def validate_requested_scope(self): """Validate if requested scope is supported by Authorization Server.""" scope = self.request.scope state = self.request.state if scope: allowed = set( scope_to_list(self.request.client.get_allowed_scope(scope))) requested = set(scope_to_list(scope)) if not (requested <= allowed): raise InvalidScopeError(state=state) return self.server.validate_requested_scope(scope, state)
def save_token(token_data, request): requested_scopes = set(scope_to_list(token_data.get('scope', ''))) application = OAuthApplication.query.filter_by( client_id=request.client.client_id).one() link = OAuthApplicationUserLink.query.with_parent(application).with_parent( request.user).first() if link is None: link = OAuthApplicationUserLink(application=application, user=request.user, scopes=requested_scopes) else: if not requested_scopes: # for already-authorized apps not specifying a scope uses all scopes the # user previously granted to the app requested_scopes = set(link.scopes) token_data['scope'] = list_to_scope(requested_scopes) new_scopes = requested_scopes - set(link.scopes) if new_scopes: logger.info('New scopes for %r: %s', link, new_scopes) link.update_scopes(new_scopes) link.tokens.append( OAuthToken(access_token=token_data['access_token'], scopes=requested_scopes)) # get rid of old tokens if there are too many q = (db.session.query(OAuthToken.id).with_parent(link).filter_by( _scopes=db.cast(sorted(requested_scopes), ARRAY(db.String))).order_by( OAuthToken.created_dt.desc()).offset( MAX_TOKENS_PER_SCOPE).scalar_subquery()) OAuthToken.query.filter( OAuthToken.id.in_(q)).delete(synchronize_session='fetch')
def _process_consent(self): try: grant = auth_server.get_consent_grant(end_user=session.user) except OAuth2Error as error: return render_template('oauth/authorize_errors.html', error=error.error) application = grant.client if request.method == 'POST': if 'confirm' not in request.form: return False logger.info('User %s authorized %s', session.user, application) return True elif application.is_trusted: logger.info('User %s automatically authorized %s', session.user, application) return True link = application.user_links.filter_by(user=session.user).first() authorized_scopes = set(link.scopes) if link else set() requested_scopes = set(scope_to_list( grant.request.scope)) if grant.request.scope else authorized_scopes if requested_scopes <= authorized_scopes: return True new_scopes = requested_scopes - authorized_scopes return render_template( 'oauth/authorize.html', application=application, authorized_scopes=[ _f for _f in [SCOPES.get(s) for s in authorized_scopes] if _f ], new_scopes=[ _f for _f in [SCOPES.get(s) for s in new_scopes] if _f ])
def is_openid_scope(scope): scopes = scope_to_list(scope) return scopes and 'openid' in scopes
def get_allowed_scope(self, scope): if not scope: return '' allowed = set(self.allowed_scopes) scopes = set(scope_to_list(scope)) return list_to_scope(allowed & scopes)
def get_allowed_scope(self, scope): if not scope: return '' allowed = set(self.scope.split()) scopes = scope_to_list(scope) return list_to_scope([s for s in scopes if s in allowed])