Tornado – 3rd Party Authentication – OpenID and OAuth
You have probably seen many websites and web APIs that let a user authenticate with their Google, Facebook or Twitter account. This is possible because of third-party authentication (a concept I like to refer to as ‘Authentication As A Service’). With open-standard authentication protocols like OpenID and OAuth (the latest being OAuth2), authentication can be treated as an entity independent of the services a web API or website provides. Not only does it spare users from creating login accounts for every website, it also saves the website developer the effort of providing an authentication service.
OpenID and OAuth provide a framework in which users register with an OpenID provider (like Google) or an OAuth provider (like GitHub or Facebook) and then use those accounts to log in to other sites that support third-party authentication. As a web developer, providing third-party authentication requires you to register a web application with the service provider. For instance, using Facebook’s OAuth2 authentication requires you to register your app (to obtain an API key and application secret) with Facebook at their developers page. Google provides both OpenID and OAuth authentication, but registration is not required…
Web applications based on Tornado can leverage these open standards to authenticate a user through Tornado’s abstractions for OpenID and OAuth: tornado.auth.OpenIDMixin, tornado.auth.OAuthMixin and tornado.auth.OAuth2Mixin. The methods these classes expose are
- authenticate_redirect(), authorize_redirect(): to redirect the user to the appropriate service provider’s authentication page, and
- get_authenticated_user(): to get the user information returned by the service provider
Tornado also provides abstractions for authenticating users with Facebook and Twitter: tornado.auth.FacebookMixin (Facebook OAuth authentication), tornado.auth.TwitterMixin (Twitter OAuth authentication) and tornado.auth.GoogleMixin (which works for both Google OpenID and OAuth authentication).
Let’s understand more with an example.
The above example is similar to the one we used in the Tornado – Authentication blog post. It is important to note the use of self.get_argument(“openid.mode”), which signifies that OpenID authentication is in use (the parameter is present on the response the OpenID provider sends back to your callback URL).
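To make the two-step flow concrete, here is an added example (not code from the original post or from the Tornado project) that spells out what happens behind authenticate_redirect() and get_authenticated_user() for OpenID, and the branch on the openid.mode argument that a handler makes. It is written with the standard library only so it runs offline; the provider endpoint, the attribute names requested and the sample callback response are constructed assumptions, and the check_authentication callable stands in for the HTTP request to the provider that Tornado performs for you.

```python
"""Added example: the OpenID 2.0 login flow that Tornado's OpenIdMixin
(and GoogleMixin) wraps.  Standard library only; endpoint and sample
values below are constructed for illustration."""
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Attributes we ask the provider for (alias -> AX type URI).
AX_TYPES = {
    "email": "http://axschema.org/contact/email",
    "firstname": "http://axschema.org/namePerson/first",
    "lastname": "http://axschema.org/namePerson/last",
}
# Fields a positive assertion must sign (OpenID 2.0 section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def authenticate_redirect_url(endpoint, callback_uri, realm):
    """Step 1 (authenticate_redirect): build the URL the browser is sent to."""
    args = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": callback_uri,  # where the provider posts back
        "openid.realm": realm,             # the site the user is asked to trust
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": ",".join(AX_TYPES),
    }
    for alias, type_uri in AX_TYPES.items():
        args["openid.ax.type." + alias] = type_uri
    return endpoint + "?" + urlencode(args)


def get_authenticated_user(arguments, expected_return_to, check_authentication):
    """Step 2 (get_authenticated_user): validate the provider's assertion and
    extract the user's attributes.  `arguments` is the callback's query dict;
    `check_authentication(arguments)` must contact the provider
    (openid.mode=check_authentication) and return True only for is_valid:true."""
    if arguments.get("openid.mode") != "id_res":
        return None  # 'cancel', 'setup_needed' or missing: no login happened
    if arguments.get("openid.ns") != OPENID_NS:
        return None
    if arguments.get("openid.return_to") != expected_return_to:
        return None  # assertion was issued for a different callback URL
    signed = set(arguments.get("openid.signed", "").split(","))
    if any(field not in signed for field in REQUIRED_SIGNED):
        return None  # a field we rely on is outside the signature
    if not check_authentication(arguments):
        return None  # provider did not confirm the signature/nonce
    # The provider chooses its own alias for the AX namespace; find it.
    ax_alias = None
    for key, value in arguments.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            ax_alias = key[len("openid.ns."):]
    user = {"claimed_id": arguments["openid.claimed_id"]}
    if ax_alias:
        prefix = "openid." + ax_alias + "."
        for key, value in arguments.items():
            if key.startswith(prefix + "type."):
                attr_alias = key[len(prefix + "type."):]
                for name, type_uri in AX_TYPES.items():
                    if value == type_uri:
                        user[name] = arguments.get(prefix + "value." + attr_alias)
    return user


def handle_login(arguments, endpoint, callback_uri, realm, check_authentication):
    """The handler's branch on the presence of the openid.mode argument."""
    if "openid.mode" in arguments:
        return "user", get_authenticated_user(arguments, callback_uri,
                                              check_authentication)
    return "redirect", authenticate_redirect_url(endpoint, callback_uri, realm)


# Constructed sample of a positive assertion posted back by a provider.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://provider.example/openid",
    "openid.claimed_id": "https://provider.example/id/alice",
    "openid.identity": "https://provider.example/id/alice",
    "openid.return_to": "https://app.example/auth/login",
    "openid.response_nonce": "2024-01-01T00:00:00Zabc",
    "openid.assoc_handle": "handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.mode,ext1.type.e,ext1.value.e",
    "openid.sig": "c2lnbmF0dXJl",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.e": "http://axschema.org/contact/email",
    "openid.ext1.value.e": "alice@example.com",
}

if __name__ == "__main__":
    print(handle_login({}, "https://provider.example/openid",
                       "https://app.example/auth/login", "https://app.example",
                       lambda a: True))
    print(handle_login(SAMPLE_RESPONSE, "https://provider.example/openid",
                       "https://app.example/auth/login", "https://app.example",
                       lambda a: True))
```

The point to take from the second step is that the callback parameters are untrusted input: the assertion is accepted only after the return_to check, the signed-fields check and the provider's confirmation, which is exactly the work Tornado's get_authenticated_user() does before it hands you a user dictionary.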