Tornado – 3rd Party Authentication – OpenID and OAuth


You might have observed and experienced so many Website or Web APIs that let authenticate an user with their Google, Facebook or Twitter accounts. Well, this possible because of third party authentication (or a concept that I like referring as ‘Authentication As A Service’). With the open standards (also referred as protocols) authentication like OpenID and OAuth (latest being OAuth2), authentication can treated as an independent entity apart from services a web API or Website provides. Not only does it eschews the users from creating login accounts for all websites but also the website developer’s effort in proving authentication service is saved.

OpenID and OAuth provides a framework in which users can register with OpenID provider (like Google)¬† or OAuth provider (like Github, Facebook) and then use Google or Facebook accounts to login to other sites that provide third party authentication. As a web developer providing third party authentication requires you to create a web application with the service providers. For instance, using OAuth2 authentication of Facebook, requires you to register your app (for API Key and Application Secret) with Facebook at their developers page. Google provides both OpenID and OAuth authentication, but registration is not required…

Web application based on Tornado can leverage these open standards for authenticating a user with help of Tornado’s abstraction for OpenID and OAuth with tornado.auth.OpenIDMixin, tornado.auth.OAuthMixin and tornado.auth.OAuth2Mixin. Methods that are used by these classes are

  • authenticate_redirect(), authorize_redirect(): To redirect the user to appropriate service providers authentication page¬† and
  • get_authenticated_user(): To get the user information as provided by service provider

Tornado also provides abstraction for authenticating users with Facebook, Twitter with tornado.auth.FacebookMixin (Facebook OAuth authentication) and tornado.auth.TwitterMixin (Twitter OAuth authentication) and tornado.auth.GoogleMixin (works for both Google OpenID and OAuth authentication).

Let’s understand more with an example.

import tornado.auth
import tornado.escape
import tornado.httpserver
import tornado.ioloop
import tornado.web
class BaseHandler(tornado.web.RequestHandler):
def get_current_user(self):
user_json = self.get_secure_cookie("user")
return tornado.escape.json_decode(user_json)
class MainHandler(BaseHandler):
def get(self):
name = tornado.escape.xhtml_escape(self.current_user["name"])
self.write("Hello, " + name)
class AuthHandler(BaseHandler, tornado.auth.GoogleMixin):
def get(self):
if self.get_argument("openid.mode", None):
def _on_auth(self, user):
if not user:
self.set_secure_cookie("user", tornado.escape.json_encode(user))
application = tornado.web.Application([
(r"/", MainHandler),
(r"/login", AuthHandler)],
if __name__ == '__main__':

Above example is similar to one we used for Tornado – Authentication blog.. It’s important note the usage of self.get_argument(“openid.mode”) – which signifies using OpenID Authentication.



One thought on “Tornado – 3rd Party Authentication – OpenID and OAuth

  1. Very true most of the websites uses twitter, facebook and google and not openid which I preferred using most of the time when commenting. Especially that I use keywords for my websites such as the best bar, restaurant cafe in miami. Thisu helps me better than logging in through different accounts. Thank you for such a great article.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.