def wrap_action(self, action_, *args, **kwargs):
"""
Wrap the controller action ``action_``.
:param action_: The controller action to be wrapped.
``args`` and ``kwargs`` are the positional and named arguments which
will be passed to ``action_`` when called.
"""
try:
# get token
# from header information
request = RequestOAuth(args[0].R)
with ResponseHTTP(response=request.response) as t:
_in = u'Failed'
# handle token
token = request.access_token
if token:
oauth_context = TokenManager.get_token_context(token.get('token'))
if oauth_context.valid:
args[0].__dict__.update(R=request)
kwargs.update(dict(oauth_context=oauth_context))
# not mandatory use of oauth, but valid token
if self.anon:
LOG.debug(oauth_context.valid)
return action_(*args, **kwargs)
# validate scope
elif TokenManager.has_valid_scope(oauth_context.scopes, self.allowed_scopes):
LOG.debug(oauth_context.scopes)
# kwargs.update(dict(oauth_context=oauth_context))
return action_(*args, **kwargs)
else:
if self.anon:
return action_(*args, **kwargs)
# api_key = request.matchdict.get(self.api_field, None)
# otherwise, we're done, you're not allowed
message = 'Not authorized for request.'
code, status = ResponseHTTP.FORBIDDEN
return t.to_json(_in,
message=message,
code=code, status=status)
except ValueError as e:
LOG.debug(e.message)
def client_credentials_authorization(auth_credentials, scopes=[]):
"""
The client can request an access token using only its client
credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its
control, or those of another resource owner which has been previously
arranged with the authorization server (the method of which is beyond
the scope of this specification).
The client credentials grant type MUST only be used by private
clients.
+---------+ +---------------+
| | | |
| |>--(A)- Client Authentication --->| Authorization |
| Client | | Server |
| |<--(B)---- Access Token ---------<| |
| | | |
+---------+ +---------------+
Figure 6: Client Credentials Flow
The flow illustrated in Figure 6 includes the following steps:
(A) The client authenticates with the authorization server and
requests an access token from the token endpoint.
(B) The authorization server authenticates the client, and if valid
issues an access token.
Authorization Request and Response
----------------------------------
Since the client authentication is used as the authorization grant,
no additional authorization request is needed.
"""
# Authentication
LOG.debug("Starting client_credentials workflow")
LOG.debug("Requested scopes: %s" % scopes)
if auth_credentials is None:
return AuthErrorHandling.error_unauthorized_client()
authenticated, client_id = TokenManager.authenticate(auth_credentials.get('client_key'),
auth_credentials.get('client_secret'))
if authenticated:
# Validate allowed
allowed = TokenManager.can_request_scope(client_id, scopes)
LOG.debug(allowed)
if allowed:
LOG.debug("Authentication allowed, issueing token.")
access_token = TokenManager.issue_access_token(client_id=client_id,
allowed_scopes=scopes,
refreshable=False)
response = dict(access_token=access_token.token,
token_type="bearer",
expires_in=access_token.expires_at.isoformat())
transaction.commit()
return response
else:
LOG.debug("One or more scopes were not allowed: %s" % scopes)
# Scope was not allowed
return AuthErrorHandling.error_invalid_scope()
else:
LOG.debug("Client is not authorized to ask tokens.")
# Client not authorized
return AuthErrorHandling.error_unauthorized_client()
def get_token_context(token):
return TokenManager.get_token_context(token)
def validate_access_token(access_token, allowed_scopes):
return TokenManager.is_valid_access_token(access_token, allowed_scopes)