Tornado – 3rd Party Authentication – OpenID and OAuth


 

You might have observed and experienced so many Website or Web APIs that let authenticate an user with their Google, Facebook or Twitter accounts. Well, this possible because of third party authentication (or a concept that I like referring as ‘Authentication As A Service’). With the open standards (also referred as protocols) authentication like OpenID and OAuth (latest being OAuth2), authentication can treated as an independent entity apart from services a web API or Website provides. Not only does it eschews the users from creating login accounts for all websites but also the website developer’s effort in proving authentication service is saved.

OpenID and OAuth provides a framework in which users can register with OpenID provider (like Google)¬† or OAuth provider (like Github, Facebook) and then use Google or Facebook accounts to login to other sites that provide third party authentication. As a web developer providing third party authentication requires you to create a web application with the service providers. For instance, using OAuth2 authentication of Facebook, requires you to register your app (for API Key and Application Secret) with Facebook at their developers page. Google provides both OpenID and OAuth authentication, but registration is not required…

Web application based on Tornado can leverage these open standards for authenticating a user with help of Tornado’s abstraction for OpenID and OAuth with tornado.auth.OpenIDMixin, tornado.auth.OAuthMixin and tornado.auth.OAuth2Mixin. Methods that are used by these classes are

  • authenticate_redirect(), authorize_redirect(): To redirect the user to appropriate service providers authentication page¬† and
  • get_authenticated_user(): To get the user information as provided by service provider

Tornado also provides abstraction for authenticating users with Facebook, Twitter with tornado.auth.FacebookMixin (Facebook OAuth authentication) and tornado.auth.TwitterMixin (Twitter OAuth authentication) and tornado.auth.GoogleMixin (works for both Google OpenID and OAuth authentication).

Let’s understand more with an example.

Above example is similar to one we used for Tornado – Authentication blog.. It’s important note the usage of self.get_argument(“openid.mode”) – which signifies using OpenID Authentication.

 

 

About these ads

About Chetan Giridhar

An avid technologist, blogger and a newbie photographer.

Posted on September 4, 2012, in Python, Tornado and tagged , , , , , , , . Bookmark the permalink. 1 Comment.

  1. Very true most of the websites uses twitter, facebook and google and not openid which I preferred using most of the time when commenting. Especially that I use keywords for my websites such as grovespot.com the best bar, restaurant cafe in miami. Thisu helps me better than logging in through different accounts. Thank you for such a great article.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: