I Tried Adding Google Auth To a Python Web App | ft. Streamlit

00:00

it's been a month since I started

00:02

researching for this video and I built

00:04

seven to eight different streamid apps

00:06

with various Google art methods but

00:08

after testing all of the solutions none

00:11

felt truly satisfying data fans I find

00:15

it hard to recommend a one- siize fitall

00:17

solution that doesn't involve digging

00:19

into the authentication workflow so

00:21

instead let me walk you through the

00:23

solutions I tried so you understand the

00:26

Google authentication workflow and can

00:28

confidently work you those libraries

00:31

yourself but before trying any Google

00:33

signin Technique we need to create the

00:36

keys to access the Google Kingdom in a

00:38

dedicated Google Cloud project head to

00:40

the credentials page under apis and

00:42

services to access user data like the

00:45

name gmail profile picture and Google

00:47

resources like calendar meetings you

00:50

first need to configure the consent

00:51

window to access the resources find the

00:54

oot consent screen edit your apps

00:57

metadata the name website developer

00:59

email and logo on the next page click

01:03

add Scopes and select the resources you

01:05

want the app to access it would be the

01:08

open ID user info email and profile

01:11

Scopes and if you enable the calendar

01:13

API beforehand you can also scroll to

01:16

select the Google calendar events read

01:19

only

01:20

scope Scopes are categorized by

01:23

sensitivity it doesn't matter for local

01:25

testing but if you release your app to

01:27

the world it needs to go through a

01:29

Google very ification process first

01:31

which will be more difficult depending

01:34

on how many sensitive Scopes you are

01:35

asking

01:36

for while you are in testing mode you

01:39

can add friends and family Google emails

01:41

as beta testers to log your

01:44

app next create a new o client ID

01:47

credential for our web

01:49

application the Google authorization

01:51

server needs a path back to your

01:53

extremely app to send back a code for

01:56

now provide HTTP Local Host 9000 as a

01:59

call back address we will think later

02:01

about how to listen to it a new client

02:04

ID and secret will be created copy those

02:08

into streamlet secret TL file then

02:11

download the Json secret file to the

02:13

root of your project it will act as our

02:16

passport to the Google Gates we are

02:18

ready to

02:22

authenticate four weeks ago I looked for

02:25

python authentication libraries and I

02:28

found options like request Quest o or

02:31

off Li for building o 2/ open ID connect

02:34

clients at this point I kept reading

02:37

those two terms everywhere we just set o

02:40

to keys with open ID Scopes platforms

02:42

like GitHub Twitter and Google provide o

02:44

to endpoints to let python apps securely

02:47

access user data tools like Solara and

02:50

panel simplify OD to configuration for

02:52

their developers it's like if your

02:54

python web app has to access user info

02:57

from a website without manipulating p

02:59

password you should look into o 2/ oidc

03:04

documentation i p installed the Google o

03:07

o Library it includes the get user

03:09

credentials method taking as input the

03:11

client ID client secret and a subset of

03:14

access copes we defined in the consent

03:16

screen earlier you can also indicate a

03:19

minimum and maximum port for demo

03:21

purposes I limited to Port

03:24

9,000 I trust you remember where we

03:27

configured local lost 9,000

03:30

when I click the login button streamly

03:33

calls get user credentials and opens a

03:35

new browser tab for me there's the

03:38

authorization URL it opened for me data

03:41

fans we are not on my Stream app anymore

03:44

we are interacting with Google's

03:46

authorization server if I'm not signed

03:48

in with a Google account it displays a

03:50

new Google signin window let me enter my

03:53

Gmail

03:55

credentials I am the only test user that

03:58

can authenticate with this clent ID

04:00

anyway I added myself as the only beta

04:02

tester while this app is not verified

04:05

then on the next window the Google

04:07

authorization server asks me the user to

04:10

confirm the app can access the resources

04:12

from the subset of Scopes like my name

04:14

or my Google Calendar oh yes I I accept

04:18

authentication flow

04:21

successful and I receive a credentials

04:23

object back in Python without ever

04:26

handling Google passwords in my code I'm

04:29

I am not a hacker who tries to steal

04:31

your Google

04:33

passwords the credential contains a few

04:36

interesting objects but right now I only

04:38

need user information provided by the

04:40

open ID connect scope so I extract the

04:43

ID token from the

04:45

credentials there is a procedure to

04:47

decode and verify the authenticity of

04:49

the token just in case someone corrupted

04:52

it with a scam

04:54

email and now I have access to my user's

04:57

name my verified Gmail address and my L

05:00

to my profile picture which are pretty

05:02

easy to display in My Stream app and

05:04

store in a database for future

05:07

usage since the Google Calendar read

05:09

scope is included in the flow I can even

05:12

use the access token in the credentials

05:15

as an ID card to read the user's Google

05:19

Calendar this is the easiest solution to

05:22

authenticate with Google and access your

05:24

Google resources from streamlet

05:27

unfortunately it won't work on streamid

05:31

cloud the process looks a bit opaque at

05:34

first but under the hood get user

05:36

credential runs a local flash server

05:39

that listens on local

05:42

9000 however the docker image for stream

05:45

cloud has three limitations first I

05:47

cannot spawn new processors to M Bitcoin

05:50

I mean I cannot spawn a new flask server

05:52

that listens to Port 9000 second the

05:55

remote streamit app cannot access my

05:57

local browser to open a new tab and

06:00

third the port 9000 isn't exposed by the

06:03

container if you really need this

06:05

solution you're better off deploying

06:07

your own Docker image in another cloud

06:10

service can't I just use streamlets

06:12

tornado server instead unfortunately as

06:16

of this videoos released there is no

06:18

native way to get the tornado instance

06:21

and tell it to listen to another

06:23

endpoint so maybe I should just spin you

06:26

know my own python server to listen to

06:28

Port 9,000

06:33

right so I install fast API why fast API

06:38

instead of flask no reason just because

06:40

no reason fast API opens on Port 8,000

06:43

by default I could have changed the

06:45

command line to run on Port 9,000 but

06:48

instead I added Local Host 8000 sl/ code

06:51

as a new callback URL for my o clients I

06:55

don't think it's a good practice to

06:56

stuff many up callbacks in a o clients

07:00

it could crumble under so many

07:02

responsibilities anyway I Define a new

07:05

get/ out/ code and point in fast API and

07:09

run the app next to streamlit to catch

07:11

any call back to local lost

07:14

8000

07:16

code back to my streamit app I create a

07:18

new o flow to generate a Google

07:21

authorization URL and states it is a

07:24

randomly generated ID that is baked into

07:27

the authorization URL and and sent to

07:30

Google's authorization

07:31

server I kind of consider this as the ID

07:35

of the current authentication flow and I

07:38

expect the authorization server to keep

07:40

it in mind then I embed the

07:42

authorization URL into a link button

07:45

which redirects the user to Google's old

07:47

servers on a click so far we're in known

07:51

territory as always I input my Gmail

07:53

account consent to let it use my profile

07:56

info press okay then

07:59

instead of the authentication is a

08:01

success text I'm getting back the hello

08:04

world from Fast

08:06

API so after the logging and consent

08:09

screen the Google authorization server

08:12

sends back a response to the Callback

08:14

URL which fast API catches you know

08:17

might as well play with this call back I

08:20

add a state and code argument to fast

08:22

API so it parses them out of the request

08:26

and then I just display them in HTML

08:28

response

08:30

and look at this the state and code gets

08:32

passed into my

08:34

HTML

08:36

nice let's try a new authentication flow

08:39

in streamlet and see F API catch the

08:42

authorization call

08:47

back you can use this code to get your

08:50

credentials from the Google resource

08:51

server but be quick agent fan this code

08:55

will self-destruct in 5 minutes I create

08:57

a new form in streamlit to copy paste

08:59

the state and code back from Fast API if

09:03

the state ID from the origin stream need

09:05

and the Google authorization server

09:06

called back to fast API match I know

09:09

they come from the same flow so this

09:12

temporary authorization code is for me

09:15

and I can use it to Ping the Google

09:16

resource server for user credentials

09:19

using the fetch token

09:21

method and then like last time I extract

09:24

and verify the ID token from the

09:26

credentials to get the logged in user

09:28

yada yada

09:30

yep that's the full a to workflow

09:34

breakdown behind get user credentials

09:36

this is the most common authentication

09:39

flow on the web it's called the web

09:41

application flow or authorization code

09:43

Grant type flow it's the default flow in

09:46

any python o web library but I I still

09:50

have a few questions for for example

09:53

what do I do with those credentials

09:54

after reading user info from the ID

09:56

should I like store the credentials

09:58

somewhere so I can reload them when the

10:00

user comes back to the session and if a

10:03

hacker steals the access token can they

10:05

read my Google Calendar for secret

10:07

meetings with my manager to answer those

10:11

questions I pushed my MVP a little

10:14

further maybe too much so I won't show

10:17

the full code but the project is in the

10:19

description

10:21

[Music]

10:23

below I added a/ session endpoint in

10:26

fast API that creates a new autois ation

10:29

URL and state ID I store this state in a

10:33

local SQL light or a remote fir store

10:35

database stream L calls this to create a

10:38

session on Fast API and in the database

10:41

and get the authorization URL with a

10:44

button click and a redir hack I push the

10:46

user to the Google authorization URL for

10:49

login and

10:51

consent the Google OD server calls back

10:54

fast API which passes the call back URL

10:57

for the state and authorization code

10:59

and if the state ID is in the database

11:02

it uses the code to fetch the access and

11:05

ID tokens from the resource

11:07

server finally fast API sends a redirect

11:11

response back to streamlets and stores

11:13

the state ID in an HTTP only secure

11:17

cookie on my

11:18

browser cookies well since stre 1.37

11:23

streamlet can read cookies with the St

11:25

context cookies method so on each return

11:27

to streamlet I can read the state from

11:30

the cookie send it to fast API to check

11:33

if there's a matching session and if one

11:35

exists reuse the tokens from the session

11:37

in the database to get back calendar and

11:40

profile

11:41

information that way sensitive tokens

11:44

are never sent to the client

11:47

browser I later discovered that this is

11:49

called session based authentication it's

11:52

fun to implement once in your life but

11:55

uh it just opens a new batch of troubles

11:58

if backend development is not your

12:00

specialty for example because this

12:03

access token has so much power in

12:05

accessing user resources it has a very

12:08

short lifespan in case it gets stolen at

12:11

least we are lucky since those tokens

12:13

stay on the backend tornado server side

12:16

in stream we don't display them in any

12:18

front end code and actually because of

12:21

the short lifespan of an access token

12:23

there is a third token in the

12:25

credentials objects that I didn't talk

12:27

about it's called the refresh token in

12:30

case the access token expires I should

12:32

use the refresh token to renew the

12:35

access token instead of going through a

12:37

new login flow speaking of login flows

12:40

and cookies you know gdpr privacy don't

12:44

track people putting a cookie is

12:46

considered browser tracking and if I

12:48

deploy my app to the world I am supposed

12:51

to ask for consent to store the cookie

12:53

on the user's browser and I'm sure I

12:56

will forget to do it yep anyway as a

13:00

data expert that's a lot of tokens

13:03

sessions and cookies to deal

13:08

with this video is sponsored by myself

13:12

if you want to support me researching

13:14

editing and showcasing the latest data

13:17

and web practices for data fans consider

13:19

buying me a coffee to stay awake or

13:22

offer a super tanks after I show you the

13:25

next authentication technique that

13:26

doesn't require fast API let's go if we

13:31

have a hard time doing back and forth

13:33

server side interaction in streamlet why

13:36

not do everything on the front and side

13:40

that's when it appeared to me the

13:42

ultimate Google widgets I found a Google

13:46

signin button that could be embedded in

13:48

HTML JavaScript

13:52

code elegant fact by using a stream

13:55

component I can embed the HTML Google

13:58

sign in button in my web app catch the

14:01

Google token in the JavaScript call back

14:04

and push the token back into server side

14:07

tornado python code then finally I use

14:10

Google o o off slip whatever verify

14:14

token to extract the token

14:19

ID it works as long as I add the Streit

14:23

locost 8501 URL to the list of

14:27

authorized origins in my o credentials

14:30

on the Google console no fast API server

14:32

needed no back and forth between the

14:35

authorization and the resource no

14:37

storing and comparing session tokens

14:40

Google does all of the hard stuff for

14:42

you actually if you look into your local

14:45

cookies you will find out a new sidcc

14:49

cookie from a Google origin sidcc

14:53

for session ID secure HTTP only cross

14:57

site

14:57

cookie if if you're interested I'm using

15:00

this component template from Thiago one

15:03

of the streid founders and you can find

15:05

the source code in the description below

15:07

again okay does it work on streamid

15:11

cloud well the logging and consant

15:14

Screen don't

15:16

load see if I check the web def tools

15:19

console it tells me the given origin is

15:22

not allowed for the given client ID let

15:25

me add the URL to the list of JavaScript

15:29

Origins and wait a few minutes again

15:33

okay uh let's try

15:36

again

15:41

yep we've seen three different

15:44

techniques to do Google authentication

15:46

that work well in low stakes

15:48

environments I personally use the get

15:51

user credentials locally or on an on

15:53

premise server for quick login for

15:55

example for my YouTube analytics

15:57

dashboard

15:59

it sounds like the signin button

16:02

component is a better beginner friendly

16:04

solution especially if you have access

16:06

to the HTML CSS JavaScript which is not

16:09

really the case in streamlit and I know

16:12

I'm too lazy to maintain JavaScript

16:14

logic in the long run so I tend to stick

16:17

with python based server side solutions

16:20

for more flexibility or fine-tuning

16:23

deploying your own fast API server to

16:25

catch the authentication flow is a nice

16:28

setup as long as you to put https

16:30

everywhere there are two more solutions

16:32

that didn't make it in this video

16:34

because it's already too long but do

16:36

tell me in the comments if you want a

16:38

second one the first one is the

16:39

authentication as a service path you can

16:42

use o providers like o zero Fire based

16:45

authentication or super based to manage

16:47

a unique single sign on with multiple

16:49

identity providers use the data and

16:52

session cookie management for you they

16:54

even have their dedicated UI for example

16:57

here's Solara o method redirecting to an

17:00

old zero logging and streamid Cloud

17:03

redirects you to Old kits

17:05

UI a second ID commonly used in

17:08

production settings it's even

17:10

recommended as a best practice in the

17:13

Unicorn documentation for deploying

17:15

flask is to put your streamit app behind

17:18

a reverse proxy like engine INX or caddy

17:21

the reverse proxy handles load balancing

17:24

caches static files and most importantly

17:28

manages our authentication via Solutions

17:30

like authentic aelia or keycloak it then

17:34

redirects the logged in user to the

17:36

Stream It app with a HTTP header to

17:39

identify them just like cookies starting

17:43

version

17:44

1.37 streamlet can access headers

17:46

through the St context headers method to

17:49

access user information passed by the

17:51

reverse proxy so we're good nope

18:00

now I'm off to play with caddy as a

18:01

reverse proxy for streamlit and if it

18:04

goes well maybe I should plan a video

18:06

about hosting streamit apps in pseudo

18:09

production settings with caddy so you

18:11

know I'll see you

18:13

around bye