Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!goblin2!goblin.stu.neva.ru!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.000 X-Spam-Evidence: '*H*': 1.00; '*S*': 0.00; 'argument': 0.04; 'context': 0.05; 'retrieved': 0.05; 'python': 0.09; 'callback': 0.09; 'port,': 0.09; 'received:mail-vc0-f174.google.com': 0.09; 'sep': 0.09; 'spec': 0.09; 'cc:addr:python-list': 0.10; 'gui': 0.11; 'itself.': 0.11; 'library': 0.15; 'discusses': 0.16; 'endpoint.': 0.16; 'happily': 0.16; 'subject:api': 0.16; 'url.': 0.16; 'wed,': 0.16; 'wrote:': 0.17; 'url:accounts': 0.17; 'code,': 0.18; 'sender:addr:gmail.com': 0.18; '(or': 0.18; '(all': 0.22; 'displayed': 0.22; "user's": 0.22; "i'd": 0.22; 'this:': 0.23; 'installed': 0.23; 'patch': 0.24; 'cc:no real name:2**0': 0.24; 'idea': 0.24; 'pass': 0.25; 'tried': 0.25; 'cc:addr:python.org': 0.25; 'header:In-Reply-To:1': 0.25; 'skip:" 20': 0.26; 'am,': 0.27; 'embedded': 0.27; 'separate': 0.27; 'cc:2**2': 0.27; 'library.': 0.27; 'message-id:@mail.gmail.com': 0.27; 'embed': 0.29; 'leaves': 0.29; 'received:209.85.220.174': 0.29; 'position.': 0.30; 'window': 0.30; 'function': 0.30; 'code': 0.31; 'google,': 0.32; 'could': 0.32; 'curious': 0.33; 'handle': 0.33; 'received:google.com': 0.34; 'text': 0.34; 'server': 0.35; 'received:209.85.220': 0.35; 'received:209.85': 0.35; 'there': 0.35; 'add': 0.36; 'flow': 0.36; 'client': 0.36; 'too': 0.36; 'beyond': 0.37; 'received:209': 0.37; 'subject:: ': 0.38; 'mean': 0.38; 'url:docs': 0.38; 'gives': 0.39; 'little': 0.39; 'header:Received:5': 0.40; 'your': 0.60; 'link': 0.60; 'side': 0.61; 'provide': 0.62; 'close': 0.63; 'grab': 0.64; '26,': 0.65; 'special': 0.73; '11:45': 0.84; 'mistake': 0.91; 'navigate': 0.91 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=gJncP1OcbgfD9byEmuTPTfEjOoxNj/7N+cbGDvPazvY=; b=lQqBS+UUbXxY0bgjtrKmdTGbJUaJ8qlJFU3DFrxN0YeO7AVDRLPc5fgUNyjTMyuITW Nxer3rIeyFse1FFmRKP0rglcSyUQwvUmdDT7NZlIbQmDa4V/psfBETj2tUA/0ojQ95Dz //u1pL6RhMaHhC0D4HnzWqGP1HUwFqbRr4O1II7auIDKUpvTllO/8ha+chsW3a9dvw7i 9pPsRL5ZTbj0x1utJzxQrB0IokCgS75YvEU7Q7DjA+KS9wRjtRpC3GZrufEvWniBlVPh CwoYTdAKaQMbbCHyDozs4TTVwjftrsz5dqgB2Qta6gPXFlsNYHFpk5/p80nZ8BIZoSDp gO6Q== MIME-Version: 1.0 Sender: kushal.kumaran@gmail.com In-Reply-To: References: <5062003A.9020208@tysdomain.com> <50621279.8060700@tysdomain.com> From: Kushal Kumaran Date: Wed, 26 Sep 2012 13:54:17 +0530 X-Google-Sender-Auth: 454-Kko9pcb5a_h_dHldobUt2Rg Subject: Re: google api and oauth2 To: Demian Brecht Content-Type: text/plain; charset=UTF-8 Cc: python-list@python.org X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 49 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1348647884 news.xs4all.nl 6889 [2001:888:2000:d::a6]:34521 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:30161 On Wed, Sep 26, 2012 at 11:45 AM, Demian Brecht wrote: >> >> If you are writing a desktop application, read this: >> https://developers.google.com/accounts/docs/OAuth2#clientside > > > You mean https://developers.google.com/accounts/docs/OAuth2#installed? Your > link discusses client side browser implementations. > Ah yes, I made a mistake in linking displayed url and scrolled position. > I'd be curious to know the shortcomings of sanction in the context of > installed apps. My original intent was to provide a server flow > implementation. If the installed flow isn't too much of a change (doesn't > seem like it would be, according to the docs, it's how the "code" is > retrieved by the application), I'd happily add it in or take a patch to > cover it. I tried out sanction from a python shell. In an installed application, the user can either start a little web server to handle redirect_uri, or pass in the special value "urn:ietf:wg:oauth:2.0:oob" to have the authorization code be shown in a text field in the browser (all of this is for google, I have no idea how other implementations or the oauth spec differ). At the moment, the auth_uri function gives out a URI and leaves it up to the client to deal with it however it likes. The library could provide a function (let's call it drive_auth) to drive the entire process: start a little web server on any available port, give a url to that server as redirect_uri, then start the user's web browser to connect to the authentication endpoint. The embedded web server will need to handle redirect_uri to grab the authorization code, generate an HTML response that will close the browser window (or instruct the user to do so), and then stop itself. For GUI applications which can embed a web browser widget, there is no need to start a separate web browser application. To support such applications, the drive_auth function can take a callback argument to navigate to a particular URL. Then the client applications can hook in their particular GUI toolkit, or just pass in webbrowser.open if they like. All this may be beyond the intended scope of your library. -- regards, kushal