{"componentChunkName":"component---src-pages-markdown-remark-fields-slug-js","path":"/engineering/guest-post/user-authentication-in-python/","result":{"data":{"markdownRemark":{"id":"b187fd34-4497-550b-af19-25792fd842f8","excerpt":"Authentication and user identity management are challenging tasks you are bound to run into when building applications. For example, you will need to create…","html":"

Authentication and user identity management are challenging tasks you are bound to run into when building applications. For example, you will need to create profiles for users, validate provided passwords, implement a password reset functionalities, manage user sessions (sometimes on multiple devices), manage social media authentication, and many others.

\n

You still have to work on other parts of your application, and you might not have a lot of time. A lot of developers might hack their way through authentication, but that could lead to improper implementations. It is not advisable to do this as you can create doorways for cyber-related attacks in your application.

\n

In this tutorial, you will learn how to properly implement user authentication and identity management in a Flask application.

\n
\n

Here for the code alone? Head over to the implementation section of this article or visit this GitHub gist to browse demo code.

\n
\n

Introduction

\n

What Is User Authentication?

\n

User authentication is the process of validating a person’s identity to ascertain that they are who they claim to be. Authentication is achievable using passwords, one-time pins (OTP), biometrics, authentication apps, access tokens, certificates, and many more.

\n

What Is User Identity?

\n

User identity is an entity used to identify a user of an application uniquely. Forms of user identifiers include full names, email addresses, system-generated values, and UUIDs.

\n

What Is an Identity Provider?

\n

An identity provider is a system that helps create, maintain, and manage user identity information. It also provides authentication services to external applications to ease their authentication flow and make it seamless.

\n

What Is Authentication in Python?

\n

When referring to authentication in Python, we talk about user authentication concerning web applications built with it. Python is actively used in making web applications with many supporting frameworks, including but not limited to Flask, Django, FastAPI, Bottle, and Hug.

\n

Every web application built with Python at one point or another would need to implement user authentication features. This article will cover implementing authentication and proper handling of user identity information using LoginRadius and Flask.

\n

Getting Started with LoginRadius

\n

What Is LoginRadius?

\n

LoginRadius is a cloud-based consumer identity and access management (CIAM) platform that allows seamless user authentication and SSO integration into your application. LoginRadius is simple to use, completely secure, and highly customizable.

\n

To proceed with this tutorial, you will need an account with LoginRadius. If you have not created one before now, create one on the LoginRadius website.

\n

Benefits of Using LoginRadius

\n\n

Integrating LoginRadius with Python and Flask

\n\n

Acquiring LoginRadius API Credentials

\n

Login to your LoginRadius dashboard, then navigate to the app you want to integrate with Python (LoginRadius will set up a free app for you when you create an account).

\n

\n \n \n

\n

Next, head over to the Configuration tab on the LoginRadius sidebar (left side of the screen).

\n

\n \n \n

\n

Your API credentials are located under the API Key And Secret section. Once you have retrieved this, copy the APP Name, API Key, and API Secret and store them somewhere secure and easily retrievable.

\n

\n \n \n

\n

Whitelisting Your Domains

\n

LoginRadius requires you to whitelist domains you will be integrating with your app. To whitelist, a domain, scroll down to the Whitelist Your Domain section in the Configuration tab of your app dashboard and add it.

\n

\n \n \n

\n
\n

By default, LoginRadius whitelists your local computer (localhost).

\n
\n

Installing LoginRadius Python SDK

\n

We need to install the LoginRadius Python SDK. It provides functionalities that allow Python programs to communicate with LoginRadius APIs.

\n

In the terminal, type:

\n
pip install LoginRadius-v2 requests cryptography pbkdf2
\n

Setting up Our Flask Server

\n

First, we need to install the Flask framework from PyPI. In the terminal, type:

\n
pip install flask
\n

After that, create a file named server.py and save the following code in it:

\n
from flask import *\n\napp = Flask(__name__)\napp.config["SECRET_KEY"] = "SECRET_KEY"\n\n\n@app.route("/")\ndef index():\n    return "Hello World!"\n\n\nif __name__ == "__main__":\n    app.run(debug=True)
\n

When you run the server.py script and open your browser, you will get a response similar to the image below:

\n

\n \n \n

\n
\n

NOTE: Don’t forget to replace the <APP_NAME> placeholder with your LoginRadius app name we saved earlier.

\n
\n

Authenticating Registered Users (User Login)

\n

To authenticate registered users, you have to redirect them to your IDX page, passing “login” as the AUTH_ACTION.

\n

Update the server.py file with the code below:

\n
@app.route("/login/")\ndef login():\n    access_token = request.args.get("token")\n    if access_token is None:\n        # redirect the user to our LoginRadius login URL if no access token is provided\n        return redirect(LR_AUTH_PAGE.format("login", request.base_url))\n\n    return "You have successfully logged in!"
\n
\n

When LoginRadius successfully authenticates a user, it attaches a token parameter to the REDIRECT_URL before redirecting your user there. This parameter contains the access token of the user that we authenticated.

\n
\n

In the code above, we redirect users to our LoginRadius login IDX if the token parameter is absent (this means LoginRadius did not redirect the user here). We also set our AUTH_ACTION to “login” and our RETURN_URL to our login page.

\n

\n \n \n

\n

\n \n \n

\n

Fetching User Profiles From Access Tokens

\n

We also want to fetch user profiles from the access token given by LoginRadius. It comes in handy when we want to verify if a given access token is valid (or has expired) or just fetch information about the current user.

\n

Update the login route with the code below. We also added a dashboard route where we will redirect users after successful authentication.

\n
@app.route("/login/")\ndef login():\n    access_token = request.args.get("token")\n    if access_token is None:\n        # redirect the user to our LoginRadius login URL if no access token is provided\n        return redirect(LR_AUTH_PAGE.format("login", request.base_url))\n\n    # fetch the user profile details with their access tokens\n    result = loginradius.authentication.get_profile_by_access_token(\n        access_token)\n\n    if result.get("ErrorCode") is not None:\n        # redirect the user to our login URL if there was an error\n        return redirect(url_for("login"))\n\n    session["user_acccess_token"] = access_token\n\n    return redirect(url_for("dashboard"))\n\n\n@app.route("/dashboard/")\ndef dashboard():\n    return "You have successfully logged in!"
\n

In the code above, we used the authentication.get_profile_by_access_token method from the LoginRadius SDK to fetch our user’s details. If the request was successful and the result does not contain an ErrorCode parameter, we save the access token in the user’s session and redirect them to the dashboard route. But if an error occurs somewhere, e.g., the access token is invalid/expired, we redirect the user back to the login route.

\n

\n \n \n

\n

Next, we want to add more functionality to the dashboard route. Instead of just displaying a dummy text, let it show the user information we fetched earlier. Update the dashboard route with the code below:

\n
@app.route("/dashboard/")\ndef dashboard():\n    access_token = session.get("user_acccess_token")\n    if access_token is None:\n        return redirect(url_for("login"))\n\n    # fetch the user profile details with their access tokens\n    result = loginradius.authentication.get_profile_by_access_token(\n        access_token)\n\n    if result.get("ErrorCode") is not None:\n        # redirect the user to our login URL if there was an error\n        return redirect(url_for("login"))\n\n    return jsonify(result)
\n

Here, we fetched the access token stored in the user’s session earlier, used it to get their details, and rendered the result.

\n

\n \n \n

\n

Invalidating Access Tokens (User Logout)

\n

Invalidating access tokens means rendering particular access tokens useless and unusable. It comes in handy when we log out users. The LoginRadius SDK provides an auth_in_validate_access_token method that takes in an access token to be invalidated.

\n

To add this to our server, create a logout route with the code below:

\n
@app.route("/logout/")\ndef logout():\n    access_token = session.get("user_acccess_token")\n    if access_token is None:\n        return redirect(url_for("login"))\n\n    # invalidate the access token with LoginRadius API\n    loginradius.authentication.auth_in_validate_access_token(access_token)\n    session.clear()\n\n    return "You have successfully logged out!"
\n

\n \n \n

\n

Conclusion

\n

This article taught us about user authentication, user identity management, and implementing it correctly. In addition, we saw how easy it is to integrate LoginRadius services into a Python application to ease the implementation of authentication and user identity management.

\n

The source code of the demo application is available as a GitHub gist. You can learn more about the LoginRadius Python SDK features from the official documentation.

\n","headings":[{"value":"Introduction","depth":2},{"value":"What Is User Authentication?","depth":3},{"value":"What Is User Identity?","depth":3},{"value":"What Is an Identity Provider?","depth":3},{"value":"What Is Authentication in Python?","depth":2},{"value":"Getting Started with LoginRadius","depth":2},{"value":"What Is LoginRadius?","depth":3},{"value":"Benefits of Using LoginRadius","depth":3},{"value":"Acquiring LoginRadius API Credentials","depth":3},{"value":"Whitelisting Your Domains","depth":3},{"value":"Installing LoginRadius Python SDK","depth":3},{"value":"Setting up Our Flask Server","depth":3},{"value":"Initializing the LoginRadius SDK","depth":3},{"value":"Setting up User Registration","depth":2},{"value":"Authenticating Registered Users (User Login)","depth":3},{"value":"Fetching User Profiles From Access Tokens","depth":2},{"value":"Invalidating Access Tokens (User Logout)","depth":3},{"value":"Conclusion","depth":2}],"fields":{"slug":"/engineering/guest-post/user-authentication-in-python/"},"frontmatter":{"metatitle":null,"metadescription":null,"description":"Learn about user authentication, user identity management, and implementing it correctly into a Python application using LoginRadius.","title":"Implementing User Authentication in a Python Application","canonical":null,"date":"July 07, 2021","updated_date":null,"tags":["Python","Authentication","Flask"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/9c74b4b9c19fc76911f54b82e0cceb74/701ee/coverImage.jpg","srcSet":"/static/9c74b4b9c19fc76911f54b82e0cceb74/3dcee/coverImage.jpg 200w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/ae6ae/coverImage.jpg 400w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/701ee/coverImage.jpg 800w,\n/static/9c74b4b9c19fc76911f54b82e0cceb74/8c3c2/coverImage.jpg 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Solomon Esenyi","github":"LordGhostX","bio":"Python Developer and Technical Writer with a passion for open-source, cryptography, and serverless technologies.","avatar":null}}}},"pageContext":{"id":"b187fd34-4497-550b-af19-25792fd842f8","fields__slug":"/engineering/guest-post/user-authentication-in-python/","__params":{"fields__slug":"engineering"}}},"staticQueryHashes":["1171199041","1384082988","1711371485","1753898100","2100481360","229320306","23180105","528864852"]}