 def post(self):
     """Handle the end-user's decision on the authorization form.

     Parameter validation is delegated to ``validate_params``.  A
     negative answer in ``authorize`` is reported as ``access_denied``;
     otherwise, depending on ``response_type``, an authorization code,
     an access token, or both are issued and handed to ``authz_redirect``.

     NOTE(review): consent is denied only when ``authorize`` is exactly
     ``no`` (case-insensitive).  Any other value, including a missing
     parameter, falls through to issuance, so the check fails open —
     confirm the form cannot submit anything but yes/no.  The CSRF TODO
     below is still open: nothing here ties this POST to the page the
     user actually saw.
     """
     if not self.validate_params():
         return

     # TODO: check for some sort of cross site request forgery? sign the request?
     decision = self.request.get('authorize').lower()
     if decision == 'no':
         self.authz_error('access_denied', "The user did not allow authorization.")
         return

     response_type = self.request.get('response_type')
     wants_code = response_type in ('code', 'code_and_token')
     wants_token = response_type in ('token', 'code_and_token')

     code = None
     if wants_code:
         grant = OAuth_Authorization(
             user_id=self.user.user_id(),
             client_id=self.client.client_id,
             redirect_uri=self.redirect_uri,
         )
         grant.put()
         # ``state`` is echoed back so the client can correlate the redirect.
         code = grant.serialize(state=self.request.get('state'))

     token = None
     if wants_token:
         requested_scope = self.request.get('scope')
         access = OAuth_Token(
             user_id=self.user.user_id(),
             client_id=self.client.client_id,
             scope=requested_scope,
         )
         # can_refresh=False here — presumably tokens issued straight from
         # the authorization endpoint get no refresh token; confirm in OAuth_Token.
         access.put(can_refresh=False)
         token = access.serialize(requested_scope=requested_scope)

     self.authz_redirect(code, token)
 def handle_client_credentials(self, client, scope=None):
     """Issue an access token for the client_credentials grant.

     Args:
         client: the already-authenticated client record; only its
             ``client_id`` is used.
         scope: requested scope string, or ``None``.

     No ``user_id`` is attached — the token represents the client itself.
     It is stored with ``can_refresh=False`` and written out via
     ``render_response``.
     """
     issued = OAuth_Token(client_id=client.client_id, scope=scope)
     issued.put(can_refresh=False)
     self.render_response(issued)
    def handle_client_credentials(self, client, scope=None):
        """Issue an access token for the client_credentials grant.

        Args:
            client: the already-authenticated client record; only its
                ``client_id`` is used.
            scope: requested scope string, or ``None``.

        No ``user_id`` is attached — the token represents the client itself.
        It is stored with ``can_refresh=False`` and written out via
        ``render_response``.
        """
        issued = OAuth_Token(client_id=client.client_id, scope=scope)
        issued.put(can_refresh=False)
        self.render_response(issued)
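 def handle_authorization_code(self, client, scope=None):
     """Exchange an authorization code for an access token.

     Args:
         client: the authenticated client making the token request.
         scope: requested scope string, or ``None``.

     Renders ``invalid_grant`` when no authorization matches the code or
     ``OAuth_Authorization.validate`` rejects the (code, redirect_uri,
     client_id) triple.  On success a token is stored, the code is
     deleted so it cannot be redeemed again, and the token is rendered.
     """
     # Read the code once.  The original passed an undefined name ``code``
     # to validate(), so every well-formed exchange died with NameError.
     code = self.request.get('code')
     redirect_uri = self.request.get('redirect_uri')

     authorization = OAuth_Authorization.get_by_code(code)
     if not authorization or not authorization.validate(code, redirect_uri, client.client_id):
         self.render_error('invalid_grant', "Authorization code expired or invalid.")
         return

     token = OAuth_Token(
         user_id=authorization.user_id,
         client_id=authorization.client_id,
         scope=scope,
     )
     token.put()
     # Authorization codes are single use: consume it before responding.
     authorization.delete()

     self.render_response(token)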
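    def handle_authorization_code(self, client, scope=None):
        """Exchange an authorization code for an access token.

        Args:
            client: the authenticated client making the token request.
            scope: requested scope string, or ``None``.

        Renders ``invalid_grant`` when no authorization matches the code or
        ``OAuth_Authorization.validate`` rejects the (code, redirect_uri,
        client_id) triple.  On success a token is stored, the code is
        deleted so it cannot be redeemed again, and the token is rendered.
        """
        # Read the code once.  The original passed an undefined name ``code``
        # to validate(), so every well-formed exchange died with NameError.
        code = self.request.get('code')
        # NOTE(review): the OAuth parameter is named ``redirect_uri`` and the
        # sibling version of this handler reads that key; if clients send
        # ``redirect_uri``, this lookup is always empty and the redirect
        # binding check in validate() runs against a blank value — confirm.
        redirect_uri = self.request.get('redirect_url')

        authorization = OAuth_Authorization.get_by_code(code)
        if not authorization or not authorization.validate(
                code, redirect_uri, client.client_id):
            self.render_error('invalid_grant',
                              "Authorization code expired or invalid.")
            return

        token = OAuth_Token(
            user_id=authorization.user_id,
            client_id=authorization.client_id,
            scope=scope,
        )
        token.put()
        # Authorization codes are single use: consume it before responding.
        authorization.delete()

        self.render_response(token)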
 def handle_refresh_token(self, client, scope=None):
     """Issue a fresh access token from a presented refresh token.

     Args:
         client: the authenticated client; the stored token must carry
             this ``client_id``.
         scope: accepted for signature parity with the other grant
             handlers but not consulted here — presumably ``refresh()``
             keeps the stored scope; confirm in OAuth_Token.

     Renders ``invalid_grant`` when no token matches or it belongs to a
     different client; otherwise renders the result of ``token.refresh()``.
     """
     presented = self.request.get('refresh_token')
     existing = OAuth_Token.get_by_refresh_token(presented)

     # Binding the lookup to the authenticated client keeps one client from
     # redeeming a refresh token that was issued to another.
     rejected = not existing or existing.client_id != client.client_id
     if rejected:
         self.render_error('invalid_grant', "Invalid refresh token.")
         return

     # TODO: refresh token should expire along with grant according to spec
     self.render_response(existing.refresh())
 def handle_password(self, client, scope=None):
     """Issue a token for the password (resource-owner credentials) grant.

     Args:
         client: the authenticated client.
         scope: requested scope string, or ``None``.

     ``username`` and ``password`` must both be present or ``invalid_grant``
     is rendered.  NOTE(review): the password is only tested for presence
     and never verified — the original comment attributes this to App
     Engine offering no programmatic authentication.  Since ``username``
     becomes the token's ``user_id``, the grant currently binds a token to
     whatever user id the caller supplies.
     """
     # Since App Engine doesn't let you programmatically auth,
     # and the local SDK environment doesn't need a password,
     # we just always grant this w/out auth
     # TODO: something better?
     username = self.request.get('username')
     password = self.request.get('password')

     if not (username and password):
         self.render_error('invalid_grant', "Invalid end-user credentials.")
         return

     issued = OAuth_Token(client_id=client.client_id, user_id=username, scope=scope)
     issued.put()
     self.render_response(issued)
    def handle_refresh_token(self, client, scope=None):
        """Issue a fresh access token from a presented refresh token.

        Args:
            client: the authenticated client; the stored token must carry
                this ``client_id``.
            scope: accepted for signature parity with the other grant
                handlers but not consulted here — presumably ``refresh()``
                keeps the stored scope; confirm in OAuth_Token.

        Renders ``invalid_grant`` when no token matches or it belongs to a
        different client; otherwise renders the result of ``token.refresh()``.
        """
        presented = self.request.get('refresh_token')
        existing = OAuth_Token.get_by_refresh_token(presented)

        # Binding the lookup to the authenticated client keeps one client from
        # redeeming a refresh token that was issued to another.
        rejected = not existing or existing.client_id != client.client_id
        if rejected:
            self.render_error('invalid_grant', "Invalid refresh token.")
            return

        # TODO: refresh token should expire along with grant according to spec
        self.render_response(existing.refresh())
    def handle_password(self, client, scope=None):
        """Issue a token for the password (resource-owner credentials) grant.

        Args:
            client: the authenticated client.
            scope: requested scope string, or ``None``.

        ``username`` and ``password`` must both be present or ``invalid_grant``
        is rendered.  NOTE(review): the password is only tested for presence
        and never verified — the original comment attributes this to App
        Engine offering no programmatic authentication.  Since ``username``
        becomes the token's ``user_id``, the grant currently binds a token to
        whatever user id the caller supplies.
        """
        # Since App Engine doesn't let you programmatically auth,
        # and the local SDK environment doesn't need a password,
        # we just always grant this w/out auth
        # TODO: something better?
        username = self.request.get('username')
        password = self.request.get('password')

        if not (username and password):
            self.render_error('invalid_grant', "Invalid end-user credentials.")
            return

        issued = OAuth_Token(client_id=client.client_id, user_id=username, scope=scope)
        issued.put()
        self.render_response(issued)
    def post(self):
        """Handle the end-user's decision on the authorization form.

        Parameter validation is delegated to ``validate_params``.  A
        negative answer in ``authorize`` is reported as ``access_denied``;
        otherwise, depending on ``response_type``, an authorization code,
        an access token, or both are issued and handed to ``authz_redirect``.

        NOTE(review): consent is denied only when ``authorize`` is exactly
        ``no`` (case-insensitive).  Any other value, including a missing
        parameter, falls through to issuance, so the check fails open —
        confirm the form cannot submit anything but yes/no.  The CSRF TODO
        below is still open: nothing here ties this POST to the page the
        user actually saw.
        """
        if not self.validate_params():
            return

        # TODO: check for some sort of cross site request forgery? sign the request?
        decision = self.request.get('authorize').lower()
        if decision == 'no':
            self.authz_error('access_denied',
                             "The user did not allow authorization.")
            return

        response_type = self.request.get('response_type')
        wants_code = response_type in ('code', 'code_and_token')
        wants_token = response_type in ('token', 'code_and_token')

        code = None
        if wants_code:
            grant = OAuth_Authorization(
                user_id=self.user.user_id(),
                client_id=self.client.client_id,
                redirect_uri=self.redirect_uri,
            )
            grant.put()
            # ``state`` is echoed back so the client can correlate the redirect.
            code = grant.serialize(state=self.request.get('state'))

        token = None
        if wants_token:
            requested_scope = self.request.get('scope')
            access = OAuth_Token(
                user_id=self.user.user_id(),
                client_id=self.client.client_id,
                scope=requested_scope,
            )
            # can_refresh=False here — presumably tokens issued straight from
            # the authorization endpoint get no refresh token; confirm in OAuth_Token.
            access.put(can_refresh=False)
            token = access.serialize(requested_scope=requested_scope)

        self.authz_redirect(code, token)
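        def wrapped_f(*args):
            """Authenticate the presented access token, then call ``f``.

            ``args[0]`` is the request handler; ``realm``, ``scope`` and ``f``
            are closed over from the enclosing decorator.  The token is read
            from an ``Authorization: OAuth <token>`` header, falling back to
            the ``oauth_token`` request parameter.  Any failure is reported
            through ``render_error`` (HTTP status plus a ``WWW-Authenticate``
            challenge) and ``f`` is not called; on success ``f`` receives the
            stored token object as the ``token`` keyword argument.
            """
            request = args[0].request
            response = args[0].response

            def render_error(error, error_desc, error_uri=None):
                # Map the OAuth error code to its HTTP status and describe the
                # failure in the WWW-Authenticate challenge as well as the body.
                response.set_status({
                    'invalid_request': 400,
                    'invalid_token': 401,
                    'expired_token': 401,
                    'insufficient_scope': 403,
                }[error])
                authenticate_header = 'OAuth realm="%s", error="%s", error_description="%s"' % \
                    (realm, error, error_desc)
                if error_uri:
                    authenticate_header += ', error_uri="%s"' % error_uri
                if scope:
                    authenticate_header += ', scope="%s"' % scope
                response.headers['WWW-Authenticate'] = authenticate_header
                response.out.write(error_desc)

            auth_header = request.headers.get('Authorization', '')
            if auth_header.startswith('OAuth'):
                # A header consisting of just the scheme used to raise
                # IndexError (a 500); treat it as "no token" instead.
                fields = auth_header.split(' ')
                token = fields[1] if len(fields) > 1 else None
            else:
                token = request.get('oauth_token', None)

            if not token:
                render_error(
                    'invalid_request',
                    "Not a valid request for an OAuth protected resource")
                return

            token = OAuth_Token.get_by_access_token(token)
            # An unknown token is assumed to come back falsy (the sibling
            # version of this wrapper guards the same way); the original
            # dereferenced the result unconditionally and raised AttributeError.
            if not token:
                render_error('invalid_token', "This token is not valid")
                return
            if token.is_expired():
                if token.refresh_token:
                    render_error('expired_token', "This token has expired")
                else:
                    render_error('invalid_token',
                                 "This token is no longer valid")
                return

            # Scope is an exact string match against the decorator's ``scope``.
            if scope != token.scope:
                render_error('insufficient_scope',
                             "This resource requires higher priveleges")
                return

            f(*args, token=token)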
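 def wrapped_f(*args):
     """Authenticate the presented access token, then call ``f``.

     ``args[0]`` is the request handler; ``realm``, ``scope`` and ``f``
     are closed over from the enclosing decorator.  The token is read
     from an ``Authorization: OAuth <token>`` header, falling back to
     the ``oauth_token`` request parameter.  Any failure is reported
     through ``render_error`` (HTTP status plus a ``WWW-Authenticate``
     challenge) and ``f`` is not called; on success ``f`` receives the
     stored token object as the ``token`` keyword argument.
     """
     request     = args[0].request
     response    = args[0].response

     def render_error(error, error_desc, error_uri=None):
         # Map the OAuth error code to its HTTP status and describe the
         # failure in the WWW-Authenticate challenge as well as the body.
         response.set_status({
             'invalid_request':      400,
             'invalid_token':        401,
             'expired_token':        401,
             'insufficient_scope':   403, }[error])
         authenticate_header = 'OAuth realm="%s", error="%s", error_description="%s"' % \
             (realm, error, error_desc)
         if error_uri:
             authenticate_header += ', error_uri="%s"' % error_uri
         if scope:
             authenticate_header += ', scope="%s"' % scope
         response.headers['WWW-Authenticate'] = authenticate_header
         response.out.write(error_desc)

     auth_header = request.headers.get('Authorization', '')
     if auth_header.startswith('OAuth'):
         # A header consisting of just the scheme used to raise IndexError
         # (a 500); treat it as "no token" instead.
         fields = auth_header.split(' ')
         token = fields[1] if len(fields) > 1 else None
     else:
         token = request.get('oauth_token', None)

     if not token:
         render_error('invalid_request', "Not a valid request for an OAuth protected resource")
         return

     # Unknown tokens are rejected before any attribute access.
     token = OAuth_Token.get_by_access_token(token)
     if not token:
         render_error('invalid_token', "This token is not valid")
         return
     if token.is_expired():
         if token.refresh_token:
             render_error('expired_token', "This token has expired")
         else:
             render_error('invalid_token', "This token is no longer valid")
         return

     # Scope is an exact string match against the decorator's ``scope``.
     if scope != token.scope:
         render_error('insufficient_scope', "This resource requires higher priveleges")
         return

     f(*args, token=token)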