@NickolausDS
Created March 24, 2022 15:51
A demonstration of a client requesting a token, and the resource server consuming it
"""
The following shows how the scope created in the earlier example can be used between a
client and a server. First the client needs to log in with the custom scope defined earlier.
Globus Auth then issues the client an access token which can only be used with the service
that owns the scope.
When a client sends a request to the service, the server does two things:
1. Introspects the token to ensure the request is valid (in scope, user has permission, etc.)
2. Uses the Dependent Token Grant to get user access tokens.
The access tokens procured in step 2 can be used for actions on behalf of the user.
"""
import os
import pprint
import globus_sdk
# pip install fair-research-login
import fair_research_login
client_id = os.getenv('CLIENT_ID')
client_secret = os.getenv('CLIENT_SECRET')
if not client_id or not client_secret:
    raise Exception('You need to set your client id and secret. Use the following: \n'
                    'export CLIENT_ID=my-client-id\n'
                    'export CLIENT_SECRET=my-secret')
"""
CLIENT CODE
This is an example of a Globus Client using the scope created in the previous example
"""
my_scope = f'https://auth.globus.org/scopes/{client_id}/genepattern_transfer'
# Note the different client ID. This is a separate Globus App requesting a scope from another
# Globus App. The client may *only* send tokens to services which own the corresponding scope.
# Apps *must not* share tokens with resource servers that are not the scope owners.
client = fair_research_login.NativeClient(client_id='7414f0b4-7d05-4bb6-bb00-076fa3f17cf5')
tokens = client.login(requested_scopes=my_scope)
client_access_token = tokens[client_id]["access_token"]
print(f'User access token is: {client_access_token}')
"""
SERVICE CODE
The client will use the bearer token above in a request to the service. The service will
introspect the token to ensure validity, then use the dependent token grant to get a user
transfer token.
"""
server_client = globus_sdk.ConfidentialAppAuthClient(client_id, client_secret)
# Server should verify the token information with Globus Auth
introspection = server_client.oauth2_token_introspect(client_access_token)
pprint.pprint(introspection.data)
# Server can then get dependent tokens from Globus Auth for other Globus Services
dependent_tokens = server_client.oauth2_get_dependent_tokens(client_access_token)
pprint.pprint(dependent_tokens.data)
# Server can now proceed with server-related activity:
authorizer = globus_sdk.AccessTokenAuthorizer(dependent_tokens[0]['access_token'])
transfer_client = globus_sdk.TransferClient(authorizer=authorizer)
transfer_data = globus_sdk.TransferData(
    transfer_client,
    'ddb59aef-6d04-11e5-ba46-22000b92c6ec',  # Tutorial collection 1
    'ddb59af0-6d04-11e5-ba46-22000b92c6ec',  # Tutorial collection 2
)
# This transfer takes place as the 'user', and will show up in their activity page
transfer_data.add_item('/share/godata', '~/', recursive=True)
response = transfer_client.submit_transfer(transfer_data)
pprint.pprint(response.data)
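
The service code above prints the introspection result but does not act on it. The following is an added example, not part of the original gist, of one way a service could check that result before calling the Dependent Token Grant. It assumes the response is a dict with RFC 7662 field names and that the service's client ID appears in `aud`; `validate_introspection`, `TokenRejected`, `verdict` and all sample values are hypothetical.

```python
import time


class TokenRejected(Exception):
    """The introspected token must not be honoured by this service."""


def validate_introspection(data, service_client_id, required_scope, now=None):
    """Return the token subject if the introspection result is acceptable.

    Assumes `data` is the response as a dict with RFC 7662 field names
    (active, aud, scope, exp, sub) and that the service's client ID is in `aud`.
    """
    now = time.time() if now is None else now
    if data.get("active") is not True:
        raise TokenRejected("inactive")        # expired, revoked or unknown token
    aud = data.get("aud") or []
    if isinstance(aud, str):
        aud = [aud]
    if service_client_id not in aud:
        raise TokenRejected("wrong audience")  # minted for another resource server
    if required_scope not in (data.get("scope") or "").split():
        raise TokenRejected("missing scope")   # scope is a space-separated string
    exp = data.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired")
    if not data.get("sub"):
        raise TokenRejected("no subject")
    return data["sub"]


def verdict(data, service_client_id, required_scope, now):
    """Map a response to 'accepted' or the rejection reason."""
    try:
        validate_introspection(data, service_client_id, required_scope, now)
        return "accepted"
    except TokenRejected as err:
        return str(err)


# Constructed sample values: not real identifiers or real Globus Auth output.
SERVICE_ID = "00000000-0000-0000-0000-000000000001"
SCOPE = f"https://auth.globus.org/scopes/{SERVICE_ID}/genepattern_transfer"
SAMPLE_OK = {"active": True, "aud": [SERVICE_ID], "scope": f"openid {SCOPE}",
             "exp": 2_000_000_000, "sub": "11111111-1111-1111-1111-111111111111"}

if __name__ == "__main__":
    for name, patch in [("ok", {}), ("revoked", {"active": False}),
                        ("other service", {"aud": ["someone-else"]})]:
        print(name, "->", verdict({**SAMPLE_OK, **patch}, SERVICE_ID, SCOPE, 1_700_000_000))
```

In the service code above, the equivalent call would pass `introspection.data`, the service's own `client_id` and `my_scope`, and would skip `oauth2_get_dependent_tokens` when `TokenRejected` is raised.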