Using Google OAuth on localhost

python oauth google-api google-api-client

17,758

Solution 1

Just to be clear, you can use the web application flow with localhost while developing on either OAuth 1.0 or OAuth 2.0. OAuth 2.0 should be preferred as it's the mechanism we are focussed on. The user experience for OAuth 2.0 is going to be substantially better.

There's nothing stopping you from using localhost as your callback URL. I do this myself all the time. You just need to make sure the callback URL matches exactly, including any port numbers, and you can't deploy your application that way for obvious reasons. Installed applications are more complicated, but if you're doing something with Django, it's possible to take advantage of the fact that OAuth 2.0 is a bearer-token system. As long as you're keeping the refresh token server-side, you can authenticate with your own application out-of-band and then send the bearer token to the installed application. Your installed application will have roughly a one-hour window in which to make calls before you'll need to repeat the process. This can happen transparently to the user in most cases. Transmission of the bearer token should happen over an encrypted channel.

Solution 2

OAuth 1.0 for Installed Applications

Besides that, you probably don't want to include your actual CONSUMER_KEY and CONSUMER_SECRET in the example code.

Solution 3

Try your code without arguments:

return HttpResponseRedirect(request_token.generate_authorization_url())

17,758

Author by

I159

Updated on June 01, 2022

Comments

I159 almost 2 years

I started to use OAuth with Python and Django. I need it for Google APIs. I working on localhost, so I can't register a domain for url-callback. I've read about that Google OAuth could be used with anonymous domain. Can't find, how and where I can do that?

Edit:

I have this view:

def authentication(request):
    CONSUMER_KEY = 'xxxxx'
    CONSUMER_SECRET = 'xxxxx'
    SCOPES = ['https://docs.google.com/feeds/', ]

    client = gdata.docs.client.DocsClient(source='apiapp')
    oauth_callback_url = 'http://%s/get_access_token' % request.META.get('HTTP_HOST')
    request_token = client.GetOAuthToken(
      SCOPES, oauth_callback_url, CONSUMER_KEY, consumer_secret=CONSUMER_SECRET)
   domain = '127.0.0.1:8000'
   return HttpResponseRedirect(
        request_token.generate_authorization_url(google_apps_domain=domain))

And this error:

Sorry, you've reached a login page for a domain that isn't using Google Apps. Please check the web address and try again.

Registered via https://code.google.com/apis/console/

Edit:

CONSUMER_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
CONSUMER_SECRET = 'xxxxxxxxxxxxxxxxxxxxxxxxx'
SCOPES = ['https://docs.google.com/feeds/', ]
DOMAIN = 'localhost:8000'


def authentication(request):    
    client = gdata.docs.client.DocsClient(source='apiapp')
    oauth_callback_url = 'http://%s/get_access_token' % DOMAIN

    request_token = client.GetOAuthToken(SCOPES,
                                     oauth_callback_url,
                                     CONSUMER_KEY,
                                     consumer_secret=CONSUMER_SECRET)

    return HttpResponseRedirect(
        request_token.generate_authorization_url())


def verify(request):
    client = gdata.docs.client.DocsClient(source='apiapp')
    f = open('/home/i159/.ssh/id_rsa')
    RSA_KEY = f.read()
    f.close()

    oauth_callback_url = 'http://%s/get_access_token' % DOMAIN

    request_token = client.GetOAuthToken(SCOPES,
                                     oauth_callback_url,
                                     CONSUMER_KEY,
                                     rsa_private_key=RSA_KEY)
    return HttpResponseRedirect(
        request_token.generate_authorization_url(google_apps_domain=DOMAIN))

The error:

Unable to obtain OAuth request token: 400, Consumer does not have a cert: xxxxxxxxxxxxxxx.apps.googleusercontent.com

Ellie Kesselman over 12 years

+1 for your good advice about what NOT to include in the example code. I thought OAuth 2.0 was the standard now, but I'm guessing it is still experimental in this context based on your answer?
Ellie Kesselman over 12 years

Yes, you're so right @Cody Hess. I just read this stackoverflow.com/questions/5408971/… and there's lots more all over Google groups. OAuth 1.0 is the way, for now.
Cody Hess over 12 years

@FeralOink The 2.0 documentation also mentions installed applications with a special redirect URL, but there's a grossness where your user has to copy-paste an access token from a browser window.
I159 over 12 years

I tried your advice. Google has requested allow for access to documents. This is it I think. And now Google has redirected me to 127.0.0.1:8000/get_access_token?oauth_verifier=... This is error for me now, but this is movement.
Bob Aman over 12 years

I work for Google. Please use OAuth 2.0, not OAuth 1.0. Our OAuth 2.0 implementation is actively supported and is currently the best way to authorize against a Google API. Don't let the "Experimental" tag on the API intimidate you. See the docs for the different application flows we support on OAuth 2.0: code.google.com/apis/accounts/docs/OAuth2.html
I159 over 12 years

Bob, I appreciate your attention to my problem. I moved to one step in my issue with @Stanpol 's advice. But I still have this problem, on /get_access_token/?oauth_verifier= I've got an error: Consumer does not have a cert... I made changes to my question, consisting of the latest code. I would be very grateful for the code example, how do you do this, since Google bit confusing me.
Bob Aman over 12 years

Have you tried playing around with the OAuth Playground? It may help to give you more insight into how OAuth 1 works.
Bob Aman over 12 years

And just to be clear, you cannot manage the localhost domain because it's not reachable from the manage domains tool, which is where you would upload an X.509 certificate. The domain has to be verified before you can upload a certificate for it and that can't be done with localhost. This is just one more reason you should be using OAuth 2. I believe OAuth 1 can only be done with localhost if you're using the HMAC-SHA1 signature method. If you absolutely must use OAuth 1, you're going to need to switch your signature method.
Ellie Kesselman over 12 years

@BobAman That is important that you mention that. I thought the Experimental tag on OAuth 2.0 meant it wasn't ready for general use, and that OAuth 1.0 was the de facto standard. THANK YOU for clarifying! I will amend a post I wrote about it accordingly gooplex.wordpress.com/2011/03/07/…
Bob Aman over 12 years

@FeralOink Experimental really just means that breaking changes may happen, but even so, that's not going to be common. The advantages of OAuth 2.0 vastly outweigh the risks here. However, to clarify, "Experimental" and "Labs" aren't all that different. "Experimental" just means that there aren't really any formal promises about reliability, availability, or breaking changes. But this is Google. Our "experiments" are often the preferred way of doing things. :-)