# Lesson 2 - Credentials

## Overview

The Application Framework implements OAuth 2.0 for delegating access to your Logging, Event and Directory Sync services.

The `pancloud` SDK comes packaged with OAuth 2.0 support to ease the process of:

- Generating an authorization URL
- Exchanging an authz code for tokens (authorization code grant)
- Refreshing tokens
- Revoking tokens
- Token caching
- Using a custom credentials store (storage adapters)

In this lesson we'll step through the process of generating, accessing, storing and refreshing credentials.

> **Note:** Run the following code cells using the <button class="btn btn-default btn-xs"><i class="fa-step-forward fa"></i><span class="toolbar-btn-label">Run</span></button> button or `Shift-Enter`.

**Step 0: Install TinyDB**  
The TinyDB package is required by the default credentials store

In [None]:
!pip install tinydb

**Step 1: Import Credentials**  
To get started, you will first need to import the `Credentials` class

In [None]:
from pancloud import Credentials

**Step 2: Instantiate credentials class**  
Next, let's construct a credentials instance using "dummy" credentials.

In [None]:
c = Credentials(
    access_token='instance_access_token',
    client_id='instance_client_id',
    client_secret='instance_client_secret',
    refresh_token='instance_refresh_token'
)

At this point, a `Credentials` object has been created and assigned to the variable `c`. Let's try to access its properties.

**Step 3: Accessing Credentials**  
The `Credentials` class provides easy access to your `client_id`, `client_secret`, `refresh_token` and `access_token`. Let's take a peek at the credentials we set in the previous step.

In [None]:
c.access_token

In [None]:
c.client_id

In [None]:
c.client_secret

In [None]:
c.refresh_token

Accessing credentials one at a time can be useful but what if you need them all at once? Let's try using the `get_credentials()` method which returns a read-only, `namedtuple` representation of the credentials.

In [None]:
c.get_credentials()

> **Note:** The `get_credentials()` method returns a snapshot of the most current credentials at the time it is executed.

**Step 4: Refreshing Tokens**
The minimal credentials needed to perform a `refresh()` are `client_id`, `client_secret` and `refresh_token`. Let's try to perform a token `refresh()`.

> **Note:** You should receive a `PanCloudError` and a message indicating "Invalid client or client credentials". Don't worry. This is expected behavior, since we are using "dummy" credentials. We'll try again later using valid credentials.

In [None]:
c.refresh()

These "dummy" credentials are ruining this session. Let's ditch them and try again.

In [None]:
c = Credentials()
c.refresh()

If the `refresh()` operation succeeded it should have returned an `access_token`. To be sure we stored it, let's try reading it again as a property.

In [None]:
c.access_token

**Step 5: Credential Resolver**

Another important feature of the `Credentials` class is its ability to look for credentials in different places, following a particular lookup order. The following describes this lookup pattern:

`1.` Credentials passed as Credentials constructor key-word arguments:

```python
c = Credentials(
    access_token=<access_token>,
    client_id=<client_id>,
    client_secret=<client_secret>,
    refresh_token=<refresh_token>
)
```

`2.` Credentials stored as environment variables:

- `PAN_ACCESS_TOKEN`
- `PAN_CLIENT_ID`
- `PAN_CLIENT_SECRET`
- `PAN_REFRESH_TOKEN`

`3.` Credentials stored in a credentials file (~/.config/pancloud/credentials.json) or custom store:

```json
{
    "profiles": {
        "1": {
            "access_token": <access_token>,
            "client_id": <client_id>,
            "client_secret": <client_secret>,
            "profile": <profile>,
            "refresh_token": <refresh_token>
        }
    }
}
```

All clear? Now let's see it in action.

In [None]:
# First, let's start with a fresh Credentials instance
c = Credentials()

# Read credentials from store
c.get_credentials()

# Set "dummy" credentials as environment variables
%env PAN_ACCESS_TOKEN=envar_access_token
%env PAN_CLIENT_ID=envar_client_id
%env PAN_CLIENT_SECRET=envar_client_secret
%env PAN_REFRESH_TOKEN=envar_refresh_token
    
# Read credentials from envars
c.get_credentials()

Now, the credentials are getting retrieved from environment variables. Let's try to override them by passing the `access_token` as a constructor argument.

In [None]:
c = Credentials(access_token='instance_access_token')
c.get_credentials()

Let's see what happens if we try to `refresh()` now.

In [None]:
c.refresh()

Finally, let's delete our environment variables and start with a fresh `Credentials` instance to revert to our credentials store.

In [None]:
import os
del os.environ['PAN_ACCESS_TOKEN']
del os.environ['PAN_CLIENT_ID']
del os.environ['PAN_CLIENT_SECRET']
del os.environ['PAN_REFRESH_TOKEN']

c = Credentials()
c.get_credentials()

## Next steps

This concludes the lesson on `Credentials`. Continue to [Lesson 3 - Logging Service](Lesson 3 - Logging Service.ipynb) to run some queries.