Using Google OAuth2 with Flask
Another answer mentions Flask-Rauth, but doesn't go into detail about how to use it. There are a few Google-specific gotchas, but I have implemented it finally and it works well. I integrate it with Flask-Login so I can decorate my views with useful sugar like @login_required.
I wanted to be able to support multiple OAuth2 providers, so part of the code is generic and based on Miguel Grinberg's excellent post about supporting OAuth2 with Facebook and Twitter here.
First, add your specific Google authentication information from Google into your app's configuration:
GOOGLE_LOGIN_CLIENT_ID = "<your-id-ending-with>.apps.googleusercontent.com"GOOGLE_LOGIN_CLIENT_SECRET = "<your-secret>"OAUTH_CREDENTIALS={ 'google': { 'id': GOOGLE_LOGIN_CLIENT_ID, 'secret': GOOGLE_LOGIN_CLIENT_SECRET }}And when you create your app (in my case, the module's __init__.py):
app = Flask(__name__)app.config.from_object('config')In your app module, create auth.py:
from flask import url_for, current_app, redirect, requestfrom rauth import OAuth2Serviceimport json, urllib2class OAuthSignIn(object): providers = None def __init__(self, provider_name): self.provider_name = provider_name credentials = current_app.config['OAUTH_CREDENTIALS'][provider_name] self.consumer_id = credentials['id'] self.consumer_secret = credentials['secret'] def authorize(self): pass def callback(self): pass def get_callback_url(self): return url_for('oauth_callback', provider=self.provider_name, _external=True) @classmethod def get_provider(self, provider_name): if self.providers is None: self.providers={} for provider_class in self.__subclasses__(): provider = provider_class() self.providers[provider.provider_name] = provider return self.providers[provider_name]class GoogleSignIn(OAuthSignIn): def __init__(self): super(GoogleSignIn, self).__init__('google') googleinfo = urllib2.urlopen('https://accounts.google.com/.well-known/openid-configuration') google_params = json.load(googleinfo) self.service = OAuth2Service( name='google', client_id=self.consumer_id, client_secret=self.consumer_secret, authorize_url=google_params.get('authorization_endpoint'), base_url=google_params.get('userinfo_endpoint'), access_token_url=google_params.get('token_endpoint') ) def authorize(self): return redirect(self.service.get_authorize_url( scope='email', response_type='code', redirect_uri=self.get_callback_url()) ) def callback(self): if 'code' not in request.args: return None, None, None oauth_session = self.service.get_auth_session( data={'code': request.args['code'], 'grant_type': 'authorization_code', 'redirect_uri': self.get_callback_url() }, decoder = json.loads ) me = oauth_session.get('').json() return (me['name'], me['email'])This creates a generic OAuthSignIn class that can be subclassed. The Google subclass pulls its information from Google's published list of information (in JSON format here). This is information that is subject to change, so this approach will make sure it is always up-to-date. One limitation of this is that if an Internet connection is not available on your server at the time the Flask application is initialized (the module imported), it will not be instantiated correctly. This should almost never be a problem, but storing last-known values in the configuration database to cover this eventuality is a good idea.
Finally, the class returns a tuple of name, email in the callback() function. Google actually returns a lot more information, including the Google+ profile if available. Inspect the dictionary returned by oauth_session.get('').json() to see it all.If in the authorize() function you expand the scope (for my app, email is sufficient), you can get access to even more information through the Google API.
Next, write the views to tie it all together:
from flask.ext.login import login_user, logout_user, current_user, login_required@app.route('/authorize/<provider>')def oauth_authorize(provider): # Flask-Login function if not current_user.is_anonymous(): return redirect(url_for('index')) oauth = OAuthSignIn.get_provider(provider) return oauth.authorize()@app.route('/callback/<provider>')def oauth_callback(provider): if not current_user.is_anonymous(): return redirect(url_for('index')) oauth = OAuthSignIn.get_provider(provider) username, email = oauth.callback() if email is None: # I need a valid email address for my user identification flash('Authentication failed.') return redirect(url_for('index')) # Look if the user already exists user=User.query.filter_by(email=email).first() if not user: # Create the user. Try and use their name returned by Google, # but if it is not set, split the email address at the @. nickname = username if nickname is None or nickname == "": nickname = email.split('@')[0] # We can do more work here to ensure a unique nickname, if you # require that. user=User(nickname=nickname, email=email) db.session.add(user) db.session.commit() # Log in the user, by default remembering them for their next visit # unless they log out. login_user(user, remember=True) return redirect(url_for('index'))Finally, my /login view and template to make it all happen:
@app.route('/login', methods=['GET', 'POST'])def login(): if g.user is not None and g.user.is_authenticated(): return redirect(url_for('index')) return render_template('login.html', title='Sign In')login.html:
{% extends "base.html" %}{% block content %} <div id="sign-in"> <h1>Sign In</h1> <p> <a href={{ url_for('oauth_authorize', provider='google') }}><img src="{{ url_for('static', filename='img/sign-in-with-google.png') }}" /></a> </div>{% endblock %}Make sure the correct callback addresses are registered with Google, and the user should simply have to click on "Sign in with Google" on your login page, and it will register them and log them in.
I've searched for quite a bit about using different libraries but all of them seemed ether overkill in some sense (you can use it on any platform but for that you need ton of code) or documentation did not explained what I wanted to. Long story short - I wrote it from scratch thus understanding process of authentication true Google API. It's not as hard as it sounds. Basically you need to follow https://developers.google.com/accounts/docs/OAuth2WebServer guidelines and that's it. For this you also will need to register at https://code.google.com/apis/console/ to generate credentials and register your links. I've used simple subdomain pointing to my office IP since it only allows domains.
For user login/management and sessions I've used this plugin for flask http://packages.python.org/Flask-Login/ - there will be some code based on that.
So first thing first - index view:
from flask import render_templatefrom flask.ext.login import current_userfrom flask.views import MethodViewfrom myapp import appclass Index(MethodView): def get(self): # check if user is logged in if not current_user.is_authenticated(): return app.login_manager.unauthorized() return render_template('index.html')so this view will not open until we will have authenticated user.Talking about users - user model:
from sqlalchemy.orm.exc import NoResultFoundfrom sqlalchemy import Column, Integer, DateTime, Boolean, Stringfrom flask.ext.login import UserMixinfrom myapp.metadata import Session, Baseclass User(Base): __tablename__ = 'myapp_users' id = Column(Integer, primary_key=True) email = Column(String(80), unique=True, nullable=False) username = Column(String(80), unique=True, nullable=False) def __init__(self, email, username): self.email = email self.username = username def __repr__(self): return "<User('%d', '%s', '%s')>" \ % (self.id, self.username, self.email) @classmethod def get_or_create(cls, data): """ data contains: {u'family_name': u'Surname', u'name': u'Name Surname', u'picture': u'https://link.to.photo', u'locale': u'en', u'gender': u'male', u'email': u'propper@email.com', u'birthday': u'0000-08-17', u'link': u'https://plus.google.com/id', u'given_name': u'Name', u'id': u'Google ID', u'verified_email': True} """ try: #.one() ensures that there would be just one user with that email. # Although database should prevent that from happening - # lets make it buletproof user = Session.query(cls).filter_by(email=data['email']).one() except NoResultFound: user = cls( email=data['email'], username=data['given_name'], ) Session.add(user) Session.commit() return user def is_active(self): return True def is_authenticated(self): """ Returns `True`. User is always authenticated. Herp Derp. """ return True def is_anonymous(self): """ Returns `False`. There are no Anonymous here. """ return False def get_id(self): """ Assuming that the user object has an `id` attribute, this will take that and convert it to `unicode`. """ try: return unicode(self.id) except AttributeError: raise NotImplementedError("No `id` attribute - override get_id") def __eq__(self, other): """ Checks the equality of two `UserMixin` objects using `get_id`. """ if isinstance(other, UserMixin): return self.get_id() == other.get_id() return NotImplemented def __ne__(self, other): """ Checks the inequality of two `UserMixin` objects using `get_id`. """ equal = self.__eq__(other) if equal is NotImplemented: return NotImplemented return not equalThere is probably something wrong with UserMixin, but I'll deal with that latter. Your user model will look differently, just make it compatible with flask-login.
So what is left - authentication it self. I set for flask-login that login view is 'login'. Login view renders html with login button that points to google - google redirects to Auth view. It should be possible just to redirect user to google in case it's website only for logged in users.
import loggingimport urllibimport urllib2import jsonfrom flask import render_template, url_for, request, redirectfrom flask.views import MethodViewfrom flask.ext.login import login_userfrom myapp import settingsfrom myapp.models import Userlogger = logging.getLogger(__name__)class Login(BaseViewMixin): def get(self): logger.debug('GET: %s' % request.args) params = { 'response_type': 'code', 'client_id': settings.GOOGLE_API_CLIENT_ID, 'redirect_uri': url_for('auth', _external=True), 'scope': settings.GOOGLE_API_SCOPE, 'state': request.args.get('next'), } logger.debug('Login Params: %s' % params) url = settings.GOOGLE_OAUTH2_URL + 'auth?' + urllib.urlencode(params) context = {'login_url': url} return render_template('login.html', **context)class Auth(MethodView): def _get_token(self): params = { 'code': request.args.get('code'), 'client_id': settings.GOOGLE_API_CLIENT_ID, 'client_secret': settings.GOOGLE_API_CLIENT_SECRET, 'redirect_uri': url_for('auth', _external=True), 'grant_type': 'authorization_code', } payload = urllib.urlencode(params) url = settings.GOOGLE_OAUTH2_URL + 'token' req = urllib2.Request(url, payload) # must be POST return json.loads(urllib2.urlopen(req).read()) def _get_data(self, response): params = { 'access_token': response['access_token'], } payload = urllib.urlencode(params) url = settings.GOOGLE_API_URL + 'userinfo?' + payload req = urllib2.Request(url) # must be GET return json.loads(urllib2.urlopen(req).read()) def get(self): logger.debug('GET: %s' % request.args) response = self._get_token() logger.debug('Google Response: %s' % response) data = self._get_data(response) logger.debug('Google Data: %s' % data) user = User.get_or_create(data) login_user(user) logger.debug('User Login: %s' % user) return redirect(request.args.get('state') or url_for('index'))So everything is splited to two parts - one for getting google token in _get_token. Other for using it and retrieving basic user data in _get_data.
My settings file contains:
GOOGLE_API_CLIENT_ID = 'myid.apps.googleusercontent.com'GOOGLE_API_CLIENT_SECRET = 'my secret code'GOOGLE_API_SCOPE = 'https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email'GOOGLE_OAUTH2_URL = 'https://accounts.google.com/o/oauth2/'GOOGLE_API_URL = 'https://www.googleapis.com/oauth2/v1/'Keep in mind that views has to have url path attached to app so I've use this urls.py file so that I could track my views more easily and import less stuff to flask app creation file:
from myapp import appfrom myapp.views.auth import Login, Authfrom myapp.views.index import Indexurls = { '/login/': Login.as_view('login'), '/auth/': Auth.as_view('auth'), '/': Index.as_view('index'),}for url, view in urls.iteritems(): app.add_url_rule(url, view_func=view)All of this together makes working Google authorization in Flask. If you copy paste it - it might take some mending with flask-login documentation and SQLAlchemy mappings, but the idea is there.
Give Authomatic a try (I'm the maintainer of that project). It is very simple to use, works with any Python framework and supports 16 OAuth 2.0, 10 OAuth 1.0a providers and OpenID.
Here is a simple example about how to authenticate a user with Google and get his/her list of YouTube videos:
# main.pyfrom flask import Flask, request, make_response, render_templatefrom authomatic.adapters import WerkzeugAdapterfrom authomatic import Authomaticfrom authomatic.providers import oauth2CONFIG = { 'google': { 'class_': oauth2.Google, 'consumer_key': '########################', 'consumer_secret': '########################', 'scope': oauth2.Google.user_info_scope + ['https://gdata.youtube.com'], },}app = Flask(__name__)authomatic = Authomatic(CONFIG, 'random secret string for session signing')@app.route('/login/<provider_name>/', methods=['GET', 'POST'])def login(provider_name): response = make_response() # Authenticate the user result = authomatic.login(WerkzeugAdapter(request, response), provider_name) if result: videos = [] if result.user: # Get user info result.user.update() # Talk to Google YouTube API if result.user.credentials: response = result.provider.access('https://gdata.youtube.com/' 'feeds/api/users/default/playlists?alt=json') if response.status == 200: videos = response.data.get('feed', {}).get('entry', []) return render_template(user_name=result.user.name, user_email=result.user.email, user_id=result.user.id, youtube_videos=videos) return responseif __name__ == '__main__': app.run(debug=True)There is also a very simple Flask tutorial which shows how to authenticate a user by Facebook and Twitter and talk to their APIs to read the user's newsfeeds.