Google Reauth Library
The Google Reauth Library (version 0.1.1) provides Python utilities to integrate Google's re-authentication challenge flows into web applications. It helps developers prompt users to re-verify their identity for sensitive actions, ensuring enhanced security. The library is actively maintained by Google, with recent releases focusing on initial functionality and coverage. It currently has a stable release cadence.
Warnings
- gotcha: The library explicitly raises an exception for SAML reauth challenges. This means SAML-based re-authentication flows are not currently supported by this library, and attempting to use them will result in an error.
- gotcha: All interactions with the `web_reauth_challenge` and `web_reauth_credential` modules require a valid `client_id` and `client_secret` from a Google Cloud Project. Failure to provide these (either directly or via environment variables) will result in `google.auth.exceptions.RefreshError` or similar authentication errors.
- gotcha: The `redirect_uri` provided to `start_reauth_challenge_flow` and `verify_credential` must EXACTLY match one of the authorized redirect URIs configured in your Google Cloud Project for the given client ID. Mismatches will cause `MismatchError` or similar authentication failures from Google's OAuth services.
Install
pip install google-reauth
Imports
- web_reauth_challenge
from google_reauth import web_reauth_challenge
- web_reauth_credential
from google_reauth import web_reauth_credential
Quickstart
import os
from google_reauth import web_reauth_challenge, web_reauth_credential

# --- Configuration ---
# You must obtain these from your Google Cloud Project's OAuth 2.0 Client IDs.
# Set them as environment variables or replace the placeholders.
GOOGLE_CLIENT_ID = os.environ.get('GOOGLE_CLIENT_ID', 'YOUR_GOOGLE_CLIENT_ID')
GOOGLE_CLIENT_SECRET = os.environ.get('GOOGLE_CLIENT_SECRET', 'YOUR_GOOGLE_CLIENT_SECRET')

# The URI Google will redirect to after the user completes the reauth challenge.
# This MUST exactly match one of the authorized redirect URIs configured in your
# Google Cloud Project for the given client ID (e.g., http://localhost:5000/verify-reauth).
REDIRECT_URI = "http://localhost:5000/verify-reauth"

# --- Step 1: Start the Reauth Challenge Flow ---
# This typically happens when a user attempts a sensitive action in your web application.
print("\n--- Starting Reauth Challenge ---")
try:
    flow = web_reauth_challenge.start_reauth_challenge_flow(
        client_id=GOOGLE_CLIENT_ID,
        client_secret=GOOGLE_CLIENT_SECRET,
        session_id="user-session-abc-123",  # A unique ID for the user's current session
        redirect_uri=REDIRECT_URI,
        scopes=["openid", "email", "profile"],  # Scopes for the user's identity
    )
    print(f"User needs to re-authenticate. Redirect them to: {flow.redirect_url}")
    print(f"Store this challenge_id for verification: {flow.challenge_id}")

    # In a real web application, you would:
    # 1. Store `flow.challenge_id` in a session or cookie before redirecting.
    # 2. Redirect the user's browser to `flow.redirect_url`.
    # 3. The user completes the reauth on Google's side.
    # 4. Google redirects the user back to your `REDIRECT_URI` with a `code`
    #    and `state` (or similar) in the URL parameters.

    # --- Step 2: Verify the Credential (Simulated) ---
    print("\n--- Simulating Verification (after user returns from Google) ---")
    print("To run this part, you need a 'code' from Google's redirect.")
    print("Manually complete the reauth flow in a browser using the URL above.")
    print("Then, uncomment and fill in the 'received_code' to verify the credential.")

    # Example of how verification would look (requires a real 'code'):
    # received_code = "_YOUR_AUTH_CODE_FROM_REDIRECT_"
    # received_challenge_id = flow.challenge_id  # Use the one from step 1
    #
    # if received_code and received_challenge_id:
    #     credential = web_reauth_credential.verify_credential(
    #         client_id=GOOGLE_CLIENT_ID,
    #         client_secret=GOOGLE_CLIENT_SECRET,
    #         code=received_code,
    #         redirect_uri=REDIRECT_URI,
    #         challenge_id=received_challenge_id,
    #     )
    #     print(f"Re-authentication successful! User sub: {credential.id_token_data.get('sub')}")
    # else:
    #     print("Skipping verification: 'received_code' not set.")
except Exception as e:
    print(f"An error occurred: {e}")
    print("Ensure GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET are set and valid.")
    print("Also, ensure REDIRECT_URI is registered in your Google Cloud Project.")
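The Quickstart leaves the web-application side of the round trip (steps 1 to 4 in the comments) as prose. The following is an added example, not code from the google-reauth library or from Google, that shows how a server would bind the `challenge_id` to the user's session before redirecting and then check the callback against that session before calling the verifier. The library calls are passed in as callables so the logic runs offline against constructed fakes; it is an assumption of this example that the callback's `state` parameter carries the `challenge_id` from step 1, and the session object, the fake flow/credential classes and all identifier values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Optional

# Must be the same exact string that is registered in the Cloud project and
# passed to both start_reauth_challenge_flow and verify_credential.
REDIRECT_URI = "http://localhost:5000/verify-reauth"


@dataclass
class ReauthSession:
    """Constructed in-memory stand-in for the server-side session of one user."""
    challenge_id: Optional[str] = None
    reauth_verified_sub: Optional[str] = None


def begin_reauth(session: ReauthSession, start_flow: Callable[..., Any],
                 client_id: str, client_secret: str, session_id: str) -> str:
    """Step 1: start the challenge and bind its challenge_id to the session.

    `start_flow` is assumed to behave like web_reauth_challenge.start_reauth_challenge_flow
    and to return an object exposing .challenge_id and .redirect_url.
    """
    flow = start_flow(
        client_id=client_id,
        client_secret=client_secret,
        session_id=session_id,
        redirect_uri=REDIRECT_URI,
        scopes=["openid", "email", "profile"],
    )
    session.challenge_id = flow.challenge_id  # stored BEFORE the browser is redirected
    return flow.redirect_url


def handle_reauth_callback(session: ReauthSession, params: Mapping[str, str],
                           verify: Callable[..., Any], client_id: str, client_secret: str) -> str:
    """Steps 2-4: validate the callback against the session, then verify the code.

    `verify` is assumed to behave like web_reauth_credential.verify_credential and to
    return an object exposing .id_token_data (a dict containing the user's `sub`).
    """
    code = params.get("code")
    returned_state = params.get("state")  # assumption: carries the challenge_id
    if not code or not returned_state:
        raise ValueError("callback is missing 'code' or 'state'")

    expected = session.challenge_id
    # Reject callbacks this session never started, or that were already consumed.
    if expected is None or not hmac.compare_digest(expected, returned_state):
        raise PermissionError("challenge_id does not belong to this session")
    session.challenge_id = None  # single use: a replayed callback fails the check above

    credential = verify(
        client_id=client_id,
        client_secret=client_secret,
        code=code,
        redirect_uri=REDIRECT_URI,  # identical to the value used in step 1
        challenge_id=expected,
    )
    sub = credential.id_token_data.get("sub")
    if not sub:
        raise PermissionError("verified credential carries no subject")
    session.reauth_verified_sub = sub
    return sub


# --- Constructed fakes so the handlers can be exercised without network access ---
class FakeFlow:
    challenge_id = "chal-123"
    redirect_url = "https://example.invalid/reauth"  # placeholder, not a Google URL


class FakeCredential:
    id_token_data = {"sub": "user-42"}


def fake_start_flow(**kwargs: Any) -> FakeFlow:
    return FakeFlow()


def fake_verify(**kwargs: Any) -> FakeCredential:
    # A real verifier would exchange the code with Google; the fake only checks
    # that the handler forwarded the bound challenge_id and the exact redirect URI.
    assert kwargs["challenge_id"] == FakeFlow.challenge_id
    assert kwargs["redirect_uri"] == REDIRECT_URI
    return FakeCredential()


def run_demo() -> dict:
    """Happy path, then a replayed callback and a callback with a foreign state."""
    session = ReauthSession()
    begin_reauth(session, fake_start_flow, "cid", "secret", "sess-1")
    good = {"code": "constructed-code", "state": FakeFlow.challenge_id}
    sub = handle_reauth_callback(session, good, fake_verify, "cid", "secret")
    try:
        handle_reauth_callback(session, good, fake_verify, "cid", "secret")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    other = ReauthSession()
    begin_reauth(other, fake_start_flow, "cid", "secret", "sess-2")
    try:
        handle_reauth_callback(other, {"code": "x", "state": "not-mine"}, fake_verify, "cid", "secret")
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    return {"sub": sub, "replay_rejected": replay_rejected, "mismatch_rejected": mismatch_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The two things worth copying into a real handler are that the `challenge_id` is written to the session before the redirect and cleared on first use, so a callback that arrives without a matching session (or arrives twice) never reaches `verify_credential`, and that `REDIRECT_URI` is one constant used in both calls, which is the simplest way to avoid the exact-match failure described under Warnings.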