OAuth Flows

If you want to get started doing OAuth2 flows, you should read the tutorial and look at the examples.

Flow Managers

These objects represent in-progress OAuth2 authentication flows. Most typically, you should not use these objects, but rather rely on the globus_sdk.AuthClient object to manage one of these for you through its oauth2_* methods.

All Flow Managers inherit from the GlobusOAuthFlowManager abstract class. They are a combination of a store for OAuth2 parameters specific to the authentication method you are using and methods which act upon those parameters.

class globus_sdk.auth.GlobusNativeAppFlowManager(auth_client, requested_scopes=None, redirect_uri=None, state='_default', verifier=None, refresh_tokens=False, prefill_named_grant=None)[source]

Bases: globus_sdk.auth.oauth2_flow_manager.GlobusOAuthFlowManager

This is the OAuth flow designated for use by clients wishing to authenticate users in the absence of a Client Secret. Because these applications run “natively” in the user’s environment, they cannot protect a secret. Instead, a temporary secret is generated solely for this authentication attempt.

Parameters

auth_client (AuthClient)
The NativeAppAuthClient object on which this flow is based. It is used to extract default values for the flow, and also to make calls to the Auth service. This SHOULD be a NativeAppAuthClient
requested_scopes (iterable or string)
The scopes on the token(s) being requested, as a space-separated string or iterable of strings. Defaults to openid profile email urn:globus:auth:scope:transfer.api.globus.org:all
redirect_uri (string)
The page that users should be directed to after authenticating at the authorize URL. Defaults to https://auth.globus.org/v2/web/auth-code, which displays the resulting auth_code for users to copy-paste back into your application (and thereby be passed back to the GlobusNativeAppFlowManager)
state (string)
Typically is not meaningful in the Native App Grant flow, but you may have a specialized use case for it. The redirect_uri page will have this included in a query parameter, so you can use it to pass information to that page. It defaults to the string ‘_default’
verifier (string)
A secret used for the Native App flow. It will by default be a freshly generated random string, known only to this GlobusNativeAppFlowManager instance
refresh_tokens (bool)
When True, request refresh tokens in addition to access tokens
prefill_named_grant (string)
Optionally prefill the named grant label on the consent page
exchange_code_for_tokens(auth_code)[source]

The second step of the Native App flow: exchange an authorization code for access tokens (and refresh tokens if specified).

Return type: OAuthTokenResponse
get_authorize_url(additional_params=None)[source]

Start a Native App flow by getting the authorization URL to which users should be sent.

Parameters

additional_params (dict)
A dict or None, which specifies additional query parameters to include in the authorize URL. Primarily for internal use
Return type: string

The returned URL string is encoded to be suitable to display to users in a link or to copy into their browser. Users will be redirected either to your provided redirect_uri or to the default location, with the auth_code embedded in a query parameter.
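The following is an added example, not code from globus_sdk, that models the two steps described above so the role of the verifier is visible: the verifier is the per-attempt temporary secret, only its hash travels in the authorize URL, and the token exchange later has to present the verifier itself. It assumes the standard PKCE S256 construction (RFC 7636) and the authorize endpoint URL and parameter names (code_challenge, code_challenge_method, access_type) shown in the code; the client id is a constructed placeholder and server_accepts_exchange is a stand-in for the check the authorization server performs, not an SDK function.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; the SDK's flow manager takes this from its NativeAppAuthClient.
AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"
# Default redirect_uri and scopes as documented for GlobusNativeAppFlowManager.
DEFAULT_REDIRECT = "https://auth.globus.org/v2/web/auth-code"
DEFAULT_SCOPES = "openid profile email urn:globus:auth:scope:transfer.api.globus.org:all"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """The per-attempt temporary secret: 32 random bytes -> 43 url-safe chars."""
    return _b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 challenge: only a hash of the verifier leaves the client up front."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def normalize_scopes(requested_scopes) -> str:
    """Accept a space-separated string or an iterable of strings, as the SDK does."""
    if requested_scopes is None:
        return DEFAULT_SCOPES
    if isinstance(requested_scopes, str):
        return requested_scopes
    return " ".join(requested_scopes)


def native_app_authorize_url(client_id, verifier, requested_scopes=None,
                             redirect_uri=DEFAULT_REDIRECT, state="_default",
                             refresh_tokens=False) -> str:
    """Step one: the URL the user is sent to. The verifier itself is NOT in it."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": normalize_scopes(requested_scopes),
        "state": state,
        "response_type": "code",
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
        # Assumed parameter name for asking for refresh tokens.
        "access_type": "offline" if refresh_tokens else "online",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def challenge_from_url(url: str) -> str:
    """What the authorization server records alongside the auth_code it issues."""
    return parse_qs(urlparse(url).query)["code_challenge"][0]


def server_accepts_exchange(recorded_challenge: str, presented_verifier: str) -> bool:
    """Step two as seen by the authorization server (stand-in, not the SDK):
    the exchange must present the verifier whose hash matches the challenge
    bound to the code. An auth_code captured from the redirect is useless
    without the verifier, which never left this process."""
    expected = make_challenge(presented_verifier)
    return hmac.compare_digest(expected, recorded_challenge)


if __name__ == "__main__":
    v = make_verifier()
    url = native_app_authorize_url("client-id-placeholder", v, ["openid", "email"])
    print(url)
    print("exchange accepted:", server_accepts_exchange(challenge_from_url(url), v))
```

The verifier is created fresh per flow manager instance, exactly as the verifier parameter above describes; if you persist it anywhere (for example to resume a flow after a restart), treat it with the same care as the auth_code it protects.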

class globus_sdk.auth.GlobusAuthorizationCodeFlowManager(auth_client, redirect_uri, requested_scopes=None, state='_default', refresh_tokens=False)[source]

Bases: globus_sdk.auth.oauth2_flow_manager.GlobusOAuthFlowManager

This is the OAuth flow designated for use by Clients wishing to authenticate users in a web application backed by a server-side component (e.g. an API). The key constraint is that there is a server-side system that can keep a Client Secret without exposing it to the web client. For example, a Django application can rely on the webserver to own the secret, so long as it doesn’t embed it in any of the pages it generates.

The application sends the user to get a temporary credential (an auth_code) associated with its Client ID. It then exchanges that temporary credential for a token, protecting the exchange with its Client Secret (to prove that it really is the application that the user just authorized).

Parameters

auth_client (ConfidentialAppAuthClient)
The AuthClient used to extract default values for the flow, and also to make calls to the Auth service. It MUST be a ConfidentialAppAuthClient
redirect_uri (string)
The page that users should be directed to after authenticating at the authorize URL. Required.
requested_scopes (iterable or string)
The scopes on the token(s) being requested, as a space-separated string or an iterable of strings. Defaults to openid profile email urn:globus:auth:scope:transfer.api.globus.org:all
state (string)
This is a way of your application passing information back to itself in the course of the OAuth flow. Because the user will navigate away from your application to complete the flow, this parameter lets you pass an arbitrary string from the starting page to the redirect_uri
refresh_tokens (bool)
When True, request refresh tokens in addition to access tokens
exchange_code_for_tokens(auth_code)[source]

The second step of the Authorization Code flow: exchange an authorization code for access tokens (and refresh tokens if specified).

Return type: OAuthTokenResponse
get_authorize_url(additional_params=None)[source]

Start an Authorization Code flow by getting the authorization URL to which users should be sent.

Parameters

additional_params (dict)
A dict or None, which specifies additional query parameters to include in the authorize URL. Primarily for internal use
Return type: string

The returned URL string is encoded to be suitable to display to users in a link or to copy into their browser. Users will be redirected either to your provided redirect_uri or to the default location, with the auth_code embedded in a query parameter.
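The following is an added example, not code from globus_sdk, that models the server-side half of the Authorization Code flow described above: the Client Secret stays in the server process, the state value issued at the start of the flow is checked and consumed when the browser comes back to redirect_uri, and the exchange is protected by the secret. It assumes the authorize endpoint URL and parameter names shown in the code; the client id, secret and redirect_uri are constructed placeholders, and FakeAuthServer is a stand-in for the token endpoint (it only shows what the secret and redirect_uri checks protect), not anything the SDK provides.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; the SDK's flow manager takes this from its ConfidentialAppAuthClient.
AUTHORIZE_URL = "https://auth.globus.org/v2/oauth2/authorize"
# Default scopes as documented for GlobusAuthorizationCodeFlowManager.
DEFAULT_SCOPES = "openid profile email urn:globus:auth:scope:transfer.api.globus.org:all"


def query_param(url: str, name: str):
    """First value of a query parameter, or None if it is absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


class AuthCodeFlow:
    """Server-side state for one web app. The secret never leaves this object,
    and every outstanding login attempt is keyed by a single-use state value."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self._client_secret = client_secret   # server only; never in a page
        self.redirect_uri = redirect_uri
        self._pending = {}                    # state -> data to hand back to the app

    def start(self, return_to="/", requested_scopes=None, refresh_tokens=False) -> str:
        """Step one: build the authorize URL. The random state binds this
        browser's later callback to this start call (the page above describes
        state as the string carried from the starting page to redirect_uri)."""
        if requested_scopes is None:
            scope = DEFAULT_SCOPES
        elif isinstance(requested_scopes, str):
            scope = requested_scopes
        else:
            scope = " ".join(requested_scopes)
        state = secrets.token_urlsafe(32)
        self._pending[state] = {"return_to": return_to}
        params = {
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
            "response_type": "code",
            "access_type": "offline" if refresh_tokens else "online",  # assumed name
        }
        return AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, callback_url: str):
        """Step two, server side. Reject callbacks whose state we did not issue
        (a forged or cross-site callback) and consume the state so it cannot
        be replayed. Returns (auth_code, return_to)."""
        state = query_param(callback_url, "state")
        code = query_param(callback_url, "code")
        if state is None or code is None:
            raise ValueError("callback missing code or state")
        pending = self._pending.pop(state, None)   # single use
        if pending is None:
            raise ValueError("unknown or already-used state")
        return code, pending["return_to"]

    def token_request(self, auth_code: str) -> dict:
        """What the server sends to the token endpoint: the secret goes in the
        client-authentication part of the request, never to the browser."""
        return {
            "auth": (self.client_id, self._client_secret),
            "data": {"grant_type": "authorization_code", "code": auth_code,
                     "redirect_uri": self.redirect_uri},
        }


class FakeAuthServer:
    """Minimal stand-in for the token endpoint (constructed for this example)."""

    def __init__(self, client_id, client_secret):
        self._clients = {client_id: client_secret}
        self._codes = {}   # code -> (client_id, redirect_uri) it was issued for

    def issue_code(self, client_id, redirect_uri) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        return code

    def exchange(self, request: dict):
        """Only the app holding the secret, using the same redirect_uri the
        code was issued for, gets tokens; anything else returns None."""
        cid, secret = request["auth"]
        known = self._clients.get(cid)
        if known is None or not hmac.compare_digest(known, secret):
            return None                       # not the app the user authorized
        issued = self._codes.pop(request["data"]["code"], None)  # codes are single use
        if issued != (cid, request["data"]["redirect_uri"]):
            return None                       # wrong client or redirect_uri
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}
```

In a real deployment the pending-state map lives in the session store or a short-lived cache rather than a process-local dict, and entries should expire; the single-use pop is what makes a replayed or guessed callback fail.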