def password_grant_type(self, areq):
"""
Token authorization using Resource owner password credentials.
RFC6749 section 4.3
"""
# `Any` comparison tries a first broker, so we either hit an IndexError or get a method
try:
authn, authn_class_ref = self.pick_auth(areq, "any")
except IndexError:
err = TokenErrorResponse(error="invalid_grant")
return Unauthorized(err.to_json(), content="application/json")
identity, _ts = authn.authenticated_as(
username=areq["username"], password=areq["password"]
)
if identity is None:
err = TokenErrorResponse(error="invalid_grant")
return Unauthorized(err.to_json(), content="application/json")
# We are returning a token
areq["response_type"] = ["token"]
authn_event = AuthnEvent(
identity["uid"],
identity.get("salt", ""),
authn_info=authn_class_ref,
time_stamp=_ts,
)
sid = self.setup_session(areq, authn_event, self.cdb[areq["client_id"]])
_at = self.sdb.upgrade_to_token(self.sdb[sid]["code"], issue_refresh=True)
atr_class = self.server.message_factory.get_response_type("token_endpoint")
atr = atr_class(**by_schema(atr_class, **_at))
return Response(
atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS
)
def refresh_token_grant_type(self, areq):
at = self.token_handler.refresh_access_token(self.baseurl,
areq['access_token'],
'refresh_token')
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **at))
return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs):
"""
This is where clients come to get their access tokens
"""
_sdb = self.sdb
logger.debug("- token -")
body = kwargs["request"]
logger.debug("body: %s" % sanitize(body))
areq = AccessTokenRequest().deserialize(body, "urlencoded")
try:
self.client_authn(self, areq, authn)
except FailedAuthentication as err:
logger.error(err)
err = TokenErrorResponse(error="unauthorized_client",
error_description="%s" % err)
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
logger.debug("AccessTokenRequest: %s" % sanitize(areq))
try:
assert areq["grant_type"] == "authorization_code"
except AssertionError:
err = TokenErrorResponse(error="invalid_request",
error_description="Wrong grant type")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
# assert that the code is valid
_info = _sdb[areq["code"]]
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info:
assert areq["redirect_uri"] == _info["redirect_uri"]
try:
_tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True)
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
logger.debug("_tinfo: %s" % sanitize(_tinfo))
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
logger.debug("AccessTokenResponse: %s" % sanitize(atr))
return Response(atr.to_json(), content="application/json")
def code_grant_type(self, areq):
# assert that the code is valid
try:
_info = self.sdb[areq["code"]]
except KeyError:
err = TokenErrorResponse(error="invalid_grant",
error_description="Unknown access grant")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
authzreq = json.loads(_info['authzreq'])
if 'code_verifier' in areq:
try:
_method = authzreq['code_challenge_method']
except KeyError:
_method = 'S256'
resp = self.verify_code_challenge(areq['code_verifier'],
authzreq['code_challenge'],
_method)
if resp:
return resp
if 'state' in areq:
if self.sdb[areq['code']]['state'] != areq['state']:
logger.error('State value mismatch')
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info:
assert areq["redirect_uri"] == _info["redirect_uri"]
issue_refresh = False
if 'scope' in authzreq and 'offline_access' in authzreq['scope']:
if authzreq['response_type'] == 'code':
issue_refresh = True
try:
_tinfo = self.sdb.upgrade_to_token(areq["code"],
issue_refresh=issue_refresh)
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
logger.debug("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
logger.debug("AccessTokenResponse: %s" % atr)
return Response(atr.to_json(), content="application/json")
def refresh_token_grant_type(self, areq):
at = self.token_handler.refresh_access_token(
self.baseurl, areq["access_token"], "refresh_token"
)
atr_class = self.server.message_factory.get_response_type("token_endpoint")
atr = atr_class(**by_schema(atr_class, **at))
return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs):
"""
This is where clients come to get their access tokens
"""
_sdb = self.sdb
LOG_DEBUG("- token -")
body = kwargs["request"]
LOG_DEBUG("body: %s" % body)
areq = AccessTokenRequest().deserialize(body, "urlencoded")
try:
client = self.client_authn(self, areq, authn)
except FailedAuthentication as err:
err = TokenErrorResponse(error="unauthorized_client",
error_description="%s" % err)
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
LOG_DEBUG("AccessTokenRequest: %s" % areq)
try:
assert areq["grant_type"] == "authorization_code"
except AssertionError:
err = TokenErrorResponse(error="invalid_request",
error_description="Wrong grant type")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
# assert that the code is valid
_info = _sdb[areq["code"]]
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info:
assert areq["redirect_uri"] == _info["redirect_uri"]
try:
_tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True)
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
LOG_DEBUG("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
LOG_DEBUG("AccessTokenResponse: %s" % atr)
return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs):
"""
This is where clients come to get their access tokens
"""
_sdb = self.sdb
logger.debug("- token -")
body = kwargs["request"]
logger.debug("body: %s" % sanitize(body))
areq = AccessTokenRequest().deserialize(body, "urlencoded")
try:
self.client_authn(self, areq, authn)
except FailedAuthentication as err:
logger.error(err)
err = TokenErrorResponse(error="unauthorized_client",
error_description="%s" % err)
return Response(err.to_json(), content="application/json", status_code=401)
logger.debug("AccessTokenRequest: %s" % sanitize(areq))
if areq["grant_type"] != "authorization_code":
err = TokenErrorResponse(error="invalid_request", error_description="Wrong grant type")
return Response(err.to_json(), content="application/json", status="401 Unauthorized")
# assert that the code is valid
_info = _sdb[areq["code"]]
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]:
logger.error('Redirect_uri mismatch')
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
try:
_tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True)
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
logger.debug("_tinfo: %s" % sanitize(_tinfo))
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
logger.debug("AccessTokenResponse: %s" % sanitize(atr))
return Response(atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS)
def authorization_endpoint(self, query):
req = self.parse_authorization_request(query=query)
aevent = AuthnEvent("user", "salt", authn_info="acr")
sid = self.sdb.create_authz_session(aevent, areq=req)
self.sdb.do_sub(sid, 'client_salt')
_info = self.sdb[sid]
if "code" in req["response_type"]:
if "token" in req["response_type"]:
grant = _info["code"]
_dict = self.sdb.upgrade_to_token(grant)
_dict["oauth_state"] = "authz",
_dict = by_schema(AuthorizationResponse(), **_dict)
resp = AuthorizationResponse(**_dict)
# resp.code = grant
else:
_state = req["state"]
resp = AuthorizationResponse(state=_state, code=_info["code"])
else: # "implicit" in req.response_type:
grant = _info["code"]
params = AccessTokenResponse.c_param.keys()
if "token" in req["response_type"]:
_dict = dict([
(k, v)
for k, v in self.sdb.upgrade_to_token(grant).items()
if k in params
])
try:
del _dict["refresh_token"]
except KeyError:
pass
else:
_dict = {"state": req["state"]}
if "id_token" in req["response_type"]:
_idt = self.make_id_token(_info, issuer=self.name)
alg = "RS256"
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
_info["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm=alg)
p = _signed_jwt.split(".")
p[2] = "aaa"
_dict["id_token"] = ".".join(p)
resp = AuthorizationResponse(**_dict)
location = resp.request(req["redirect_uri"])
response = Response()
response.headers = {"location": location}
response.status_code = 302
response.text = ""
return response
def token_response(**kwargs):
_areq = kwargs["areq"]
_scode = kwargs["scode"]
_sdb = kwargs["sdb"]
_dic = _sdb.upgrade_to_token(_scode, issue_refresh=False)
aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic))
if "state" in _areq:
aresp["state"] = _areq["state"]
return aresp
def token_response(**kwargs):
_areq = kwargs["areq"]
_scode = kwargs["scode"]
_sdb = kwargs["sdb"]
_dic = _sdb.update_to_token(_scode, issue_refresh=False)
aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic))
if "state" in _areq:
aresp["state"] = _areq["state"]
return aresp
def authorization_endpoint(self, query):
req = self.parse_authorization_request(query=query)
aevent = AuthnEvent("user", authn_info="acr")
sid = self.sdb.create_authz_session(aevent, areq=req)
_ = self.sdb.do_sub(sid)
_info = self.sdb[sid]
if "code" in req["response_type"]:
if "token" in req["response_type"]:
grant = _info["code"]
_dict = self.sdb.upgrade_to_token(grant)
_dict["oauth_state"] = "authz",
_dict = by_schema(AuthorizationResponse(), **_dict)
resp = AuthorizationResponse(**_dict)
# resp.code = grant
else:
_state = req["state"]
resp = AuthorizationResponse(state=_state,
code=_info["code"])
else: # "implicit" in req.response_type:
grant = _info["code"]
params = AccessTokenResponse.c_param.keys()
if "token" in req["response_type"]:
_dict = dict([(k, v) for k, v in
self.sdb.upgrade_to_token(grant).items() if k in
params])
try:
del _dict["refresh_token"]
except KeyError:
pass
else:
_dict = {"state": req["state"]}
if "id_token" in req["response_type"]:
_idt = self.make_id_token(_info, issuer=self.name)
alg = "RS256"
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
_info["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm=alg)
p = _signed_jwt.split(".")
p[2] = "aaa"
_dict["id_token"] = ".".join(p)
resp = AuthorizationResponse(**_dict)
location = resp.request(req["redirect_uri"])
response = Response()
response.headers = {"location": location}
response.status_code = 302
response.text = ""
return response
def do_access_token_response(self, access_token, atinfo, state,
refresh_token=None):
_tinfo = {'access_token': access_token, 'expires_in': atinfo['exp'],
'token_type': 'bearer', 'state': state}
try:
_tinfo['scope'] = atinfo['scope']
except KeyError:
pass
if refresh_token:
_tinfo['refresh_token'] = refresh_token
return AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
def do_access_token_response(self, access_token, atinfo, state,
refresh_token=None):
_tinfo = {'access_token': access_token, 'expires_in': atinfo['exp'],
'token_type': 'bearer', 'state': state}
try:
_tinfo['scope'] = atinfo['scope']
except KeyError:
pass
if refresh_token:
_tinfo['refresh_token'] = refresh_token
return AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
def token_response(**kwargs):
_areq = kwargs["areq"]
_scode = kwargs["scode"]
_sdb = kwargs["sdb"]
_dic = _sdb.upgrade_to_token(_scode, issue_refresh=False)
aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic))
try:
aresp["state"] = _areq["state"]
except KeyError:
pass
add_non_standard(_areq, aresp)
return aresp
def token_response(**kwargs):
_areq = kwargs["areq"]
_scode = kwargs["scode"]
_sdb = kwargs["sdb"]
_dic = _sdb.upgrade_to_token(_scode, issue_refresh=False)
aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic))
try:
aresp["state"] = _areq["state"]
except KeyError:
pass
add_non_standard(_areq, aresp)
return aresp
def authorization_endpoint(self, query):
req = self.parse_authorization_request(query=query)
sid = self.sdb.create_authz_session(sub="user", areq=req)
_info = self.sdb[sid]
_info["sub"] = _info["local_sub"]
if "code" in req["response_type"]:
if "token" in req["response_type"]:
grant = _info["code"]
_dict = self.sdb.upgrade_to_token(grant)
_dict["oauth_state"] = "authz",
_dict = by_schema(AuthorizationResponse(), **_dict)
resp = AuthorizationResponse(**_dict)
#resp.code = grant
else:
resp = AuthorizationResponse(state=req["state"],
code=_info["code"])
else: # "implicit" in req.response_type:
grant = _info["code"]
params = AccessTokenResponse.c_param.keys()
_dict = dict([(k, v)
for k, v in self.sdb.upgrade_to_token(grant).items()
if k in params])
try:
del _dict["refresh_token"]
except KeyError:
pass
if "id_token" in req["response_type"]:
_idt = self.make_id_token(_info,
issuer=self.name,
access_token=_dict["access_token"])
alg = "RS256"
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
_info["client_id"])
_dict["id_token"] = _idt.to_jwt(key=ckey, algorithm=alg)
resp = AccessTokenResponse(**_dict)
location = resp.request(req["redirect_uri"])
response = Response()
response.headers = {"location": location}
response.status_code = 302
response.text = ""
return response
def userinfo_in_id_token_claims(self, session):
"""
Put userinfo claims in the id token
:param session:
:return:
"""
itc = self.server.id_token_claims(session)
if not itc:
return None
_claims = by_schema(OpenIDSchema, **itc)
if _claims:
return self._collect_user_info(session, {"claims": _claims})
else:
return None
def token_endpoint(self, data):
if "grant_type=refresh_token" in data:
req = self.parse_refresh_token_request(body=data)
_info = self.sdb.refresh_token(req["refresh_token"])
elif "grant_type=authorization_code":
req = self.parse_token_request(body=data)
_info = self.sdb.upgrade_to_token(req["code"])
else:
response = TokenErrorResponse(error="unsupported_grant_type")
return response, ""
resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
response = Response()
response.headers = {"content-type": "application/json"}
response.text = resp.to_json()
return response
def do_access_token_response(self, access_token, atinfo, state, refresh_token=None):
_tinfo = {
"access_token": access_token,
"expires_in": atinfo["exp"],
"token_type": "bearer",
"state": state,
}
try:
_tinfo["scope"] = atinfo["scope"]
except KeyError:
pass
if refresh_token:
_tinfo["refresh_token"] = refresh_token
atr_class = self.server.message_factory.get_response_type("token_endpoint")
return atr_class(**by_schema(atr_class, **_tinfo))
def token_endpoint(self, environ, start_response):
"""
This is where clients come to get their access tokens
"""
_sdb = self.sdb
LOG_DEBUG("- token -")
body = get_post(environ)
LOG_DEBUG("body: %s" % body)
areq = AccessTokenRequest().deserialize(body, "urlencoded")
# Client is from basic auth or ...
client = None
try:
client = self.function["verify_client"](environ, client, self.cdb)
except (KeyError, AttributeError):
err = TokenErrorResponse(error="unathorized_client",
error_description="client_id:%s" % client)
resp = Response(err.to_json(), content="application/json",
status="401 Unauthorized")
return resp(environ, start_response)
LOG_DEBUG("AccessTokenRequest: %s" % areq)
assert areq["grant_type"] == "authorization_code"
# assert that the code is valid
_info = _sdb[areq["code"]]
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info:
assert areq["redirect_uri"] == _info["redirect_uri"]
_tinfo = _sdb.update_to_token(areq["code"])
LOG_DEBUG("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
LOG_DEBUG("AccessTokenResponse: %s" % atr)
resp = Response(atr.to_json(), content="application/json")
return resp(environ, start_response)
def token_endpoint(self, data):
if "grant_type=refresh_token" in data:
req = self.parse_refresh_token_request(body=data)
_info = self.sdb.refresh_token(req["refresh_token"])
elif "grant_type=authorization_code":
req = self.parse_token_request(body=data)
_info = self.sdb.upgrade_to_token(req["code"])
else:
response = TokenErrorResponse(error="unsupported_grant_type")
return response, ""
resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
response = Response()
response.headers = {"content-type": "application/json"}
response.text = resp.to_json()
return response
def authorization_endpoint(self, query):
req = self.parse_authorization_request(query=query)
sid = self.sdb.create_authz_session(user_id="user", areq=req)
_info = self.sdb[sid]
if "code" in req["response_type"]:
if "token" in req["response_type"]:
grant = _info["code"]
_dict = self.sdb.update_to_token(grant)
_dict["oauth_state"]="authz",
_dict = by_schema(AuthorizationResponse(), **_dict)
resp = AuthorizationResponse(**_dict)
#resp.code = grant
else:
resp = AuthorizationResponse(state=req["state"],
code=_info["code"])
else: # "implicit" in req.response_type:
grant = _info["code"]
params = AccessTokenResponse.c_param.keys()
_dict = dict([(k,v) for k,
v in self.sdb.update_to_token(grant).items() if k in
params])
try:
del _dict["refresh_token"]
except KeyError:
pass
if "id_token" in req["response_type"]:
_dict["id_token"] = self.make_id_token(_info, issuer=self.name,
access_token=_dict["access_token"])
resp = AccessTokenResponse(**_dict)
location = resp.request(req["redirect_uri"])
response= Response()
response.headers = {"location":location}
response.status_code = 302
response.text = ""
return response
def token_endpoint(self, data):
if "grant_type=refresh_token" in data:
req = self.parse_refresh_token_request(body=data)
_info = self.sdb.refresh_token(req["refresh_token"],
req['client_id'])
elif "grant_type=authorization_code" in data:
req = self.parse_token_request(body=data)
if 'offline_access' in self.sdb[req['code']]['scope']:
_info = self.sdb.upgrade_to_token(req["code"],
issue_refresh=True)
else:
_info = self.sdb.upgrade_to_token(req["code"])
else:
response = TokenErrorResponse(error="unsupported_grant_type")
return response, ""
resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
response2 = Response()
response2.headers = {"content-type": "application/json"}
response2.text = resp.to_json()
return response2
def code_grant_type(self, areq):
"""
Token authorization using Code Grant.
RFC6749 section 4.1
"""
try:
_tinfo = self.sdb.upgrade_to_token(areq["code"],
issue_refresh=True)
except AccessCodeUsed:
error = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Unauthorized(error.to_json(), content="application/json")
logger.debug("_tinfo: %s" % sanitize(_tinfo))
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
logger.debug("AccessTokenResponse: %s" % sanitize(atr))
return Response(atr.to_json(),
content="application/json",
headers=OAUTH2_NOCACHE_HEADERS)
def _refresh_access_token_endpoint(self, req, **kwargs):
_sdb = self.sdb
_log_debug = logger.debug
client_info = self.cdb[req["client_id"]]
assert req["grant_type"] == "refresh_token"
rtoken = req["refresh_token"]
_info = _sdb.refresh_token(rtoken)
if "openid" in _info["scope"]:
userinfo = self.userinfo_in_id_token_claims(_info)
_idtoken = self.sign_encrypt_id_token(_info, client_info, req,
user_info=userinfo)
sid = _sdb.token.get_key(rtoken)
_sdb.update(sid, "id_token", _idtoken)
_log_debug("_info: %s" % _info)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
_log_debug("access_token_response: %s" % atr.to_dict())
return Response(atr.to_json(), content="application/json")
LOG_DEBUG("- authenticated -")
try:
result = self.authn_intro(environ, start_response)
except Exception, err:
resp = ServiceError("%s" % err)
return resp(environ, start_response)
if isinstance(result, Response):
return result(environ, start_response)
else:
areq, session = result
try:
aresp = self.authn_response(areq, **by_schema(AuthorizationResponse, **session))
except KeyError, err: # Don't know what to do raise an exception
resp = BadRequest("Unknown response type (%s)" % err)
return resp(environ, start_response)
add_non_standard(aresp, areq)
return self.authn_reply(areq, aresp, environ, start_response)
def authorization_endpoint(self, environ, start_response, **kwargs):
# The AuthorizationRequest endpoint
_sdb = self.sdb
LOG_DEBUG("- authorization -")
# verify that the one given here is the correct one.
if "redirect_uri" in _info:
assert areq["redirect_uri"] == _info["redirect_uri"]
try:
_tinfo = _sdb.upgrade_to_token(areq["code"])
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(),
content="application/json",
status="401 Unauthorized")
LOG_DEBUG("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
LOG_DEBUG("AccessTokenResponse: %s" % atr)
return Response(atr.to_json(), content="application/json")
def verify_endpoint(self, request="", cookie=None, **kwargs):
_req = urlparse.parse_qs(request)
try:
areq = urlparse.parse_qs(_req["query"][0])
except KeyError:
return BadRequest()
authn, acr = self.pick_auth(areq=areq)
kwargs["cookie"] = cookie
return authn.verify(_req, **kwargs)
def code_grant_type(self, areq):
# assert that the code is valid
try:
_info = self.sdb[areq["code"]]
except KeyError:
err = TokenErrorResponse(error="invalid_grant",
error_description="Unknown access grant")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
authzreq = json.loads(_info['authzreq'])
if 'code_verifier' in areq:
try:
_method = authzreq['code_challenge_method']
except KeyError:
_method = 'S256'
resp = self.verify_code_challenge(areq['code_verifier'],
authzreq['code_challenge'],
_method)
if resp:
return resp
if 'state' in areq:
if self.sdb[areq['code']]['state'] != areq['state']:
logger.error('State value mismatch')
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]:
logger.error('Redirect_uri mismatch')
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
issue_refresh = False
if 'scope' in authzreq and 'offline_access' in authzreq['scope']:
if authzreq['response_type'] == 'code':
issue_refresh = True
try:
_tinfo = self.sdb.upgrade_to_token(areq["code"],
issue_refresh=issue_refresh)
except AccessCodeUsed:
err = TokenErrorResponse(error="invalid_grant",
error_description="Access grant used")
return Response(err.to_json(), content="application/json",
status="401 Unauthorized")
logger.debug("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
logger.debug("AccessTokenResponse: %s" % atr)
return Response(atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS)
def refresh_token_grant_type(self, areq):
at = self.token_handler.refresh_access_token(
self.baseurl, areq['access_token'], 'refresh_token')
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **at))
return Response(atr.to_json(), content="application/json")
LOG_DEBUG("- authenticated -")
try:
result = self.authn_intro(environ, start_response)
except Exception, err:
resp = ServiceError("%s" % err)
return resp(environ, start_response)
if isinstance(result, Response):
return result(environ, start_response)
else:
areq, session = result
try:
aresp = self.authn_response(areq,
**by_schema(AuthorizationResponse,
**session))
except KeyError, err: # Don't know what to do raise an exception
resp = BadRequest("Unknown response type (%s)" % err)
return resp(environ, start_response)
add_non_standard(aresp, areq)
return self.authn_reply(areq, aresp, environ, start_response)
def authorization_endpoint(self, environ, start_response, **kwargs):
# The AuthorizationRequest endpoint
_sdb = self.sdb
LOG_DEBUG("- authorization -")
bsid = base64.b64encode(sid)
session = _sdb[sid]
# Do the authorization
try:
permission = self.authz(session["sub"], session)
_sdb.update(sid, "permission", permission)
except Exception:
raise
grant = session["code"]
LOG_DEBUG("code: '%s'" % grant)
try:
aresp = self.authn_response(areq,
**by_schema(AuthorizationResponse,
**session))
except KeyError, err: # Don't know what to do raise an exception
return BadRequest("Unknown response type (%s)" % err)
add_non_standard(aresp, areq)
return self.authn_reply(areq, aresp, bsid)
def token_endpoint(self, auth_header="", **kwargs):
"""
This is where clients come to get their access tokens
"""
_sdb = self.sdb
LOG_DEBUG("- token -")
def code_grant_type(self, areq):
# assert that the code is valid
try:
_info = self.sdb[areq["code"]]
except KeyError:
err = TokenErrorResponse(
error="invalid_grant", error_description="Unknown access grant"
)
return Response(
err.to_json(), content="application/json", status="401 Unauthorized"
)
authzreq = json.loads(_info["authzreq"])
if "code_verifier" in areq:
try:
_method = authzreq["code_challenge_method"]
except KeyError:
_method = "S256"
resp = self.verify_code_challenge(
areq["code_verifier"], authzreq["code_challenge"], _method
)
if resp:
return resp
if "state" in areq:
if self.sdb[areq["code"]]["state"] != areq["state"]:
logger.error("State value mismatch")
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
resp = self.token_scope_check(areq, _info)
if resp:
return resp
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]:
logger.error("Redirect_uri mismatch")
err = TokenErrorResponse(error="unauthorized_client")
return Unauthorized(err.to_json(), content="application/json")
issue_refresh = False
if "scope" in authzreq and "offline_access" in authzreq["scope"]:
if authzreq["response_type"] == "code":
issue_refresh = True
try:
_tinfo = self.sdb.upgrade_to_token(
areq["code"], issue_refresh=issue_refresh
)
except AccessCodeUsed:
err = TokenErrorResponse(
error="invalid_grant", error_description="Access grant used"
)
return Response(
err.to_json(), content="application/json", status="401 Unauthorized"
)
logger.debug("_tinfo: %s" % _tinfo)
atr_class = self.server.message_factory.get_response_type("token_endpoint")
atr = atr_class(**by_schema(atr_class, **_tinfo))
logger.debug("AccessTokenResponse: %s" % atr)
return Response(
atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS
)
_sdb.revoke_all_tokens(_access_code)
return self._error(environ, start_response,
error="access_denied", descr= "%s" % err)
if "openid" in _info["scope"]:
try:
_idtoken = self._id_token(_info)
except AccessDenied:
return self._error(environ, start_response,
error="access_denied")
_sdb.update_by_token(_access_code, "id_token", _idtoken)
_log_debug("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
if self.test_mode:
_log_info("access_token_response: %s" % atr.to_dict())
resp = Response(atr.to_json(), content="application/json")
return resp(environ, start_response)
def _bearer_auth(self, environ):
#'HTTP_AUTHORIZATION': 'Bearer pC7efiVgbI8UASlolltdh76DrTZ2BQJQXFhVvwWlKekFvWCcdMTmNCI/BCSCxQiG'
try:
authn = environ["HTTP_AUTHORIZATION"]
try:
assert authn[:6].lower() == "bearer"
_token = authn[7:]
except AssertionError:
