oauth2client.contrib.appengine module

Utilities for Google App Engine

Utilities for making it easier to use OAuth 2.0 on Google App Engine.

class oauth2client.contrib.appengine.AppAssertionCredentials(**kwargs)[source]

Bases: oauth2client.client.AssertionCredentials

Credentials object for App Engine Assertion Grants

This object will allow an App Engine application to identify itself to Google and other OAuth 2.0 servers that can verify assertions. It can be used for the purpose of accessing data stored under an account assigned to the App Engine application itself.

This credential does not require a flow to instantiate because it represents a two legged flow, and therefore has all of the required information to generate and refresh its own access tokens.

create_scoped(scopes)[source]

Create a Credentials object for the given scopes.

The Credentials type is preserved.

create_scoped_required()[source]

Whether this Credentials object is scopeless.

create_scoped(scopes) method needs to be called in order to create a Credentials object for API calls.

classmethod from_json(json_data)[source]

Instantiate a Credentials object from a JSON description of it.

The JSON should have been produced by calling .to_json() on the object.

Parameters:json_data – string or bytes, JSON to deserialize.
Returns:An instance of a Credentials subclass.
serialization_data
service_account_email

Get the email for the current service account.

Returns:string, The email associated with the Google App Engine service account.
sign_blob(blob)[source]

Cryptographically sign a blob (of bytes).

Implements abstract method oauth2client.client.AssertionCredentials.sign_blob().

Parameters:blob – bytes, Message to be signed.
Returns:tuple, A pair of the private key ID used to sign the blob and the signed contents.
class oauth2client.contrib.appengine.OAuth2Decorator(**kwargs)[source]

Bases: object

Utility for making OAuth 2.0 easier.

Instantiate and then use with oauth_required or oauth_aware as decorators on webapp.RequestHandler methods.

decorator = OAuth2Decorator(
    client_id='837...ent.com',
    client_secret='Qh...wwI',
    scope='https://www.googleapis.com/auth/plus')

class MainHandler(webapp.RequestHandler):
    @decorator.oauth_required
    def get(self):
        http = decorator.http()
        # http is authorized with the user's Credentials and can be
        # used in API calls
authorize_url()[source]

Returns the URL to start the OAuth dance.

Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware.

callback_application()[source]

WSGI application for handling the OAuth 2.0 redirect callback.

If you need finer grained control use callback_handler which returns just the webapp.RequestHandler.

Returns:A webapp.WSGIApplication that handles the redirect back from the server during the OAuth 2.0 dance.
callback_handler()[source]

RequestHandler for the OAuth 2.0 redirect callback.

Usage:

app = webapp.WSGIApplication([
    ('/index', MyIndexHandler),
    ...,
    (decorator.callback_path, decorator.callback_handler())
])
Returns:A webapp.RequestHandler that handles the redirect back from the server during the OAuth 2.0 dance.
callback_path

The absolute path where the callback will occur.

Note this is the absolute path, not the absolute URI, that will be calculated by the decorator at runtime. See callback_handler() for how this should be used.

Returns:The callback path as a string.
credentials

A thread local Credentials object.

Returns:A client.Credentials object, or None if credentials hasn’t been set in this thread yet, which may happen when calling has_credentials inside oauth_aware.
flow

A thread local Flow object.

Returns:A credentials.Flow object, or None if the flow hasn’t been set in this thread yet, which happens in _create_flow() since Flows are created lazily.
get_credentials()[source]

A thread local Credentials object.

Returns:A client.Credentials object, or None if credentials hasn’t been set in this thread yet, which may happen when calling has_credentials inside oauth_aware.
get_flow()[source]

A thread local Flow object.

Returns:A credentials.Flow object, or None if the flow hasn’t been set in this thread yet, which happens in _create_flow() since Flows are created lazily.
has_credentials()[source]

True if for the logged in user there are valid access Credentials.

Must only be called from with a webapp.RequestHandler subclassed method that had been decorated with either @oauth_required or @oauth_aware.

http(*args, **kwargs)[source]

Returns an authorized http instance.

Must only be called from within an @oauth_required decorated method, or from within an @oauth_aware decorated method where has_credentials() returns True.

Parameters:
  • *args – Positional arguments passed to httplib2.Http constructor.
  • **kwargs – Positional arguments passed to httplib2.Http constructor.
oauth_aware(method)[source]

Decorator that sets up for OAuth 2.0 dance, but doesn’t do it.

Does all the setup for the OAuth dance, but doesn’t initiate it. This decorator is useful if you want to create a page that knows whether or not the user has granted access to this application. From within a method decorated with @oauth_aware the has_credentials() and authorize_url() methods can be called.

Parameters:method – callable, to be decorated method of a webapp.RequestHandler instance.
oauth_required(method)[source]

Decorator that starts the OAuth 2.0 dance.

Starts the OAuth dance for the logged in user if they haven’t already granted access for this application.

Parameters:method – callable, to be decorated method of a webapp.RequestHandler instance.
set_credentials(credentials)[source]
set_flow(flow)[source]
class oauth2client.contrib.appengine.OAuth2DecoratorFromClientSecrets(**kwargs)[source]

Bases: oauth2client.contrib.appengine.OAuth2Decorator

An OAuth2Decorator that builds from a clientsecrets file.

Uses a clientsecrets file as the source for all the information when constructing an OAuth2Decorator.

decorator = OAuth2DecoratorFromClientSecrets(
    os.path.join(os.path.dirname(__file__), 'client_secrets.json')
    scope='https://www.googleapis.com/auth/plus')

class MainHandler(webapp.RequestHandler):
    @decorator.oauth_required
    def get(self):
        http = decorator.http()
        # http is authorized with the user's Credentials and can be
        # used in API calls
class oauth2client.contrib.appengine.StorageByKeyName(**kwargs)[source]

Bases: oauth2client.client.Storage

Store and retrieve a credential to and from the App Engine datastore.

This Storage helper presumes the Credentials have been stored as a CredentialsProperty or CredentialsNDBProperty on a datastore model class, and that entities are stored by key_name.

locked_delete
locked_get
locked_put
oauth2client.contrib.appengine.oauth2decorator_from_clientsecrets(*args, **kwargs)[source]

Creates an OAuth2Decorator populated from a clientsecrets file.

Parameters:
  • filename – string, File name of client secrets.
  • scope – string or list of strings, scope(s) of the credentials being requested.
  • message – string, A friendly string to display to the user if the clientsecrets file is missing or invalid. The message may contain HTML and will be presented on the web interface for any method that uses the decorator.
  • cache – An optional cache service client that implements get() and set() methods. See clientsecrets.loadfile() for details.

Returns: An OAuth2Decorator

oauth2client.contrib.appengine.xsrf_secret_key()[source]

Return the secret key for use for XSRF protection.

If the Site entity does not have a secret key, this method will also create one and persist it.

Returns:The secret key.