# OAuth2 e OpenID


In [1]:
import requests
import os

os.environ['GCLOUD_PROJECT_ID']

'dev-openid-288208'

## OAuth2.0
OAuth2 e' un protocollo utilizzato per garantire ad un client l'autorizzazione per le API di un server.

L'autorizzazione e' espressa attraverso un token, chiamato `access_token`, che deve essere contenuto negli header delle richieste API.

### 0. Registrazione dell'applicazione

In [2]:
print('id:',     os.environ['GCLOUD_CLIENT_ID'])
print('secret:', 'GCLOUD_CLIENT_SECRET' in os.environ)

id: 359913789820-tfbqpn1mpan21vgjb408i42rd1ruc9mv.apps.googleusercontent.com
secret: True


### A-1. Richiesta del token
redirect 301 alla pagina di aturotizzazione, specificando `client_id` e `redirect_uri` dell'applicazione registrata

In [3]:
from urllib.parse import quote
port = 8000

authorization_url = 'https://accounts.google.com/o/oauth2/v2/auth'
response_type     = 'code'
client_id         = os.environ['GCLOUD_CLIENT_ID']
redirect_uri      = quote(f'http://localhost:{port}')
scope             = quote('email openid https://www.googleapis.com/auth/drive.file')
state             = 'piccirimello'

params = '&'.join([
    f'response_type={response_type}', # Comportamento del server di autorizzazione
    f'client_id={client_id}',         # Identificativo dell'applicazione
    f'redirect_uri={redirect_uri}',   # Dove far redirect una volta che il processo di autorizzazione e' terminato
    f'scope={scope}',                 # Autorizzazioni richieste
    f'state={state}',                 # Stato che viene ritornato indietro al server
])
redirect_to = f'{authorization_url}?{params}'

print(redirect_to)

https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=359913789820-tfbqpn1mpan21vgjb408i42rd1ruc9mv.apps.googleusercontent.com&redirect_uri=http%3A//localhost%3A8000&scope=email%20openid%20https%3A//www.googleapis.com/auth/drive.file&state=piccirimello


### A-2. Attesa dell'access token
Ci si mette in ascolto sulla porta specificata nel redirect, in attesa che il client compia il login.

In [14]:
import http.server
from urllib.parse import urlparse

handler = http.server.SimpleHTTPRequestHandler

print('Waiting for authorization...')

with http.server.HTTPServer(('', port), handler) as server:
    sock, _ = server.get_request()
    raw_http = sock.recv(2048).decode('utf-8')
    
raw_url, _ = raw_http.split('\r\n', 1)
request_url = urlparse(raw_url)
print(raw_url)

Waiting for authorization...
GET /?state=piccirimello&code=4%2F0AY0e-g7JqWPDR83xkLMaGZgtQlZF7zWO0BX-leo63FDcgPQ6HP7deDSEZ-xuZQfUFvvULQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&prompt=none HTTP/1.1


### B-1. Lettura dell'access code ricevuto

In [5]:
from urllib.parse import parse_qs
from pprint import  pprint

querystring = request_url.query
params = parse_qs(querystring)

pprint(params)
auth_code = params['code'][0]

{'authuser': ['0'],
 'code': ['4/0AY0e-g5OTppuhm_1O5CGHBaXi2UVQL_N0yR5nuworeQKf6hQYfjuhVvpTokC1uDTzDG0xg'],
 'prompt': ['consent HTTP/1.1'],
 'scope': ['email https://www.googleapis.com/auth/userinfo.email openid '
           'https://www.googleapis.com/auth/drive.file'],
 'state': ['piccirimello']}


### B-2. Scambio autorization_code e credenziali client per access token


In [6]:
import requests

response = requests.post('https://oauth2.googleapis.com/token', json={
    'code':          auth_code,
    'client_id':     os.environ['GCLOUD_CLIENT_ID'],
    'client_secret': os.environ['GCLOUD_CLIENT_SECRET'],
    'redirect_uri':  f'http://localhost:{port}',
    'grant_type':    'authorization_code'
})

In [7]:
jresponse = response.json()

access_token = jresponse['access_token']
pprint(jresponse)

{'access_token': 'ya29.a0AfH6SMAJXm-4k3T9c4QqSf0aZ0ygfdszbC49N4xgZt2b2oZYn48PfosfylQxofdVirV5ZLvIiw_UUqS53Si0FCJOctNxYKym-a7F6kR-AC7fzRzdhO13CvbpLtZDxoBvh3PQ_YYbALQmCIW5F-zhpRjRtttb',
 'expires_in': 3599,
 'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlOTU1NmFkNDY4MDMxMmMxMTdhZmFlZjI5MjBmNWY5OWE0Yzc5ZmQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzNTk5MTM3ODk4MjAtdGZicXBuMW1wYW4yMXZnamI0MDhpNDJyZDFydWM5bXYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIzNTk5MTM3ODk4MjAtdGZicXBuMW1wYW4yMXZnamI0MDhpNDJyZDFydWM5bXYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDI1NTkwNDg4NDg2MjMwNjk5NDgiLCJlbWFpbCI6ImFsZWNyZDk4QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdF9oYXNoIjoiT2ljMHZlMWtXZHliMlVZbVRCRzRvQSIsImlhdCI6MTYxOTQyMDk1MSwiZXhwIjoxNjE5NDI0NTUxfQ.pkTGbT35zuDVguBy9WRIi2zbDjIhtfxM71B_Bvp9HQeVAQPZO8ht2Daq7ERDsayiUYwM0-KYbfzY1VFbyB2Y2xyB3WknJHvV-qlErx85HKw4rY2cdS01vpNGcKlTlB_QnciNWEAyt4BOLTIKYsFsYqJ_OkZh-f_kbNX7ir-Sd_mbQl9-JIojZeQRlQO5rkPBjpcJuoWPAZ1oqPzFC_O

### C. Richiesta a Google Drive con access-token

In [8]:
import hashlib, datetime

now = datetime.datetime.now().isoformat()
now_hash = hashlib.sha256(now.encode('utf-8')).hexdigest()

file_content = f'''
Data: {now}
Hash: {now_hash}
'''

print(file_content)


Data: 2021-04-26T07:10:02.698531
Hash: 119ab72baba158e07ba1bde3d87456ece5a80dd156701ecb3b380add107faa48



In [9]:
headers = {'Content-Type': 'text/plain', 'Authorization': f'Bearer {access_token}'}

drive_response = requests.post('https://www.googleapis.com/upload/drive/v3/files?uploadType=media',
                               headers=headers,
                               data=file_content)

jdrive_response = drive_response.json()
pprint(jdrive_response)

{'id': '1nXhtwBQdtiwSesAXasInxtlA-CbvK9tw',
 'kind': 'drive#file',
 'mimeType': 'text/plain',
 'name': 'Untitled'}


In [10]:
print(f'https://drive.google.com/open?id={jdrive_response["id"]}')

https://drive.google.com/open?id=1nXhtwBQdtiwSesAXasInxtlA-CbvK9tw


![authorization-code.png](attachment:authorization-code.png)

## Autenticazione con OpenID

In [11]:
import base64, json
jwt = jresponse['id_token']

head, body, checksum = jwt.split('.')

decoded_head = json.loads(base64.b64decode(head + '=='))
decoded_body = json.loads(base64.b64decode(body + '=='))

In [12]:
pprint(decoded_head)

{'alg': 'RS256',
 'kid': 'de9556ad4680312c117afaef2920f5f99a4c79fd',
 'typ': 'JWT'}


In [13]:
pprint(decoded_body)

{'at_hash': 'Oic0ve1kWdyb2UYmTBG4oA',
 'aud': '359913789820-tfbqpn1mpan21vgjb408i42rd1ruc9mv.apps.googleusercontent.com',
 'azp': '359913789820-tfbqpn1mpan21vgjb408i42rd1ruc9mv.apps.googleusercontent.com',
 'email': 'alecrd98@gmail.com',
 'email_verified': True,
 'exp': 1619424551,
 'iat': 1619420951,
 'iss': 'https://accounts.google.com',
 'sub': '102559048848623069948'}
