def config_oauth(app):
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all openid grants
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=True),
])
#authorization.register_grant(ImplicitGrant)
#authorization.register_grant(OpenIDImplicitGrant)
#authorization.register_grant(HybridGrant)
#authorization.register_grant(grants.ClientCredentialsGrant)
#authorization.register_grant(RefreshTokenGrant)
#authorization.register_grant(PasswordGrant)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
# support revocation
revocation_cls = create_revocation_endpoint(db.session, OAuth2Token)
authorization.register_endpoint(revocation_cls)
def create_authorization_server(app, lazy=False):
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
if lazy:
server = AuthorizationServer()
server.init_app(app, query_client, save_token)
else:
server = AuthorizationServer(app, query_client, save_token)
@app.route('/oauth/authorize', methods=['GET', 'POST'])
def authorize():
if request.method == 'GET':
user_id = request.args.get('user_id')
if user_id:
end_user = User.query.get(int(user_id))
else:
end_user = None
try:
grant = server.get_consent_grant(end_user=end_user)
return grant.prompt or 'ok'
except OAuth2Error as error:
return url_encode(error.get_body())
user_id = request.form.get('user_id')
if user_id:
grant_user = User.query.get(int(user_id))
else:
grant_user = None
return server.create_authorization_response(grant_user=grant_user)
@app.route('/oauth/token', methods=['GET', 'POST'])
def issue_token():
return server.create_token_response()
return server
def init_app(app, db):
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
server.init_app(app, query_client=query_client, save_token=save_token)
import logging
import sys
log = logging.getLogger('authlib')
log.addHandler(logging.StreamHandler(sys.stdout))
log.setLevel(logging.DEBUG)
# Register grants
server.register_grant(grants.ImplicitGrant)
server.register_grant(PasswordGrant)
server.register_grant(AuthorizationCodeGrant)
def config_oauth(app):
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all openid grants
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=True),
])
authorization.register_grant(ImplicitGrant)
authorization.register_grant(HybridGrant)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
def __init__(self, app=None):
super().__init__(app,
query_client=create_query_client_func(db.session, Client),
save_token=create_save_token_func(db.session, Token))
# register it to grant endpoint
self.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=True),
CodeChallenge(required=True)
])
# register it to grant endpoint
self.register_grant(grants.ImplicitGrant)
# register it to grant endpoint
self.register_grant(PasswordGrant)
# register it to grant endpoint
self.register_grant(ClientCredentialsGrant)
# register it to grant endpoint
self.register_grant(RefreshTokenGrant)
def config_oauth(app):
'''Setup the application configuration'''
query_client = create_query_client_func(db, OAuth2Client)
save_token = create_save_token_func(db, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=True),
])
authorization.register_grant(RefreshTokenGrant)
authorization.register_endpoint(IntrospectionEndpoint)
revocation_cls = create_revocation_endpoint(db, OAuth2Token)
authorization.register_endpoint(revocation_cls)
bearer_cls = create_bearer_token_validator(db, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
def config_oauth(app):
require_oauth = ResourceProtector()
authorization = AuthorizationServer()
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all openid grants
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=True, **app.config['OAUTH_JWT_CONFIG']),
])
authorization.register_grant(HybridGrant)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
register_as_extension(app, 'authorization', authorization)
register_as_extension(app, 'require_oauth', require_oauth)
def config_oauth(app):
"""
configure all grants we have (namely open id and oauth2) in authlib
"""
query_client = create_query_client_func(database.session, OAuth2Client)
save_token = create_save_token_func(database.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all openid grants
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(),
])
authorization.register_grant(ImplicitGrant)
authorization.register_grant(HybridGrant)
# protect resource
bearer_cls = create_bearer_token_validator(database.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
def config_oauth(app):
"""Initialize authorization server, and register suportted authorization grant types
For more information, please refer to https://docs.authlib.org/en/latest/flask/2/authorization-server.html#server
"""
query_client = create_query_client_func(auth_db.session, OAuth2Client)
save_token = save_token = create_save_token_func(auth_db.session,
OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# Register Authorization code grant types
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(require_nonce=False),
])
# protect resource
bearer_cls = create_bearer_token_validator(auth_db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
current_app.logger.debug("refresh token grant")
token = OAuth2Token.query.filter_by(refresh_token=refresh_token).first()
if token and not token.revoked and not token.is_refresh_token_expired():
return token
def authenticate_user(self, credential):
current_app.logger.debug("auth user grant user")
return User.query.get(credential.user_id)
class ClientCredentialsGrant(grants.ClientCredentialsGrant):
TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"]
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization = AuthorizationServer(query_client=query_client, save_token=save_token)
require_oauth = ResourceProtector()
def config_oauth(app):
print(" * OAuth init")
authorization.init_app(app)
# support all grants
authorization.register_grant(grants.ImplicitGrant)
authorization.register_grant(ClientCredentialsGrant)
authorization.register_grant(AuthorizationCodeGrant)
authorization.register_grant(PasswordGrant)
authorization.register_grant(RefreshTokenGrant)
from auth import AuthorizationCodeGrant, OpenIDCode
app = Flask(__name__)
# Load configuration--default, then custom. Path to latter set in Dockerfile.
app.config.from_object('default_settings')
app.config.from_envvar('PATH_TO_APP_CONFIG')
# Configure app to work with SQLAlchemy
db.init_app(app)
# Create tables.
# SQLAlchemy object not bound to app, so pass in app as arg.
# Alternatively could push an app context.
db.create_all(app=app)
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
server = AuthorizationServer(app,
query_client=query_client,
save_token=save_token)
# register AuthorizationCodeGrant to grant endpoint
server.register_grant(AuthorizationCodeGrant,
[OpenIDCode(require_nonce=False)])
def get_or_create_shib_user():
if request.remote_user:
user = User.query.filter(
User.shib_id == request.remote_user).one_or_none()
def create_authorization_server(app):
query_client = create_query_client_func(db, Client)
save_token = create_save_token_func(db, Token)
server = AuthorizationServer()
server.init_app(app, query_client, save_token)
@app.get("/oauth/authorize")
def authorize_get(request: Request):
user_id = request.query_params.get("user_id")
request.body = {}
if user_id:
end_user = db.query(User).filter(User.id == int(user_id)).first()
else:
end_user = None
try:
grant = server.validate_consent_request(request=request,
end_user=end_user)
return grant.prompt or "ok"
except OAuth2Error as error:
return url_encode(error.get_body())
@app.post("/oauth/authorize")
def authorize_post(
request: Request,
response_type: str = Form(None),
client_id: str = Form(None),
state: str = Form(None),
scope: str = Form(None),
nonce: str = Form(None),
redirect_uri: str = Form(None),
response_mode: str = Form(None),
user_id: str = Form(None),
):
if not user_id:
user_id = request.query_params.get("user_id")
request.body = {"user_id": user_id}
if response_type:
request.body.update({"response_type": response_type})
if client_id:
request.body.update({"client_id": client_id})
if state:
request.body.update({"state": state})
if nonce:
request.body.update({"nonce": nonce})
if scope:
request.body.update({"scope": scope})
if redirect_uri:
request.body.update({"redirect_uri": redirect_uri})
if response_mode:
request.body.update({"response_mode": response_mode})
if user_id:
grant_user = db.query(User).filter(User.id == int(user_id)).first()
else:
grant_user = None
return server.create_authorization_response(request=request,
grant_user=grant_user)
@app.api_route("/oauth/token", methods=["GET", "POST"])
def issue_token(
request: Request,
grant_type: str = Form(None),
scope: str = Form(None),
code: str = Form(None),
refresh_token: str = Form(None),
code_verifier: str = Form(None),
client_id: str = Form(None),
client_secret: str = Form(None),
device_code: str = Form(None),
client_assertion_type: str = Form(None),
client_assertion: str = Form(None),
assertion: str = Form(None),
username: str = Form(None),
password: str = Form(None),
redirect_uri: str = Form(None),
):
request.body = {
"grant_type": grant_type,
"scope": scope,
}
if not grant_type:
grant_type = request.query_params.get("grant_type")
request.body.update({"grant_type": grant_type})
if grant_type == "authorization_code":
request.body.update({"code": code})
elif grant_type == "refresh_token":
request.body.update({"refresh_token": refresh_token})
if code_verifier:
request.body.update({"code_verifier": code_verifier})
if client_id:
request.body.update({"client_id": client_id})
if client_secret:
request.body.update({"client_secret": client_secret})
if device_code:
request.body.update({"device_code": device_code})
if client_assertion_type:
request.body.update(
{"client_assertion_type": client_assertion_type})
if client_assertion:
request.body.update({"client_assertion": client_assertion})
if assertion:
request.body.update({"assertion": assertion})
if redirect_uri:
request.body.update({"redirect_uri": redirect_uri})
if username:
request.body.update({"username": username})
if password:
request.body.update({"password": password})
return server.create_token_response(request=request)
return server
