What's it all about, Alfie?

OAuth2 Credentials into Google

I'm not a fan of OAuth2... not in the least. It's excessively complicated, it requires call-backs, and in general it's no more secure than anything else, it's just more complicated. Add to that there's no really good library for it as the Google folks keep changing things, and you have something that's always going to require hacks... always going to require fixing, and never going go provide a seamless way to authenticate on a remote system.

But that's just an opinion. I have had to make it work at The Shop, and when I finally got it to work, I wasn't about to let this evaporate into the ether... I needed to make a gist of it, and document what I was doing so that I could come back to this and be able to remember it all at a later date.

The State of OAuth2 Clojure Libraries

The first really depressing thing was that there seemed to be no decent OAuth2 libraries for Clojure. And while there seemed to be a lot of forks of the clj-oauth2 library - but many, like the original, were years old - and they didn't work. Not even close. Now I'm not silly enough to think that the spec changed, but I do believe that Google changed things on it's end to make it more secure, and in so doing, broke all the clj-oauth2 work, and it's derivatives.

Still, there is the code I can look at. And some have pulled in the features that are needed, and so it's not impossible to make this thing work... though it's likely to take a lot of time.

The `project.clj` File

When I was able to get something working, I made a gist of all the important files, so that I could include them here as reference. I also wanted to post the link to the #clojure room in IRC because one of the guys there gave me a hint as to which library to use. He wasn't right, but he was close, and that's all I needed.

The project.clj file has all the versions of the libraries I used:

(defproject bartender "1.0.0" :description "The bartender makes sure that the system is filled with data." :url "https://github.com/drbobbeaty/bartender" :license {:name "Eclipse Public License" :url "http://www.eclipse.org/legal/epl-v10.html"} :plugins [[lein-marginalia "0.7.1"]] :min-lein-version "2.3.4" :source-paths ["src"] :dependencies [[org.clojure/clojure "1.6.0"] ;; nice utilities [clj-time "0.6.0"] [org.clojure/math.numeric-tower "0.0.4"] [org.clojure/core.memoize "0.5.7"] ;; command line option processing [org.clojure/tools.cli "0.2.2"] ;; logging with log4j [log4j/log4j "1.2.16"] [org.clojure/tools.logging "0.2.6"] [robert/hooke "1.3.0"] ;; JSON parsing library [cheshire "5.3.1"] ;; nice HTTP client library [clj-http "1.0.1"] [clj-oauth2-ls "0.3.0"] ;; web server [compojure "1.1.3"] [lib-noir "0.9.5"] [ring/ring-jetty-adapter "1.1.6"] [ring.middleware.jsonp "0.1.1"]] :aot [bartender.main] :uberjar-merge-with {#"\.sql\.Driver$" [#(str (clojure.string/trim (slurp %)) "\n") str spit]} :test-selectors {:default (complement :exercise) :integration :integration :all (constantly true)} :jvm-opts ["-Xmx64m"] :main bartender.main)

What I found was that this version of clj-oauth2 had the most complete mapping of the data coming from Google, which included the expires-in time - which I think I still may be able to put to really good use soon. While it didn't have the functions to renew the access-token, it turns out that it's not hard to write, and I pulled that from another fork of the master project.

The `server.clj` File

OAuth2 still requires that the user go to Google on a redirect, and then the call-back from them is where we get the first bit of the authentication data. I'm not convinced that this is at all necessary, but it's how things are. Given that, we needed to have the server.clj have an endpoint /google that gets redirected to the right place at Google for the user to login and accept the app.

(ns bartender.server "The routes for the web server." (:require [bartender.dcm :as dcm] [bartender.util :as util] [cheshire.core :as json] [clj-time.coerce :refer [to-long from-long]] [clj-time.core :refer [now]] [clojure.tools.logging :refer [infof warn warnf error errorf]] [compojure [core :refer [defroutes GET POST DELETE PUT]] [handler :as handler]] [noir.response :refer [redirect]] [ring.middleware.jsonp :refer [wrap-json-with-padding]] [ring.middleware.params :refer [wrap-params]] [ring.util.io :refer [piped-input-stream]]) (:import [java.io BufferedWriter OutputStreamWriter IOException])) (extend-protocol cheshire.generate/JSONable org.joda.time.DateTime (to-json [t jg] (cheshire.generate/write-string jg (str t)))) (defn return-code "Creates a ring response for returning the given return code." [code] {:status code :headers {"Content-Type" "application/json; charset=UTF-8"}}) (defn return-json "Creates a ring response for returning the given object as JSON." ([ob] (return-json ob (now) 200)) ([ob lastm] (return-json ob lastm 200)) ([ob lastm code] {:status code :headers {"Content-Type" "application/json; charset=UTF-8" "Access-Control-Allow-Origin" "*" "Last-Modified" (str (or lastm (now)))} :body (piped-input-stream (bound-fn [out] (with-open [osw (OutputStreamWriter. out) bw (BufferedWriter. osw)] (let [error-streaming (fn [e] ;; Since the HTTP headers have already been sent, ;; at this point it is too late to report the error ;; as a 500. The best we can do is abruptly print ;; an error and quit. (.write bw "\n\n---BARTENDER SERVER ERROR WHILE STREAMING JSON---\n") (.write bw (str e "\n\n")) (warnf "Streaming exception for JSONP: %s" (.getMessage e)))] (try (json/generate-stream ob bw) ;; Handle "pipe closed" errors (catch IOException e (if (re-find #"Pipe closed" (.getMessage e)) (infof "Pipe Closed exception: %s" (.getMessage e)) (error-streaming e))) (catch Throwable t (error-streaming t)))))))})) (defroutes app-routes "Primary routes for the webserver." (GET "/" [] (return-json {:app "Bartender", :hello? "World!", :code (or (util/git-commit) "unknown commit")})) (GET "/heartbeat" [] (return-code 200)) ;; ;; Authentication Endpoints for DCM (Google) - these are necessary due to ;; Google's OAuth2 implementation. But as soon as we have an access-token, ;; we can use Custos Server to hold this and use it over and over. ;; (GET "/api/integration/google_auth_callback" {params :query-params} (dcm/auth-google params) (return-code 200)) (GET "/google" [] (redirect (:uri dcm/auth-req))) (GET "/token" [] (return-json @dcm/gtoken)) (GET "/re-auth" [] (dcm/re-auth-google) (return-json @dcm/gtoken)) ;; ;; ;; (GET "/cities" [] (return-json (dcm/get-cities))) ) (defn wrap-logging "Ring middleware to log requests and exceptions." [handler] (fn [req] (infof "Handling request: %s" (:uri req)) (try (handler req) (catch Throwable t (error t "Server error!") (throw t))))) (def app "The actual ring handler that is run -- this is the routes above wrapped in various middlewares." (-> app-routes wrap-json-with-padding handler/site wrap-params wrap-logging))

There is also the callback endpoint, and then a few that return the token data, and renew the token. Nothing special, really, but the targets for the OAuth2 are really important, and it's just sad that we have to have them in the first place.

The `dcm.clj` File

The final piece is really the meat of the problem.

(ns bartender.dcm "The DCM-specific functions for loading data. The Google OAuth2 data for the application is obtained from the Developer Console." (:require [bartender.util :refer [parse-json update lcase]] [cheshire.core :as json] [clj-http.client :as http] [clj-oauth2.client :as oauth2] [clj-time.coerce :refer [to-long from-long]] [clj-time.core :refer [now]] [clojure.set :refer [rename-keys]] [clojure.tools.logging :refer [infof warn warnf error errorf]] [clojure.walk :refer [keywordize-keys]] [compojure [core :refer [defroutes GET POST DELETE PUT]] [handler :as handler]] [ring.middleware.jsonp :refer [wrap-json-with-padding]] [ring.middleware.params :refer [wrap-params]] [ring.util.io :refer [piped-input-stream]]) (:import [java.io BufferedWriter OutputStreamWriter IOException])) (declare user-profiles) ;; ;; Missing functions from clj-oauth2 ;; (defn refresh-access-token "Function to take the existing `access-token` and configuration data and refresh this token with Google to make sure that we have a valid token to work with." [refresh-token {:keys [client-id client-secret access-token-uri]}] (let [req (http/post access-token-uri {:form-params {:client_id client-id :client_secret client-secret :refresh_token refresh-token :grant_type "refresh_token"} :as :json :throw-entire-message? true})] (when (= (:status req) 200) (parse-json (:body req))))) ;; ;; Constants from the Google Developer Console as to how to log in using ;; OAuth 2.0 to the site. ;; (def BASE_URI "https://accounts.google.com") (def AUTH_URI (str BASE_URI "/o/oauth2/auth")) (def TOKEN_URI (str BASE_URI "/o/oauth2/token")) (def CLIENT_ID "<my_client_id>") (def CLIENT_SECRET "<my_client_secret>") (def SCOPE "For Google's OAuth2, we need to provide to them the 'scope' of the login - meaning those things that we want to be able to control and call using the `access-token` that Google will return to us. These are all the things we need from DCM." ["https://www.googleapis.com/auth/dfareporting" "https://www.googleapis.com/auth/devstorage.read_only" "https://www.googleapis.com/auth/dfatrafficking"]) (def TRAFFIC_URI "This is the base URI for all the trafficking-related endpoints at Google. This will be appended to in the individual functions make the calling URL but it's nice to have it here at the top to make a global change easier." "https://www.googleapis.com/dfareporting/v2.0") (def REDIRECT_URI "This is the one endpoint that **we** have to implement which will be the target of Google's OAuth2 callback which will contain all that we need to get the access-token and the supporting values." "http://localhost:3000/api/integration/google_auth_callback") (def gconfig "Map of basic config data for successfully hitting Gogle using OAuth2 for the `access-token` to hit the DCM endpoints for all the trafficking data and reporting data." { :authorization-uri AUTH_URI :access-token-uri TOKEN_URI :redirect-uri REDIRECT_URI :client-id CLIENT_ID :client-secret CLIENT_SECRET :access-query-param :access_token :scope SCOPE :grant-type "authorization_code" }) (def auth-req "The clj-oauth2 library needs to use the config to make an 'authorization request' map that will be used in getting the tokens, etc." (oauth2/make-auth-request gconfig)) (def gtoken "This will be the data returned from Google that includes the `access-token`, what we need to refresh it, and all the goodies. This will look something like: { :access-token \"ya29.JAG00FF1ZLK-UuRdK6e7zf5uFBuNdw_X46546536I9dbmKMbGVBSfAl7\" :token-type \"bearer\" :query-param :access_token :expires-in 3600 } " (atom {})) (def gprofile "This will be the user profile for the authenticated user that generated the `access-token` in use. This is obtained by calling the /userprofiles endpoint in the Google API, and then extracting out the first item that will look something like this: { :kind \"dfareporting#userProfile\" :etag \"\"3_UO98K-Piv7TXZrLaOcjWlCRrs/XCU7oULm-5DPoOwijph80\"\" :profileId \"123456890\" :userName \"yo-yo-ma\" :accountId \"1234\" :accountName \"The Account for All\" } " (atom {})) (defn auth-google "Function to do the initial authentication request to Google for the above configuration. This will be called from the `REDIRECT_URI` endpoint, where the argument is the `:query-params` of the compojure route. This will log the response from Google and then save it in the `gtoken` atom for later." [params] (let [pull (fn [m] (assoc m :expires-in (:expires_in (:params m)))) tok (-> (oauth2/get-access-token gconfig (keywordize-keys params) auth-req) (update :token-type lcase) (pull) (dissoc :params))] (infof "token response: %s" tok) (reset! gtoken tok) (infof "loading user profile...") (reset! gprofile (first (user-profiles tok))) tok)) (defn re-auth-google "Function to update the `access-token` for the current session of the authenticated user - which may, in fact, be the exact same token, but Google will let us know either way." [& [token]] (let [tok (-> (refresh-access-token (:access-token (or token @gtoken)) gconfig) (rename-keys {:token_type :token-type :expires_in :expires-in :access_token :access-token}) (update :token-type lcase))] (infof "re-auth token response: %s" tok) (reset! gtoken tok) tok)) ;; ;; Administrative Functions ;; (defn user-profiles "Function to get the complete list of allowed user profiles for the authenticated user in `gtoken`." [& [token]] (let [url (str TRAFFIC_URI "/userprofiles")] (:items (parse-json (:body (oauth2/get url {:oauth2 (or token @gtoken)})))))) ;; ;; Trafficking Functions ;; (defn get-cities "Function to list all the cities for the provided token and profile. The default values are the current profile and token, but these can be passed in if you want to make a special call." [& [token profile]] (let [pid (:profileId (or profile @gprofile)) url (str TRAFFIC_URI "/userprofiles/" pid "/cities")] (parse-json (:body (oauth2/get url {:oauth2 (or token @gtoken)})))))

We start off with the Missing Functions in the clj-oauth2 library, and then jump right into the static config for our application. These are all generated by Google, and you can get them from Google when you register your project/client.

We then have the authentication and re-authentication functions, which took an enormous amount of time to get right, but don't look overly complex in the least. Lovely.

Finally, we have a few calls to test that we got the user profile information properly, and that we can make subsequent calls to Google and get the data requested. It's not a lot, but it works, and it proves that things are working up to that point.

In the end, I'm glad I have it all done, and I'll be integrating the Custos Server in as a secret store of the credentials soon. Then I'll be using redis as the back-end and then pulling data from Google and loading it there. All this is a complete, stand-alone, back-end data collector for the ad messaging data for a client from Google.

Not bad...

This entry was posted on Tuesday, February 24th, 2015 at 3:18 pm and is filed under Clojure Coding, Open Source Software, Vendors. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

OAuth2 Credentials into Google

The State of OAuth2 Clojure Libraries

The `project.clj` File

The `server.clj` File

The `dcm.clj` File

Pages

Archives

Categories

What's it all about, Alfie?

OAuth2 Credentials into Google

The State of OAuth2 Clojure Libraries

The project.clj File

The server.clj File

The dcm.clj File

Pages

Archives

Categories

The `project.clj` File

The `server.clj` File

The `dcm.clj` File