Created March 24, 2022 15:51
A demonstration of a client requesting a token, and the resource server consuming it
"""
The following shows how the scope created in the earlier example can be used between a
client and a server. First the client needs to log in with the custom scope defined earlier.
Globus Auth then issues the client an access token which can only be used with the service
that owns the scope.

When a client sends a request to the service, the server does two things:

1. Introspects the token to ensure the request is valid (in scope, user has permission, etc.)
2. Uses the Dependent Token Grant to get user access tokens.

The access tokens procured in step 2 can be used for actions on behalf of the user.
"""
import os
import pprint

import globus_sdk
# pip install fair-research-login
import fair_research_login

client_id = os.getenv('CLIENT_ID')
client_secret = os.getenv('CLIENT_SECRET')
if not client_id or not client_secret:
    raise Exception('You need to set your client id and secret. Use the following: \n'
                    'export CLIENT_ID=my-client-id\n'
                    'export CLIENT_SECRET=my-secret')

"""
CLIENT CODE

This is an example of a Globus Client using the scope created in the previous example
"""
my_scope = f'https://auth.globus.org/scopes/{client_id}/genepattern_transfer'
# Note the different client ID. This is a separate Globus App requesting a scope from another
# Globus App. The client may *only* send tokens to services which own the corresponding scope.
# Apps *must not* share tokens with resource servers that are not the scope owners.
client = fair_research_login.NativeClient(client_id='7414f0b4-7d05-4bb6-bb00-076fa3f17cf5')
tokens = client.login(requested_scopes=my_scope)
# Tokens are keyed by resource server, which here is the service's client ID.
client_access_token = tokens[client_id]["access_token"]
# Printed for demonstration only; a bearer token should not be written to logs.
print(f'User access token is: {client_access_token}')

"""
SERVICE CODE

The client will use the bearer token above in a request to the service. The service will
introspect the token to ensure validity, then use the dependent token grant to get a user
transfer token.
"""
server_client = globus_sdk.ConfidentialAppAuthClient(client_id, client_secret)
# Server should verify the token information with Globus Auth
introspection = server_client.oauth2_token_introspect(client_access_token)
pprint.pprint(introspection.data)

# Server can then get dependent tokens from Globus Auth for other Globus Services
dependent_tokens = server_client.oauth2_get_dependent_tokens(client_access_token)
pprint.pprint(dependent_tokens.data)

# Server can now proceed with server-related activity.
# Index 0 is used as the Transfer token, so the first dependent token must be the Transfer one.
authorizer = globus_sdk.AccessTokenAuthorizer(dependent_tokens[0]['access_token'])
transfer_client = globus_sdk.TransferClient(authorizer=authorizer)
transfer_data = globus_sdk.TransferData(
    transfer_client,
    'ddb59aef-6d04-11e5-ba46-22000b92c6ec',  # Tutorial collection 1
    'ddb59af0-6d04-11e5-ba46-22000b92c6ec',  # Tutorial collection 2
)
# This transfer takes place as the 'user', and will show up in their activity page
transfer_data.add_item('/share/godata', '~/', recursive=True)
response = transfer_client.submit_transfer(transfer_data)
pprint.pprint(response.data)
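
An added example, not part of the original gist: one way the service could act on the introspection response before requesting dependent tokens, rather than only printing it. The field names (`active`, `aud`, `scope`, `exp`, `sub`) are the RFC 7662 ones; the client ID, user ID and sample responses are constructed, and `validate_introspection` and `check` are hypothetical helpers.

```python
import time

# Hypothetical values for illustration (not from the original gist).
SERVICE_CLIENT_ID = "00000000-0000-4000-8000-000000000000"
REQUIRED_SCOPE = f"https://auth.globus.org/scopes/{SERVICE_CLIENT_ID}/genepattern_transfer"

class TokenRejected(Exception):
    """The introspection response must not be trusted for this request."""

def validate_introspection(data, service_client_id, required_scope, now=None):
    """Return the token subject if the response is acceptable, else raise TokenRejected."""
    now = time.time() if now is None else now
    # RFC 7662: an inactive token's response carries no other usable claims.
    if data.get("active") is not True:
        raise TokenRejected("inactive")
    # The token must name this service as audience, not some other resource server.
    aud = data.get("aud") or []
    if isinstance(aud, str):
        aud = [aud]
    if service_client_id not in aud:
        raise TokenRejected("wrong audience")
    # "scope" is space-delimited; match whole scope strings, never substrings.
    if required_scope not in (data.get("scope") or "").split():
        raise TokenRejected("missing scope")
    exp = data.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired")
    if not data.get("sub"):
        raise TokenRejected("no subject")
    return data["sub"]

def check(data, now):
    """Map a response to 'ok:<sub>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_introspection(data, SERVICE_CLIENT_ID, REQUIRED_SCOPE, now)
    except TokenRejected as err:
        return f"rejected:{err}"

# Constructed sample responses (not real Globus Auth output).
NOW = 1_700_000_000
GOOD = {"active": True, "aud": [SERVICE_CLIENT_ID], "scope": REQUIRED_SCOPE,
        "exp": NOW + 3600, "sub": "constructed-user-id"}
SAMPLES = {
    "good": GOOD,
    "inactive": {"active": False},
    "other_service": {**GOOD, "aud": ["11111111-1111-4111-8111-111111111111"]},
    "lookalike_scope": {**GOOD, "scope": REQUIRED_SCOPE + "_admin"},
    "expired": {**GOOD, "exp": NOW - 1},
}
```

In the gist's flow, `introspection.data` would be passed to `validate_introspection` and the dependent token grant would run only if it returns.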