changed google auth to use openid2.0, fixes #68

2b4c0b35 · Ben Adida · d5775a0e · 2b4c0b35 · 2b4c0b35 · 2b4c0b35
Commit 2b4c0b35 authored 10 years ago by Ben Adida
--- a/helios_auth/auth_systems/google.py
+++ b/helios_auth/auth_systems/google.py
@@ -7,41 +7,53 @@ from django.http import *
 from django.core.mail import send_mail
 from django.conf import settings

+import httplib2,json
+
 import sys, os, cgi, urllib, urllib2, re
-from xml.etree import ElementTree

-from openid import view_helpers
+from oauth2client.client import OAuth2WebServerFlow

 # some parameters to indicate that status updating is not possible
 STATUS_UPDATES = False

 # display tweaks
 LOGIN_MESSAGE = "Log in with my Google Account"
-OPENID_ENDPOINT = 'https://www.google.com/accounts/o8/id'

-# FIXME!
-# TRUST_ROOT = 'http://localhost:8000'
-# RETURN_TO = 'http://localhost:8000/auth/after'
+def get_flow(redirect_url=None):
+  return OAuth2WebServerFlow(client_id=settings.GOOGLE_CLIENT_ID,
+            client_secret=settings.GOOGLE_CLIENT_SECRET,
+            scope='profile email',
+            redirect_uri=redirect_url)

 def get_auth_url(request, redirect_url):
-  # FIXME?? TRUST_ROOT should be diff than return_url?
-  request.session['google_redirect_url'] = redirect_url
-  url = view_helpers.start_openid(request.session, OPENID_ENDPOINT, redirect_url, redirect_url)
-  return url
+  flow = get_flow(redirect_url)
+
+  request.session['google-flow'] = flow
+  return flow.step1_get_authorize_url()

 def get_user_info_after_auth(request):
-  data = view_helpers.finish_openid(request.session, request.GET, request.session['google_redirect_url'])
+  flow = request.session['google-flow']
+  code = request.GET['code']
+  credentials = flow.step2_exchange(code)

-  if not data.has_key('ax'):
-    return None
+  # the email address is in the credentials, that's how we make sure it's verified
+  id_token = credentials.id_token
+  if not id_token['email_verified']:
+    raise Exception("email address with Google not verified")
+   
+  email = id_token['email']
+
+  # get the nice name
+  http = httplib2.Http(".cache")
+  http = credentials.authorize(http)
+  (resp_headers, content) = http.request("https://www.googleapis.com/plus/v1/people/me", "GET")
+
+  response = json.loads(content)

-  email = data['ax']['email'][0]
+  name = response['displayName']
  
-  # do we have a firstname/lastname?
-  if data['ax'].has_key('firstname') and data['ax'].has_key('lastname'):
-    name = "%s %s" % (data['ax']['firstname'][0], data['ax']['lastname'][0])
-  else:
-    name = email
+  # watch out, response also contains email addresses, but not sure whether thsoe are verified or not
+  # so for email address we will only look at the id_token
  
  return {'type' : 'google', 'user_id': email, 'name': name , 'info': {'email': email}, 'token':{}}
    

--- a/requirements.txt
+++ b/requirements.txt
@@ -23,3 +23,4 @@ bleach==1.4
 boto==2.27.0
 django-ses==0.6.0
 validate_email==1.2
+oauth2client==1.2
\ No newline at end of file
--- a/settings.py
+++ b/settings.py
@@ -200,6 +200,10 @@ HELIOS_PRIVATE_DEFAULT = False
 AUTH_ENABLED_AUTH_SYSTEMS = get_from_env('AUTH_ENABLED_AUTH_SYSTEMS', 'google').split(",")
 AUTH_DEFAULT_AUTH_SYSTEM = get_from_env('AUTH_DEFAULT_AUTH_SYSTEM', None)

+# google
+GOOGLE_CLIENT_ID = get_from_env('GOOGLE_CLIENT_ID', '')
+GOOGLE_CLIENT_SECRET = get_from_env('GOOGLE_CLIENT_SECRET', '')
+
 # facebook
 FACEBOOK_APP_ID = get_from_env('FACEBOOK_APP_ID','')
 FACEBOOK_API_KEY = get_from_env('FACEBOOK_API_KEY','')