def check_token_endpoint(request): """ This endpoint is out of the oAuth 2.0 specification, however it's needed in order to support total desacoplation of the oAuth server and the resource servers. When an application (a.k.a. client) impersons the user in order to access to the user's resources, the resource server needs to check if the token provided is valid and check if it was issued to the user. """ access_token = request.params.get("access_token") username = request.params.get("username") scope = request.params.get("scope", None) if username is None: return OAuth2ErrorHandler.error_invalid_request("Required parameter username not found in the request") elif access_token is None: return OAuth2ErrorHandler.error_invalid_request("Required parameter access_token not found in the request") elif len(access_token) != ACCESS_TOKEN_LENGTH: return OAuth2ErrorHandler.error_invalid_request("Required parameter not valid found in the request") storage = request.registry.osiris_store token_info = storage.retrieve(token=access_token) if token_info: if token_info.get("scope") == scope and token_info.get("username") == username: return HTTPOk() else: return HTTPUnauthorized() return HTTPUnauthorized()
def check_token_endpoint(request): """ This endpoint is out of the oAuth 2.0 specification, however it's needed in order to support total desacoplation of the oAuth server and the resource servers. When an application (a.k.a. client) impersons the user in order to access to the user's resources, the resource server needs to check if the token provided is valid and check if it was issued to the user. """ access_token = request.params.get('access_token') username = urllib.unquote(request.params.get('username')) scope = request.params.get('scope', None) if scope is not None: scope = urllib.unquote_plus(scope) if username is None: return OAuth2ErrorHandler.error_invalid_request( 'Required parameter username not found in the request') elif access_token is None: return OAuth2ErrorHandler.error_invalid_request( 'Required parameter access_token not found in the request') elif len(access_token) != ACCESS_TOKEN_LENGTH: return OAuth2ErrorHandler.error_invalid_request( 'Required parameter not valid found in the request') storage = request.registry.osiris_store token_info = storage.retrieve(token=access_token) if token_info: if token_info.get('scope') == scope and token_info.get( 'username') == username: return HTTPOk() else: return HTTPUnauthorized() return HTTPUnauthorized()
def check_token_endpoint(request): """ This endpoint is out of the oAuth 2.0 specification, however it's needed in order to support total desacoplation of the oAuth server and the resource servers. When an application (a.k.a. client) impersons the user in order to access to the user's resources, the resource server needs to check if the token provided is valid and check if it was issued to the user. """ access_token = request.params.get('access_token') username = request.params.get('username') if username is None: return OAuth2ErrorHandler.error_invalid_request( 'Required paramer "username" not found in the request') elif access_token is None: return OAuth2ErrorHandler.error_invalid_request( 'Required paramer "access_token" not found in the request') storage = request.registry.osiris_store token_info = storage.retrieve(access_token) if token_info: if token_info.get('username') == username: return HTTPOk() return HTTPUnauthorized()
def password_authorization(request, username, password, scope, expires_in): ldap_enabled = asbool(request.registry.settings.get('osiris.ldap_enabled')) ldap_scope_as_group = asbool( request.registry.settings.get('osiris.ldap_scope_as_group')) if ldap_enabled: from osiris import get_ldap_connector connector = get_ldap_connector(request) identity = connector.authenticate(username, password) scopes = scope.split(' ') if ldap_scope_as_group and scope: user_groups = connector.user_groups(username) user_groups = [group[0] for group in user_groups] user_groups = [ group.split(",")[0].split("=")[1] for group in user_groups ] for req_scope in scopes: if req_scope not in user_groups: return OAuth2ErrorHandler.error_invalid_scope(req_scope) else: policy = request.registry.queryUtility(IAuthenticationPolicy) authapi = policy._getAPI(request) credentials = {'login': username, 'password': password} identity, headers = authapi.login(credentials) user_groups = [] if not identity: return OAuth2ErrorHandler.error_invalid_grant() else: storage = request.registry.osiris_store # Check if an existing token for the username and scope is already issued issued = storage.retrieve(username=username, scope=scope) if issued: # Return the already issued one return dict( access_token=issued.get('token'), token_type='bearer', scope=issued.get('scope'), expires_in=issued.get('expire_time'), ) else: # Create and store token token = generate_token() stored = storage.store(token, username, scope, expires_in) # Issue token if stored: return dict(access_token=token, token_type='bearer', scope=scope, expires_in=int(expires_in)) else: # If operation error, return a generic server error return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in): ldap_enabled = asbool(request.registry.settings.get('osiris.ldap_enabled')) ldap_scope_as_group = asbool( request.registry.settings.get('osiris.ldap_scope_as_group')) if ldap_enabled: from osiris import get_ldap_connector connector = get_ldap_connector(request) identity = connector.authenticate(username, password) scopes = scope.split(' ') if ldap_scope_as_group and scope: user_groups = connector.user_groups(username) user_groups = [group[0] for group in user_groups] user_groups = [group.split(",")[0].split("=")[1] for group in user_groups] for req_scope in scopes: if req_scope not in user_groups: return OAuth2ErrorHandler.error_invalid_scope(req_scope) else: policy = request.registry.queryUtility(IAuthenticationPolicy) authapi = policy._getAPI(request) credentials = {'login': username, 'password': password} identity, headers = authapi.login(credentials) user_groups = [] if not identity: return OAuth2ErrorHandler.error_invalid_grant() else: storage = request.registry.osiris_store # Check if an existing token for the username and scope is already issued issued = storage.retrieve(username=username, scope=scope) if issued: # Return the already issued one return dict(access_token=issued.get('token'), token_type='bearer', scope=issued.get('scope'), expires_in=issued.get('expire_time'), ) else: # Create and store token token = generate_token() stored = storage.store(token, username, scope, expires_in) # Issue token if stored: return dict(access_token=token, token_type='bearer', scope=scope, expires_in=int(expires_in) ) else: # If operation error, return a generic server error return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in): policy = request.registry.queryUtility(IAuthenticationPolicy) authapi = policy._getAPI(request) credentials = {'login': username, 'password': password} identity, headers = authapi.login(credentials) if not identity: return OAuth2ErrorHandler.error_unauthorized_client() else: # Create and store token storage = request.registry.osiris_store token = generate_token() stored = storage.store(token, username, scope, expires_in) # Issue token if stored: return dict(access_token=token, token_type='bearer', scope=scope, expires_in=expires_in) else: # If operation error, return a generic server error return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in): policy = request.registry.queryUtility(IAuthenticationPolicy) authapi = policy._getAPI(request) credentials = {'login': username, 'password': password} identity, headers = authapi.login(credentials) if not identity: return OAuth2ErrorHandler.error_unauthorized_client() else: # Create and store token storage = request.registry.osiris_store token = generate_token() stored = storage.store(token, username, scope, expires_in) # Issue token if stored: return dict( access_token=token, token_type='bearer', scope=scope, expires_in=expires_in ) else: # If operation error, return a generic server error return HTTPInternalServerError()
def token_endpoint(request): """ The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). """ expires_in = request.registry.settings.get("osiris.tokenexpiry", 0) grant_type = request.params.get("grant_type") # Authorization Code Grant if grant_type == "authorization_code": return OAuth2ErrorHandler.error_unsupported_grant_type() # Implicit Grant elif grant_type == "implicit": return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials elif grant_type == "client_credentials": return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials Grant elif grant_type == "password": scope = request.params.get("scope", None) # Optional username = request.params.get("username", None) password = request.params.get("password", None) if username is None: return OAuth2ErrorHandler.error_invalid_request("Required parameter username not found in the request") elif password is None: return OAuth2ErrorHandler.error_invalid_request("Required parameter password not found in the request") else: return password_authorization(request, username, password, scope, expires_in) else: return OAuth2ErrorHandler.error_unsupported_grant_type()
def token_endpoint(request): """ The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). """ expires_in = request.registry.settings.get('osiris.tokenexpiry', 0) grant_type = request.params.get('grant_type') # Authorization Code Grant if grant_type == 'authorization_code': return OAuth2ErrorHandler.error_unsupported_grant_type() # Implicit Grant elif grant_type == 'implicit': return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials elif grant_type == 'client_credentials': return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials Grant elif grant_type == 'password': scope = request.params.get('scope', '') # Optional username = request.params.get('username', None) password = request.params.get('password', None) if username is None: return OAuth2ErrorHandler.error_invalid_request('Required paramer "username" not found in the request') elif password is None: return OAuth2ErrorHandler.error_invalid_request('Required paramer "password" not found in the request') else: return password_authorization(request, username, password, scope, expires_in) else: return OAuth2ErrorHandler.error_unsupported_grant_type()
def check_token_endpoint(request): """ This endpoint is out of the oAuth 2.0 specification, however it's needed in order to support total desacoplation of the oAuth server and the resource servers. When an application (a.k.a. client) impersons the user in order to access to the user's resources, the resource server needs to check if the token provided is valid and check if it was issued to the user. """ access_token = request.params.get('access_token') username = request.params.get('username') if username is None: return OAuth2ErrorHandler.error_invalid_request('Required paramer "username" not found in the request') elif access_token is None: return OAuth2ErrorHandler.error_invalid_request('Required paramer "access_token" not found in the request') storage = request.registry.osiris_store token_info = storage.retrieve(access_token) if token_info: if token_info.get('username') == username: return HTTPOk() return HTTPUnauthorized()
def token_endpoint(request): """ The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). """ expires_in = request.registry.settings.get('osiris.tokenexpiry', 0) grant_type = request.params.get('grant_type') # Authorization Code Grant if grant_type == 'authorization_code': return OAuth2ErrorHandler.error_unsupported_grant_type() # Implicit Grant elif grant_type == 'implicit': return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials elif grant_type == 'client_credentials': return OAuth2ErrorHandler.error_unsupported_grant_type() # Client Credentials Grant elif grant_type == 'password': scope = request.params.get('scope', None) # Optional username = urllib.unquote(request.params.get('username', None)) password = urllib.unquote(request.params.get('password', None)) if username is None: return OAuth2ErrorHandler.error_invalid_request( 'Required parameter username not found in the request') elif password is None: return OAuth2ErrorHandler.error_invalid_request( 'Required parameter password not found in the request') else: return password_authorization(request, username, password, scope, expires_in) else: return OAuth2ErrorHandler.error_unsupported_grant_type()