Here's how it currently works:

# Map URLs to handlers
Route('/auth/<provider>',
         handler='handlers.AuthHandler:_simple_auth',
         name='auth_login'),
Route('/auth/<provider>/callback', 
         handler='handlers.AuthHandler:_auth_callback',
         name='auth_callback'),

Nice tip from @erichiggins:

Perhaps a convenience function could be written that simply supplies a list of
supported providers from the app's config file/dict. Then folks could make the above
route expression(s) programmatically.

Moved here from https://code.google.com/p/gae-simpleauth/issues/detail?id=5

Google OAuth separates the users' email address from the rest of their profile information. In order to get it, you must request both scopes.
https://developers.google.com/accounts/docs/OAuth2Login#scopeparameter

Currently, simpleauth expects the scope to be a string/single value. It should allow a tuple or list then add all defined scopes.

Some refactoring may be required, since simpleauth sends a dictionary mapping of parameters to urllib.urlencode. A list of tuples is also valid for the 'query' parameter, and would be more appropriate in this case.
http://docs.python.org/library/urllib.html#urllib.urlencode

Seems there is no way to specify returnUrl as destination after /auth//callback was processed.

Seems this need to be encoded as part of state [1] variable that google OAuth2 returns back. The 'state' variable is currently used (as key/value) for cross site vulnerability detection.

Or is there some some API that I missed?

[1] https://developers.google.com/accounts/docs/OAuth2WebServer#formingtheurl

Hi,

I cannot find any way to get data other than the default profile using LinkedIn2.

For example, if I choose the following scopes (space separated as prescribed by the linkedin api)

r_basicprofile r_emailaddress

the authentication screen correctly displays that the application is requesting the basic profile and the email but the 'data' argument of the '_on_signin' method only contains the basic profile, not the email.

This is true of any other scope that I tried.

Has anybody successfully obtained more than basic profile with LinkedIn2?

Thanks,
Eric

I'm thinking to make _get_<provider>_user_info() call optional. This way one could spare a URL fetch call when existing users sign in as their profile data have probably been already stored during some previous logins.

Additionally, this could make it easier for a backend profile fetch instead of doing it during the user facing request.

Would this be a good idea?

I'm seeing the production site not redirecting properly back to itself after authentication with Twitter. It's showing a local domain instead of the production URL. Is there any special setup I'm missing in regards to Twitter? BTW, everything is working as expected on the local development setup.

Hi, crhym3

It seems that simpleauth supports using client_id / client_secret in the request-body for client authentication.

Howerver, OAuth 2.0 protocol says,

http://tools.ietf.org/html/rfc6749#section-2.3.1

Including the client credentials in the request-body using the two
parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
to directly utilize the HTTP Basic authentication scheme (or other
password-based HTTP authentication schemes)

Please support the HTTP Basic authentication scheme for client authentication, especailly at token endpoint

It would be great if we can store user data in order to consume the provider APIs later.
I was thinking about a model like this one but I can't figure out how to implement it.

class User(db.Model):
provider = db.StringProperty(required=True) // example (Facebook user id)
id = db.StringProperty(required=True) // example (Facebook, Google...)
created = db.DateTimeProperty(auto_now_add=True)
updated = db.DateTimeProperty(auto_now=True)
name = db.StringProperty(required=True)
profile_url = db.StringProperty(required=True)
access_token = db.StringProperty(required=True)

When attempting to authenticate via Twitter, the last lines fails with an error due to 'screen_name' not being present in uinfo.

    resp, content = client.request(
      'https://api.twitter.com/1/account/verify_credentials.json'
    )
    uinfo = json.loads(content)
    uinfo.setdefault('link', 'http://twitter.com/%s' % uinfo['screen_name'])

uinfo is actually an error message:

The Twitter REST API v1 is no longer active. Please migrate to API v1.1. https://dev.twitter.com/docs/api/1.1/overview.

It'd be great if simpleauth could be updated to support the new Twitter REST APi version.

Any plans or ideas on modifying simpleauth to stop using Google+ API and use their latest API? It is shutting down in a few weeks and simpleauth will start failing.

Here is the Google link to the announcement:
https://developers.google.com/+/api-shutdown

Hi @crhym3

in some condition _oauth2_request return an error. I think better if code have handle for error :

 def _oauth2_request(self, url, token, token_param='access_token'):
    """Makes an HTTP request with OAuth 2.0 access token using App Engine
    URLfetch API.
    """
    target_url = url.format(urlencode({token_param:token}))
    #return urlfetch.fetch(target_url).content
    resp = urlfetch.fetch(target_url)
    if resp.status_code != 200:
        raise AuthProviderResponseError(
          '%s (status: %d)' % (resp.content, resp.status_code))
    else:
        return resp.content

thank you

In SimpleAuthHandler#_get_twitter_user_info(), you have to modify twitter's endpont from

'https://api.twitter.com/1/account/verify_credentials.json'

to

'https://api.twitter.com/1.1/account/verify_credentials.json'

Logging into Google+ from https://simpleauth.appspot.com/ fails with:

"ValueError: No JSON object could be decoded".

I get the same error when using SimpleAuth in my own project, stacktrace below.

Traceback (most recent call last):
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1535, in call
rv = self.handle_exception(request, response, e)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1529, in call
rv = self.router.dispatch(request, response)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1278, in default_dispatcher
return route.handler_adapter(request, response)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 1102, in call
return handler.dispatch()
File "/base/data/home/apps/smigraine-view/9.382668147855496066/app/authentication.py", line 32, in dispatch
webapp2.RequestHandler.dispatch(self)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 572, in dispatch
return self.handle_exception(e, self.app.debug)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
return method(_args, *_kwargs)
File "/base/data/home/apps/smigraine-view/9.382668147855496066/libs/simpleauth/handler.py", line 179, in _auth_callback
result = meth(provider, *cfg[-1:])
File "/base/data/home/apps/smigraine-view/9.382668147855496066/libs/simpleauth/handler.py", line 279, in _oauth2_callback
auth_info = _parser(resp.content)
File "/base/data/home/apps/smigraine-view/9.382668147855496066/libs/simpleauth/handler.py", line 580, in _json_parser
return json.loads(body)
File "/base/data/home/runtimes/python27/python27_dist/lib/python2.7/json/init.py", line 338, in loads
return _default_decoder.decode(s)
File "/base/data/home/runtimes/python27/python27_dist/lib/python2.7/json/decoder.py", line 365, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/base/data/home/runtimes/python27/python27_dist/lib/python2.7/json/decoder.py", line 383, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

from the documentation.

[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.

Hi for basic authentication OpenID Connect is now required for endpoints such as the Azure V2 endpoint. Any plans to implement this in Simpleauth - I am using it for several customer facing Apps and it works very well.

With the need to support Office 365 user authentication I now need to implement OpenID Connect and it is a real shame to have to move to another libary.

Any thoughts?
All the best,
Ian

Reported by montsamu

(On Windows 7, install Python 2.7.3 and GAE 1.7.6, and easy_install 0.6c11)

C:\Python27>set PYTHONPATH=C:\Google\google_appengine

C:\Python27>python.exe
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on win
32
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys
>>> sys.path
['', 'C:\\Google\\google_appengine', 'C:\\windows\\system32\\python27.zip', 'C:\
\Python27\\DLLs', 'C:\\Python27\\lib', 'C:\\Python27\\lib\\plat-win', 'C:\\Pytho
n27\\lib\\lib-tk', 'C:\\Python27', 'C:\\Python27\\lib\\site-packages']
>>> ^Z

C:\Python27>Scripts\easy_install.exe httplib2
Searching for httplib2
Reading http://pypi.python.org/simple/httplib2/
Reading http://code.google.com/p/httplib2/
Best match: httplib2 0.8
Downloading http://httplib2.googlecode.com/files/httplib2-0.8.zip
Processing httplib2-0.8.zip
Running httplib2-0.8\setup.py -q bdist_egg --dist-dir c:\users\ibm_ad~1\appdata\
local\temp\easy_install-r3ah_h\httplib2-0.8\egg-dist-tmp-yb3tvi
zip_safe flag not set; analyzing archive contents...
httplib2.__init__: module references __file__
Adding httplib2 0.8 to easy-install.pth file

Installed c:\python27\lib\site-packages\httplib2-0.8-py2.7.egg
Processing dependencies for httplib2
Finished processing dependencies for httplib2

C:\Python27>Scripts\easy_install.exe oauth2
Searching for oauth2
Reading http://pypi.python.org/simple/oauth2/
Reading http://github.com/simplegeo/python-oauth2
Best match: oauth2 1.5.211
Downloading http://pypi.python.org/packages/source/o/oauth2/oauth2-1.5.211.tar.g
z#md5=987ad7365a70e2286bd1cebb344debbc
Processing oauth2-1.5.211.tar.gz
Running oauth2-1.5.211\setup.py -q bdist_egg --dist-dir c:\users\ibm_ad~1\appdat
a\local\temp\easy_install-ucqgeb\oauth2-1.5.211\egg-dist-tmp-jfe94s
Adding oauth2 1.5.211 to easy-install.pth file

Installed c:\python27\lib\site-packages\oauth2-1.5.211-py2.7.egg
Processing dependencies for oauth2
Finished processing dependencies for oauth2

C:\Python27>
C:\Python27>Scripts\easy_install.exe simpleauth
Searching for simpleauth
Reading http://pypi.python.org/simple/simpleauth/
Reading http://code.google.com/p/gae-simpleauth
Reading http://code.google.com/p/gae-simpleauth/source/checkout
Best match: simpleauth 0.1.4
Downloading http://pypi.python.org/packages/source/s/simpleauth/simpleauth-0.1.4
.tar.gz#md5=9d8d2c821d0a7c18ae2dce7af4f2c03a
Processing simpleauth-0.1.4.tar.gz
Running simpleauth-0.1.4\setup.py -q bdist_egg --dist-dir c:\users\ibm_ad~1\appd
ata\local\temp\easy_install-hrj9re\simpleauth-0.1.4\egg-dist-tmp-ekwtca
Traceback (most recent call last):
  File "C:\Python27\Scripts\easy_install-script.py", line 8, in <module>
    load_entry_point('setuptools==0.6c11', 'console_scripts', 'easy_install')()
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
1712, in main
    with_ei_usage(lambda:
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
1700, in with_ei_usage
    return f()
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
1716, in <lambda>
    distclass=DistributionWithoutHelpCommands, **kw
  File "C:\Python27\lib\distutils\core.py", line 152, in setup
    dist.run_commands()
  File "C:\Python27\lib\distutils\dist.py", line 953, in run_commands
    self.run_command(cmd)
  File "C:\Python27\lib\distutils\dist.py", line 972, in run_command
    cmd_obj.run()
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
211, in run
    self.easy_install(spec, not self.no_deps)
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
446, in easy_install
    return self.install_item(spec, dist.location, tmpdir, deps)
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
476, in install_item
    dists = self.install_eggs(spec, download, tmpdir)
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
655, in install_eggs
    return self.build_and_install(setup_script, setup_base)
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
930, in build_and_install
    self.run_setup(setup_script, setup_base, args)
  File "C:\Python27\lib\site-packages\setuptools\command\easy_install.py", line
919, in run_setup
    run_setup(setup_script, args)
  File "C:\Python27\lib\site-packages\setuptools\sandbox.py", line 62, in run_se
tup
    lambda: execfile(
  File "C:\Python27\lib\site-packages\setuptools\sandbox.py", line 105, in run
    return func()
  File "C:\Python27\lib\site-packages\setuptools\sandbox.py", line 64, in <lambd
a>
    {'__file__':setup_script, '__name__':'__main__'}
  File "setup.py", line 12, in <module>
ImportError: No module named simpleauth

Workaround of sorts is to easy_install pip, and then pip install simpleauth, which works.

pjdelport

Pull request: https://code.google.com/r/pjdelport-gae-simpleauth/

8b2c8e3428f7 should fix this, by using read() instead of import to get the version.

Moved here from https://code.google.com/p/gae-simpleauth/issues/detail?id=8

It currently errors out with:

NotAllowedError: OpenID 2.0 support is decomissione

https://travis-ci.org/x1ddos/simpleauth/builds/215787074

Related to #40

Facebook authentication has stopped working on our production site - it is also not working on your demo site ( https://simpleauth.appspot.com/ ) - any idea what the problem is?
Thanks

If anybody feel like code reviewing:
http://codereview.appspot.com/6499104/

Issue discussion is over here:
http://code.google.com/p/gae-simpleauth/issues/detail?id=1

Here's how I did it.

def _to_user_model_attrs(self, data, attrs_map):
  """Get the needed information from the provider dataset."""
  user_attrs = {}
  for k, v in attrs_map.iteritems():
    attr = (v, data.get(k)) if isinstance(v, str) else v(data.get(k))
    user_attrs.setdefault(*attr)

  return user_attrs

Here is the content of the GAE announcement

"Dear URL Fetch users,

We’re contacting you because you’re listed as the administrator for your organization’s App Engine application, which uses the URL Fetch service. During the phased rollout of an update to this service, we determined that your application may be affected by the change described below.

Currently, the URL Fetch service preserves your original HTTP method (e.g., GET, POST) when it receives and responds to a 302 Moved Temporarily response. Modern user agents typically issue a GET request in response to a 302. After the update, URL Fetch will only issue a GET request after receiving a 302 response, rather than preserving the original method. This may cause requests to be routed differently and/or return 404s or other errors, and will drop the message body from POST requests.

To avoid being affected by this change, please verify that either:
Your app sends non-GET requests (such as POST) directly to the final URL that will handle the request rather than to one that redirects. Some common services, including App Engine, use 302 to redirect HTTP connections to HTTPS and vice versa, so it’s important to check that your protocol is correct as well. You can use the final_url field of the Response object (or a similar object in other APIs) to determine if your fetches are being redirected.
The destination server sends a 303 or 307 HTTP code, each of which specifies the redirect behavior with respect to HTTP methods, rather than a 302.

We will apply the update to your affected application’s URL Fetch usage on April 25, 2015.

If you have any questions, please contact our support team - even if you do not have a support contract.

Sincerely,
Google Cloud Platform team "

Here's Twitter docs:
https://dev.twitter.com/docs/auth/application-only-auth

Hi, thanks for providing this. I made a mistake that took me hours to fix, and I think a small change could make it easier for others. In secrets.py.template you have:

# Google APIs
GOOGLE_APP_ID = 'app id'
GOOGLE_APP_SECRET = 'app secret'

But Google calls these the client ID and client secret. The Google app ID is something else. I was inserting the Google app ID and not the Google client ID and thus it wasn't working. Please change these two lines to:

# Google APIs
GOOGLE_CLIENT_ID = 'client id'
GOOGLE_CLIENT_SECRET = 'client secret'

thanks!

It seems that twitter login need some fix. I tried to figure out why it doesn't work but ....
You can actually verify the demo... :(

I'm getting:

DeadlineExceededError:Deadline exceeded while waiting for HTTP response from URL: https://accounts.google.com/o/oauth2/token

This stack overflow post explains.

"An invalid_grant is returned when the refresh token can't be used to get a new access token from the current user. This is happening to you because the stored Credentials object has a null refresh token, i.e.

credentials.refresh_token is None
True
As mentioned in the NOTE in How to make 'access_type=offline' / server-only OAuth2 operations on GAE/Python?:

If a user has already authorized your client ID, the subsequent times you perform OAuth for these users they will not see the OAuth dialog and you won't be given a refresh token.

You need to make sure your Credentials are stored with a valid refresh token and the easiest way to do this, as mentioned in your last question as well as in all 3 questions you linked to is to use approval_prompt=force when creating your OAuth2WebServerFlow or OAuth2Decorator object (whichever you are using)."

@crhym3 In the installation instructions, is there any reason why the simpleauth could not be moved to the lib directory? I noticed the following line in the main.py but it seems to not bring in the modules from the 'lib' directory:

if 'lib' not in sys.path:
  sys.path[0:0] = ['lib']

Reported by muijsenbergq

Hi,

I'm using your library and i need to be able to use stored tokens and try to reuse them. As a separate path from the OAuth flow.

At the moment a hacked away a little bit to achieve this functionality but maybe it's an idea to implement this (the right way)?

This i my method to use existing tokens and tap into your library.
I made "get_consumer_info_for()" a class method,made it always return a 3-tuple and for the rest using the implementation from your demo.

def try_oauth(tokens):
    provider = tokens.provider
    client_id, client_secret, scope = AuthHandler.get_consumer_info_for(provider)
    fetcher = getattr(AuthHandler(), '_get_%s_user_info' % provider)
    auth_info = {'oauth_token': tokens.oauth_token, 'oauth_token_secret': tokens.oauth_secret}
    user_data = fetcher(auth_info, key=client_id, secret=client_secret)
    if user_data:
        auth_id = get_auth_id(user_data, provider)
        ....

btw, using this class to store tokens in db

class UserTokens(db.Model):
    created = db.IntegerProperty(required=True)
    provider = db.StringProperty(indexed=False, required=True)
    cookie = db.StringProperty()
    oauth_token = db.StringProperty(indexed=False, required=True)
    oauth_secret = db.StringProperty(indexed=False, required=True)
    user = ....

Thanks!

Moved here from https://code.google.com/p/gae-simpleauth/issues/detail?id=6

Google has turned off support for open id 2.0. Thanks for letting me know Google!

https://cloud.google.com/appengine/docs/deprecations/open_id

This breaks the yahoo login as implemented by simpleauth

The demo project here:

https://simpleauth.appspot.com

illustrates the issue

Docs: https://developer.linkedin.com/documents/authentication

Very rarely (1 in 100 requests or so) an invalid session is set to the 'auth' cookie. The valid deserialized cookie looks like this: {u'_user': [5690665774088192, 1, u'0u48LYOY8mdVNf38bluT6n', 1407275076, 1407360509]}. And the invalid deserialized cookie looks like this: {}

This becomes the cookie for auth, and the users session cannot recover.

I have one theory, but its tenuous. By putting a try around the dispatch call in https://github.com/crhym3/simpleauth/blob/master/example/handlers.py that you may in some cases be invalidating the session? For instance an exception is fired before the session can be properly set?

Reported by guillermo

For this step
pip install simpleauth

You need to add the google app engine to your PYTHONPATH first, with a mac this would be

export PYTHONPATH=$PYTHONPATH:/Applications/GoogleAppEngineLauncher.app/Contents/Resources/GoogleAppEngine-default.bundle/Contents/Resources/google_appengine

pjdelport

See issue 8: The fix in https://code.google.com/r/pjdelport-gae-simpleauth/ should resolve this issue too, and no longer require the SDK to be on the path for the install to work.

Moved here from https://code.google.com/p/gae-simpleauth/issues/detail?id=7

The following snippet appends to auth_ids directly instead of using User.add_auth_id. Doing so prevents the creation of a new Unique instance to account for the additional auth_id.

u.auth_ids.append(auth_id)
u.populate(**_attrs)
u.put()

Here's another way:

u.populate(**_attrs)
u.add_auth_id(auth_id)

Note: add_auth_id makes a put() call.

https://developer.yahoo.com/oauth2/guide/
#40

@crhym3 I have been playing with the SimpleAuth for a few days and I noticed that it uses a single User object for an individual user and links the additional social networks to this logged in user. I'm thinking about adding some functionality where I would like the first logged in account to be used when displaying the profile information instead of switching profiles every time user links an account. Thus, do you see this as a good addition to the SimpleAuth module?

Is there a forum where I might be able to get some help? I have simpleauth working but on some machines, there are problems while on others all is well. Worse, I get no error logs anywhere I can find. I'm new to Python so there might be (probably is) something I just don't know about.