There is a standalone desktop application for VK. Authorization uses the Implicit flow of the OAuth 2.0 protocol. After successful authorization, I get the access_token in the URL fragment of the link. At the moment, after each authorization or after the access_token expires, I copy the token from the URL manually, which means users will also have to do this. My task is to implement this authorization method in my program in an automated form (automatic extraction of the token for the application user), but retrieving the token directly from the link is difficult and incomprehensible to me because of a multitude of restrictions. One of these difficulties is that you need to use some kind of environment that contains a browser component.

I found methods on the Internet for extracting the access_token by pretending to be a browser (https://github.com/dzhioev/vk_api_auth), but this method requires manual input of a login and password, and the authorization does not use the OAuth protocol (another question for me is whether to save the data entered by the user for authorization).

I also found another module for authorization (https://github.com/dimka665/vk), but for me, as a beginner, it’s complicated and I don’t understand how it works (how authorization happens) and how to use it in my program. If possible, please explain how it can be applied in practice.

The following module is described on Habr: https://habrahabr.ru/post/201074/. It is ideal for me, but it is written in C# in MS Visual Studio, and I am writing a program in Python 3.5. This module uses WebAuthenticationBroker (a special class that launches a standard window that opens a link for authorization) (Figure 1). Is there an analogue of something similar in Python 3.5?

Picture 1

Tell me, please, how to solve this problem and what are your thoughts on this issue.

1 answer

Unfortunately, I can't advise anything in the Python world, but I also encountered the need to log in to VK using OAuth2 from a desktop (in my case, a console) application, written in Java. I solved it as follows:

  1. For authorization, I chose to mimic a web application, so at https://vk.com/apps?act=manage I created a web application and copied its App ID and Secret Key.
  2. I pass these parameters on the command line during the console application launch. It, in turn, starts a simple lightweight HTTP server with a random port. The task of this server is to process the callback request from oauth.vk.com and accept the authorization code, which, using the VK SDK, will need to be exchanged for a token.
  3. Open the system's default web browser and send it to the authorization server, passing the address of the local callback server and the application parameters from the command line (the scope requested for the application rights, for example, photos,audio):

    https://oauth.vk.com/authorize?client_id=app_id&display=page&scope=<scopes_list>&redirect_uri=http://localhost:39893/callback&response_type=code&v=5.52

  4. The browser window displays the application authorization dialog, and then the transition to the local server takes place:

    http://localhost:39893/callback?code=0d2dfec6f27514bb17

  5. The request handler retrieves the request parameter code and passes it to the authorization client to get the token.

  6. The HTTP server continues to work, because another handler, /captcha, is registered in it for possible processing of the captcha requested by the VK API.

The result is an authorization in VK that is very easy for the end user, and there is no compromise of account data.

The sources of the described full Java authorization cycle (if they can be useful) are here: https://github.com/axsy/vkdump , and the screencast of the authorization process described here is at https://www.youtube.com/watch?v=9VAWSWPKQYM .

  • Thanks, maybe I will try to implement it as free time appears and as I pick up experience; at the moment I have implemented the authorization method described in the first link of my question. I am new to programming, so I do not know how to put this approach into practice. - Ramil
  • The idea seemed interesting to me, but what if the site does not allow using HTTP in redirect_uri , but only HTTPS ? - MrModest
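
The loopback-callback procedure from the answer (steps 2 to 5), sketched in Python since the question targets Python; this is an added example, not code from the answer or from the vkdump project. The function names are hypothetical, and the `state` parameter is the standard OAuth 2.0 anti-forgery value, added here on the assumption that the authorization server echoes it back on the callback.

```python
import hmac
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://oauth.vk.com/authorize"  # endpoint shown in the answer

def build_authorize_url(client_id, redirect_uri, scope, state):
    # Same parameters as the answer's URL, plus "state" (assumed to be echoed back).
    return AUTHORIZE_URL + "?" + urlencode({
        "client_id": client_id, "display": "page", "scope": scope,
        "redirect_uri": redirect_uri, "response_type": "code",
        "v": "5.52", "state": state})

def parse_callback(path, expected_state):
    """Return the authorization code from a callback path, or None if rejected."""
    parts = urlsplit(path)
    params = parse_qs(parts.query)
    code = params.get("code", [""])[0]
    state = params.get("state", [""])[0]
    if parts.path != "/callback" or not code:
        return None  # e.g. the browser's /favicon.ico request
    # A wrong or missing state means the request was not started by this login.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code

def obtain_code(client_id, scope):
    state = secrets.token_urlsafe(16)  # unpredictable, one per login attempt
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, state)
            self.send_response(200 if result["code"] else 400)
            self.end_headers()
            self.wfile.write(b"You may close this tab.\n")

        def log_message(self, *args):
            pass  # keep the code and state out of console logs

    # Port 0 picks a random free port; 127.0.0.1 keeps the listener local-only.
    server = HTTPServer(("127.0.0.1", 0), Handler)
    redirect_uri = "http://localhost:{}/callback".format(server.server_port)
    webbrowser.open(build_authorize_url(client_id, redirect_uri, scope, state))
    while not result.get("code"):
        server.handle_request()  # ignore stray requests until a valid callback
    server.server_close()
    return result["code"]
```

The returned code still has to be exchanged for a token, as in step 5 of the answer; that exchange is not shown here.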