API Authorization#
Using a GlobusAuthorizer
is hard to grasp without a few examples to reference.
The basic usage should be to create these at client instantiation time.
Access Token Authorization on AuthClient and TransferClient#
Perhaps you’re in a part of your application that only sees Access Tokens. Access Tokens are used to directly authenticate calls against Globus APIs, and are limited-lifetime credentials. You have distinct Access Tokens for each Globus service which you want to access.
With the tokens in hand, it’s just a simple matter of wrapping the tokens in
AccessTokenAuthorizer
objects.
from globus_sdk import AuthClient, TransferClient, AccessTokenAuthorizer
AUTH_ACCESS_TOKEN = "..."
TRANSFER_ACCESS_TOKEN = "..."
# note that we don't provide the client ID in this case
# if you're using an Access Token you can't do the OAuth2 flows
auth_client = AuthClient(authorizer=AccessTokenAuthorizer(AUTH_ACCESS_TOKEN))
transfer_client = TransferClient(
authorizer=AccessTokenAuthorizer(TRANSFER_ACCESS_TOKEN)
)
Refresh Token Authorization on AuthClient and TransferClient#
Refresh Tokens are long-lived credentials used to get new Access Tokens whenever they expire. However, it would be very awkward to create a new client instance every time your credentials expire!
Instead, use a RefreshTokenAuthorizer
to automatically re-up your credentials
whenever they near expiration.
Re-upping credentials is an operation that requires having client credentials for Globus Auth, so creating the authorizer is more complex this time.
from globus_sdk import (
AuthClient,
TransferClient,
ConfidentialAppAuthClient,
RefreshTokenAuthorizer,
)
# for doing the refresh
CLIENT_ID = "..."
CLIENT_SECRET = "..."
# the actual tokens
AUTH_REFRESH_TOKEN = "..."
TRANSFER_REFRESH_TOKEN = "..."
# making the authorizer requires that we have an AuthClient which can talk
# OAuth2 to Globus Auth
internal_auth_client = ConfidentialAppAuthClient(CLIENT_ID, CLIENT_SECRET)
# now let's bake a couple of authorizers
auth_authorizer = RefreshTokenAuthorizer(AUTH_REFRESH_TOKEN, internal_auth_client)
transfer_authorizer = RefreshTokenAuthorizer(
TRANSFER_REFRESH_TOKEN, internal_auth_client
)
# auth_client here is totally different from "internal_auth_client" above
# the former is being used to request new tokens periodically, while this
# one represents a user authenticated with those tokens
auth_client = AuthClient(authorizer=auth_authorizer)
# transfer_client doesn't have to contend with this duality -- it's always
# representing a user
transfer_client = TransferClient(authorizer=transfer_authorizer)
Basic Auth on an AuthClient#
If you’re using an AuthClient
to do OAuth2
flows, you likely want to authenticate it using your client credentials – the
client ID and client secret.
The preferred method is to use the AuthClient
subclass which automatically
specifies its authorizer.
Internally, this will use a BasicAuthorizer
to do Basic Authentication.
By way of example:
from globus_sdk import ConfidentialAppAuthClient
CLIENT_ID = "..."
CLIENT_SECRET = "..."
client = ConfidentialAppAuthClient(CLIENT_ID, CLIENT_SECRET)
and you’re off to the races!
Under the hood, this is implicitly running
AuthClient(authorizer=BasicAuthorizer(CLIENT_ID, CLIENT_SECRET))
but don’t do this yourself – ConfidentialAppAuthClient
has different
methods from the base AuthClient
.