Usage with httpx 'auth'

[oryon-dominik]

Can I use httpx-oauth to directly connect authenticated to any url?

# this doesn't work
auth = GitHubOAuth2(client_id, client_secret)
with httpx.Client as client:
    r = client.get(url, auth=auth)

I don't want to start a server.

Maybe I'm missing a detail.
Usecase: programmatically authenticating myself on a service that supports oauth (e.g social login via github), using httpx.

How can I use httpx-oauth to identify myself with such a service?!

[frankie567]

Hi @oryon-dominik!

Unfortunately, OAuth2 is a bit more complex and involves a bit more steps than that 🙃 I strongly recommend you to read detailed resources about the protocol, but here is a simplified overview:

1. Authorization URL

Generate an authorization URL for the service provider (GitHub, Google...). This URL points to a web page where you'll be able to allow your application to access your personal data (you probably already seen and used this kind of interface).

authorization_url = await client.get_authorization_url(
    "http://localhost:8000/oauth-callback", scope=["SCOPE1", "SCOPE2", "SCOPE3"],
)

The first argument is the redirect URL: it's a URL on your own web server where the user will be redirected when they have clicked on the "Allow"/"Deny" button on the authorization page. You see that OAuth2 is a protocol mainly thought for the web.

The scopes are a list of strings determining the things you'll be allowed to do with the API. Every service provider has its own list of scopes to finely determine the level of access to their API.

2. The callback

When the user has finished on the authorization page, they are redirected to your redirect URL. If everything went well, you'll have a temporary code in the query parameters of the URL. Something like this:

http://localhost:8000/oauth-callback?code=XXXXXX

This code can be used to generate a proper access token to the API. Retrieve it and call the get_access_token method:

access_token = await client.get_access_token("XXXXXX", "http://localhost:8000/oauth-callback")

Notice that you need to put again the exact same redirect URL as a safety check.

The access_token is a dictionary with several properties about the token, including the token itself. Properties can vary greatly from a service to another but, usually, you can get access token like this:

token = access_token["access_token"]

3. Use the token

You now have an access token to authorize your HTTP calls to the service API. Usually, you need to pass it in an Authorization header with the Bearer scheme.

with httpx.Client(headers={"Authorization": f"Bearer {token}"}) as client:
    r = client.get(url)

[oryon-dominik]

Thanks for the detailed explanation @frankie567 .

I guess I'm confusing the roles here, as I'm the user in my example.
I want to mock the users behaviour on the "authorization page" programmatically, (instead of clicking on the website..).

If I understand this correctly, I need to get a valid authorization_url from the third party client, feed it with my creentials and receive a redirect_url which grants me the token, I need to bear for subsequent requests.

So.. httpx-oauth does the client-side?!

Phew..

[frankie567]

I want to mock the users behaviour on the "authorization page" programmatically, (instead of clicking on the website..).

Well, you can't do that. The purpose of OAuth is to let users decide if they want to give you access or not.

If you're doing it just for yourself, an easy way is just to copy-paste the authorization URL in your browser, click "Accept" and copy-paste the temporary code from the callback URL.

httpx-oauth is an API client to help developers implement the OAuth2 flow into their apps, as most OAuth2 libraries out there.