# Climate Engine Authentication

The general authentication flow involves authenticating with the [Climate Engine Authorization Server](https://auth.climateengine.com/docs) and obtaining an access token, and using that token to access protected endpoints by including it in the Authorization header.

Here are some important endpoints that will be used in this tutorial:

`POST https://auth.climateengine.com/api/v1/auth/jwt/token`: Obtain an access token using some credentials

`GET https://auth.climateengine.com/api/v1/users/me`: Get information about your account (access token required)

`POST https://auth.climateengine.com/api/v1/clients/`: Create a new api client tied to your account (access token required)



### Requirements

`requests` and `authlib` libraries will be used for code examples in this tutorial, to install:

In [1]:
!pip install requests authlib

# if the above doesn't work, uncomment and try this:
# import sys
# !{sys.executable} -m pip install requests authlib

Defaulting to user installation because normal site-packages is not writeable
You should consider upgrading via the '/usr/bin/python3 -m pip install --upgrade pip' command.[0m[33m
[0m

### Token Endpoint

An access token can be obtained through a `POST` request to `/api/v1/auth/jwt/token` endpoint. The token endpoint supports OAuth2 `password` and `client_credentials` grant types. *Access tokens only last ~15 minutes*

#### **password grant type:**

In order to get an access token with `password` grant type, do a `POST` request to `/api/v1/auth/jwt/token` endpoint with the POST parameters `grant_type=password`, `username=<your_email>` and `password=<your_password>`. On successful authentication, the response will include an access token that is valid for ~15 minutes, along with some expiration information. This grant type is useful for testing, but the recommended grant type to obtain access tokens for client applications is `client_credentials`.

(`client_id` and `client_secret` fields are not required for `password` grant)

#### **client_credentials grant type:**

In order to get an access token with `client_credentials` grant type, you use your previously generated `client_id` and `client_secret` (more on that later) through one of the supported methods below:

(These are included here as a reference and they will generally be automatically handled with an oauth client library that supports these authentication methods (authlib in this tutorial's case).)

(`grant_type=client_credentials` POST parameter must be included for all the methods below)

**`client_secret_basic`:** Provide `client_id` and `client_secret` as username and password in HTTP Basic authorization header.

**`client_secret_post`:** Provide `client_id` and `client_secret` as POST parameters

**`client_secret_jwt`:** Create a JWT as described in the [spec](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) and sign it with `client_secret`. Set `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer` POST parameter, and include the JWT in `client_assertion` POST parameter.


### Obtain an access token and access a protected endpoint

We will use `requests` for making the requests here, but you can follow along using the [interactive api docs](https://auth.climateengine.com/docs).

In the [interactive api docs](https://auth.climateengine.com/docs), for endpoints that require authentication (e.g the endpoints under the users and clients sections), you can authenticate by clicking the padlock icon on the right and entering your username and password under OAuth2PasswordBearer in the modal that pops up (client_id and client_secret are not required). When the access token expires (and you get a 401 Unauthorized response), you need to logout and re-login using the same modal.


#### Get an access token

In order to get an access token, we will send a POST request to `/api/v1/auth/jwt/token` endpoint with our username and password and grant_type=password as form fields in the body.

(If you get a 401 Unauthorized response for the sections below because the access token is expired, you can renew it by re-running the cell below)

In [2]:
import requests

username = 'bennett@climateengine.com'
password = 'hunter2'

body = {'grant_type': 'password', 'username': username, 'password': password}
# note that we are using data= parameter instead of json=, because this endpoint expects x-www-form-urlencoded body
response = requests.post('https://auth.climateengine.com/api/v1/auth/jwt/token', data=body)
response_data = response.json()
print('status: {}'.format(response.status_code))
print(response_data)

access_token = response_data['access_token']

status: 200
{'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoiNzU2ZWI4YjQtOTU4Ni00ZDZlLTk3NDctZmM5ZGYwMmY2MjIyIiwiZ3JvdXBzIjpbXSwicm9sZXMiOlsiYWxsLWRhdGFzZXRzIl0sImF1ZCI6WyJodHRwczovL2F1dGguY2xpbWF0ZWVuZ2luZS5jb20iLCJodHRwczovL2FwaS5jbGltYXRlZW5naW5lLmNvbSJdLCJpc3MiOiJodHRwczovL2F1dGguY2xpbWF0ZWVuZ2luZS5jb20iLCJleHAiOjE2NjUwODAwNzcsImp0aSI6ImFhNWYxYWU2LWJjODYtNDgxNS1hNWIzLTg1OTYwZTYwMzE5ZSIsImlhdCI6MTY2NTA3OTE3N30.Isx2UzNR0auKytLXjgIErGufbTrgr0FoEdHPxWFZ-X7CDW6CKJJ3oAo0JbcPAr3roRPMe9eIDp0ancdZhRfuliOk-hszsK8TsoFMgb5hYa2EHlC1kzZyA7Pl3eyHOiKN1O7jbh-641lLGUlcdBoUIL4ZFQ_u7wgrJIZeyZFS2T8-n3ot_mXFTyybCTSRWS5OCJ-XAALpxwzZFEvO6AaZprMvwSwZkuqS_23fPJIDuCx0PQuAi_7fWNtRRBVG3IkombvpSXUFKPncAW5cTfmGEZeky6lpQ2aCPi6MwaoSSfcoN_TjWTj5bErSXfBBMEhU3qafGig8ghDGw8vf-z8WUw', 'token_type': 'bearer', 'expires_at': 1665080017, 'expires_in': 839}


#### Access a protected endpoint using the access token

In [3]:
headers = {
    'Authorization': 'Bearer ' + access_token
}
response = requests.get('https://auth.climateengine.com/api/v1/users/me', headers=headers)
print('status: {}'.format(response.status_code))
print(response.json())

status: 200
{'id': '756eb8b4-9586-4d6e-9747-fc9df02f6222', 'email': 'bennett@climateengine.com', 'is_active': True, 'is_superuser': False, 'is_verified': False}


### Create a `client` object, and use it to obtain access tokens automatically with authlib and requests

#### Create an OAuth2 client_id and client_secret

In order to create a client, we do an empty POST request to `/api/v1/clients` endpoint. `client_secret` is only shown once during client creation and can't be accessed later, so make sure to save it somewhere safe.

In [4]:
response = requests.post('https://auth.climateengine.com/api/v1/clients/', headers=headers)
response_data = response.json()
print('status: {}'.format(response.status_code))
print(response_data)

client_id = response_data['client_id']
client_secret = response_data['client_secret']

status: 201
{'user_id': '756eb8b4-9586-4d6e-9747-fc9df02f6222', 'client_id': 'b2628e59-7391-4ad4-b891-32706a5d7fc6', 'client_secret': 'QnbSL9x6Y_lSX9I708SOEJljah_zWgEa9KLiBlqqIIA'}


#### Create an authlib OAuth2Session client
OAuth2Session is also a requests (library) session, so it can be used just like the requests session. When using the `client_credentials` grant type and once an access token is fetched, authlib will automatically check whether the access token is expired before making a request and fetch a new token as necessary for the remaining requests.

In [5]:
from authlib.integrations.requests_client import OAuth2Session
from authlib.oauth2.rfc7523 import ClientSecretJWT

token_endpoint = 'https://auth.climateengine.com/api/v1/auth/jwt/token'

def client_secret_jwt_client():
    client = OAuth2Session(client_id, client_secret,
                           token_endpoint=token_endpoint,
                           grant_type='client_credentials',
                           token_endpoint_auth_method=ClientSecretJWT(token_endpoint),)
    client.fetch_token()
    return client

client = client_secret_jwt_client()
print('Getting an access_token with client_secret_jwt...')
print(client.fetch_token())

Getting an access_token with client_secret_jwt...
{'access_token': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoiNzU2ZWI4YjQtOTU4Ni00ZDZlLTk3NDctZmM5ZGYwMmY2MjIyIiwiZ3JvdXBzIjpbXSwicm9sZXMiOlsiYWxsLWRhdGFzZXRzIl0sImF1ZCI6WyJodHRwczovL2F1dGguY2xpbWF0ZWVuZ2luZS5jb20iLCJodHRwczovL2FwaS5jbGltYXRlZW5naW5lLmNvbSJdLCJpc3MiOiJodHRwczovL2F1dGguY2xpbWF0ZWVuZ2luZS5jb20iLCJleHAiOjE2NjUwODAwNzgsImp0aSI6Ijk5ZTgxNGExLTcyNjQtNGU1My1iYmI0LThhNWE4ZWFlY2ZiZSIsImlhdCI6MTY2NTA3OTE3OH0.1A2tccUDKX8O0CYEgy-ZvVSvJwavhusn23gxNh-SEe6yRA1Egb6hvoVI2gzuNQmvXfZEqqpwyZDkhBaXPN94QjZHp-zLk4N5WrAeYGSGiLLMrjJOw5GOvyd0E9MWHdJ2sNAziEIkbwY82XzfddGKyB_34MBWBoBkBlG-XZn4c9CvpP6Ie_9bQDQnbQshDJ1gsJjmzrxbT7xb4Cs0aOZjuwE7lgYdrpoDbDYWxoOo6L9vSVvG8Fb2T7P5yLGR77nrgGktKU1u7f1rat6eX3dqMGYiCYlNqd8tPq6Cm4j50kAvb5QRFRKUAM0jsecJAO__sPMR4pMin8Geu0bBmHwXOQ', 'token_type': 'bearer', 'expires_at': 1665080018, 'expires_in': 839}


#### Call a protected endpoints with the authlib `client`

In [6]:
client = client_secret_jwt_client()

response = client.get('https://auth.climateengine.com/api/v1/users/me')
print('status: {}'.format(response.status_code))
print(response.json())

status: 200
{'id': '756eb8b4-9586-4d6e-9747-fc9df02f6222', 'email': 'bennett@climateengine.com', 'is_active': True, 'is_superuser': False, 'is_verified': False}


If you see a `status 200` above, this indicates that you have successfully authenticated to the API.  You can now authenticate using your `client_id` and `client_secret` in future scripts!