Notes on Google Authentication with Flask

There are many ways to set up Google Authentication with Flask. I found 3 self-contained guides using completely different methods, and I played with all 3 to find their strong points and problems. This blog documents those observations:
    1. Create a Flask Application With Google Login
      • Why you should try this:
        • good explanations that help you understand the OAuth workflow
        • part of Real Python's larger Flask tutorial. Although I did not use it, it might be good to see how it fits into the larger framework
        • uses [flask-login](https://github.com/maxcountryman/flask-login) module which counts Flask personalities like David Baumgold and Miguel Grinberg as contributors, so current implementation as well as future developments are/will be tightly integrated with the Flask framework
      • Why you might not end up using this implementation:
        • simpler than Matt Button's implementation (the next option) but still complicated
        • use of custom database classes (instead of Flask's models.py framework) adds to loose ends you have tidy up when using in your own project
    2. Google Authentication with Python and Flask
      • Why you should try this:
        • written for applications that use the larger Google API ecosystem using Google Drive as example. So if (1) your requirement is specifically Flask-Google interoperability or if you (2) just want to learn more than just OAuth, then this tutorial is made for you
      • Why you might not end up using this implementation:
        • this is the most complex implementation out of these three guides, even though it uses Authlib, which, as you will see in the next point, is a breeze even compared to other Flask plugins/extensions. Perhaps it's not the implementation but the tutorial that is not well composed
        • does not touch upon database/model integration
        • steps are clearly enunciated, but there are no explanations or discussions around what is being done. If you like mechanical step-by-step guides (I do sometimes, when I already understand the larger idea and want to know the specifics)
    3. Hsiaoming Yang's Authlib project This is not a tutorial or guide at all! There are no instructions, no discussions, and no larger context or project which add color to this guide. It's just one file of code, that too just 33 sloc (plus a config file) But ...
      • Why you should try this:
        • Pythonic Code - crisply written python code that speaks so clearly for itself that you don't even need comments
        • it shows exactly what needs to be done how, without any distraction
        • minimalism of the code makes it a cake to insert the right pieces in the right places of an existing project
      • Why you might not end up using this should also read the above implementations:
        • you will probably use this code, even if you follow Matt Button's tutorial, since that too uses Authlib
        • but you should read and try out the first two tutorials first. It's always better to learn about a concept in certain contexts, so that not only is adapting them to your immediate needs is easy, but also if a related context arises in the future, you will be more likely to recall the concept, and thus the solution.


    IMPORTANT

    1. If you have a bevy of users for different processes, especially in production (as you should), you might face some trouble storing security codes as environment variables. For example, you may commit GOOGLE_CLIENT_SECRET as environment variable from terminal manually, but the project runs as a different user, and therefore doesn't have access to os.environ.get("GOOGLE_CLIENT_SECRET", None).

    2. None of the guides emphasise on the importance of secret keys for Flask sessions. Do NOT forget to use a foolproof method of generating the secret key (like the subheading *How to generate good secret keys* on this page: https://flask.palletsprojects.com/en/1.0.x/quickstart/#sessions), and read this blog by Martin Fowler to understand why session secrets are so critical.

    Location: Gurugram, Haryana, India

    Comments

    Post a Comment

    Popular posts from this blog

    Hello Website

    This entry is relevant to the older method of hosting this blog. I have moved to Blogger.com since then, but keeping this note just in case/archival purposes. This website is a Lektor creation. It was created by Armin Ronacher, and you can read more about the anecdote for it here . My own personal website has been vagrant, sometimes a plain HTML sitting in Web 1.0 hosting service, just a sandbox for AJAX/MySQL scripts. The last avatar was a Gatsby (nodejs) static website served out of this very GitHub. But given my aversion to all forms and manners of JS frameworks, I went looking for the following: a simple site that can be regularly updated but doesn't need a complex CMS and can be hosted for free bonus marks if interesting to use Lektor checks all the boxes since it spins out a static site that has a simple blogging feature but works from my laptop (pseudo CMS) and saves output to GitHub bonus marks since it's a nifty use of Python Flask The author of...
    Read more

    Notes on Flask

    Flask with AJAX For those well versed with Flask and AJAX this is nothing new, but for newcomers to both/either, the following code snippet is a quick start introduction to using AJAX with Flask on their websites. Python Flask + JavaScript XMLHttpRequest. There are a large number of tutorials and examples out there, but this one helped me the most because of its simplicity. It uses plain JavaScript instead of JQuery or any other framework, and given my incremental style of development, and "Mistake Driven Learning" style of learning, this was my starting point for the MarketDB project. Eschewing JSON In the current stage, I am avoiding using JSON as much as possible for three conscious reasons: (1) less learning required to handle JSON in JavaScript and Python. I know this is just laziness, and I already do know the basics of JSON in both languages, but using it in a production project requires deeper dive into the standards, which is really not necessary. Lists suffice for ...
    Read more

    Why B̶l̶o̶g̶ Write?

    Was reading Sharma Radhakrishna Venkataramanan's blog and in one entry he asks "why Blog?" His answer is that "writing is a window to the workings of a person's mind," drawing on a few anecdotes. One of the anecdotes is about rediscovering something about his grandfather that his 7 year old self could never have. This threw me on a tangent and I pieced together something my Cousins' Grandfather told me. (As a child he had run away from his village home in pre-independence India, lived on the footpaths of Lucknow while attending school, and -- to cut a long story short -- ended up a professor of literature at Kanpur University. We all looked up to him.) Only times when I met him would be if our visits to that Aunt's home coincided. For a short period the frequency was enough to allow one routine: he would give me one life lesson or instruction. One, and no more. Of these, there's one that stands out and hasn't faded with memory. He said: Writ...
    Read more