
Authentication With Service Discovery

Jean-Sébastien Sevestre edited this page Jul 8, 2019 · 21 revisions

This method uses the "google-auth" and "google-api-python-client" libraries for authentication. NB: see the google-auth documentation for extended auth capabilities.

WebAuth

You need a refresh token in order to use this method.

import os

from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build


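# OAuth client settings for the web-auth flow. They are read from the
# environment so that real secrets never end up in source control; the
# literals are the page's placeholders and are used only when a variable is
# unset. The environment variable names are examples -- choose your own.
CLIENT_ID = os.environ.get('LUMAPPS_CLIENT_ID', 'XXX.apps.googleusercontent.com')
CLIENT_SECRET = os.environ.get('LUMAPPS_CLIENT_SECRET', 'YYY')
# A refresh token is a long-lived credential: together with the client id and
# secret it can be exchanged for new access tokens until it is revoked.
REFRESH_TOKEN = os.environ.get('LUMAPPS_REFRESH_TOKEN', 'ZZZ')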

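def build_lumapps_service():
    """Build a LumApps API client authenticated with an OAuth refresh token.

    Reads the module-level CLIENT_ID, CLIENT_SECRET and REFRESH_TOKEN.

    Returns:
        The 'lumsites' v1 service object created by
        googleapiclient.discovery.build.
    """
    # Credentials takes its settings as keyword arguments; handing them over
    # as one dict in the second position binds the whole dict to
    # refresh_token and leaves client_id, client_secret and token_uri unset.
    # The access token is None, so one has to be obtained with the refresh
    # token at token_uri before an authorized call can succeed.
    credentials = Credentials(
        None,
        refresh_token=REFRESH_TOKEN,
        token_uri='https://accounts.google.com/o/oauth2/token',
        client_id=CLIENT_ID,
        client_secret=CLIENT_SECRET,
    )

    # The API description is loaded from the LumApps discovery document.
    service = build('lumsites', 'v1',
                    credentials=credentials,
                    discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest')

    return service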

Service account with delegation

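The service account must have domain-wide delegation enabled to use this method. With delegation the account can act as any user in the domain for the scopes it is authorized for, so keep service-account.json out of source control and authorize only the scopes you need.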

from google.oauth2 import service_account
from googleapiclient.discovery import build
import json

# OAuth scope requested for the service-account credentials.
scopes = ["https://www.googleapis.com/auth/userinfo.email"]

# Placeholder: address of the user the service account acts as (passed to
# with_subject() in build_lumapps_service).
email = 'EMAIL_TO_USER_WITH_DELEGATION'

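def build_lumapps_service():
    """Build a LumApps API client that acts as a user through delegation.

    Loads the service-account key from 'service-account.json' in the current
    working directory, restricts it to the module-level ``scopes`` and sets
    the module-level ``email`` as the subject.

    Returns:
        The 'lumsites' v1 service object created by
        googleapiclient.discovery.build.

    Raises:
        OSError: if the key file cannot be opened.
        ValueError: if the key file is not valid JSON.
    """
    # Close the key file as soon as it is parsed instead of leaving the handle
    # to the garbage collector. The file holds the account's private key.
    with open('service-account.json', encoding='utf-8') as key_file:
        key_info = json.load(key_file)

    credentials = service_account.Credentials.from_service_account_info(key_info)
    credentials = credentials.with_scopes(scopes)
    credentials = credentials.with_subject(email)  # create delegation

    service = build('lumsites', 'v1',
                    credentials=credentials,
                    discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest')
    return service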

Service account without delegation

Ask LumApps Lab to register your service account clientId on your customer. This allows the service account to retrieve an access token for any user on your LumApps platform, so protect its key file as you would an administrator credential.

import json
from googleapiclient.discovery import build
from google.oauth2.credentials import Credentials
from google.oauth2 import service_account


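# OAuth scope requested for the service-account credentials.
scopes = ['https://www.googleapis.com/auth/userinfo.email']

# build_lumapps_service reads CUSTOMER_ID, which the page never defines.
# Placeholder value (constructed): replace it with your LumApps customer id.
CUSTOMER_ID = 'YOUR_CUSTOMER_ID'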

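def build_lumapps_service():
    """Build a LumApps API client for a user without domain-wide delegation.

    Authenticates as the service account, asks LumApps for an access token for
    one user through ``user().getToken`` and returns a second client that
    carries that user's token.

    CUSTOMER_ID (your LumApps customer id) must be defined at module level,
    and the e-mail passed to getToken is the page's sample address.

    Returns:
        The 'lumsites' v1 service object authenticated with the user's token.

    Raises:
        OSError: if the key file cannot be opened.
        ValueError: if the key file is not valid JSON.
    """
    # Close the key file as soon as it is parsed. It holds the account's
    # private key.
    with open('service-account.json', encoding='utf-8') as key_file:
        key_info = json.load(key_file)

    credentials = service_account.Credentials.from_service_account_info(key_info)
    # The module defines ``scopes``; ``_api_scopes`` does not exist here and
    # raised NameError.
    credentials = credentials.with_scopes(scopes)
    # no delegation required

    service = build('lumsites', 'v1',
                    credentials=credentials,
                    discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest')
    # getToken() only prepares the request; execute() sends it and returns the
    # parsed response, which is what the subscript below needs.
    resp = service.user().getToken(customerId=CUSTOMER_ID, email="user@email.com").execute()

    # Use the token. It grants access as that user, so keep it out of logs.
    user_credentials = Credentials(resp['accessToken'])

    user_service = build('lumsites', 'v1',
                         credentials=user_credentials,
                         discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest')
    return user_service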
