In most cases, applications that use the Looker API authenticate with a client_id and client_secret. These are randomly generated strings provided by Looker, not traditional user names and passwords that can be easily remembered. Thus, users who rely on API access need to keep these values recorded somewhere, for instance in a .netrc file or a looker.ini file.
Looker does offer another option, however. Looker itself can act as an authorization server for a PKCE-style OAuth2 authorization flow. When authenticating with this flow, Looker issues the client a short-lived token and a refresh code that can be used to get another token when the short-lived token expires.
Sample code for using this option is available here. The sample code uses the well-known oauth_requests library.
To use this sample, first use the API Explorer to go to the path /extensions/marketplace_extension_api_explorer::api-explorer/4.0/methods/Auth/register_oauth_client_app on your Looker instance and press the “Run It” button. Set the client_guid to oauth2python and set the body of the request like this:
```json
{
  "redirect_uri": "http://localhost:8080/callback",
  "display_name": "OAuth2 Python Sample App",
  "description": "OAuth2 Python Sample App",
  "enabled": true
}
```
Check the box labeled “I understand that this API endpoint will change data.” and press the “Run” button.
[Screenshot: Register OAuth Client App in API Explorer]
Next, set up a Python virtual environment. On Linux and macOS you will do something like this:
```bash
mkdir oauth-python
python -m venv oauth-python
cd oauth-python
source bin/activate
```
Copy oauth.py and requirements.txt there. Run `pip install -r requirements.txt` to install the required libraries.
Now edit oauth.py and set LOOKER_URL and LOOKER_API_URL to their appropriate values. They may be the same, or they may have different port values.
Finally, run the program with the command `python oauth.py`. The program will construct a PKCE-style auth request and open it in your browser. You will log into Looker and be asked if you authorize the application. Authorize it and you will be forwarded to a local web server, which will receive the authorization code. Next, the authorization code will be exchanged for a session token, which can be used to run API requests.
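The pieces of that flow a client has to get right are shown below as an added example (it is not the sample's oauth.py): the PKCE verifier and challenge per RFC 7636, the authorization URL, the `state` check on the callback, and the token request fields. The `/auth` path, the `cors_api` scope and the placeholder host are assumptions not taken from this page; the client id and redirect URI are the ones registered above.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "oauth2python"                       # client_guid registered above
REDIRECT_URI = "http://localhost:8080/callback"  # must match the registration
LOOKER_URL = "https://looker.example.com"        # placeholder instance URL

def code_challenge(verifier):
    """S256 challenge: unpadded base64url of SHA-256(verifier)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    return verifier, code_challenge(verifier)

def build_auth_url(challenge, state):
    # "/auth" and scope "cors_api" are assumptions, not taken from this page.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "cors_api",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{LOOKER_URL}/auth?{urlencode(params)}"

def handle_callback(callback_url, expected_state):
    """Return the authorization code; reject a missing or mismatched state."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not match our request")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def token_request_body(code, verifier):
    # Form fields for the code-for-token exchange. No client_secret is sent:
    # the verifier proves this client started the flow.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }
```

Only the challenge travels through the browser; the verifier stays in the process and is sent once, in the token request.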
In this sample the API is used to fetch the current user’s name, email, and id. But it can be easily modified to do whatever is needed.
Hopefully this introduction will assist you in using this capability with your own scripts.
A Ruby version of this app is available here.