def post(self):
    """Handle the resource owner's answer to the authorization form.

    ``validate_params`` (defined outside this block) must have vetted the
    client and redirect URI first; the handler returns silently when it
    fails. An ``authorize`` value of ``no`` produces an ``access_denied``
    error redirect; any other value is treated as consent (what a missing
    parameter yields depends on ``request.get`` -- confirm). Depending on
    ``response_type`` an authorization code, an access token, or both are
    issued and passed to ``authz_redirect``.

    NOTE: as the TODO below records, this form post carries no CSRF
    protection yet -- nothing ties the grant to a signed or nonce-bearing
    request.
    """
    if not self.validate_params():
        return

    # TODO: check for some sort of cross site request forgery? sign the request?
    request = self.request
    if request.get('authorize').lower() == 'no':
        self.authz_error('access_denied',
                         "The user did not allow authorization.")
        return

    response_type = request.get('response_type')
    code = None
    token = None

    # Authorization-code flavours: persist a grant bound to user, client
    # and redirect URI and hand back its serialized form.
    if response_type in ('code', 'code_and_token'):
        authorization = OAuth_Authorization(
            user_id=self.user.user_id(),
            client_id=self.client.client_id,
            redirect_uri=self.redirect_uri,
        )
        authorization.put()
        code = authorization.serialize(state=request.get('state'))

    # Implicit flavours: an access token stored without a refresh token.
    if response_type in ('token', 'code_and_token'):
        requested_scope = request.get('scope')
        access = OAuth_Token(
            user_id=self.user.user_id(),
            client_id=self.client.client_id,
            scope=requested_scope,
        )
        access.put(can_refresh=False)
        token = access.serialize(requested_scope=requested_scope)

    self.authz_redirect(code, token)
def handle_client_credentials(self, client, scope=None):
    """Issue a token for the client-credentials grant.

    The token has no ``user_id`` (it represents the client itself) and is
    stored with ``can_refresh=False`` so no refresh token is minted.
    ``scope`` is stored exactly as requested; whether the client may hold
    that scope is not checked here (presumably the caller does -- confirm).
    """
    client_token = OAuth_Token(client_id=client.client_id, scope=scope)
    client_token.put(can_refresh=False)
    self.render_response(client_token)
def handle_client_credentials(self, client, scope=None):
    """Mint a non-refreshable token that represents the client itself.

    No ``user_id`` is set. The requested ``scope`` is recorded verbatim;
    this handler does not decide whether the client is entitled to it
    (presumably handled before dispatch -- confirm).
    """
    attrs = {
        'client_id': client.client_id,
        'scope': scope,
    }
    issued = OAuth_Token(**attrs)
    # Client-credentials tokens get no refresh token.
    issued.put(can_refresh=False)
    self.render_response(issued)
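def handle_authorization_code(self, client, scope=None):
    """Exchange an authorization code for an access token.

    The grant is looked up by the ``code`` request parameter and checked by
    ``OAuth_Authorization.validate`` against the presented ``redirect_uri``
    and the authenticated client; an unknown code or a failed check yields
    ``invalid_grant``. On success a token bound to the grant's user and
    client is stored (refreshable: ``put()`` is called without
    ``can_refresh``) and the grant is deleted so the code is single-use.

    Args:
        client: the authenticated client record (``client_id`` attribute).
        scope: scope requested at the token endpoint, stored on the token
            as given. It is not compared with the original grant here --
            presumably ``validate`` or the caller covers that; confirm.
    """
    code = self.request.get('code')
    redirect_uri = self.request.get('redirect_uri')
    authorization = OAuth_Authorization.get_by_code(code)
    # Fix: the original passed an unbound name ``code`` to validate(), so
    # every otherwise-valid exchange raised NameError instead of validating.
    if not authorization or not authorization.validate(
            code, redirect_uri, client.client_id):
        self.render_error('invalid_grant',
                          "Authorization code expired or invalid.")
        return
    token = OAuth_Token(
        user_id=authorization.user_id,
        client_id=authorization.client_id,
        scope=scope,
    )
    token.put()
    # Consume the grant so the same code cannot be exchanged twice.
    authorization.delete()
    self.render_response(token)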
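def handle_authorization_code(self, client, scope=None):
    """Exchange an authorization code for an access token.

    The grant is looked up by the ``code`` request parameter and checked by
    ``OAuth_Authorization.validate`` against the presented ``redirect_uri``
    and the authenticated client; an unknown code or a failed check yields
    ``invalid_grant``. On success a token bound to the grant's user and
    client is stored (refreshable: ``put()`` is called without
    ``can_refresh``) and the grant is deleted so the code is single-use.

    Args:
        client: the authenticated client record (``client_id`` attribute).
        scope: scope requested at the token endpoint, stored on the token
            as given. It is not compared with the original grant here --
            presumably ``validate`` or the caller covers that; confirm.
    """
    code = self.request.get('code')
    # Fix: the parameter is named ``redirect_uri`` (as in the sibling
    # handler and the authorization endpoint); reading ``redirect_url``
    # never saw the value the client actually sent.
    redirect_uri = self.request.get('redirect_uri')
    authorization = OAuth_Authorization.get_by_code(code)
    # Fix: the original passed an unbound name ``code`` to validate(), so
    # every otherwise-valid exchange raised NameError instead of validating.
    if not authorization or not authorization.validate(
            code, redirect_uri, client.client_id):
        self.render_error('invalid_grant',
                          "Authorization code expired or invalid.")
        return
    token = OAuth_Token(
        user_id=authorization.user_id,
        client_id=authorization.client_id,
        scope=scope,
    )
    token.put()
    # Consume the grant so the same code cannot be exchanged twice.
    authorization.delete()
    self.render_response(token)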
def handle_refresh_token(self, client, scope=None):
    """Issue a fresh access token from a refresh token.

    The ``refresh_token`` parameter must resolve to a stored token whose
    ``client_id`` equals the authenticated client's; otherwise
    ``invalid_grant``. The ``scope`` argument exists only for signature
    parity with the other grant handlers and is not used -- the refreshed
    token is whatever ``refresh()`` returns.
    """
    presented = self.request.get('refresh_token')
    stored = OAuth_Token.get_by_refresh_token(presented)
    # Binding the check to client_id stops one client from spending
    # another client's refresh token.
    if not stored or stored.client_id != client.client_id:
        self.render_error('invalid_grant', "Invalid refresh token.")
        return
    # TODO: refresh token should expire along with grant according to spec
    self.render_response(stored.refresh())
def handle_password(self, client, scope=None):
    """Issue a token for the resource-owner-password grant.

    Both ``username`` and ``password`` must be present, otherwise
    ``invalid_grant``. The password is NOT verified: App Engine offers no
    programmatic login and the local SDK needs no password, so the grant
    is issued on presence alone (the original TODO -- "something
    better?" -- still stands). The token is stored with a refresh token
    (``put()`` without ``can_refresh``) and ``username`` becomes its
    ``user_id``.
    """
    username = self.request.get('username')
    password = self.request.get('password')
    if not (username and password):
        self.render_error('invalid_grant', "Invalid end-user credentials.")
        return
    issued = OAuth_Token(
        client_id=client.client_id,
        user_id=username,
        scope=scope,
    )
    issued.put()
    self.render_response(issued)
def handle_refresh_token(self, client, scope=None):
    """Refresh an access token.

    Resolves the ``refresh_token`` request parameter to a stored token and
    requires its ``client_id`` to match the authenticated client; anything
    else is reported as ``invalid_grant``. ``scope`` is accepted but
    unused; the new token comes straight from ``refresh()``.
    """
    refresh_token = self.request.get('refresh_token')
    existing = OAuth_Token.get_by_refresh_token(refresh_token)
    # A refresh token is only honoured for the client it was issued to.
    owned_by_client = bool(existing) and existing.client_id == client.client_id
    if not owned_by_client:
        self.render_error('invalid_grant', "Invalid refresh token.")
        return
    # TODO: refresh token should expire along with grant according to spec
    refreshed = existing.refresh()
    self.render_response(refreshed)
def handle_password(self, client, scope=None):
    """Resource-owner-password grant.

    Requires non-empty ``username`` and ``password`` parameters; a missing
    one yields ``invalid_grant``. No credential check happens -- the
    original comment explains that App Engine cannot authenticate
    programmatically and the local SDK needs no password, so presence is
    the only test (TODO: something better?). The resulting token is
    refreshable and carries ``username`` as its ``user_id``.
    """
    credentials = (self.request.get('username'), self.request.get('password'))
    if not all(credentials):
        self.render_error('invalid_grant', "Invalid end-user credentials.")
        return
    username, _password = credentials
    token = OAuth_Token(
        client_id=client.client_id,
        user_id=username,
        scope=scope,
    )
    token.put()
    self.render_response(token)
def post(self):
    """Process the resource owner's decision on the authorization form.

    Returns early when ``validate_params`` (outside this block) rejects
    the request. ``authorize=no`` sends an ``access_denied`` error; every
    other value counts as consent (the result for an absent parameter
    depends on ``request.get`` -- confirm). ``response_type`` selects
    whether an authorization code, an implicit access token, or both are
    issued before ``authz_redirect`` is called with them.

    NOTE: the TODO below is still open -- there is no CSRF defence on this
    form post, so nothing binds the grant to a request the user actually
    initiated.
    """
    if not self.validate_params():
        return

    # TODO: check for some sort of cross site request forgery? sign the request?
    answer = self.request.get('authorize').lower()
    if answer == 'no':
        self.authz_error('access_denied',
                         "The user did not allow authorization.")
        return

    response_type = self.request.get('response_type')
    wants_code = response_type in ('code', 'code_and_token')
    wants_token = response_type in ('token', 'code_and_token')

    code = self._issue_authorization_code() if wants_code else None
    token = self._issue_implicit_token() if wants_token else None
    self.authz_redirect(code, token)

def _issue_authorization_code(self):
    """Persist a grant for this user/client/redirect and serialize it."""
    grant = OAuth_Authorization(
        user_id=self.user.user_id(),
        client_id=self.client.client_id,
        redirect_uri=self.redirect_uri,
    )
    grant.put()
    return grant.serialize(state=self.request.get('state'))

def _issue_implicit_token(self):
    """Persist a non-refreshable access token and serialize it."""
    requested_scope = self.request.get('scope')
    access = OAuth_Token(
        user_id=self.user.user_id(),
        client_id=self.client.client_id,
        scope=requested_scope,
    )
    access.put(can_refresh=False)
    return access.serialize(requested_scope=requested_scope)
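def wrapped_f(*args):
    """Gate the wrapped handler behind an OAuth access-token check.

    Closes over ``f`` (the handler), ``realm`` and ``scope`` from the
    enclosing decorator, which lies outside this block. ``args[0]`` is the
    handler instance whose ``request``/``response`` are used.

    The token is read from an ``Authorization: OAuth <token>`` header, or
    else from the ``oauth_token`` request parameter (note that the latter
    can appear in a URL and therefore in request logs). Failures get a
    status from the table in ``render_error`` plus a ``WWW-Authenticate``
    header; on success ``f`` is called with the stored token as the
    ``token`` keyword argument.
    """
    request = args[0].request
    response = args[0].response

    def render_error(error, error_desc, error_uri=None):
        """Write an OAuth error: status code, WWW-Authenticate header, body."""
        response.set_status({
            'invalid_request': 400,
            'invalid_token': 401,
            'expired_token': 401,
            'insufficient_scope': 403,
        }[error])
        authenticate_header = 'OAuth realm="%s", error="%s", error_description="%s"' % \
            (realm, error, error_desc)
        if error_uri:
            authenticate_header += ', error_uri="%s"' % error_uri
        if scope:
            authenticate_header += ', scope="%s"' % scope
        response.headers['WWW-Authenticate'] = authenticate_header
        response.out.write(error_desc)

    auth_header = request.headers.get('Authorization', '')
    if auth_header.startswith('OAuth'):
        # A bare "OAuth" header has no second field; the original
        # ``split(' ')[1]`` raised IndexError there instead of a 400.
        parts = auth_header.split(' ')
        token = parts[1] if len(parts) > 1 else None
    else:
        token = request.get('oauth_token', None)
    if not token:
        render_error('invalid_request',
                     "Not a valid request for an OAuth protected resource")
        return

    token = OAuth_Token.get_by_access_token(token)
    # Fix: an unknown token came back as None and crashed on is_expired()
    # (a 500 instead of a 401); report it as invalid_token like the
    # sibling implementation does.
    if not token:
        render_error('invalid_token', "This token is not valid")
        return
    if token.is_expired():
        # expired_token tells a client holding a refresh token to refresh;
        # without one the token is simply invalid.
        if token.refresh_token:
            render_error('expired_token', "This token has expired")
        else:
            render_error('invalid_token', "This token is no longer valid")
        return
    # Exact scope match only; a token with a superset of scopes is refused.
    if scope != token.scope:
        render_error('insufficient_scope', "This resource requires higher priveleges")
        return
    f(*args, token=token)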
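def wrapped_f(*args):
    """Gate the wrapped handler behind an OAuth access-token check.

    Closes over ``f`` (the handler), ``realm`` and ``scope`` from the
    enclosing decorator, which lies outside this block. ``args[0]`` is the
    handler instance whose ``request``/``response`` are used.

    The token is read from an ``Authorization: OAuth <token>`` header, or
    else from the ``oauth_token`` request parameter (note that the latter
    can appear in a URL and therefore in request logs). Failures get a
    status from the table in ``render_error`` plus a ``WWW-Authenticate``
    header; on success ``f`` is called with the stored token as the
    ``token`` keyword argument.
    """
    request = args[0].request
    response = args[0].response

    def render_error(error, error_desc, error_uri=None):
        """Write an OAuth error: status code, WWW-Authenticate header, body."""
        response.set_status({
            'invalid_request': 400,
            'invalid_token': 401,
            'expired_token': 401,
            'insufficient_scope': 403,
        }[error])
        authenticate_header = 'OAuth realm="%s", error="%s", error_description="%s"' % \
            (realm, error, error_desc)
        if error_uri:
            authenticate_header += ', error_uri="%s"' % error_uri
        if scope:
            authenticate_header += ', scope="%s"' % scope
        response.headers['WWW-Authenticate'] = authenticate_header
        response.out.write(error_desc)

    auth_header = request.headers.get('Authorization', '')
    if auth_header.startswith('OAuth'):
        # Fix: a bare "OAuth" header has no second field; the original
        # ``split(' ')[1]`` raised IndexError there instead of answering 400.
        parts = auth_header.split(' ')
        token = parts[1] if len(parts) > 1 else None
    else:
        token = request.get('oauth_token', None)
    if not token:
        render_error('invalid_request',
                     "Not a valid request for an OAuth protected resource")
        return

    token = OAuth_Token.get_by_access_token(token)
    # Unknown token: 401 rather than an AttributeError on is_expired().
    if not token:
        render_error('invalid_token', "This token is not valid")
        return
    if token.is_expired():
        # expired_token tells a client holding a refresh token to refresh;
        # without one the token is simply invalid.
        if token.refresh_token:
            render_error('expired_token', "This token has expired")
        else:
            render_error('invalid_token', "This token is no longer valid")
        return
    # Exact scope match only; a token with a superset of scopes is refused.
    if scope != token.scope:
        render_error('insufficient_scope', "This resource requires higher priveleges")
        return
    f(*args, token=token)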