Talons OAuth authentication extension
talons-oauth
provides OAuth 1.0 extension for
Talons WSGI middleware library
in talons.auth
namespace. You can install it with pip:
pip install talons-oauth
Usage example
Use talons-oauth
the same way you would use any other talons auth middleware
import falcon
from falcon.auth.oauth import oauth1
# Assume getappconfig() returns a dictionary of application configuration
# options that may have been read from some INI file...
config = getappconfig()
auth_middleware = middleware.create_middleware(identify_with=[oauth1.Identifier],
authenticate_with=[oauth1.Authenticator],
**config)
app = falcon.API()
talons.auth.oauth.oauth1.Identifier
OAuth authentication flow is a bit more sophisticated than talons.auth
middlewares assumes about typical authentication. There is no clear boundary
between identification and authentication in most of OAuth implementations.
There is no user credentials per se but credentials of oauth consumer
that authenticates on behalf of user. Because of that oauth1.Identifier
identificates "user" by whole set of request body, method, headers and url
parameters. This data will be needed then for verifing request signature.
oauth1.Identifier.identify()
returns True
only if request looks like
OAuth 1.0. request - has either valid auth header, body parameters or query
string (as specified in RFC 5849).
Identity stored in request is a talons.auth.oauth.oauth1.OAuthIdentity
instance that subclasses talons.auth.interfaces.Identity
. All its base
attributes (login
, key
, roles
, groups
) are set to `None' or default
value. This should not break other talons authenticators.
talons.auth.oauth.oauth1.Authenticator
oauth1.Authenticator
won't work OOTB. It uses
oauthlib as oauth provider backend which as
well as falcon and talons do tries to be non opinionated. This means that it
doesn't assume anything about your your type of storage or data architecture.
You must provide an
oauthlib.oauth1.rfc5849.request_validator.RequestValidator
subclass instance that tells library how to validate/save/verify/retrieve your
tokens, nonces, keys, etc. Fortunately this procedure is very simple and well
documented in oauthlib's documentation.
Other thing you would like probably to configure is a list of available authentication realms that are required by your API instance. It can be set as a list of required realms for whole api instance. Unfortunately falcon hooks are not aware of resource affected by request and realms cannot be set per resource individually. If you would like to have diffrent authentication realms for many resources I would advice you splitting your API into many instances based on their realms.
Full list of configuration parameters:
-
oauth1_validator
:oauthlib.oauth1.rfc5849.request_validator.RequestValidator
(required). Defines how to validate/save/verify/retrieve your OAuth 1.0. tokens, nonces, keys, etc. For full documentation refer to oauthlib's RequestValidator documentation. -
oauth1_realms
: list (defaults to []). list of required realms for consumer access tokens.
Providing OAuth 1.0. endpoints
Providing endpoints for accessing/authorizing request tokens and access tokens
is beyond the scope of this library. Once you create your RequestValidator
subclass it should be easy to use
generic oauthlib endpoints.