Authentication With Service Discovery
js.sevestre edited this page Oct 11, 2019
·
21 revisions
These methods use the google-oauth and google-api-python-client libraries for authentication.
See the google-auth documentation for extended auth capabilities.
See the Google documentation "Using OAuth 2.0 to Access Google APIs" for resources in other languages.
You need a refresh token in order to use this method. It can be retrieved by building a web app and setting up a login process, or by using the OAuth Playground.
import os

from google.oauth2.credentials import Credentials
from googleapiclient.discovery import build
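# The client secret and the refresh token are long-lived credentials, so real
# values belong in the environment or a secret store, not in a source file.
# The environment-variable names below are constructed examples, not names
# defined by LumApps or Google.  The literals are the page's placeholders and
# are used only when the corresponding variable is unset.
CLIENT_ID = os.environ.get('LUMAPPS_CLIENT_ID', 'XXX.apps.googleusercontent.com')
CLIENT_SECRET = os.environ.get('LUMAPPS_CLIENT_SECRET', 'YYY')
REFRESH_TOKEN = os.environ.get('LUMAPPS_REFRESH_TOKEN', 'ZZZ')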
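def build_lumapps_service():
    """Build a LumApps API client authenticated with an OAuth 2.0 refresh token.

    Reads the module-level CLIENT_ID, CLIENT_SECRET and REFRESH_TOKEN.

    Returns:
        The ``lumsites`` v1 service object that ``build`` creates from the
        LumApps discovery document.
    """
    # Credentials takes its settings as keyword arguments.  A dict passed in
    # second position is bound as a whole to ``refresh_token`` and leaves
    # client_id, client_secret and token_uri unset, so the access token
    # cannot be refreshed.
    credentials = Credentials(
        None,  # no access token yet; it is obtained from the refresh token
        refresh_token=REFRESH_TOKEN,
        token_uri='https://accounts.google.com/o/oauth2/token',
        client_id=CLIENT_ID,
        client_secret=CLIENT_SECRET,
    )
    service = build(
        'lumsites', 'v1',
        credentials=credentials,
        discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest',
    )
    return service


# Service account must have domain-wide delegation to use this method.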
from google.oauth2 import service_account
from googleapiclient.discovery import build
import json
# OAuth scope requested for the service-account credentials.
scopes = [
    "https://www.googleapis.com/auth/userinfo.email",
]
# Placeholder: address of the user passed to with_subject() for delegation.
email = 'EMAIL_TO_USER_WITH_DELEGATION'
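def build_lumapps_service():
    """Build a LumApps API client that acts as a delegated user.

    Loads the service-account key from ``service-account.json`` in the
    working directory and uses the module-level ``scopes`` and ``email``.

    Returns:
        The ``lumsites`` v1 service object that ``build`` creates from the
        LumApps discovery document.
    """
    # from_service_account_file opens, parses and closes the key file itself;
    # json.load(open(...)) left the file handle open.  The key file is a
    # long-lived credential: keep it out of version control and readable only
    # by the account that runs this code.
    credentials = service_account.Credentials.from_service_account_file(
        'service-account.json')
    credentials = credentials.with_scopes(scopes)
    # Create the delegation: tokens are requested for ``email`` rather than
    # for the service account itself, so keep ``scopes`` as narrow as possible.
    credentials = credentials.with_subject(email)
    service = build(
        'lumsites', 'v1',
        credentials=credentials,
        discoveryServiceUrl='https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest',
    )
    return service


# Ask LumApps Lab to register your service account clientId on your customer.
# This allows the service account to retrieve an access token for any user on
# your LumApps platform.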
import json
from googleapiclient.discovery import build
from google.oauth2.credentials import Credentials
from google.oauth2 import service_account
# OAuth scope requested for the service-account credentials.
scopes = [
    "https://www.googleapis.com/auth/userinfo.email",
]
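def build_lumapps_service():
    """Build a LumApps API client that calls the API with a user's token.

    The service account first authenticates as itself, asks LumApps for an
    access token for one user, then a second client is built with that token.

    Uses the module-level ``scopes`` and ``CUSTOMER_ID``; ``CUSTOMER_ID`` is
    not defined in this listing and must be set before the call.

    Returns:
        A ``lumsites`` v1 service object authenticated with the user's token.
    """
    discovery_url = 'https://lumsites.appspot.com/_ah/api/discovery/v1/apis/lumsites/v1/rest'

    # A / create credentials with the service account only.
    # from_service_account_file opens, parses and closes the key file itself;
    # json.load(open(...)) left the file handle open.  This key can obtain a
    # token for any user of the platform, so store it as a secret.
    credentials = service_account.Credentials.from_service_account_file(
        'service-account.json')
    credentials = credentials.with_scopes(scopes)

    # B / connect to LumApps and call user/getToken.
    service = build('lumsites', 'v1',
                    credentials=credentials,
                    discoveryServiceUrl=discovery_url)
    # The method call only builds a request object; execute() sends it and
    # returns the parsed response, which is what can be indexed below.
    resp = service.user().getToken(customerId=CUSTOMER_ID,
                                   email="user@email.com").execute()
    # resp contains the "accessToken".  It is a bearer credential for that
    # user: do not log or persist it.

    # C / next calls use only the user token.
    user_credentials = Credentials(resp['accessToken'])
    user_service = build('lumsites', 'v1',
                         credentials=user_credentials,
                         discoveryServiceUrl=discovery_url)
    # e.g. user_service.user().get() will return the user profile.
    # It is also possible to use a direct GET call to
    # https://lumsites.appspot.com/_ah/api/lumsites/v1/user/get
    # with the token in the "Authorization" header.
    return user_service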