OAuth2¶

Ferris provides utilities for interacting with Google’s implementation of OAuth2 Service Account Flow as well as obtaining the access token from the active endpoints request. This makes it easy to obtain account credentials and access Google APIs.

This documentation assumes you have an understanding of OAuth2. If you’d like to read more on the subject of OAuth2 and how Google uses it please read Google’s documentation.

Endpoints Credentials¶

If your endpoint require authentication then you can obtain the user’s authorization token. You can use this to access Google APIs as long as the token was authorized for the appropriate scope. Do not that endpoints does not provide the refresh token so these access tokens are short-lived (at most 1 hour) so it is not advisable to store these credentials.

ferris3.oauth2.get_endpoints_credentials()[source]¶

Gets the oauth2 credentials from the user authenticated to Google Cloud Endpoints.

Presently, this does not work for Android and iOS clients. We are open to patches to fix it.

Example of using this to get the user’s information:

from ferris3 import auto_service, auto_method, Service, oauth2, google_apis

@auto_service
class AuthInfoService(Service):

    @auto_method(returns=UserInfoMessage)
    def info(self, request):
        creds = oauth2.get_endpoints_credentials()
        client = google_apis.build('oauth2', 'v2', creds)

        r = client.userinfo().get().execute()
        logging.info(r)

Service Account Configuration¶

In order to use Ferris’ OAuth2 features, you must first configure client settings in app/settings.py. The Google Developer Console provides service account credentials with a JSON file. You can load these directly:

import json
with open('app/service_account.json') as f:
    settings['oauth2_service_account'] = json.load(f)

Or you can manually configure it:

settings['oauth2_service_account'] = {
    'client_id': None, # ...apps.googleusercontent.com
    'client_email': None,  # ..@developer.gserviceaccount.com
    'private_key' None,  # The private key in PEM format
}

Using Service Accounts¶

ferris3.oauth2.build_service_account_credentials(scope, user=None)[source]¶: Builds service account credentials using the configuration stored in settings and masquerading as the provided user.

Example:

credentials = build_service_account_credentials(
    scope=["https://www.googleapis.com/drive/file"],
    user="user@domain.com")

credentials.authorize(http)

Warning

Service account credentials will not work properly on local development environments that are missing the PyCrypto or PyOpenSSL modules. If you get errors concerning SignedJwtCredentials check your Python installation.

Note

Ferris ensures that the access token is stored in the datastore/memcache to reduce calls to Google’s authorization service and avoid quota issues.