Exemple #1
0
    def _get_access_token_jwt(self, request, content):
        extra_data = {}
        issuer = settings.JWT_ISSUER
        payload_enricher = getattr(settings, 'JWT_PAYLOAD_ENRICHER', None)
        if payload_enricher:
            request.user = get_access_token_model().objects.get(
                token=content['access_token']).user
            fn = import_string(payload_enricher)
            extra_data = fn(request)

        if 'scope' in content:
            extra_data['scope'] = content['scope']

        id_attribute = getattr(settings, 'JWT_ID_ATTRIBUTE', None)
        if id_attribute:
            token = get_access_token_model().objects.get(
                token=content['access_token'])
            if token.application.authorization_grant_type != 'client-credentials':
                id_value = getattr(token.user, id_attribute, None)
                if not id_value:
                    raise MissingIdAttribute()
                extra_data[id_attribute] = str(id_value)

        payload = generate_payload(issuer, content['expires_in'], **extra_data)
        token = encode_jwt(payload)
        return token
Exemple #2
0
    def _get_access_token_jwt(self, request, content):
        extra_data = {}
        issuer_shortname = settings.JWT_ISSUER
        issuer = settings.JWT_ISSUER_DOMAIN
        payload_enricher = getattr(settings, 'JWT_PAYLOAD_ENRICHER', None)
        request_params = list(request.POST.keys())
        
        if payload_enricher:
            fn = import_string(payload_enricher)
            extra_data = fn(request)
            
        if 'scope' in content:
            extra_data['scope'] = content['scope']
            extra_data['typ'] = "Bearer"
            extra_data['issuer_shortname'] = issuer_shortname
        
        if 'audience' in request_params: 
            requested_audience = request.POST['audience']    
            token = get_access_token_model().objects.get(
                token=content['access_token']
            )            
            audience_query = token.application.audience.all().only('identifier')
            all_audience = [audience.identifier for audience in audience_query]
            
            try: 
                assert requested_audience in all_audience
            except AssertionError as ae:
                raise IncorrectAudience()
            else:                
                extra_data['aud'] = requested_audience
                

        id_attribute = getattr(settings, 'JWT_ID_ATTRIBUTE', None)
        
        if id_attribute:
            token = get_access_token_model().objects.get(token=content['access_token'])
            
            token_user = token.user
            ## check the allowed scopes for user and content scopes 
            try: 
                assert token_user is not None
                id_value = getattr(token_user, id_attribute, None)
                if not id_value:
                    raise MissingIdAttribute()
            except AssertionError as ae: 
                id_value = token.application.client_id + "@clients"
            
            extra_data['sub'] = str(id_value)
        

        payload = generate_payload(issuer, content['expires_in'], **extra_data)
        headers = {'kid': settings.JWKS_KEY_ID}
        token = encode_jwt(payload, headers= headers)
        
        return token
Exemple #3
0
 def get_token_response(token_value=None):
     try:
         token = get_access_token_model().objects.get(token=token_value)
     except ObjectDoesNotExist:
         return HttpResponse(
             content=json.dumps({"active": False}),
             status=401,
             content_type="application/json",
         )
     else:
         if token.is_valid():
             data = {
                 "active": True,
                 "scope": token.scope,
                 "exp": int(calendar.timegm(token.expires.timetuple())),
             }
             if token.application:
                 data["client_id"] = token.application.client_id
             if token.user:
                 data["username"] = token.user.get_username()
                 data["role"] = token.user.role
                 data["courses"] = list(
                     token.user.courses.values_list("course_id", flat=True))
             return HttpResponse(
                 content=json.dumps(data),
                 status=200,
                 content_type="application/json",
             )
         else:
             return HttpResponse(
                 content=json.dumps({"active": False}),
                 status=200,
                 content_type="application/json",
             )
Exemple #4
0
 def get_userinfo_response(token_value=None):
     try:
         token = get_access_token_model().objects.get(token=token_value)
     except ObjectDoesNotExist:
         log.debug("Token not found for token_value %s" % token_value)
         return HttpResponse(content=json.dumps({"error": "invalid_token"}),
                             status=401,
                             content_type="application/json")
     else:
         if token.is_valid():
             data = {
                 'provider': 'SciPost',
                 'uid': str(token.user.id),
                 'info': {
                     'name': token.user.get_full_name(),
                     'email': token.user.email,
                     'nickname': token.user.get_username(),
                     'first_name': token.user.get_short_name(),
                     'last_name': token.user.last_name,
                 }
             }
             log.debug("Response for token %s:\n\t%s" % (token_value, data))
             return HttpResponse(content=json.dumps(data),
                                 status=200,
                                 content_type="application/json")
         else:
             log.debug("Token %s is invalid" % token_value)
             return HttpResponse(content=json.dumps(
                 {"error": "invalid_token"}),
                                 status=200,
                                 content_type="application/json")
Exemple #5
0
 def post(self, request, format=None):
     serializer = serializers.RefreshTokenSerializer(data=request.data)
     if serializer.is_valid():
         if hasattr(request.data, "_mutable"):
             request.data._mutable = True
         app = Application.objects.all()[0]
         request.data.update({
             "grant_type": "refresh_token",
             "client_id": app.client_id,
             "client_secret": app.client_secret
         })
         url, headers, body, status = self.create_token_response(request)
         if status == 200:
             access_token = json.loads(body).get("access_token")
             if access_token is not None:
                 token = get_access_token_model().objects.get(
                     token=access_token)
                 app_authorized.send(sender=self,
                                     request=request,
                                     token=token)
         response = HttpResponse(content=body, status=status)
         for k, v in headers.items():
             response[k] = v
         return Response(json.loads(body), status=200)
     return Response(serializer.errors, status=400)
Exemple #6
0
    def post(self, request, *args, **kwargs):
        url, headers, body, status = self.create_token_response(request)
        if status == 200:
            body = json.loads(body)
            access_token = body.get("access_token")
            if access_token is not None:
                token = get_access_token_model().objects.get(
                    token=access_token)
                app_authorized.send(sender=self, request=request, token=token)
                body = CustomResponse.build_response(True, body)
                body = json.dumps(body)
                response = HttpResponse(content=body, status=200)
                for k, v in headers.items():
                    response[k] = v
                return response
        else:
            body = json.loads(body)
            body['error'] = 'Username or Password is incorrect'
            body = CustomResponse.build_response(False, [body['error']])
            body = json.dumps(body)

            response = HttpResponse(content=body, status=422)
            for k, v in headers.items():
                response[k] = v
            return response
def access_token(application, scopes):
    AccessToken = get_access_token_model()
    return AccessToken.objects.create(scope=' '.join(scopes),
                                      expires=timezone.now() +
                                      timedelta(seconds=300),
                                      token='secret-access-token-key',
                                      application=application)
    def generate_ats_from_at(self, request, access_token):
        code = self.find_code(request)

        grant = PaipassGrant.objects.all().get(code=code)

        prev_at_scopes = self.get_prev_access_token_scopes(
            request.client, request.user)

        # reassign all previous scopes to the new token.
        for prev_at_scope in prev_at_scopes:
            try:
                tmp_access_token = prev_at_scope.access_token
            except get_access_token_model().DoesNotExist:
                tmp_access_token = None
            prev_at_scope.access_token = access_token
            prev_at_scope.status = ATS_StatusChoices.APPROVED
            prev_at_scope.save()
            if tmp_access_token is not None:
                tmp_access_token.delete()

        apprs = AttributeApproval.objects.all().filter(grant=grant)

        for appr in apprs:
            qs_ats = AccessTokenScopes.objects.all().filter(
                access_token=access_token, attribute=appr.attribute)
            if qs_ats.count() < 1:
                ats = AccessTokenScopes.objects.create(
                    access_token=access_token,
                    attribute=appr.attribute,
                    max_perms=appr.max_perms,
                    status=ATS_StatusChoices.APPROVED,
                    user=request.user)
                ats.save()
 def setUp(self):
     oauth2_settings._SCOPES = {"read": "ler", "write": "escrever"}
     oauth2_settings.SCOPES = {"read": "ler", "write": "escrever"}
     oauth2_settings._DEFAULT_SCOPES = ['read']
     self.dev_user = User.objects.create_user('dev_user', '*****@*****.**')
     self.test_user = User.objects.create_user('test_user', '*****@*****.**')
     self.app1 = Application.objects.create(
         name="meu app",
         description="minha descrição",
         user=self.dev_user,
         scope="read",
         redirect_uris="http://localhost.com http://test.com"
     )
     self.app2 = Application.objects.create(
         name="meu app 2",
         description="minha descrição",
         user=self.dev_user,
         scope="write"
     )
     self.tok1 = get_access_token_model().objects.create(
         user=self.test_user, token="1234567890",
         application=self.app2,
         expires=timezone.now() + datetime.timedelta(days=1),
         scope="read write"
     )
Exemple #10
0
    def setUp(self):
        self.userinfo = {
            'username': '******',
            'email': '*****@*****.**',
            'password': '******',
        }
        self.user = User.objects.create_user(*self.userinfo.values())
        self.profile = models.Profile.objects.create(user=self.user,
                                                     age=19,
                                                     gender='male')

        App, Token = get_application_model(), get_access_token_model()
        self.app = App.objects.create(
            client_type=App.CLIENT_PUBLIC,
            user=self.user,
            name="test_client_credentials_app",
            authorization_grant_type=App.GRANT_CLIENT_CREDENTIALS,
        )

        self.token = Token.objects.create(
            user=self.user,
            scope="read write",
            expires=timezone.now() + timedelta(seconds=300),
            token="secret-access-token-key",
            application=self.app,
        )

        self.client = Client()
Exemple #11
0
 def get_token_response(token_value=None):
     try:
         token = get_access_token_model().objects.get(token=token_value)
     except ObjectDoesNotExist:
         return HttpResponse(content=json.dumps({"active": False}),
                             status=401,
                             content_type="application/json")
     else:
         if token.is_valid():
             data = {
                 "active": True,
                 "scope": token.scope,
                 "exp": int(calendar.timegm(token.expires.timetuple())),
             }
             if token.application:
                 data["client_id"] = token.application.client_id
             if token.user:
                 data["user"] = UserSerializer(token.user).data
             return HttpResponse(content=json.dumps(data),
                                 status=200,
                                 content_type="application/json")
         else:
             return HttpResponse(
                 content=json.dumps({"active": False}),
                 status=200,
                 content_type="application/json",
             )
Exemple #12
0
    def setUp(self):
        # TODO: usar factories con los modelos de auth
        Application = get_application_model()
        UserModel = get_user_model()
        AccessToken = get_access_token_model()
        oauth2_settings._SCOPES = [
            "read", "write", "scope1", "scope2", "resource1"
        ]

        self.test_user = UserModel.objects.create_user("test_user",
                                                       "*****@*****.**",
                                                       "123456")
        self.dev_user = UserModel.objects.create_user("dev_user",
                                                      "*****@*****.**",
                                                      "123456")

        self.application = Application.objects.create(
            name="Test Application",
            redirect_uris="http://tests.com",
            user=self.dev_user,
            client_type=Application.CLIENT_CONFIDENTIAL,
            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
        )

        self.access_token = AccessToken.objects.create(
            user=self.test_user,
            scope="read write",
            expires=datetime.datetime.now() + datetime.timedelta(seconds=300),
            token="secret-access-token-key",
            application=self.application)
        self.auth = self._create_authorization_header(self.access_token.token)
def collection_access(user):
	Application = get_application_model()
	application = Application.objects.create(
		name="Collection Test Access",
		allowed_scopes="collection:write",
	)

	AccessToken = get_access_token_model()
	token = AccessToken.objects.create(
		user=user,
		scope="collection:write",
		expires=datetime.now() + timedelta(days=365),
		token=generate_token(),
		application=application,
	)
	access_token = token.token

	blizzard_account = BlizzardAccount.objects.create(
		account_lo=123456789,
		account_hi=144115198130930503,
		region=BnetRegion.REGION_EU,
		user=user
	)
	account_lo = blizzard_account.account_lo
	region = blizzard_account.region

	return account_lo, region, access_token
Exemple #14
0
    def test_get_queryset_should_return_an_access_token_queryset(
        self,
        validator,
    ):
        queryset = validator.get_queryset()

        assert isinstance(queryset, QuerySet)
        assert queryset.model == get_access_token_model()
    def test_get_queryset_should_return_an_access_token_queryset(
        self,
        validator,
    ):
        queryset = validator.get_queryset()

        assert isinstance(queryset, QuerySet)
        assert queryset.model == get_access_token_model()
Exemple #16
0
    def get_relevant_models(self, request, pk):
        ApplicationModel = get_application_model()
        app = ApplicationModel.objects.all().get(id=pk)

        AccessTokenModel = get_access_token_model()
        access_token_qs = AccessTokenModel.objects.all().filter(application=app,
                                                                user=request.user)
        return app, access_token_qs
Exemple #17
0
 def delete(self, request, *args, **kwargs):
     data = {}
     AccessToken = get_access_token_model()
     pk = kwargs['pk']
     app = get_application_model().objects.all().get(id=pk)
     at = AccessToken.objects.all().get(application=app,
                                        user=request.user)
     at.delete()
     return Response(data, status=status.HTTP_200_OK)
Exemple #18
0
 def revoke(self, request, pk=None):
     access_tokens = get_access_token_model().objects.filter(application=pk)
     refresh_tokens = get_refresh_token_model().objects.filter(
         application=pk)
     for access_token in access_tokens:
         access_token.revoke()
     for refresh_token in refresh_tokens:
         refresh_token.revoke()
     return Response(status=status.HTTP_204_NO_CONTENT)
Exemple #19
0
def access_token(test_user, application):
    AccessToken = get_access_token_model()
    token = AccessToken.objects.create(user=test_user,
                                       token="secret-access-token-key",
                                       expires=timezone.now() +
                                       timedelta(seconds=300),
                                       application=application)

    return token
Exemple #20
0
 def post(self, request):
     AccessToken = get_access_token_model()
     token = request.POST.get("token")
     if token:
         obj = get_object_or_404(AccessToken,
                                 token=token,
                                 user=self.request.user)
         obj.delete()
         messages.info(self.request, _("Access has been revoked."))
     return redirect(self.next)
Exemple #21
0
    def get_valid_apps(self, user):
        access_tokens = get_access_token_model().objects.filter(user=user)
        valid_access_tokens = [
            token for token in access_tokens
            if token.allow_scopes(self.permissions)
        ]

        return get_application_model().objects.exclude(
            webhook_url__isnull=True).exclude(webhook_url__exact='').filter(
                accesstoken__in=valid_access_tokens).distinct()
Exemple #22
0
def check_grants():
    AccessToken = get_access_token_model()
    token_count = AccessToken.objects.filter(
        expires__gt=timezone.now(), ).values('user',
                                             'application').distinct().count()
    grant_count = DataAccessGrant.objects.all().count()
    return {
        "unique_tokens": token_count,
        "grants": grant_count,
    }
Exemple #23
0
def update_grants(*args, **kwargs):
    AccessToken = get_access_token_model()
    # inefficient version
    tokens = AccessToken.objects.all()
    for token in tokens:
        if token.is_valid():
            DataAccessGrant.objects.get_or_create(
                beneficiary=token.user,
                application=token.application,
            )
Exemple #24
0
class DebugToken(generics.RetrieveAPIView):
    """Debug Token
    Returns useful info about the token
    """
    versioning_class = None
    authentication_classes = []
    permission_classes = [IsAdminUser]
    queryset = get_access_token_model().objects.all()
    lookup_field = 'token'
    lookup_url_kwarg = 'input_token'
    serializer_class = DebugTokenSerializer
Exemple #25
0
class SSOAccessViewSet(viewsets.ReadOnlyModelViewSet):
    """
    An `Access Token` is issued on successfull login and grants access to our API endpoints.
    """

    serializer_class = SSOAccessReadOwnSerializer
    queryset = get_access_token_model().objects.all()
    permission_classes = [TokenHasScopeOrSuperUser]

    @action(detail=False, methods=["GET"])
    def get_own(self, request):
        return get_access_token_model().objects.filter(user=request.user)
Exemple #26
0
 def approved_scopes(self, user):
     """
     Returns the set of approved scopes by the user
     Represents the set that contains all scopes ever approved by the user to this app
     """
     tokens = omodels.get_access_token_model().objects.filter(
         user=user, application=self)
     scopes = {}
     for token in tokens:
         for key, value in token.scopes.items():
             scopes[key] = value
     return scopes
Exemple #27
0
def get_user(request, *args, **kwargs):
    token_value = request.GET['access_token']
    token = get_access_token_model().objects.get(token=token_value)
    user = token.user
    return HttpResponse(json.dumps({
        'id': user.id,
        'username': user.username,
        'first_name': user.first_name,
        'last_name': user.last_name,
        'email': user.email
    }),
                        content_type='application/json')
Exemple #28
0
def revoke_tokens(app_id, user_id):
    app = get_application_model().objects.filter(id=app_id)
    user = User.objects.get(pk=user_id)
    if app.exists():
        app = app.first()
        refresh_tokens = get_refresh_token_model().objects.filter(
            user=user, application=app)
        for token in refresh_tokens:
            token.revoke()
        access_tokens = get_access_token_model().objects.filter(
            user=user, application=app)
        for token in access_tokens:
            token.revoke()
Exemple #29
0
 def get(self, request):
     import json
     token_value = request.headers['Authorization'][7:]  # Bearer ****
     # token_value = request.META.get("HTTP_AUTHORIZATION")[7:]  # tong shang
     from oauth2_provider.models import get_access_token_model
     token = (get_access_token_model().objects.select_related(
         "user", "application").get(token=token_value))
     return HttpResponse(
         json.dumps({
             "name": token.user.username,
             "username": token.user.username,
             "email": token.user.email
         }))
Exemple #30
0
def create_access_token(user):
    token_expiration_time = timezone.now() + timedelta(minutes=60)
    token = get_access_token_model().objects.create(
        user=user,
        scope='read write packages',
        token='test{}{}'.format(
            user.id,
            int(token_expiration_time.timestamp()),
        ),
        application=get_application_model().objects.first(),
        expires=token_expiration_time,
    )
    return token
Exemple #31
0
    def form_valid(self, form):
        user = self.request.user
        app_id = form.cleaned_data['app_id']
        self.log.info('Revoking all oauth tokens for user %s, application %d',
                      user, app_id)

        rt_model = oauth2_models.get_refresh_token_model()
        at_model = oauth2_models.get_access_token_model()
        gr_model = oauth2_models.get_grant_model()

        rt_model.objects.filter(user=user, application=app_id).delete()
        at_model.objects.filter(user=user, application=app_id).delete()
        gr_model.objects.filter(user=user, application=app_id).delete()

        return super().form_valid(form)
import datetime
from urllib.parse import urlencode

from django.contrib.auth import get_user_model
from django.test import RequestFactory, TestCase
from django.urls import reverse
from django.utils import timezone

from oauth2_provider.models import (
    get_access_token_model, get_application_model, get_refresh_token_model
)
from oauth2_provider.settings import oauth2_settings


Application = get_application_model()
AccessToken = get_access_token_model()
RefreshToken = get_refresh_token_model()
UserModel = get_user_model()


class BaseTest(TestCase):
    def setUp(self):
        self.factory = RequestFactory()
        self.test_user = UserModel.objects.create_user("test_user", "*****@*****.**", "123456")
        self.dev_user = UserModel.objects.create_user("dev_user", "*****@*****.**", "123456")

        self.application = Application(
            name="Test Application",
            redirect_uris="http://localhost http://example.com http://example.org",
            user=self.dev_user,
            client_type=Application.CLIENT_CONFIDENTIAL,
Exemple #33
0
    def get(self, request, *args, **kwargs):
        # Note: This code is copied from https://github.com/evonove/django-oauth-toolkit/blob/34f3b7b3511c15686039079026165feaadb1b87d/oauth2_provider/views/base.py#L111
        # Places that we have changed are noted with ***.
        application = None
        try:
            # *** Moved code to get the require_approval value earlier on so we can
            # circumvent our custom code in the case when auto_even_if_expired
            # isn't required.
            require_approval = request.GET.get(
                "approval_prompt",
                oauth2_settings.REQUEST_APPROVAL_PROMPT,
            )
            if require_approval != 'auto_even_if_expired':
                return super(EdxOAuth2AuthorizationView, self).get(request, *args, **kwargs)

            scopes, credentials = self.validate_authorization_request(request)
            all_scopes = get_scopes_backend().get_all_scopes()
            kwargs["scopes_descriptions"] = [all_scopes[scope] for scope in scopes]
            kwargs['scopes'] = scopes

            # at this point we know an Application instance with such client_id exists in the database
            application = get_application_model().objects.get(client_id=credentials['client_id'])
            content_orgs = ApplicationOrganization.get_related_org_names(
                application,
                relation_type=ApplicationOrganization.RELATION_TYPE_CONTENT_ORG
            )
            kwargs['application'] = application
            kwargs['content_orgs'] = content_orgs
            kwargs['client_id'] = credentials['client_id']
            kwargs['redirect_uri'] = credentials['redirect_uri']
            kwargs['response_type'] = credentials['response_type']
            kwargs['state'] = credentials['state']

            self.oauth2_data = kwargs
            # following two loc are here only because of https://code.djangoproject.com/ticket/17795
            form = self.get_form(self.get_form_class())
            kwargs['form'] = form

            # If skip_authorization field is True, skip the authorization screen even
            # if this is the first use of the application and there was no previous authorization.
            # This is useful for in-house applications-> assume an in-house applications
            # are already approved.
            if application.skip_authorization:
                uri, headers, body, status = self.create_authorization_response(
                    request=self.request, scopes=" ".join(scopes),
                    credentials=credentials, allow=True)
                return HttpResponseUriRedirect(uri, application.get_allowed_schemes())

            # *** Changed the if statement that checked for require_approval to an assert.
            assert require_approval == 'auto_even_if_expired'
            tokens = get_access_token_model().objects.filter(
                user=request.user,
                application=kwargs['application'],
                # *** Purposefully keeping this commented out code to highlight that
                # our version of the implementation does NOT filter by expiration date.
                # expires__gt=timezone.now(),
            ).all()

            # check past authorizations regarded the same scopes as the current one
            for token in tokens:
                if token.allow_scopes(scopes):
                    uri, headers, body, status = self.create_authorization_response(
                        request=self.request, scopes=" ".join(scopes),
                        credentials=credentials, allow=True)
                    return HttpResponseUriRedirect(uri, application.get_allowed_schemes())

            # render an authorization prompt so the user can approve
            # the application's requested scopes
            return self.render_to_response(self.get_context_data(**kwargs))

        except OAuthToolkitError as error:
            return self.error_response(error, application)
from django.contrib.auth import get_user_model
from django.contrib.auth.models import AnonymousUser
from django.http import HttpResponse
from django.test import RequestFactory, TestCase
from django.test.utils import modify_settings, override_settings
from django.utils.timezone import now, timedelta

from oauth2_provider.backends import OAuth2Backend
from oauth2_provider.middleware import OAuth2TokenMiddleware
from oauth2_provider.models import get_access_token_model, get_application_model


UserModel = get_user_model()
ApplicationModel = get_application_model()
AccessTokenModel = get_access_token_model()


class BaseTest(TestCase):
    """
    Base class for cases in this module
    """
    def setUp(self):
        self.user = UserModel.objects.create_user("user", "*****@*****.**", "123456")
        self.app = ApplicationModel.objects.create(
            name="app",
            client_type=ApplicationModel.CLIENT_CONFIDENTIAL,
            authorization_grant_type=ApplicationModel.GRANT_CLIENT_CREDENTIALS,
            user=self.user
        )
        self.token = AccessTokenModel.objects.create(
            user=self.user, token="tokstr", application=self.app,
    def get(self, request, *args, **kwargs):
        # Copy/Pasta'd from oauth2_provider.views.BaseAuthorizationView.get
        try:
            scopes, credentials = self.validate_authorization_request(request)
            # all_scopes = get_scopes_backend().get_all_scopes()
            # kwargs["scopes"] = scopes
            # kwargs["scopes_descriptions"] = [all_scopes[scope] for scope in scopes]
            # at this point we know an Application instance with such client_id exists in the database

            # TODO: Cache this!
            application = get_application_model().objects.get(client_id=credentials["client_id"])

            kwargs["client_id"] = credentials["client_id"]
            kwargs["redirect_uri"] = credentials["redirect_uri"]
            kwargs["response_type"] = credentials["response_type"]
            kwargs["state"] = credentials["state"]
            try:
                kwargs["application"] = {
                    "name": application.applicationinfo.get_visible_name(),
                }
                if application.applicationinfo.icon:
                    kwargs["application"]['image'] = application.applicationinfo.icon.url
                if application.applicationinfo.website_url:
                    kwargs["application"]["url"] = application.applicationinfo.website_url
                app_scopes = [s for s in re.split(r'[\s\n]+', application.applicationinfo.allowed_scopes) if s]
            except ApplicationInfo.DoesNotExist:
                app_scopes = ["r:profile"]
                kwargs["application"] = dict(
                    name=application.name,
                    scopes=app_scopes
                )

            filtered_scopes = set(app_scopes) & set(scopes)
            kwargs['scopes'] = list(filtered_scopes)
            all_scopes = get_scopes_backend().get_all_scopes()
            kwargs['scopes_descriptions'] = {scope: all_scopes[scope] for scope in scopes}

            self.oauth2_data = kwargs

            # Check to see if the user has already granted access and return
            # a successful response depending on "approval_prompt" url parameter
            require_approval = request.GET.get("approval_prompt", oauth2_settings.REQUEST_APPROVAL_PROMPT)

            # If skip_authorization field is True, skip the authorization screen even
            # if this is the first use of the application and there was no previous authorization.
            # This is useful for in-house applications-> assume an in-house applications
            # are already approved.
            if application.skip_authorization:
                success_url = self.get_authorization_redirect_url(" ".join(kwargs['scopes']), credentials)
                return Response({ 'success_url': success_url })

            elif require_approval == "auto" and not request.user.is_anonymous:
                tokens = get_access_token_model().objects.filter(
                    user=request.user,
                    application=application,
                    expires__gt=timezone.now()
                ).all()

                # check past authorizations regarded the same scopes as the current one
                for token in tokens:
                    if token.allow_scopes(scopes):
                        success_url = self.get_authorization_redirect_url(" ".join(kwargs['scopes']), credentials)
                        return Response({ 'success_url': success_url })

            return Response(kwargs)

        except OAuthToolkitError as error:
            return Response({
                'error': error.oauthlib_error.description
            }, status=HTTP_400_BAD_REQUEST)