Metadata-Version: 2.1
Name: alf-auth0
Version: 0.8.1
Summary: OAuth Client adapted to work with Auth0
Home-page: https://github.com/globocom/alf
Author: Globo.com
Author-email: timecore@corp.globo.com
License: MIT
Keywords: oauth client client_credentials requests auth0
Platform: UNKNOWN
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.3
Requires-Dist: requests (>=1.2.3)

alf-auth0  
===

.. image:: https://travis-ci.org/globocom/alf.svg?branch=master
    :target: https://travis-ci.org/globocom/alf

Python OAuth 2 Client
---------------------

`alf` is an OAuth 2 Client based on `requests.Session
<http://docs.python-requests.org/en/latest/user/advanced/#session-objects>`_
with seamless support for the `Client Credentials Flow
<http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-1.3.4>`_.

.. image:: /assets/alf.jpeg?raw=true

Features
--------

* Automatic token retrieving and renewing
* Token expiration control
* Automatic token storage
* Automatic retry on status 401 (UNAUTHORIZED)
* Works with Auth0 Client Credentials Flow

Usage
-----

Initialize the client and use it as a `requests.Session
<http://docs.python-requests.org/en/latest/user/advanced/#session-objects>`_
object.

.. code-block:: python

    from alf.client import Client

    alf = Client(
        token_endpoint='http://example.com/token',
        client_id='client-id',
        client_secret='secret')

    resource_uri = 'http://example.com/resource'

    alf.put(
        resource_uri, data='{"name": "alf"}',
        headers={'Content-Type': 'application/json'})

    alf.get(resource_uri)

    alf.delete(resource_uri)

Using your custom token storage
-------------------------------

Now passing an object with get and set attributes you can store or retrieve a token.

This object can be a Redis, Memcache or your custom object.

.. code-block:: python

    from alf.client import Client
    from redis import StrictRedis

    redis = StrictRedis(host='localhost', port=6379, db=0)

    alf = Client(
        token_endpoint='http://example.com/token',
        client_id='client-id',
        client_secret='secret',
        token_storage=redis)

    resource_uri = 'http://example.com/resource'

    alf.put(
        resource_uri, data='{"name": "alf"}',
        headers={'Content-Type': 'application/json'})

    alf.get(resource_uri)

    alf.delete(resource_uri)


Using alf with Auth0
-------------------------------

For the Client to work with Auth0 you need to initialize it with
``audience`` and ``token_default_expire_in``.  

Auth0 is not returning ``expires_in`` when you call authentication endpoint. As a result you should
set ``token_default_expire_in`` as the same value (or a bit smaller, to be safe) that you 
have set it in Auth0 management console > APIs > <your_api_name> > Settings > 
Token Expiration (Seconds) field   

``Audience`` should be set as your API Identifier in Auth0.

.. code-block:: python

    from alf.client import Client

    alf = Client(
        token_endpoint='http://example.com/token',
        audience='http://api.example.com/my-api/',
        token_default_expire_in=86400
        client_id='client-id',
        client_secret='secret')

    resource_uri = 'http://example.com/resource'


How does it work?
-----------------

Before the request, a token will be requested on the authentication endpoint
and a JSON response with the ``access_token`` and ``expires_in`` keys will be
expected.

Multiple attempts will be issued after an error response from the endpoint if
the ``token_retries`` argument is used. Check `token-retrying`_ for more info.

``alf`` keeps the token until it is expired according to the ``expires_in``
value.

The token will be used on a `Bearer authorization
header <http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-7.1>`_ for
the original request.

.. code-block::

    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: Bearer token-12312

If the request fails with a 401 (UNAUTHORIZED) status, a new token is retrieved
from the endpoint and the request is retried. This happens only once, if it
fails again the error response is returned.

The token will be reused for every following request until it is expired.


.. _token-retrying:

Token Retrying
--------------

The client supports the `retry interface from urllib3 <https://urllib3.readthedocs.org/en/latest/helpers.html?highlight=retry#module-urllib3.util.retry>`_ to repeat attempts to
retrieve the token from the endpoint.

The following code will retry the token request 5 times when the response status
is 500 and it will wait 0.3 seconds longer after each error (known as
`backoff <https://en.wikipedia.org/wiki/Exponential_backoff>`_).

.. code-block:: python

    from requests.packages.urllib3.util import Retry
    from alf.client import Client

    alf = Client(
        token_endpoint='http://example.com/token',
        client_id='client-id',
        client_secret='secret',
        token_retry=Retry(total=5, status_forcelist=[500], backoff_factor=0.3))

Workflow
--------

.. image:: /assets/workflow.png?raw=true

Troubleshooting
---------------

In case of an error retrieving a token, the error response will be returned,
the real request won't happen.


Related projects
----------------

`djalf <https://github.com/viniciuschagas/djalf>`_
''''''''''''''''''''''''''''''''''''''''''''''''''

An extended client that uses Django's cache backend to share tokens between
server instances.


`tornado-alf <https://github.com/globocom/tornado-alf>`_
''''''''''''''''''''''''''''''''''''''''''''''''''''''''

A port of the `alf` client using tornado's `AsyncHTTPClient`.


