# Oauth2 Flask Service
[](https://travis-ci.org/dataspot/dgp-oauth2)
A generic OAuth2 authentication service and user permission manager.
Based off [OpenSpending auth service](https://github.com/openspending/os-conductor).
## Quick start
### Clone the repo and install
`make install`
### Run tests
`make test`
### Run server
`python server.py`
## Env Vars
- `PRIVATE_KEY` & `PUBLIC_KEY` an RSA key-pair in PEM format.
See `tools/generate_key_pair.sh` for more info.
- `GOOGLE_KEY` & `GOOGLE_SECRET`: OAuth credentials for authenticating with Google
- `GITHUB_KEY` & `GITHUB_SECRET`: OAuth credentials for authenticating with Github
- `DATABASE_URL`: A SQLAlchemy compatible database connection string (where user data is stored)
- `EXTERNAL_ADDRESS`: The hostname where this service is located on
- `ALLOWED_SERVICES`:
Which permissions providers are available. A `;` delimited list of provider identifiers.
Each provider identifier takes the form of `[alias:]provider`, where `provider` is the name of a Python module
which exports a `get_permissions(service, userid)` function.
- `INSTALLED_EXTENSIONS`:
List of installed extensions. A `;` delimited list of `extension` - the name of a Python modules which exports one or all of these functions
- `on_new_user(user_info)`
- `on_user_login(user_info)`
- `on_user_logout(user_info)`
## API
### Check an authentication token's validity
`/auth/check`
**Method:** `GET`
**Query Parameters:**
- `jwt` - authentication token
- `next` - URL to redirect to when finished authentication
**Returns:**
If authenticated:
```json
{
"authenticated": true,
"profile": {
"id": "<user-id>",
"name": "<user-name>",
"email": "<user-email>",
"avatar_url": "<url-for-user's-profile-photo>",
"idhash": "<unique-id-of-the-user>",
"username": "<user-selected-id>" # If user has a username
}
}
```
If not:
```json
{
"authenticated": false,
"providers": {
"google": {
"url": "<url-for-logging-in-with-the-Google-provider>"
},
"github": {
"url": "<url-for-logging-in-with-the-Github-provider>"
},
}
}
```
When the authentication flow is finished, the caller will be redirected to the `next` URL with an extra query parameter
`jwt` which contains the authentication token. The caller should cache this token for further interactions with the API.
### Get permission for a service
`/auth/authorize`
**Method:** `GET`
**Query Parameters:**
- `jwt` - user token (received from `/user/check`)
- `service` - the relevant service (e.g. `storage-service`)
**Returns:**
```json
{
"token": "<token-for-the-relevant-service>"
"userid": "<unique-id-of-the-user>",
"permissions": {
"permission-x": true,
"permission-y": false
},
"service": "<relevant-service>"
}
```
### Change the username
`/auth/update`
**Method:** `POST`
**Query Parameters:**
- `jwt` - authentication token (received from `/user/check`)
- `username` - A new username for the user profile (this action is only allowed once)
**Returns:**
```json
{
"success": true,
"error": "<error-message-if-applicable>"
}
```
__Note__: trying to update other user profile fields like `email` will fail silently and return
```json
{
"success": true
}
```
### Receive authorization public key
`/auth/public-key`
**Method:** `GET`
**Returns:**
The service's public key in PEM format.
Can be used by services to validate that the permission token is authentic.
Raw data
{
"_id": null,
"home_page": "https://github.com/dataspot/dgp-oauth2",
"name": "dgp-oauth2",
"maintainer": "",
"docs_url": null,
"requires_python": "",
"maintainer_email": "",
"keywords": "data,authentication,oauth2",
"author": "Adam Kariv, Open Knowledge (International), Datopian",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/fd/d4/060e88d28408d488a59da9f4b3a2ee775c39b330823bd3ab93fecabbd468/dgp-oauth2-1.3.4.tar.gz",
"platform": null,
"description": "# Oauth2 Flask Service\n\n[](https://travis-ci.org/dataspot/dgp-oauth2)\n\nA generic OAuth2 authentication service and user permission manager.\n\nBased off [OpenSpending auth service](https://github.com/openspending/os-conductor).\n\n## Quick start\n\n### Clone the repo and install\n\n`make install`\n\n### Run tests\n\n`make test`\n\n### Run server\n\n`python server.py`\n\n## Env Vars\n- `PRIVATE_KEY` & `PUBLIC_KEY` an RSA key-pair in PEM format.\n See `tools/generate_key_pair.sh` for more info.\n- `GOOGLE_KEY` & `GOOGLE_SECRET`: OAuth credentials for authenticating with Google\n- `GITHUB_KEY` & `GITHUB_SECRET`: OAuth credentials for authenticating with Github\n- `DATABASE_URL`: A SQLAlchemy compatible database connection string (where user data is stored)\n- `EXTERNAL_ADDRESS`: The hostname where this service is located on\n- `ALLOWED_SERVICES`:\n Which permissions providers are available. A `;` delimited list of provider identifiers.\n Each provider identifier takes the form of `[alias:]provider`, where `provider` is the name of a Python module\n which exports a `get_permissions(service, userid)` function.\n- `INSTALLED_EXTENSIONS`:\n List of installed extensions. A `;` delimited list of `extension` - the name of a Python modules which exports one or all of these functions\n - `on_new_user(user_info)`\n - `on_user_login(user_info)`\n - `on_user_logout(user_info)`\n\n\n## API\n\n### Check an authentication token's validity\n`/auth/check`\n\n**Method:** `GET`\n\n**Query Parameters:**\n\n - `jwt` - authentication token\n - `next` - URL to redirect to when finished authentication\n\n**Returns:**\n\nIf authenticated:\n\n```json\n{\n \"authenticated\": true,\n \"profile\": {\n \"id\": \"<user-id>\",\n \"name\": \"<user-name>\",\n \"email\": \"<user-email>\",\n \"avatar_url\": \"<url-for-user's-profile-photo>\",\n \"idhash\": \"<unique-id-of-the-user>\",\n \"username\": \"<user-selected-id>\" # If user has a username\n }\n}\n```\n\nIf not:\n\n```json\n{\n \"authenticated\": false,\n \"providers\": {\n \"google\": {\n \"url\": \"<url-for-logging-in-with-the-Google-provider>\"\n },\n \"github\": {\n \"url\": \"<url-for-logging-in-with-the-Github-provider>\"\n },\n }\n}\n```\n\nWhen the authentication flow is finished, the caller will be redirected to the `next` URL with an extra query parameter\n`jwt` which contains the authentication token. The caller should cache this token for further interactions with the API.\n\n### Get permission for a service\n`/auth/authorize`\n\n**Method:** `GET`\n\n**Query Parameters:**\n\n - `jwt` - user token (received from `/user/check`)\n - `service` - the relevant service (e.g. `storage-service`)\n\n**Returns:**\n\n```json\n{\n \"token\": \"<token-for-the-relevant-service>\"\n \"userid\": \"<unique-id-of-the-user>\",\n \"permissions\": {\n \"permission-x\": true,\n \"permission-y\": false\n },\n \"service\": \"<relevant-service>\"\n}\n```\n\n### Change the username\n`/auth/update`\n\n**Method:** `POST`\n\n**Query Parameters:**\n\n - `jwt` - authentication token (received from `/user/check`)\n - `username` - A new username for the user profile (this action is only allowed once)\n\n**Returns:**\n\n```json\n{\n \"success\": true,\n \"error\": \"<error-message-if-applicable>\"\n}\n```\n\n__Note__: trying to update other user profile fields like `email` will fail silently and return\n\n```json\n{\n \"success\": true\n}\n```\n\n### Receive authorization public key\n`/auth/public-key`\n\n**Method:** `GET`\n\n**Returns:**\n\nThe service's public key in PEM format.\n\nCan be used by services to validate that the permission token is authentic.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "{{ DESCRIPTION }}",
"version": "1.3.4",
"project_urls": {
"Homepage": "https://github.com/dataspot/dgp-oauth2"
},
"split_keywords": [
"data",
"authentication",
"oauth2"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "f8ca664e980fa6ddbec44d7b21b7db8fac6cbc321595d65df4d3ea7a6390efbe",
"md5": "42cf9a124a6bc3b00411cf8d610e6c21",
"sha256": "31bd74be50a268f6978e69a6742764caedd05a67ee64ab054ecb27d8cc672a6e"
},
"downloads": -1,
"filename": "dgp_oauth2-1.3.4-py3-none-any.whl",
"has_sig": false,
"md5_digest": "42cf9a124a6bc3b00411cf8d610e6c21",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 12937,
"upload_time": "2023-11-18T16:29:58",
"upload_time_iso_8601": "2023-11-18T16:29:58.680900Z",
"url": "https://files.pythonhosted.org/packages/f8/ca/664e980fa6ddbec44d7b21b7db8fac6cbc321595d65df4d3ea7a6390efbe/dgp_oauth2-1.3.4-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "fdd4060e88d28408d488a59da9f4b3a2ee775c39b330823bd3ab93fecabbd468",
"md5": "4c49fbfb3e9c14b1d7e3210f7601650b",
"sha256": "ef1b3fd2af2e69b0b3eddc73b9841b2bf8a96bc87ce0c8a5fe3da41fa8f14de5"
},
"downloads": -1,
"filename": "dgp-oauth2-1.3.4.tar.gz",
"has_sig": false,
"md5_digest": "4c49fbfb3e9c14b1d7e3210f7601650b",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 81205,
"upload_time": "2023-11-18T16:30:00",
"upload_time_iso_8601": "2023-11-18T16:30:00.582804Z",
"url": "https://files.pythonhosted.org/packages/fd/d4/060e88d28408d488a59da9f4b3a2ee775c39b330823bd3ab93fecabbd468/dgp-oauth2-1.3.4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-18 16:30:00",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "dataspot",
"github_project": "dgp-oauth2",
"travis_ci": true,
"coveralls": false,
"github_actions": false,
"requirements": [],
"tox": true,
"lcname": "dgp-oauth2"
}
JSON
