Python authentication and authorization

Authentication and Authorization: Protecting your API¶

Authentication and Authorization are different topics as you can implement Authentication without Authorization (For rate-limiting or loggin for example).

Authentication¶

The fist thing you can do is to add an Authentication backend. Authentication backend needs a datastore to retreive the user accessing the API. This datastore can be used by another endpoint of your API or a datastore aimed for this purpose only.

In this example, we will use a very simple datastore, meant for testing purpose: the PythonListDataStore.

Define a backend¶

The PythonListDataStore is just a list of python dictionnary. So let’s first create this list:

ressources = ["accesskey": "hackme">, "accesskey": "nopassword">] 

Like any other datastore, you need a Model to describe your datastore:

class KeyModel(models.Model): fields = [ models.StringPkField(name="accesskey", required=True) ] 

Then you can instanciate your datastore:

from rest_api_framework.datastore import PythonListDataStore datastore = PythonListDataStore(ressources, KeyModel) 

Instanciate the Authentication backend¶

To keep this example simple we will use another testing tool, the ApiKeyAuthentication

ApiKeyAuthentication will inspect the query for an “apikey” parameter. If the “apikey” correspond to an existing object in the datastore, it will return this object. Otherwise, the user is anonymous.

from rest_api_framework.authentication import ApiKeyAuthentication authentication = ApiKeyAuthentication(datastore, identifier="accesskey") 

Then you can plug this authentication backend to your endpoint:

controller =  "list_verbs": ["GET", "POST"], "unique_verbs": ["GET", "PUT", "DELETE"], "options": "pagination": Pagination(20), "formaters": [foreign_keys_format], "authentication": authentication> > 

Instanciate the Authorization backend¶

The Authorization backend relies on the Authentication backend to retreive a user. With this user and the request, it will grant access or raise an Unauthorized error.

For this example we will use the base Authentication class. This class tries to authenticate the user. If the user is authenticated, then access is granted. Otherwise, it is not.

from rest_api_framework.authentication import Authorization then add it to the controller options:

controller =  "list_verbs": ["GET", "POST"], "unique_verbs": ["GET", "PUT", "DELETE"], "options": "pagination": Pagination(20), "formaters": [foreign_keys_format], "authentication": authentication, "authorization": Authorization, > > 

Testing Authentication and Authorization Backend¶

curl -i -X GET http://localhost:5000/users/?accesskey=hackme HTTP/1.0 200 OK Content-Type: application/json Content-Length: 350 Server: Werkzeug/0.8.3 Python/2.7.2 Date: Wed, 16 Oct 2013 12:18:52 GMT curl -i -X GET http://localhost:5000/users/?accesskey=helloworld HTTP/1.0 401 UNAUTHORIZED Content-Type: application/json Content-Length: 350 Server: Werkzeug/0.8.3 Python/2.7.2 Date: Wed, 16 Oct 2013 12:19:26 GMT curl -i -X GET http://localhost:5000/users/ HTTP/1.0 401 UNAUTHORIZED Content-Type: application/json Content-Length: 350 Server: Werkzeug/0.8.3 Python/2.7.2 Date: Wed, 16 Oct 2013 12:19:45 GMT

Источник

Authentication with Python Requests: A Complete Guide

Authentication with Python Requests a Complete Guide Cover image

In this tutorial, you’ll learn how to provide authentication for the requests you make with the Python requests library. Many web services, such as APIs, require authentication. This can often be a daunting topic for beginner or novice programmers, alike. This is especially true, given that there are many different types of authentication. Thankfully, the requests library comes with a large number of different authentication methods built-in, making the process simple and easy.

By the end of this tutorial, you’ll have learned:

  • How to use basic authentication with Python requests
  • How to use a basic authorization token as credentials with Python requests
  • How to use digest authentication with Python requests
  • How to use OAuth1 authentication with Python requests
  • How to use OAuth2 and OpenID Connect with Python requests
  • How to create your own authentication methods for using with Python requests

Use Basic Authentication with Python Requests

Basic authentication refers to using a username and password for authentication a request. Generally, this is done by using the HTTPBasicAuth class provided by the requests library. However, as you’ll later learn, the requests library makes this much easier, as well, by using the auth= parameter.

Let’s see how we can pass in a username and password into a simple GET request using the HTTPBasicAuth class:

# Authentication in Requests with HTTPBasicAuth import requests from requests.auth import HTTPBasicAuth auth = HTTPBasicAuth('user', 'pass') print(requests.get('https://httpbin.org/basic-auth/user/pass', auth=auth)) # Returns:

Let’s break down what we did in the code above:

  1. We imported both the requests library as well as only the HTTPBasicAuth class
  2. We then created a new HTTPBasicAuth object, auth , which contains a string for the username and password
  3. Finally, we printed the Response we returned when passing our auth variable into the auth= parameter of the get() function

If you were using this method, you’d change ‘user’ and ‘pass’ to the username and password of your choice.

Because the basic authentication method is used so frequently, the requests library abstracts away some of this complexity. Rather than needing to create a new HTTPBasicAuth object each time, you can simply pass a tuple containing your username and password into the auth= parameter.

Let’s see what this looks like:

# Simplifying Basic Authentication with Python requests import requests print(requests.get('https://httpbin.org/basic-auth/user/pass', auth=('user', 'pass'))) # Returns:

In the code above, we were able to significantly reduce the complexity of our code. The Python requests library handles a lot of the boilerplate code for us!

In the following section, you’ll learn how to use digest authentication in the Python requests library.

Use a Basic Authorization Token as Credentials with Python Requests

Many APIs will simply provide you with a basic authorization (or, auth) token instead of credentials. The Python requests library makes working with these types of authorizations very easy. These tokens can easily be embedded in the headers of a request that’s being made.

In order to use basic authorization tokens as credentials, simply pass the token into the Authorization header of a request:

# Using an Authorization Token as Credentials import requests headers = print(requests.get('https://httpbin.org/basic-auth/user/pass', headers=headers)) # Returns:

The requests library accepts headers in the form of a Python dictionary. In the example above, we passed in a sample token as a string. Simply switch out the token you’re using with your own API key and pass it into the headers parameter.

Use Digest Authentication with Python Requests

A very common way of authenticating HTTP requests is to use the digest authentication method. Similar to the Basic HTTP Authentication method shown above, the requests library provides a class to help with digest authentication.

Let’s see how you can use the HTTPDigestAuth class to authenticate using digest authentication in Python:

# Authentication in Requests with HTTPDigestAuth import requests from requests.auth import HTTPDigestAuth auth = HTTPDigestAuth('user', 'pass') print(requests.get('https://httpbin.org/basic-auth/user/pass', auth=auth)) # Returns:

Let’s break down what we did in the code block above:

  1. We imported requests and the HTTPDigestAuth class from the auth module
  2. We then created an auth object by passing our username and password into the class constructor
  3. Then, we made a request and printed out the response

In the following section, you’ll learn how to use OAuth1 authentication with the Python requests library.

Use OAuth1 Authentication with Python Requests

A very common form of authentication when using web APIs is the OAuth form of authentication. Generally, OAuth authentications come with a client key, client secret, a resource key, and a resource secret. While this may seem like a lot, it’s simple to provide to your request.

In order to use OAuth1 authentication, you need to install the requests-oauthlib library. This can be done easily using the pip installer:

# Installing the requests-oauthlib library $ pip install requests requests-oauthlib

Once the library is installed, you can authentication using OAuth1 using the following code:

# Authenticating Using the OAuth1 Authentication Method import requests from requests_oauthlib import OAuth1 url = 'https://api.twitter.com/1.1/account/verify_credentials.json' auth = OAuth1('YOUR_APP_KEY', 'YOUR_APP_SECRET', 'USER_OAUTH_TOKEN', 'USER_OAUTH_TOKEN_SECRET') requests.get(url, auth=auth)

The OAuth1 method was replaced by the OAuth2 authentication protocol in 2012, making it much more robust and reliable. In the following section, you’ll learn how to authenticate using the OAuth2 method.

Use OAuth2 and OpenID Connect Authentication with Python Requests

The OAuth2 authentication protocol is a more robust and reliable protocol than the OAuth1 method. Similar to the method shown above, the OAuth2 authentication uses access tokens. These access tokens are special kinds of data, often in the form of JSON, that allow users to authenticate for a site or a particular resource. Additionally, these tokens often have an expiry date and time in order to keep them more secure.

In order to use OAuth2 with the requests library, you need to install the requests-oauthlib library. This can be done easily using the pip installer:

# Installing the requests-oauthlib library $ pip install requests requests-oauthlib

Once the library is installed, you can authentication using OAuth2 using the following process:

  1. Obtain credentials from the provider manually. Generally, this will include a client_id , but likely also a client_secret . In some cases, you’ll also need to register a default redirect URI to be used by your application.
  2. Create a OAuth2 session using the requests-oauthlib library
  3. Fetch the token from the session object
  4. Access the resources using the session object
# Authenticating with OAuth2 in Requests from requests_oauthlib import OAuth2Session # Inlcude your data client_id = "include your client_id here" client_secret = "include your client_secret here" redirect_uri = "include your redirect URI here" # Create a session object oauth = OAuth2Session(client_id, redirect_uri = redirect_uri) # Fetch a token token = oauth.fetch_token("", client_secret = client_secret) # Get your authenticated response resp = oauth.get("URL to the resource")

This process was a bit more complicated. However, this is a worthwhile method to learn given the prevalence of OAuth2. In the following section, you’ll learn how to authenticate using custom methods in the Python requests library.

Create Custom Authentication Methods for Python Requests

In some cases, the required form of authentication won’t exist in the requests library. Thankfully, the library allows you to create your own forms of authentication by providing a general structure via a subclass.

Let’s see how we can create our own form of authentication by inheriting from the AuthBase class:

# Creating a Custom Authentication Method import requests from requests.auth import AuthBase class CustomAuth(AuthBase): def __call__(self, r): # Implement authentication here return r requests.get(url, auth=CustomAuth())

In the code above, we demonstrated the basic requirements for how to construct your own form of authentication:

  1. We imported the requests library and the AuthBase class
  2. We then created our own class, inheriting from the AuthBase class
  3. The class only have the __call__() method implemented, currently
  4. The class can then be used the auth= parameter of a HTTP request

Conclusion

In this tutorial, you learned how to provide authentication for the requests you make with the Python requests library. Because most web APIs and services require some form of authentication, having a good handle on how to perform these with the requests library is an important skill. You first learned how to use basic authentication, digest authentication, and token authentication. Then, you learned how to use OAuth1 and OAuth2, as well as custom authentication implementations.

Additional Resources

To learn more about related topics, check out the tutorials below:

Источник

Читайте также:  Java exception object example
Оцените статью