Consuming HTTP Services in Python Transcripts
Chapter: Accessing authenticated HTTP services
Lecture: Introduction to authenticated services

0:01 We've made our way to the authentication section of this course,
0:04 so most of the services that we want to work with that are really interesting
0:09 are about personal data or private data, think of the Basecamp example
0:14 that we looked at, or GitHub or something like that,
0:17 maybe some of that data is public but the really interesting stuff,
0:19 especially if you want to make modifications
0:22 requires some sort of sign-in and authentication.
0:24 So we are going to talk about that throughout this chapter,
0:26 now, what are the options, for authentication,
0:29 well, we've seen some really simple ones, we could do nothing
0:33 that works pretty well, provided that the service didn't require us to log in.
0:37 We are going to see how we can do username, password,
0:40 authentication which is a very common type of authentication,
0:44 maybe another that is worth mentioning, although it's really simple,
0:48 we probably won't cover too much on it,
0:51 is just adding like an access token as a header value as well,
0:55 so I kind of consider that close to username and passwords,
0:57 so they are similar but not exactly the same,
1:00 and then we have other types of authentication as well,
1:04 we've got OAuth, OpenID, we have certificate-based authentication
1:07 so you can take like an X.509 certificate type thing and send that
1:11 as a client certificate and the server might only let you in if it trusts your certificate,
1:16 we even have like custom authentication scheme,
1:19 let's call this function with your username and password,
1:22 you got a token back and you use that token for the rest of the request or whatever,
1:25 right, I don't really know how to tell you to work with that one,
1:28 because that is totally custom, but we've done none,
1:30 now we are going to focus on usernames and passwords,
1:33 if you want to look at these other ones, there is some references here
1:36 like the OAuth one, there is a requests-oauthlib, this one seems to be active,
1:42 it works on both versions of Python and so on,
1:45 similarly, there is a number for OpenID, number of libraries,
1:48 and some of them be careful they don't support Python 3,
1:51 they are only Python 2, and they are kind of outdated,
1:54 but this one pyoidc seems to be good
1:57 for supporting both Python 2 and Python 3 and is active,
2:00 and they say the full implementation of OpenID
2:03 also includes as a subset an implementation of OAuth,
2:07 so that one might work well for you and then
2:10 here is the certificate documentation showing you how to do this with requests,
2:13 alright, finally, before we get into it, let's just realize that
2:17 authentication is not all of security, we have authentication,
2:20 we have authorization and we have auditing, so the three As of security,
2:24 right now we are just focusing on proving to the server who we are,
2:28 but it's up to the server to decide well, given that I know who you are,
2:32 what can you do: authorization, and logging and auditing of what did you do.
2:37 The 3 As while they are great, don't cover everything,
2:42 be sure to consider privacy running your services
2:45 only talking to services over SSL and the services if you are controlling them
2:48 obviously you need to validate their data, anything coming in over our service
2:52 should be totally untrusted and maybe even to a lesser degree
2:55 how much do you trust what comes back from that service.
2:58 With all that laid out, let's get started to see
3:01 how we can do authentication in our services.