Simplifying third-party authentication for web applications.

Since Google OAuth 1.0 is deprecated (see https://developers.google.com/accounts/docs/OAuth), velruse would benefit from a OAuth 2.0 implementation for Google (https://developers.google.com/accounts/docs/OAuth2). It is also much easier to implement and maintain than the OpenID + OAuth hybrid.

I have written a provider called "google2" in my branch (https://github.com/naktinis/velruse/commit/7c75a1c01e68d64b218d83cbfa29df7994ce9371) if it would be of any help. I can create a pull request, or simply leave it to you as a working example.

I installed the current state of velruse, including https://github.com/bbangert/velruse/pull/70, wanted to try the example pyramid app (i.e. pserve example.ini, with a gtihub provider setup in example.ini) and got the following error below, it seems the config.include behavior doesn't work for me, but I cannot figure out why. Can someone help?

File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/paste/deploy/util.py", line 56, in fix_call val = callable(_args, *_kw) File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/myapp/init.py", line 72, in main config.add_github_login_from_settings(prefix='github.') File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/pyramid/config/init.py", line 775, in getattr raise AttributeError(name) AttributeError: add_github_login_from_settings

pip freeze:

Beaker==1.6.3 Chameleon==2.9.0 Mako==0.7.0 MarkupSafe==0.15 PasteDeploy==1.5.0 PyYAML==3.10 Routes==1.13 WebOb==1.2 anykeystore==0.2 certifi==0.0.8 chardet==1.0.1 distribute==0.6.19 httplib2==0.7.4 nose==1.1.2 oauth2==1.5.211 oauthlib==0.1.3 pyasn1==0.1.3 pyramid==1.3.2 python-openid==2.2.5 repoze.lru==0.5 requests==0.13.0 rsa==3.0.1 translationstring==1.1 venusian==1.0a6 wsgiref==0.1.2 zope.deprecation==4.0.0 zope.interface==4.0.1

Hi,

I was wondering if you could configure the email to be returned from linkedin and also make the route consistent.

Following is a diff of the requested changes.

Thanks!

diff --git a/providers/linkedin.py b/providers/linkedin.py
index 17c69d5..ce9915b 100644
--- a/providers/linkedin.py
+++ b/providers/linkedin.py
@@ -44,8 +44,8 @@ def add_linkedin_login_from_settings(config, prefix='velruse.linkedin.'):
 def add_linkedin_login(config,
                        consumer_key,
                        consumer_secret,
-                       login_path='/linkedin/login',
-                       callback_path='/linkedin/login/callback',
+                       login_path='/login/linkedin',
+                       callback_path='/login/linkedin/callback',
                        name='linkedin'):
     """
     Add a Last.fm login provider to the application.
@@ -129,7 +129,7 @@ class LinkedInProvider(object):
                             secret=cred['oauthAccessTokenSecret'])
         client = oauth.Client(consumer, token)
         profile_url = 'http://api.linkedin.com/v1/people/~'
-        profile_url += ':(first-name,last-name,id,date-of-birth,picture-url)'
+        profile_url += ':(first-name,last-name,id,date-of-birth,picture-url,email-address)'
         profile_url += '?format=json'
         resp, content = client.request(profile_url)

@@ -139,8 +139,8 @@ class LinkedInProvider(object):

         # Setup the normalized contact info
         profile = {}
         profile['displayName'] = data['firstName'] + data['lastName']
+        profile['verifiedEmail'] = data['emailAddress']
         profile['name'] = {
             'givenName': data['firstName'],
             'familyName': data['lastName'],

If something goes wrong and csrf fails (which is not always in case of fraud), it would be much friendly to raise Bad Request 400 error instead of Python exception that results in 500.

This branch fixes compatibility issues with python3 related to the usage of binaries instead of strings and also incorrect import for urlencode.

I was not able to fully test these changes against python2, and could not test all the affected providers. The only ones I tried were Facebook, Twitter and GoogleOAuth2.

If we pass 'storage=None' to an openid provider, it should run the python openid consumer in stateless mode.

With the default options I was unable to run multiple wsgi workers and do openid auth because it was using a MemoryStore that was not shared among the workers. In order to run in stateless mode, you have to pass 'store=None' to the openid consumer, but the current OpenID provider was preventing that.

MemoryStore is still the default value for storage, but now if you explicitly pass 'storage=None' it will run in stateless mode.

I have done a lot of work on velruse and splitted my last pull request in small chunks. Feel free to speak with me on irc (kiorky on #pyramid (freenode))

Those pull requests must be assembled in a logical and dependant order:

• documentation https://github.com/bbangert/velruse/pull/44
• [MERGED] includeme_convention https://github.com/bbangert/velruse/pull/45
  • providers_hook https://github.com/bbangert/velruse/pull/53
    • introspectable_configuration https://github.com/bbangert/velruse/pull/47
      • introspectable_providers https://github.com/bbangert/velruse/pull/48
• openid_autoconfiguration https://github.com/bbangert/velruse/pull/46
  • contextual_endpoint https://github.com/bbangert/velruse/pull/51
    • ldap_provider https://github.com/bbangert/velruse/pull/50
• introspectable_configuration / ldap_provider
  • introspectable_ldap_provider https://github.com/bbangert/velruse/pull/49

So, my html form looks like this:

"""

"""

server2 is only locally accessible.

Authentication appears to work, but the information returned when the token is looked up in the velruse store comes back as:

{'status': 'fail', 'reason': {'code': 0, 'description': 'Missing parameter'}}

...which isn't very helpful :-S

What's happening here and how can we make this information more useful?

Okay, same YAML config:

Store: Type: velruse.store.memstore:MemoryStore

OpenID: Realm: http://http://pythonjobs.chrisw.info/ Endpoint Regex: http://http://pythonjobs.chrisw.info/loggedin

Yahoo: true

OpenID Store: Type: openid.store.memstore:MemoryStore """

html form submission is: """

"""

I get:

File "/home/chris/buildout-eggs/Beaker-1.5.4-py2.6.egg/beaker/middleware.py", line 152, in call return self.wrap_app(environ, session_start_response) File "/home/chris/velruse/velruse/app.py", line 198, in call return self.configprovider(environ, start_response) File "/home/chris/velruse/velruse/utils.py", line 109, in call return getattr(self, action)(req, **kwargs) File "/home/chris/velruse/velruse/providers/openidconsumer.py", line 276, in login self.update_authrequest(req, authrequest) File "/home/chris/velruse/velruse/providers/yahoo.py", line 68, in _update_authrequest authrequest.addExtension(oauth_request) File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/consumer/consumer.py", line 1493, in addExtension extension_request.toMessage(self.message) File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/extension.py", line 45, in toMessage message.updateArgs(self.ns_uri, self.getExtensionArgs()) File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/message.py", line 471, in updateArgs self.setArg(namespace, k, v) File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/message.py", line 476, in setArg assert value is not None AssertionError

...from:

http://pythonjobs.chrisw.info/velruse/yahoo/auth

What am I doing wrong?

Twitter (and linkedin) providers can load more user data.

I'm still keeping the Portable Contacts format. for twitter, I need to perform another call to the twitter remote service.

Login breaks with Pyramid 1.2. It appears that Pyramid expects the provider login view method to have a different number of arguments. Which version of Pyramid did you test your examples against?

File "<...>/pyramid-1.2-py2.6.egg/pyramid/config/views.py", line 319, in viewresult_to_response
    result = view(context, request)
TypeError: login() takes exactly 2 arguments (3 given)

The two URLs used here

https://github.com/bbangert/velruse/blob/7027acc43df77331d34014fdbb796ee5c54c8d5e/velruse/providers/live.py#L78

and

https://github.com/bbangert/velruse/blob/7027acc43df77331d34014fdbb796ee5c54c8d5e/velruse/providers/live.py#L98

should be replaced with https://login.live.com/oauth20_authorize.srf and https://login.live.com/oauth20_token.srf, respectively.

FB URL has changed to https://www.facebook.com/v3.0/dialog/oauth

This URLmust be changed at providers/facebook.py#L83: https://github.com/bbangert/velruse/blob/master/velruse/providers/facebook.py#L83

You may also need to add all possible "Valid OAuth Redirect URIs" to: https://developers.facebook.com/apps/YOUR_APP_ID/fb-login/settings/

https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/

This adds to auth_complete_view:

• Python 3 compatibility fix with ord
• Use secrets builtin from Python 3.6 if available
• Use pyramid.session.SignedCookieSessionFactory if available

facebook.py crashes File "distlib/velruse/providers/facebook.py", line 121, in callback access_token = dict(parse_qsl(r.text))['access_token'] KeyError: 'access_token'

Facebook Graph API v2.2 ENDS 27 March, 2017

Graph API v2.2 which will reach the end of its 2-year lifetime on 27 March, 2017. To ensure a smooth transition, please migrate all calls to Graph API v2.3 or higher.

To check if your app will be affected by this upgrade you can use the Version Upgrade Tool. This will show you which calls, if any, are affected by this change as well as any replacement calls in newer versions. If you do not see any calls, your app may not be affected by this change.

You can also use our changelog to see the full list of changes in all Graph API versions.

You can view this and other Developer Notifications related to your app, in the App Dashboard.

From their changelog:

[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.

Otherwise the Facebook provider is now broken since they stopped supporting the old way.