Chapter 7. Authenticating with External Services
The example in Chapter 6 showed how to
use secure cookies and the tornado.web.authenticated decorator to implement a
simple user authentication form. In this chapter, we will look at how to
authenticate against third-party services. Popular web APIs like Facebook’s
and Twitter’s use the OAuth protocol to securely verify someone’s identity
while allowing their users to maintain control over third-party access to
their personal information. Tornado offers a number of Python mix-ins that
help developers authenticate with external services, either with explicit
support for popular services, or through general OAuth support. In this
chapter, we’ll explore two example applications that use Tornado’s auth module: one that connects to Twitter and
another that connects to Facebook.
The Tornado auth Module
As a web application developer, you might want to allow your users
to post updates to Twitter or read recent Facebook statuses directly
through your application. Most social network and single sign-on APIs
provide a standard workflow for authorizing users on your application. The
Tornado auth module provides classes
for OpenID, OAuth, OAuth 2.0, Twitter, FriendFeed, Google OpenID, the
Facebook REST API, and the Facebook Graph API. Although you could
implement handlers for a particular external service’s authorization
process on your own, Tornado’s auth module provides a simplified workflow for developing applications that connect to any of ...