def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
"""Initialise the all the settings for an Authorisation server instance
"""
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
"""Initialise the all the settings for an Authorisation server instance
"""
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
class AuthorizationServer(object):
"""
Provides the core OAuth 2.0 server functions.
"""
AUTHZ_HDR_ENV_KEYNAME = 'HTTP_AUTHORIZATION'
BEARER_TOK_ID = 'Bearer'
MAC_TOK_ID = 'MAC'
TOKEN_TYPES = (BEARER_TOK_ID, MAC_TOK_ID)
def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
def authorize(self, request, client_authorized):
"""Handle an authorization request.
It is assumed that the caller has checked whether the user is
authenticated and that the user has authorised the client and scope.
Request query parameters (from
http://tools.ietf.org/html/draft-ietf-oauth-v2-22):
response_type
REQUIRED. Value MUST be set to "code".
client_id
REQUIRED. The client identifier as described in Section 2.2.
redirect_uri
OPTIONAL, as described in Section 3.1.2.
scope
OPTIONAL. The scope of the access request as described by
Section 3.3.
state
RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery as described in Section 10.12.
Response:
application/x-www-form-urlencoded format:
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
attempt to revoke all tokens previously issued based on that
authorization code. The authorization code is bound to the
client identifier and redirection URI.
state
REQUIRED if the "state" parameter was present in the client
authorization request. The exact value received from the
client.
@type request: webob.Request
@param request: HTTP request object
@type client_authorized: bool
@param client_authorized: True if resource owner has authorized client
@rtype: tuple: (str, int, str)
@return: tuple (
redirect_uri
HTTP status if error
error description
)
"""
log.debug("Starting authorization request")
# Parameters should only be taken from the query string.
params = request.GET
auth_request = AuthorizeRequest(params.get('response_type', None),
params.get('client_id', None),
params.get('redirect_uri', None),
params.get('scope', None),
params.get('state', None))
try:
self.check_request(request, params, post_only=False)
# Check for required parameters.
required_parameters = ['response_type', 'client_id']
for param in required_parameters:
if param not in params:
log.error("Missing request parameter %s from params: %s",
param, params)
raise OauthException('invalid_request',
"Missing request parameter: %s" % param)
if not client_authorized:
raise OauthException('access_denied',
'User has declined authorization')
response_type = params.get('response_type', None)
if response_type != 'code':
raise OauthException('unsupported_response_type',
"Response type %s not supported" %
response_type)
client_error = self.client_register.is_valid_client(
auth_request.client_id,
auth_request.redirect_uri)
if client_error:
log.error("Invalid client: %s", client_error)
return (None, httplib.BAD_REQUEST, client_error)
# redirect_uri must be included in the request if the client has
# more than one registered.
client = self.client_register.register[auth_request.client_id]
if len(client.redirect_uris) != 1 and not auth_request.redirect_uri:
log.error("An authorization request has been made without a "
"return URI")
return (None,
httplib.BAD_REQUEST,
('An authorization request has been made without a '
'return URI.'))
# Preconditions satisfied - generate grant.
(grant, code) = self.authorizer.generate_authorization_grant(
auth_request,
request)
auth_response = AuthorizeResponse(code, auth_request.state)
if not self.authorization_grant_register.add_grant(grant):
log.error('Registering grant failed')
raise OauthException('server_error',
'Authorization grant could not be created')
except OauthException, exc:
log.error("Redirecting back after error: %s - %s",
exc.error, exc.error_description)
return self._redirect_after_authorize(auth_request, None, exc.error,
exc.error_description)
log.debug("Redirecting back after successful authorization.")
return self._redirect_after_authorize(auth_request, auth_response)
class AuthorizationServer(object):
"""
Provides the core OAuth 2.0 server functions.
"""
AUTHZ_HDR_ENV_KEYNAME = 'HTTP_AUTHORIZATION'
BEARER_TOK_ID = 'Bearer'
MAC_TOK_ID = 'MAC'
TOKEN_TYPES = (BEARER_TOK_ID, MAC_TOK_ID)
def __init__(self, client_register, authorizer, client_authenticator,
resource_register, resource_authenticator,
access_token_generator, config):
self.client_register = client_register
self.authorizer = authorizer
self.client_authenticator = client_authenticator
self.resource_register = resource_register
self.resource_authenticator = resource_authenticator
self.access_token_generator = access_token_generator
self.access_token_register = AccessTokenRegister(config)
self.authorization_grant_register = AuthorizationGrantRegister(config)
def authorize(self, request, client_authorized):
"""Handle an authorization request.
It is assumed that the caller has checked whether the user is
authenticated and that the user has authorised the client and scope.
Request query parameters (from
http://tools.ietf.org/html/draft-ietf-oauth-v2-22):
response_type
REQUIRED. Value MUST be set to "code".
client_id
REQUIRED. The client identifier as described in Section 2.2.
redirect_uri
OPTIONAL, as described in Section 3.1.2.
scope
OPTIONAL. The scope of the access request as described by
Section 3.3.
state
RECOMMENDED. An opaque value used by the client to maintain
state between the request and callback. The authorization
server includes this value when redirecting the user-agent back
to the client. The parameter SHOULD be used for preventing
cross-site request forgery as described in Section 10.12.
Response:
application/x-www-form-urlencoded format:
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization code
more than once. If an authorization code is used more than
once, the authorization server MUST deny the request and SHOULD
attempt to revoke all tokens previously issued based on that
authorization code. The authorization code is bound to the
client identifier and redirection URI.
state
REQUIRED if the "state" parameter was present in the client
authorization request. The exact value received from the
client.
@type request: webob.Request
@param request: HTTP request object
@type client_authorized: bool
@param client_authorized: True if resource owner has authorized client
@rtype: tuple: (str, int, str)
@return: tuple (
redirect_uri
HTTP status if error
error description
)
"""
log.debug("Starting authorization request")
# Parameters should only be taken from the query string.
params = request.GET
auth_request = AuthorizeRequest(params.get('response_type', None),
params.get('client_id', None),
params.get('redirect_uri', None),
params.get('scope', None),
params.get('state', None))
try:
self.check_request(request, params, post_only=False)
# Check for required parameters.
required_parameters = ['response_type', 'client_id']
for param in required_parameters:
if param not in params:
log.error("Missing request parameter %s from params: %s",
param, params)
raise OauthException(
'invalid_request',
"Missing request parameter: %s" % param)
if not client_authorized:
raise OauthException('access_denied',
'User has declined authorization')
response_type = params.get('response_type', None)
if response_type != 'code':
raise OauthException(
'unsupported_response_type',
"Response type %s not supported" % response_type)
client_error = self.client_register.is_valid_client(
auth_request.client_id, auth_request.redirect_uri)
if client_error:
log.error("Invalid client: %s", client_error)
return (None, httplib.BAD_REQUEST, client_error)
# redirect_uri must be included in the request if the client has
# more than one registered.
client = self.client_register.register[auth_request.client_id]
if len(client.redirect_uris
) != 1 and not auth_request.redirect_uri:
log.error("An authorization request has been made without a "
"return URI")
return (None, httplib.BAD_REQUEST,
('An authorization request has been made without a '
'return URI.'))
# Preconditions satisfied - generate grant.
(grant, code) = self.authorizer.generate_authorization_grant(
auth_request, request)
auth_response = AuthorizeResponse(code, auth_request.state)
if not self.authorization_grant_register.add_grant(grant):
log.error('Registering grant failed')
raise OauthException(
'server_error', 'Authorization grant could not be created')
except OauthException, exc:
log.error("Redirecting back after error: %s - %s", exc.error,
exc.error_description)
return self._redirect_after_authorize(auth_request, None,
exc.error,
exc.error_description)
log.debug("Redirecting back after successful authorization.")
return self._redirect_after_authorize(auth_request, auth_response)
