Consuming HTTP Services in Python Transcripts
Chapter: Accessing authenticated HTTP services
Lecture: Introduction to authenticated services

0:01 We've made our way to the authentication section of this course, so most of the services that we want to work with that are really interesting
0:10 are about personal data or private data, think of the Basecamp example that we looked at, or GitHub or something like that,
0:18 maybe some of that data is public but the really interesting stuff, especially if you want to make modifications
0:23 requires some sort of sign-in and authentication. So we are going to talk about that throughout this chapter,
0:27 now, what are the options, for authentication, well, we've seen some really simple ones, we could do nothing
0:34 that works pretty well, provided that the service didn't require us to log in. We are going to see how we can do username, password,
0:41 authentication which is a very common type of authentication, maybe another that is worth mentioning, although it's really simple,
0:49 we probably won't cover too much on it, is just adding like an access token as a header value as well,
0:56 so I kind of consider that close to username and passwords, so they are similar but not exactly the same,
1:01 and then we have other types of authentication as well, we've got OAuth, OpenID, we have certificate-based authentication
1:08 so you can take like an X.509 certificate type thing and send that
1:12 as a client certificate and the server might only let you in if it trusts your certificate, we even have like custom authentication scheme,
1:20 let's call this function with your username and password, you got a token back and you use that token for the rest of the request or whatever,
1:26 right, I don't really know how to tell you to work with that one, because that is totally custom, but we've done none,
1:31 now we are going to focus on usernames and passwords, if you want to look at these other ones, there are some references here
1:37 like the OAuth one, there is a requests-oauthlib, this one seems to be active, it works on both versions of Python and so on,
1:46 similarly, there is a number for OpenID, number of libraries, and some of them, be careful, they don't support Python 3,
1:52 they are only Python 2, and they are kind of outdated, but this one pyoidc seems to be good for supporting both Python 2 and Python 3 and is active,
2:01 and they say the full implementation of OpenID also includes as a subset an implementation of OAuth, so that one might work well for you and then
2:11 here is the certificate documentation showing you how to do this with requests, alright, finally, before we get into it, let's just realize that
2:18 authentication is not all of security, we have authentication, we have authorization and we have auditing, so the three As of security,
2:25 right now we are just focusing on proving to the server who we are, but it's up to the server to decide well, given that I know who you are,
2:33 what can you do, authorization, and logging and auditing of what did you do. The 3 As, while they are great, don't cover everything,
2:43 be sure to consider privacy, running your services only talking to services over SSL, and the services, if you are controlling them,
2:49 obviously you need to validate their data, anything coming in over our service should be totally untrusted and maybe even to a lesser degree
2:56 how much do you trust what comes back from that service. With all that laid out, let's get started to see how we can do authentication in our services.

