Home/ Questions/Q 7744363
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T09:44:59+00:00

My understanding of the difference between oauth_aware and oauth_required is that aware doesn’t force

  • 0

My understanding of the difference between oauth_aware and oauth_required is that aware doesn’t force authorization, while required does, but that’s not what I’m seeing in practice. I have the two webapp RequestHandlers below, one of whose get() method is decorated with decorator.oauth_aware and the other with decorator.oauth_required. However, when I run locally or on App Engine, both immediately redirect to the login flow.

The goal is for SplashHandler to give the user a link to authorize if they aren’t already, and if they are, then forward to /tasks/.

decorator = OAuth2Decorator(
    client_id=settings.CLIENT_ID,
    client_secret=settings.CLIENT_SECRET,
    scope=settings.SCOPE,
    user_agent='mytasks')

class SplashHandler(webapp.RequestHandler):
  @decorator.oauth_aware
  def get(self):
    if not decorator.has_credentials():
      self.response.out.write(template.render('templates/convert.html',
        {'authorize_url': decorator.authorize_url()}))
    else:
      self.redirect('/tasks/')

class TasksHandler(webapp.RequestHandler):
  @decorator.oauth_required
  def get(self):
    tasks = get_tasks()
    tasks.sort(key=lambda x: x['due'])
    self.response.out.write(template.render('templates/index.html',
                                              {'tasks': tasks}))

application = webapp.WSGIApplication(
    [('/', SplashHandler), ('/tasks/', TasksHandler)], debug=True)
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The oauth_aware method aims to be definitive in being able to answer the question ‘Do we have an access token for the current user?’. The only way it can answer this is by knowing who the current user is, and to do that it’s using the app engine users api, which itself requires a permissions prompt to get your email/user-id via the redirects you’re seeing. With oauth_required you actually get 2 redirects, this same app engine one, then then the oauth one asking for permission to G+ or Docs or whatever.

    I happen to think this isn’t particularly useful, I think your use-case is much more common but obviously the library-author disagrees.

    Saying that, the code inside the oauth_aware function isn’t very complicated, you can make your own decorator based on it that doesn’t do the first redirect. The difference will be that in your case the answer to the same question will either be ‘Yes’ or ‘I don’t know’, never a definitive ‘No’.

    • 0