Consuming HTTP Services in Python Transcripts
Chapter: Accessing authenticated HTTP services
Lecture: Introduction to authenticated services
0:01
We've made our way to the authentication section of this course, so most of the services that we want to work with that are really interesting
0:10
are about personal data or private data, think of the Basecamp example that we looked at, or GitHub or something like that,
0:18
maybe some of that data is public but the really interesting stuff, especially if you want to make modifications
0:23
requires some sort of sign-in and authentication. So we are going to talk about that throughout this chapter,
0:27
now, what are the options, for authentication, well, we've seen some really simple ones, we could do nothing
0:34
that works pretty well, provided that the service didn't require us to log in. We are going to see how we can do username, password,
0:41
authentication which is a very common type of authentication, maybe another that is worth mentioning, although it's really simple,
0:49
we probably won't cover too much on it, is just adding like an access token as a header value as well,
0:56
so I kind of consider that close to username and passwords, so they are similar but not exactly the same,
1:01
and then we have other types of authentication as well, we've got OAuth, OpenID, we have certificate-based authentication
1:08
so you can take like an X.509 certificate type thing and send that
1:12
as a client certificate and the server might only let you in if it trusts your certificate, we even have like a custom authentication scheme,
1:20
let's call this function with your username and password, you get a token back and you use that token for the rest of the request or whatever,
1:26
right, I don't really know how to tell you to work with that one, because that is totally custom, but we've done none,
1:31
now we are going to focus on usernames and passwords, if you want to look at these other ones, there are some references here
1:37
like the OAuth one, there is requests-oauthlib, this one seems to be active, it works on both versions of Python and so on,
1:46
similarly, there are a number for OpenID, a number of libraries, and some of them, be careful, they don't support Python 3,
1:52
they are only Python 2, and they are kind of outdated, but this one pyoidc seems to be good for supporting both Python 2 and Python 3 and is active,
2:01
and they say the full implementation of OpenID also includes as a subset an implementation of OAuth, so that one might work well for you and then
2:11
here is the certificate documentation showing you how to do this with requests, alright, finally, before we get into it, let's just realize that
2:18
authentication is not all of security, we have authentication, we have authorization and we have auditing, so the three As of security,
2:25
right now we are just focusing on proving to the server who we are, but it's up to the server to decide well, given that I know who you are,
2:33
what can you do, authorization, and logging and auditing of what did you do. The 3 As, while they are great, don't cover everything,
2:43
be sure to consider privacy, running your services only talking to services over SSL, and the services, if you are controlling them,
2:49
obviously you need to validate their data, anything coming in over our service should be totally untrusted and maybe even to a lesser degree
2:56
how much do you trust what comes back from that service. With all that laid out, let's get started to see how we can do authentication in our services.