This is the eighth part of a tutorial series by Ben Finkel that addresses the challenges, solutions and implementation of sound authentication. By the end you will feel confident in your ability to implement an authentication system, even with little or no background.
We could stop here, since we are now authenticating with Google as our provider. But we may not want to force our users onto Google; we want to offer them options. (If Google were the only provider we wanted, we could have used the Google Identity Platform API library instead and saved a lot of time.)
Let’s be a little more hip by offering GitHub as an option for authentication. If we have done our work properly, it should be as easy as:
Copying the googleOAuth.py file and adjusting the details to make it work for GitHub.
Adding the function calls at the top of the oAuth.py file.
By the way, here is the starting page for developing OAuth apps on GitHub: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/
The GitHub implementation
Let’s take a look at the changes we will need to make in order to implement GitHub. After creating a copy of the googleOAuth.py file and naming it “githubOAuth.py”, we will need to:
1. Obtain a new client_id and client_secret from GitHub. These values are unique to each app and provider, so GitHub must provide a way for us to generate them. The documentation linked above leads us here: https://github.com/login.
Note: we still set the callback to our appspot URL because that is where our application is running. GitHub will provide a client id and secret once you have completed this process.
2. Next, we will need to update the endpoints for GitHub. We know that we will need a grant auth endpoint and an access token exchange endpoint; the specifics of obtaining identity information are covered later. The endpoints for GitHub are documented on the developer OAuth page linked earlier: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/.
Grant Token: https://github.com/login/oauth/authorize (See Step 1)
Access Token: https://github.com/login/oauth/access_token (See Step 2)
3. This page also outlines the values we must supply for each call. Grant Auth requires a client_id, a redirect_uri, a scope, and optionally state (which we will use). Update your query_auth table by removing the ‘response_type’ variable and changing the scope to the appropriate value. According to GitHub’s scope documentation, “user:email” will allow access to the user’s email addresses.
For the access token exchange we will need to remove the ‘grant_type’ parameter, and we will also need a change in order to get JSON back from GitHub (see step 4). Both changes are made in the GetAccessToken call later.
4. Next, we will update our calls. SignIn does not need to be modified, but the function that obtains the access token will. To get JSON back, we only need to add a header value to the call that exchanges the code for an access token (or adjust the function to accept the different response format GitHub returns by default). Identity information, however, comes from GitHub’s REST API. GitHub details this in its API reference and gives the base endpoint for its APIs as: https://api.github.com/.
This base URL is appended with the user/emails endpoint documented on that page; we have updated our endpoint_email in the script accordingly.
The example user object in the documentation shows how the JSON will be returned: we get a list of email entries, one of which is flagged as the “primary.”
5. Finally, we’ll
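The GitHub-specific pieces from steps 2 to 4, collected as an added Python example (this is not the tutorial’s own githubOAuth.py): the grant URL without response_type, a state value that is checked on the callback, the token exchange with the Accept header that makes GitHub answer in JSON, and selection of the primary address from the user/emails list. Function names, the injectable `post` callable and the `verified` check are this example’s own assumptions.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

# Endpoints from step 2, plus the user/emails endpoint under api.github.com (step 4).
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token"
EMAILS_URL = "https://api.github.com/user/emails"

def new_state():
    """Unguessable state: keep it in the session and compare it on the callback."""
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id, redirect_uri, state, scope="user:email"):
    """Grant step. Unlike Google, GitHub takes no response_type parameter."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)

def code_from_callback(callback_url, expected_state):
    """Return the code from the redirect only if state matches what we issued."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding this callback")
    return params["code"][0]

def _http_post(url, body, headers):
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req) as resp:
        return resp.read().decode()

def exchange_code(client_id, client_secret, code, redirect_uri, post=_http_post):
    """Access-token step: no grant_type, and Accept: application/json so
    GitHub answers with JSON instead of a form-encoded string."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "redirect_uri": redirect_uri}).encode()
    raw = post(ACCESS_TOKEN_URL, body, {"Accept": "application/json"})
    payload = json.loads(raw)
    if "access_token" not in payload:
        raise RuntimeError(payload.get("error", "token exchange failed"))
    return payload["access_token"]

def primary_email(emails):
    """Pick the address GitHub flags as primary from the user/emails list;
    requiring verified=True is an added check beyond what the tutorial does."""
    for entry in emails:
        if entry.get("primary") and entry.get("verified"):
            return entry["email"]
    raise LookupError("account has no verified primary email")
```

To finish step 4, GET EMAILS_URL with an Authorization header carrying the token and pass the parsed JSON list to primary_email().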