Fully authorize a local application using OAuth for tumblr

Question

I'm trying to write a program that runs only locally and that interacts with the tumblr-API, including the parts that require OAuth.

I thought about letting the user authorizing my application by opening a webbrowser (with pythons webbrowser-package) with the authorization page of tumblr in it. Problem is that the validation-key, a key part in the OAuth-process that I need to have access to in my application, is passed as an argument in the URL where the user is redirected to after he grants my application access.

Of course I don't have access to a url inside a webbrowser in my application, so my question is: Is there any way I can grant my application access in another way, or will I have to run a webserver just so I can store my validation key temporarily and then pass it to my application? Maybe embed the site using an iframe on a site that is stored on a hard drive? I'm not a webdev, I can't tell.

I have seen this and this answer which both suggest to let the callback-url (=redirection-url) be "localhost/whatever" so the user can copy the URL of that and insert it back into the application. I am wondering if there is another solution to this?

Answer 1

One option, addmitedly a very dirty one, would be to temporarily run a server on a local IP adress and then let the tumblr authentication page redirect to that address.

Probably the easiest way to do this would be with Flask:

from flask import Flask, request

app = Flask(__name__)
oauth_verifier = [''] # A list so it survives the garbage collector of handle_oauth_verifier():
@app.route('/')
def handle_oauth_verifier():
    # Catch oauth_verifier
    oauth_verifier[0] = request.args.get('oauth_verifier')
    # Shutdown server:
    request.environ.get('werkzeug.server.shutdown')()
    return("<p>Application succesfully authorized. You can close this tab now.</p>")
# Run server
app.run()

Just FYI, to change the callback URL of the tumblr user authorisation page, the URL has to be passed using POST when the request-tokens are fetched, not when fetching the authorized tokens! Example for the oauth2 library:

resp, content = client.request(request_token_url,"POST", 
    body=urllib.urlencode({"oauth_callback": oauth_verifier_fetch_url}))

Hope this helps someone somewhere out there.