SessionAuthenticationPolicy that
fetches the precalculated principles from the session, saves a "User
object" to Redis to track the user's last login and properties (hash:
userid to JSON dict) for admin reports, and saves the claims in Redis
for debugging (hash: userid to JSON dict). I may migrate the latter
two to Postgres when the fields stabilize.
I haven't dealt with saving the token or refreshing it yet. I might
need to use it to allow admin screens to query the Keycloak API and
create a user, but I'm not tthere yet. I also need to test the
"/logout" endpoint to have Keycloak delete its cookie; without that,
they're not fully logged out. (Meaning if they log out and back in, or
of somebody else logs in in the same browser, Keycloak automatically
logs them in without asking for credentials and they can't switch to a
different account.)
--
Mike Orr <slugg...@gmail.com>
"pyramid_oauth2_client, oauth2demo, and yasso (a Python OAuth2
provider) The easiest to understand, but it hasn't been updated since
2012. I had to make it compatible with Python 3 and Pyramid 1.9.2. I
got the demo to sometimes log in to yasso but when it came back to the
site it got an invalid state error (akin to a CSRF token mismatch) --
it predates Pyramid's CSRF token support too."
The old date and obsolete parts really make me question it. It was
written when OAuth2 first appeared and the author may not have fully
understood it or anticipated how it and Pyramid would evolve.
'pyramid_oauthlib' confusing because I couldn't tell which grant
classes and views I needed for a client use case; they all looked like
provider use cases.
I got 'requests-authlib' to work with help from Jonathan and others,
so I can answer questions about that. I have one private provider, and
a '/login' view with a button that redirects to the authentication
site, and an '/auth/enter' view that receives the redirect, fetches
the token, parses it to get the claims dict, puts the needed user
metadata in the session, has a SessionAuthenticationPolicy that
fetches the precalculated principles from the session, saves a "User
object" to Redis to track the user's last login and properties (hash:
userid to JSON dict) for admin reports, and saves the claims in Redis
for debugging (hash: userid to JSON dict). I may migrate the latter
two to Postgres when the fields stabilize.
I haven't dealt with saving the token or refreshing it yet. I might
need to use it to allow admin screens to query the Keycloak API and
create a user, but I'm not tthere yet. I also need to test the
"/logout" endpoint to have Keycloak delete its cookie; without that,
they're not fully logged out. (Meaning if they log out and back in, or
of somebody else logs in in the same browser, Keycloak automatically
logs them in without asking for credentials and they can't switch to a
different account.)
> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/fc586c8e-7068-4443-8a7b-3cc9808e4cd7%40googlegroups.com.
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
--
Mike Orr <slugg...@gmail.com>
Reply all
Reply to author
Forward
0 new messages