KSrSSKJr SSKrSSKrSSKrSSKrSSKJr SSKJ r SSKJ r SSKJ r SSKJ r SS KJ r SS KJr SSKrSSKJs Jr SS KJr SS KJr SSKJr SrSrSrSrSrSr"SS\ 5r!g!\a \"S 5ef=f)aUtilities for the Flask web framework Provides a Flask extension that makes using OAuth2 web server flow easier. The extension includes views that handle the entire auth flow and a ``@required`` decorator to automatically ensure that user credentials are available. Configuration ============= To configure, you'll need a set of OAuth2 web application credentials from the `Google Developer's Console `__. .. code-block:: python from oauth2client.contrib.flask_util import UserOAuth2 app = Flask(__name__) app.config['SECRET_KEY'] = 'your-secret-key' app.config['GOOGLE_OAUTH2_CLIENT_SECRETS_FILE'] = 'client_secrets.json' # or, specify the client id and secret separately app.config['GOOGLE_OAUTH2_CLIENT_ID'] = 'your-client-id' app.config['GOOGLE_OAUTH2_CLIENT_SECRET'] = 'your-client-secret' oauth2 = UserOAuth2(app) Usage ===== Once configured, you can use the :meth:`UserOAuth2.required` decorator to ensure that credentials are available within a view. .. code-block:: python :emphasize-lines: 3,7,10 # Note that app.route should be the outermost decorator. @app.route('/needs_credentials') @oauth2.required def example(): # http is authorized with the user's credentials and can be used # to make http calls. http = oauth2.http() # Or, you can access the credentials directly credentials = oauth2.credentials If you want credentials to be optional for a view, you can leave the decorator off and use :meth:`UserOAuth2.has_credentials` to check. .. code-block:: python :emphasize-lines: 3 @app.route('/optional') def optional(): if oauth2.has_credentials(): return 'Credentials found!' else: return 'No credentials!' When credentials are available, you can use :attr:`UserOAuth2.email` and :attr:`UserOAuth2.user_id` to access information from the `ID Token `__, if available. .. code-block:: python :emphasize-lines: 4 @app.route('/info') @oauth2.required def info(): return "Hello, {} ({})".format(oauth2.email, oauth2.user_id) URLs & Trigging Authorization ============================= The extension will add two new routes to your application: * ``"oauth2.authorize"`` -> ``/oauth2authorize`` * ``"oauth2.callback"`` -> ``/oauth2callback`` When configuring your OAuth2 credentials on the Google Developer's Console, be sure to add ``http[s]://[your-app-url]/oauth2callback`` as an authorized callback url. Typically you don't not need to use these routes directly, just be sure to decorate any views that require credentials with ``@oauth2.required``. If needed, you can trigger authorization at any time by redirecting the user to the URL returned by :meth:`UserOAuth2.authorize_url`. .. code-block:: python :emphasize-lines: 3 @app.route('/login') def login(): return oauth2.authorize_url("/") Incremental Auth ================ This extension also supports `Incremental Auth `__. To enable it, configure the extension with ``include_granted_scopes``. .. code-block:: python oauth2 = UserOAuth2(app, include_granted_scopes=True) Then specify any additional scopes needed on the decorator, for example: .. code-block:: python :emphasize-lines: 2,7 @app.route('/drive') @oauth2.required(scopes=["https://www.googleapis.com/auth/drive"]) def requires_drive(): ... @app.route('/calendar') @oauth2.required(scopes=["https://www.googleapis.com/auth/calendar"]) def requires_calendar(): ... The decorator will ensure that the the user has authorized all specified scopes before allowing them to access the view, and will also ensure that credentials do not lose any previously authorized scopes. Storage ======= By default, the extension uses a Flask session-based storage solution. This means that credentials are only available for the duration of a session. It also means that with Flask's default configuration, the credentials will be visible in the session cookie. It's highly recommended to use database-backed session and to use https whenever handling user credentials. If you need the credentials to be available longer than a user session or available outside of a request context, you will need to implement your own :class:`oauth2client.Storage`. wrapsN) Blueprint)_app_ctx_stack) current_app)redirect)request)sessionurl_forz/The flask utilities require flask 0.9 or newer.)client) clientsecrets)dictionary_storagez'jonwayne@google.com (Jon Wayne Parrott))emailgoogle_oauth2_credentialszgoogle_oauth2_flow_{0}google_oauth2_csrf_tokenc[R"[RU5S5nUcg[R "U5$)zVRetrieves the flow instance associated with a given CSRF token from the Flask session.N)r pop _FLOW_KEYformatpickleloads) csrf_token flow_pickles 2lib/third_party/oauth2client/contrib/flask_util.py_get_flow_for_tokenrs<++$d,K||K((c\rSrSrSrSSjrSSjrSrSrSSjr S r S r S r \ S 5rS r\ S5r\ S5rSrSSjrSrSrg) UserOAuth2aFlask extension for making OAuth 2.0 easier. Configuration values: * ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` path to a client secrets json file, obtained from the credentials screen in the Google Developers console. * ``GOOGLE_OAUTH2_CLIENT_ID`` the oauth2 credentials' client ID. This is only needed if ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` is not specified. * ``GOOGLE_OAUTH2_CLIENT_SECRET`` the oauth2 credentials' client secret. This is only needed if ``GOOGLE_OAUTH2_CLIENT_SECRETS_FILE`` is not specified. If app is specified, all arguments will be passed along to init_app. If no app is specified, then you should call init_app in your application factory to finish initialization. NcDXlUbUR"U/UQ70UD6 ggN)appinit_app)selfr#argskwargss r__init__UserOAuth2.__init__s' ? MM# / / / rc (XlX`lXlUc[R"[ [ S9nXplUc URRS[5nX l URX4U5 URUR55 g)aInitialize this extension for the given app. Arguments: app: A Flask application. scopes: Optional list of scopes to authorize. client_secrets_file: Path to a file containing client secrets. You can also specify the GOOGLE_OAUTH2_CLIENT_SECRETS_FILE config value. client_id: If not specifying a client secrets file, specify the OAuth2 client id. You can also specify the GOOGLE_OAUTH2_CLIENT_ID config value. You must also provide a client secret. client_secret: The OAuth2 client secret. You can also specify the GOOGLE_OAUTH2_CLIENT_SECRET config value. authorize_callback: A function that is executed after successful user authorization. storage: A oauth2client.client.Storage subclass for storing the credentials. By default, this is a Flask session based storage. kwargs: Any additional args are passed along to the Flow constructor. N)keyGOOGLE_OAUTH2_SCOPES)r#authorize_callback flow_kwargsrDictionaryStorager _CREDENTIALS_KEYstorageconfigget_DEFAULT_SCOPESscopes _load_configregister_blueprint_create_blueprint) r%r#r5client_secrets_file client_id client_secretr-r1r's rr$UserOAuth2.init_apps|0"4! ?(::-/G >ZZ^^$:OLF  --H t5578rcU(aU(aX#sUlUlgU(aURU5 gSURR;a)URURRS5 gURRSURRSsUlUlg![ a [ S5ef=f)a`Loads oauth2 configuration in order of priority. Priority: 1. Config passed to the constructor or init_app. 2. Config passed via the GOOGLE_OAUTH2_CLIENT_SECRETS_FILE app config. 3. Config passed via the GOOGLE_OAUTH2_CLIENT_ID and GOOGLE_OAUTH2_CLIENT_SECRET app config. Raises: ValueError if no config could be found. N!GOOGLE_OAUTH2_CLIENT_SECRETS_FILEGOOGLE_OAUTH2_CLIENT_IDGOOGLE_OAUTH2_CLIENT_SECRETzOAuth2 configuration could not be found. Either specify the client_secrets_file or client_id and client_secret or set the app configuration variables GOOGLE_OAUTH2_CLIENT_SECRETS_FILE or GOOGLE_OAUTH2_CLIENT_ID and GOOGLE_OAUTH2_CLIENT_SECRET.)r:r;_load_client_secretsr#r2KeyError ValueError)r%r9r:r;s rr6UserOAuth2._load_configs 1: .DND.    % %&9 :  .$((// A  % % CD F  L 9: => /DND. LKL L Ls ;=B99Cc[R"U5up#U[R:wa[SR U55eUSUlUSUlg)z-Loads client secrets from the given filename.z+The flow specified in {0} is not supported.r:r;N)rloadfileTYPE_WEBrCrr:r;)r%filename client_type client_infos rrAUserOAuth2._load_client_secrets;s\#0#9#9(#C -00 0=DD!" "%[1(9rc j[R"[R"S55R 5nU[ [ '[R"UUS.5nURR5nURU5 URS/5n[UR5R[U55n[ R""SUR$UR&UU[)SSS9S.UD6n[*R-U5n [.R"U5[ U 'U$) zCreates a Web Server Flowi)r return_urlr5zoauth2.callbackT) _external)r:r;scopestate redirect_uri)hashlibsha256osurandom hexdigestr _CSRF_KEYjsondumpsr.copyupdatersetr5unionr OAuth2WebServerFlowr:r;r rrr) r%rMr'rrPkw extra_scopesr5flowflow_keys r _make_flowUserOAuth2._make_flowFs^^BJJt$45??A '  $$      " " $ &vvh+ T[[!''L(9:))nn,, !2dC   ##J/"LL. rc[S[5nURSSUR5 URSSUR5 U$)Noauth2z/oauth2authorize authorizez/oauth2callbackcallback)r__name__ add_url_ruleauthorize_view callback_view)r%bps rr8UserOAuth2._create_blueprintesA x * *K9L9LM ):t7I7IJ rc<[RR5n[RRS5US'UR SS5nUc[R =(d SnUR "SSU0UD6nUR5n[U5$)zlFlask view that starts the authorization flow. Starts flow by redirecting the user to the OAuth2 provider. r5rMN/rR) r r&to_dictgetlistrreferrerrdstep1_get_authorize_urlr)r%r&rMrbauth_urls rrlUserOAuth2.authorize_viewls ||##%!--h7XXXlD1   ))0SJ=*==//1!!rcS[R;a_[RRS[RRSS55nSRU5[R 4$[RSn[ [n[RSn[R"U5nUSnUS nXc:waS [R 4$[U5nUcS [R 4$URU5n UR&R)U 5 UR*(aUR+U 5 [-U5$![a S[R 4s$f=f![[4a S [R 4s$f=f![RaLn [ R"R%U 5 S RU 5n U [R 4sS n A $S n A ff=f) zFlask view that handles the user's return from OAuth2 provider. On return, exchanges the authorization code for credentials and stores the credentials. errorerror_descriptionzAuthorization failed: {0}rPcodezInvalid requestrrMzInvalid request stateNzAn error occurred: {0})r r&r3rhttplib BAD_REQUESTr rXrBrYrrCrstep2_exchanger FlowExchangeErrorrlogger exceptionr1putr-r) r%reason encoded_state server_csrfr|rP client_csrfrMrb credentialsexchange_errorcontents rrmUserOAuth2.callback_views gll "\\%%#W\\%5%5gr%BDF/66v>'') ) :#LL1M!),K<<'D @JJ}-E -K|,J  %*G,?,?? ?";/ <*G,?,?? ? 0--d3K %  " "  # #K 0 ##A :$g&9&99 9 :H% @*G,?,?? ? @'' 0    ( ( 8.55nEGG/// / 0sC53E) E<F$E98E9<"F! F!$H8AG?9H?Hc[Rn[U[5(dURR 5UlUR $)z  s,--,0LL,<,<,>C ),,,rcUR(dgURR(aURR(dgg)zAReturns True if there are valid credentials for the current user.FT)raccess_token_expired refresh_tokenr%s rhas_credentialsUserOAuth2.has_credentialss233$$22rcUR(dgURRS$![aE [RR SR URR55 gf=f)a Returns the user's email address or None if there are no credentials. The email address is provided by the current credentials' id_token. This should not be used as unique identifier as the user can change their email. If you need a unique identifier, use user_id. NrInvalid id_token {0}rid_tokenrBrrryrrs rrUserOAuth2.emailsm J##,,W5 5 J    $ $&--d.>.>.G.GH J J-A A<;A<cUR(dgURRS$![aE [RR SR URR55 gf=f)zReturns the a unique identifier for the user Returns None if there are no credentials. The id is provided by the current credentials' id_token. Nsubrrrs ruser_idUserOAuth2.user_idsm J##,,U3 3 J    $ $&--d.>.>.G.GH J Jrc [SSU0UD6$)aCreates a URL that can be used to start the authorization flow. When the user is directed to the URL, the authorization flow will begin. Once complete, the user will be redirected to the specified return URL. Any kwargs are passed into the flow constructor. rM)zoauth2.authorizer )r%rMr's r authorize_urlUserOAuth2.authorize_urlsKjKFKKrc :^^^UUU4SjnU(aU"U5$U$)zDecorator to require OAuth2 credentials for a view. If credentials are not available for the current user, then they will be redirected to the authorization flow. Once complete, the user will be redirected back to the original page. c8>^[T5UUUU4Sj5nU$)Nc>TRS[R5n[TR5nTbU[T5-nTR 5(aUTR R-n[U5nTR 5(a(TR RU5(aT"U0UD6$TR"U4SU0TD6n[U5$)NrMr5) rr urlr]r5rrlist has_scopesrr) r&r'rMrequested_scopesrvdecorator_kwargsr5r%wrapped_functions rrequired_wrapperDUserOAuth2.required..curry_wrapper..required_wrappers-11, L #&t{{#3 %$F 3$''))$(8(8(?(??$#'(8#9 ((**((334DEE+T.curry_wrappers# # $ .% .2$ #rrR)r%decorated_functionr5rrs` `` rrequiredUserOAuth2.requireds $:  !34 4 rcUR(d [S5eURR[R"U0UD65$)anReturns an authorized http instance. Can only be called if there are valid credentials for the user, such as inside of a view that is decorated with @required. Args: *args: Positional arguments passed to httplib2.Http constructor. **kwargs: Positional arguments passed to httplib2.Http constructor. Raises: ValueError if no credentials are available. zNo credentials available.)rrCrhhttplib2Http)r%r&r's rhttpUserOAuth2.https>89 9))(--*H*HIIr)r#r-r:r;r.r5r1r")NNNNNN)NN)rj __module__ __qualname____firstlineno____doc__r(r$r6rArdr8rlrmpropertyrrrrrrr__static_attributes__rRrrrrs(0 >BHL'9R$LL :>"(0$d--  J J J J L)!VJrr)"r functoolsrrSrYrUrflaskrrrrr r r ImportErrorrsix.moves.http_clientmoves http_clientr} oauth2clientr roauth2client.contribr __author__r4r0rrXrobjectrrRrrrsTl  I$!''&37 . $ &  )ZJZJ?I G HHIs *A<<B