OAuth2 Flows¶
If you want to get started doing OAuth2 flows, you should read the tutorial and look at the examples.
Flow Managers¶
These objects represent in-progress OAuth2 authentication flows.
Most typically, you should not use these objects, but rather rely on the
globus_sdk.AuthClient
object to manage one of these for you through
its oauth2_*
methods.
All Flow Managers inherit from the
GlobusOAuthFlowManager
abstract class.
They are a combination of a store for OAuth2 parameters specific to the
authentication method you are using and methods which act upon those parameters.
-
class
globus_sdk.auth.
GlobusNativeAppFlowManager
(auth_client, requested_scopes=None, redirect_uri=None, state='_default', verifier=None, refresh_tokens=False, prefill_named_grant=None)[source]¶ Bases:
globus_sdk.auth.oauth2_flow_manager.GlobusOAuthFlowManager
This is the OAuth flow designated for use by clients wishing to authenticate users in the absence of a Client Secret. Because these applications run “natively” in the user’s environment, they cannot protect a secret. Instead, a temporary secret is generated solely for this authentication attempt.
- Parameters:
auth_client (
NativeAppAuthClient
) – TheNativeAppAuthClient
object on which this flow is based. It is used to extract default values for the flow, and also to make calls to the Auth service.requested_scopes (str or iterable of str, optional) – The scopes on the token(s) being requested, as a space-separated string or iterable of strings. Defaults to
openid profile email urn:globus:auth:scope:transfer.api.globus.org:all
redirect_uri (str, optional) – The page that users should be directed to after authenticating at the authorize URL. Defaults to ‘https://auth.globus.org/v2/web/auth-code’, which displays the resulting
auth_code
for users to copy-paste back into your application (and thereby be passed back to theGlobusNativeAppFlowManager
)state (str, optional) – The
redirect_uri
page will have this included in a query parameter, so you can use it to pass information to that page if you use a custom page. It defaults to the string ‘_default’verifier (str, optional) – A secret used for the Native App flow. It will by default be a freshly generated random string, known only to this
GlobusNativeAppFlowManager
instancerefresh_tokens (bool, optional) – When True, request refresh tokens in addition to access tokens. [Default:
False
]prefill_named_grant (str, optional) – Prefill the named grant label on the consent page
-
exchange_code_for_tokens
(auth_code)[source]¶ The second step of the Native App flow, exchange an authorization code for access tokens (and refresh tokens if specified).
- Return type:
Start a Native App flow by getting the authorization URL to which users should be sent.
- Parameters:
additional_params (dict, optional) – Additional query parameters to include in the authorize URL. Primarily for internal use
- Return type:
string
The returned URL string is encoded to be suitable to display to users in a link or to copy into their browser. Users will be redirected either to your provided
redirect_uri
or to the default location, with theauth_code
embedded in a query parameter.
-
class
globus_sdk.auth.
GlobusAuthorizationCodeFlowManager
(auth_client, redirect_uri, requested_scopes=None, state='_default', refresh_tokens=False)[source]¶ Bases:
globus_sdk.auth.oauth2_flow_manager.GlobusOAuthFlowManager
This is the OAuth flow designated for use by Clients wishing to authenticate users in a web application backed by a server-side component (e.g. an API). The key constraint is that there is a server-side system that can keep a Client Secret without exposing it to the web client. For example, a Django application can rely on the webserver to own the secret, so long as it doesn’t embed it in any of the pages it generates.
The application sends the user to get a temporary credential (an
auth_code
) associated with its Client ID. It then exchanges that temporary credential for a token, protecting the exchange with its Client Secret (to prove that it really is the application that the user just authorized).- Parameters:
auth_client (
ConfidentialAppAuthClient
) – TheAuthClient
used to extract default values for the flow, and also to make calls to the Auth service.redirect_uri (str) – The page that users should be directed to after authenticating at the authorize URL.
requested_scopes (str or iterable of str, optional) – The scopes on the token(s) being requested, as a space-separated string or iterable of strings. Defaults to
openid profile email urn:globus:auth:scope:transfer.api.globus.org:all
state (str, optional) – This string allows an application to pass information back to itself in the course of the OAuth flow. Because the user will navigate away from the application to complete the flow, this parameter lets the app pass an arbitrary string from the starting page to the
redirect_uri
refresh_tokens (bool, optional) – When True, request refresh tokens in addition to access tokens. [Default:
False
]
-
exchange_code_for_tokens
(auth_code)[source]¶ The second step of the Authorization Code flow, exchange an authorization code for access tokens (and refresh tokens if specified)
- Return type:
Start a Authorization Code flow by getting the authorization URL to which users should be sent.
- Parameters:
additional_params (dict, optional) – Additional parameters to include in the authorize URL. Primarily for internal use
- Return type:
string
The returned URL string is encoded to be suitable to display to users in a link or to copy into their browser. Users will be redirected either to your provided
redirect_uri
or to the default location, with theauth_code
embedded in a query parameter.
Abstract Flow Manager¶
-
class
globus_sdk.auth.oauth2_flow_manager.
GlobusOAuthFlowManager
[source]¶ Bases:
object
An abstract class definition that defines the interface for the Flow Managers for Globus Auth. Flow Managers are really just bundles of parameters to Globus Auth’s OAuth2 mechanisms, along with some useful utility methods. Primarily they can be used as a simple way of tracking small amounts of state in your application as it leverages Globus Auth for authentication.
For sophisticated use cases, the provided Flow Managers will NOT be sufficient, but you should consider the provided objects a model.
This way of managing OAuth2 flows is inspired by oauth2client. However, because
oauth2client
has an uncertain future (as of 2016-08-31), and we would have to wrap it in order to provide a clean API surface anyway, we implement our own set of Flow objects.-
exchange_code_for_tokens
(auth_code)[source]¶ This method takes an auth_code and produces a response object containing one or more tokens. Most typically, this is the second step of the flow, and consumes the auth_code that was sent to a redirect URI used in the authorize step.
The exchange process may be parameterized over attributes of the specific flow manager instance which is generating it.
- Parameters:
auth_code (str) – The authorization code which was produced from the authorization flow
- Return type:
OAuthTokenResponse
This method consumes no arguments or keyword arguments, and produces a string URL for the Authorize Step of a 3-legged OAuth2 flow. Most typically, this is the first step of the flow, and the user may be redirected to the URL or provided with a link.
The authorize_url may be (usually is) parameterized over attributes of the specific flow manager instance which is generating it.
- Return type:
string
-