Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding 3-legged auth for users getting started. #539

Closed
wants to merge 2 commits into from
Closed

Adding 3-legged auth for users getting started. #539

wants to merge 2 commits into from

Conversation

dhermes
Copy link
Contributor

@dhermes dhermes commented Jan 13, 2015

Addresses final part of #335.

@tseaver Writing Test_get_credentials_from_user_flow.test_succeeds made me feel icky inside. Any suggestions on how to make this less massive?

@silvolu PTAL at the docstrings introduced and the print statements. Should we put this somewhere special in our documentation? We don't have an auth or a getting started section anywhere but I encourage you to clone my repo, check out the add-3LO branch and run

from gcloud import credentials
from gcloud.datastore import SCOPE
credentials = credentials.get_credentials_from_user_flow(SCOPE)

First without a client secrets file present (to test failure modes) and then with one (to test the messages printed, inputs requested).

@craigcitro Also PTAL / see what we could pull into oauth2client.

@silvolu silvolu mentioned this pull request Jan 13, 2015
Closed
6 tasks
@coveralls
Copy link

Coverage Status

Coverage remained the same when pulling ca14078 on dhermes:add-3LO into dcb73d3 on GoogleCloudPlatform:master.

@craigcitro
Copy link
Contributor

substituting @anthmgoogle in my place, who has more feelings about 3LO

silvolu
silvolu reviewed Jan 13, 2015
View reviewed changes
gcloud/credentials.py
def _store_user_credential(credential):
"""Stores a user credential as a well-known file.

Prompts user first if they want to store the minted token and

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@silvolu
Copy link
Contributor

silvolu commented Jan 13, 2015

@dhermes There is a getting started section on the landing page, that is currently explaining how to install the package, maybe we can add it there. Alternatively, we could add it to the " in 10 seconds" expandables of each top-level module (e.g. Cloud Datastore)

@dhermes dhermes added type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. milestone-feature labels Jan 13, 2015
@coveralls
Copy link

Coverage Status

Coverage remained the same when pulling d50cc57 on dhermes:add-3LO into 8a42ef5 on GoogleCloudPlatform:master.

tseaver
tseaver reviewed Jan 14, 2015
View reviewed changes
gcloud/credentials.py
print 'function, which relies on that environment variable.'
print ''
print 'Keep in mind, the refresh token can only be used with the'
print 'scopes you granted in the original authorization.'

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

This comment was marked as spam.

Sign in to view

@dhermes
Copy link
Contributor Author

dhermes commented Jan 14, 2015

Now that I think about it, the process described in the docstring for get_credentials_from_user_flow() is not any simpler than the process required to set up the files / env vars needed for get_credentials() or get_for_service_account_p12().

@silvolu Do we really need / want user 3LO? I can see cases where someone would want to write a CLI application and have users go through a flow, but we support plugging in arbitrary credentials to our Connection classes so this doesn't preclude them. Instead it puts the onus on those users to define their own flow.

@anthmgoogle
Copy link

I provided some comments on the implementation.

I think a GCloud-specific wrapper for 3LO is relatively low priority, since
there is no user-owned data at stake, so you would typically just use it as
a way to reusing the user's permissions.

One thing that may not be widely known yet is that you can actually now use
the GCloud SDK for this. As of a release in late 2014, the Cloud SDK's
"gcloud auth login" command will also set up the Application Default
Credentials in the well-known-file location and it includes all Cloud API
scopes. This means you can use 3LO with your own credentials as a proxy at
development time, but you don't need to have an any actual 3LO related UI
in you application. We'd love to get feedback about whether this works for
scenarios like this.

That being said, I do belive there is a need for better 3L0 libraries,
primarily for APIs like that DO represent end user data (e.g. Calendar,
GMail). Ultimately I think we should provide a better wrapped
implementation of 3LO in oauth2client, such that writing code such as that
in this change list bcomes 95% UI logic only a few library calls instead of
needed this embedded auth and serialization logic.

On Wed, Jan 14, 2015 at 1:04 PM, Danny Hermes notifications@github.com
wrote:

Now that I think about it, the process described in the docstring for
get_credentials_from_user_flow() is not any simpler than the process
required to set up the files / env vars needed for get_credentials() or
get_for_service_account_p12().

@silvolu https://github.com/silvolu Do we really need / want user 3LO?
I can see cases where someone would want to write a CLI application and
have users go through a flow, but we support plugging in arbitrary
credentials to our Connection classes so this doesn't preclude them.
Instead it puts the onus on those users to define their own flow.


Reply to this email directly or view it on GitHub
#539 (comment)
.

@silvolu
Copy link
Contributor

silvolu commented Jan 15, 2015

@dhermes all I wanted was support for application default credentials :)
@jgeewax you wanted this to make getting started with the demo easier, do you still think that's the case?

@dhermes
Copy link
Contributor Author

dhermes commented Jan 15, 2015

@anthmgoogle that hits it exactly on the head! I somehow forgot that GoogleCredentials.get_default_credentials (which we already use) could use the well-known file.

I am going to close this and we can discuss the best way to document it in #335.

@dhermes dhermes closed this Jan 15, 2015
parthea pushed a commit that referenced this pull request Aug 15, 2023
@gcf-owl-bot
build(deps): [autoapprove] bump pygments from 2.13.0 to 2.15.0 (#539)
ad46b87 
Source-Link: https://togithub.com/googleapis/synthtool/commit/eaef28efd179e6eeb9f4e9bf697530d074a6f3b9
Post-Processor: gcr.io/cloud-devrel-public-resources/owlbot-python:latest@sha256:f8ca7655fa8a449cadcabcbce4054f593dcbae7aeeab34aa3fcc8b5cf7a93c9e
parthea pushed a commit that referenced this pull request Sep 22, 2023
@gcf-owl-bot
fix: Add async context manager return types (#539)
01d15ad 
* fix: Add async context manager return types

chore: Mock return_value should not populate oneof message fields

chore: Support snippet generation for services that only support REST transport

chore: Update gapic-generator-python to v1.11.0
PiperOrigin-RevId: 545430278

Source-Link: googleapis/googleapis@601b532

Source-Link: googleapis/googleapis-gen@b3f18d0
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYjNmMThkMGY2NTYwYTg1NTAyMmZkMDU4ODY1ZTc2MjA0NzlkN2FmOSJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
parthea pushed a commit that referenced this pull request Oct 21, 2023
@release-please
chore(main): release 3.17.1 (#539)
2fe6cc2 
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
parthea pushed a commit that referenced this pull request Oct 21, 2023
@gcf-owl-bot
fix: Add async context manager return types (#539)
fdee40a 
* fix: Add async context manager return types

chore: Mock return_value should not populate oneof message fields

chore: Support snippet generation for services that only support REST transport

chore: Update gapic-generator-python to v1.11.0
PiperOrigin-RevId: 545430278

Source-Link: googleapis/googleapis@601b532

Source-Link: googleapis/googleapis-gen@b3f18d0
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiYjNmMThkMGY2NTYwYTg1NTAyMmZkMDU4ODY1ZTc2MjA0NzlkN2FmOSJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
parthea pushed a commit that referenced this pull request Oct 22, 2023
@gcf-owl-bot
docs: Minor formatting (#539)
d3c519a 
* docs: Minor formatting
chore: Update gapic-generator-python to v1.11.5
build: Update rules_python to 0.24.0

PiperOrigin-RevId: 563436317

Source-Link: googleapis/googleapis@42fd37b

Source-Link: googleapis/googleapis-gen@280264c
Copy-Tag: eyJwIjoiLmdpdGh1Yi8uT3dsQm90LnlhbWwiLCJoIjoiMjgwMjY0Y2EwMmZiOTMxNmI0MjM3YTk2ZDBhZjFhMjM0M2E4MWE1NiJ9

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
@release-please release-please bot mentioned this pull request Oct 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@dhermes @coveralls @craigcitro @silvolu @anthmgoogle @tseaver