/requests-oauth

Python's Requests OAuth (Open Authentication) plugin

Primary LanguagePythonBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

requests-oauth

This plugins adds OAuth v1.0 support to @kennethreitz well-known requests library providing both header and url-encoded authentication.

requests-oauth wants to provide the simplest and easiest way to do OAuth in Python. It was initially based on python-oauth2 (which looks unmaintained), kudos to the authors and contributors for doing a huge effort in providing OAuth to python httplib2. From that point on, the code base has been cleaned, fixing several bugs and heavily refactoring it to eliminate dependencies with python-oauth2, being now a stand-alone plugin.

Installation

You can install requests-oauth by simply doing:

pip install requests-oauth

Usage

Import the hook doing:

from oauth_hook import OAuthHook

You can initialize the hook passing it 5 parameters: access_token, access_token_secret, consumer_key, consumer_secret and header_auth. First two access_token and access_token_secret are optional, in case you want to retrieve those from the API service (see later for an example). There are two ways to do initialize the hook. First one:

oauth_hook = OAuthHook(access_token, access_token_secret, consumer_key, consumer_secret, header_auth)

The header_auth parameter lets you chose the authentication method used. It's a boolean, if you set it to True you will be using an Authorization header. If your API supports this authentication method, it's the one you should be using and the prefered method by the OAuth spec (RFC 5849), an example would be Twitter's API. By default header_auth is set to False, which means url encoded authentication will be used. This is because this the most widely supported authentication system.

If you are using the same consumer_key and consumer_secret all the time, you probably want to setup those fixed, so that you only have to pass the token parameters for setting the hook:

OAuthHook.consumer_key = consumer_key
OAuthHook.consumer_secret = consumer_secret
oauth_hook = OAuthHook(access_token, access_token_secret, header_auth=True)

Now you need to pass the hook to python-requests, you probably want to do it as a session, so you don't have to do this every time:

client = requests.session(hooks={'pre_request': oauth_hook})

What you get is python-requests client which you can use the same way as you use requests API. Let's see a GET example:

response = client.get('http://api.twitter.com/1/account/rate_limit_status.json')
results = json.loads(response.content)

And a POST example:

response = client.post('http://api.twitter.com/1/statuses/update.json', {'status': "Yay! It works!", 'wrap_links': True})

3-legged Authorization

First time authorization and authentication follows a system named three legged OAuth, very well described in Twitter documentation.

Basically it is composed of three steps. Let's see an example based on Imgur's API. All the other APIs work pretty much the same way, only endpoints (urls) change:

Step 1: Obtaining a request token

We start asking for a request token, which will finally turn into an access token, the one we need to operate on behalf of the user.

imgur_oauth_hook = OAuthHook(consumer_key=YOUR_IMGUR_CONSUMER_KEY, consumer_secret=YOUR_IMGUR_CONSUMER_SECRET)
response = requests.post('http://api.imgur.com/oauth/request_token', hooks={'pre_request': imgur_oauth_hook})
qs = parse_qs(response.text)
oauth_token = qs['oauth_token'][0]
oauth_secret = qs['oauth_token_secret'][0]

Step 2: Redirecting the user for getting authorization

In this step we give the user a link or open a web browser redirecting him to an endpoint, passing the oauth_token got in the previous step as a url parameter. The user will get a dialog asking for authorization for our application. In this case we are doing an out of band desktop application, so the user will have to input us a code named verifier. In web apps, we will get this code as a webhook.

print "Go to http://api.imgur.com/oauth/authorize?oauth_token=%s allow the app and copy your PIN" % oauth_token
oauth_verifier = raw_input('Please enter your PIN:')

Step 3: Authenticate

Once we get user's authorization, we request a final access token, to operate on behalf of the user. We build a new hook using previous request token information achieved on step1 and pass the verifier (got in step2) as data using oauth_verifier key:

new_imgur_oauth_hook = OAuthHook(oauth_token, oauth_secret, IMGUR_CONSUMER_KEY, IMGUR_CONSUMER_SECRET)
response = requests.post('http://api.imgur.com/oauth/access_token', {'oauth_verifier': oauth_verifier}, hooks={'pre_request': new_imgur_oauth_hook})
response = parse_qs(response.content)
final_token = response['oauth_token'][0]
final_token_secret = response['oauth_token_secret'][0]

These final_token and final_token_secret are the credentials we need to use for handling user's oauth, so most likely you will want to persist them somehow. These are the ones you should use for building a requests session with a new hook. Beware that not all OAuth APIs provide unlimited time credentials.

Testing

If you want to run the tests, you will need to copy test_settings.py.template into test_settings.py. This file is in the .gitignore index, so it won't be committed:

cp test_settings.py.template test_settings.py

Then fill in the information there. The testing of the library is done in a functional way, doing GETs and POSTs against public OAuth APIs like Twitter, so use a test account and not your personal account:

./tests.py

Contributing

If you'd like to contribute, simply fork the repository, commit your changes to the dev branch (or branch off of it), and send a pull request. Make sure you add yourself to AUTHORS.