oauth1.0 with username and password in python

Question

I am trying to integrate qwikcilver API in my project. They are using oauth1.0 for authentication. I am using requests-oauthlib python lib for oauth1.0.
Here is my code for authentication.

# Using OAuth1Session
oauth = OAuth1Session(client_key, client_secret=client_secret)
fetch_response = oauth.fetch_request_token(request_token_url)
{
    "oauth_token": "Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik",
    "oauth_token_secret": "Kd75W4OQfb2oJTV0vzGzeXftVAwgMnEK9MumzYcM"
}
resource_owner_key = fetch_response.get('oauth_token')
resource_owner_secret = fetch_response.get('oauth_token_secret')

My query is as following,
qwikcilver has username and password. I tried lot to send username and password in code but not working.

How to pass username and password in requests-oauthlib request function?

Answer 1

Im adding an example with a post body. This is a simple example using a request/post with a "Plain Old XML" (POX) pattern:

from requests_oauthlib import OAuth1Session
   
CONSUMER_KEY = "xxxxxxx"
CONSUMER_SECRET = "xxxxxxx"

ourSession = OAuth1Session(CONSUMER_KEY, client_secret=CONSUMER_SECRET, force_include_body=True)

body= '<?xml version="1.0" encoding="UTF-8"?>' \
   '<POXEnvelopeRequest xmlns="http://whateve">' \
   '<POXHeader>' \
   ' <RequestHeaderInfo>' \
      .   .   .   .
   ' </RequestHeaderInfo>' \
   '</POXHeader>'   \
   '</POXEnvelopeRequest>'

clen = str(len(body))

headers = {
 'Accept': '*/*',
 'Accept-Encoding': 'gzip, deflate, br',
 'Host': 'X.Y.com',
 'Content-Type': 'application/xml',
 'Connection': 'keep-alive',
 'Content-Length': clen
}

r = ourSession.post(url, headers=headers, data=body, verify=False)

# DEBUG: Comment out in and out as needed... 
print("===================== B E G I N    R E S P O N S E =======================\n")
print(r)
print(r.text)
print("===================== E N D    of  R E S P O N S E =======================\n")

Answer 2

Check with qwikcilver (whatever that is) if they have provision to generate token and authorize. If so, you can use the token as a part of the header and invoke the APIs. If that is not there, check if they allow 2-legged calls. Such services usually do not allow 2-legged calls for general users however.

For a 3-legged call, you may need a browser to complete Authorization.

In your code, you have invoked Request Token and you are trying to use it to gain access to service. Which will not work. Request Token is just a provisional token which has to be Authorized. Request Tokens cannot be used for such API calls. It will not work. After Authorization, you will need to invoke Access Token API to get your actual token - which can be used to gain access to the services you are authorized to.

In short, this is the process

1) Request Token >> 2) Authorize >> 3) Access Token

This is the flow. A sample in Python

oauth1Session = OAuth1Session(clientKey, clientSecret)

def requestToken(self):
    requestTokenResponse = oauth1Session.fetch_request_token(oauth1RequestTokenUrl, realm)

    token = requestTokenResponse.get('oauth_token')
    secret = requestTokenResponse.get('oauth_token_secret')

    return (token, secret)

def authorize(self, token):
    authUrl = oauth1Session.authorization_url(oauth1AuthorizeUrl, token)
    print (authUrl)

    #########
    # THIS IS WHERE YOU NEED THE BROWSER. 
    # You visit authUrl and login with your Username and Password. 
    # This will complete Authorization

    return authUrl

def accessToken(self):
    accessTokenResponse = oauth1Session.fetch_access_token(oauth1AccessTokenUrl)

    print (accessTokenResponse) 

    #########
    #accessTokenResponse contains your actual token
    #

For the browser part - you can try Chromium bindings for Python (there are few who have tried it before - for example this one https://github.com/cztomczak/cefpython). There are other options such as using your default installed browser and other such. Choose whatever works for you.

Once you have that in place - you may programatically visit the URL (authUrl) and once authorized (login, then 'allow') - you may be redirected to a callback (which you specified in case of OAuth1) with the "code" query string. This is the Authorization Code.

Once you have the authorization code, you may close the browser window and invoke the Get Access Token call (fetch_access_token).

Hope this helps !