def server(self):
"""All in one endpoints."""
app = self.get_app()
expires_in = app.config.get('OAUTH_PROVIDER_TOKEN_EXPIRES_IN')
if hasattr(self, '_validator'):
return Server(self._validator, token_expires_in=expires_in)
if hasattr(self, '_clientgetter') and \
hasattr(self, '_tokengetter') and \
hasattr(self, '_tokensetter') and \
hasattr(self, '_grantgetter') and \
hasattr(self, '_grantsetter'):
usergetter = None
if hasattr(self, '_usergetter'):
usergetter = self._usergetter
validator = OAuth2RequestValidator(
clientgetter=self._clientgetter,
tokengetter=self._tokengetter,
grantgetter=self._grantgetter,
usergetter=usergetter,
tokensetter=self._tokensetter,
grantsetter=self._grantsetter,
)
return Server(validator, token_expires_in=expires_in)
raise RuntimeError('application not bound to required getters')
def server(self):
"""
All in one endpoints. This property is created automaticly
if you have implemented all the getters and setters.
However, if you are not satisfied with the getter and setter,
you can create a validator with :class:`OAuth2RequestValidator`::
class MyValidator(OAuth2RequestValidator):
def validate_client_id(self, client_id):
# do something
return True
And assign the validator for the provider::
oauth._validator = MyValidator()
"""
expires_in = self.app.config.get('OAUTH2_PROVIDER_TOKEN_EXPIRES_IN')
token_generator = self.app.config.get(
'OAUTH2_PROVIDER_TOKEN_GENERATOR', None)
if token_generator and not callable(token_generator):
token_generator = import_string(token_generator)
refresh_token_generator = self.app.config.get(
'OAUTH2_PROVIDER_REFRESH_TOKEN_GENERATOR', None)
if refresh_token_generator and not callable(refresh_token_generator):
refresh_token_generator = import_string(refresh_token_generator)
if hasattr(self, '_validator'):
return Server(
self._validator,
token_expires_in=expires_in,
token_generator=token_generator,
refresh_token_generator=refresh_token_generator,
)
if hasattr(self, '_clientgetter') and \
hasattr(self, '_tokengetter') and \
hasattr(self, '_tokensetter') and \
hasattr(self, '_grantgetter') and \
hasattr(self, '_grantsetter'):
usergetter = None
if hasattr(self, '_usergetter'):
usergetter = self._usergetter
validator = OAuth2RequestValidator(
clientgetter=self._clientgetter,
tokengetter=self._tokengetter,
grantgetter=self._grantgetter,
usergetter=usergetter,
tokensetter=self._tokensetter,
grantsetter=self._grantsetter,
)
self._validator = validator
return Server(
validator,
token_expires_in=expires_in,
token_generator=token_generator,
refresh_token_generator=refresh_token_generator,
)
raise RuntimeError('application not bound to required getters')
def test_unavailability(self):
validator = RequestValidator()
server = Server(validator)
server.available = False
h, b, s = server.create_authorization_response('https://example.com')
self.assertIn("temporarily_unavailable", b)
self.assertEqual(s, 503)
def post(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
oauth2 = JSONOAuthLibCore(Server(OAuth2V1Validator()))
uri, headers, body, status = oauth2.create_token_response(request)
return Response(json.loads(body), status=status)
def test_error_catching(self):
validator = RequestValidator()
server = Server(validator)
server.catch_errors = True
h, b, s = server.create_authorization_response('https://example.com')
self.assertIn("server_error", b)
self.assertEqual(s, 500)
def setUp(self):
super().setUp()
self.oauth = BottleOAuth2(self.app)
self.validator = mock.MagicMock()
self.server = Server(self.validator)
self.oauth.initialize(self.server)
self.fake_response = ({}, "", "200 fooOK")
def get_oauthlib_core():
"""
Utility function that take a request and returns an instance of
`oauth2_provider.backends.OAuthLibCore`
"""
from oauthlib.oauth2 import Server
server = Server(oauth2_settings.OAUTH2_VALIDATOR_CLASS())
return OAuthLibCore(server)
def get_oauthlib_core():
"""
Utility function that take a request and returns an instance of `oauth2_provider.backends.OAuthLibCore`
"""
from oauth2_provider.oauth2_validators import OAuth2Validator
from oauthlib.oauth2 import Server
server = Server(OAuth2Validator())
return OAuthLibCore(server)
def _validate(request, *args, **kwargs):
validator = OAuth2Validator()
core = OAuthLibCore(Server(validator))
valid, oauthlib_req = core.verify_request(request, scopes = _scopes)
if valid:
request.client = oauthlib_req.client
request.resource_owner = oauthlib_req.user
return view_func(request, *args, **kwargs)
return HttpResponseForbidden()
def test_error_catching(self):
validator = RequestValidator()
server = Server(validator)
server.catch_errors = True
h, b, s = server.create_token_response(
'https://example.com', body='grant_type=authorization_code&code=abc'
)
self.assertIn("server_error", b)
self.assertEqual(s, 500)
def get_response(self):
oauth2 = JSONOAuthLibCore(Server(OAuth2V1Validator()))
url, headers, body, status = oauth2.create_revocation_response(
self.request)
if status != 200:
result = json.loads(body)
else:
result = {"detail": _("success logout")}
return Response(result, status=status)
def setUp(self):
self.validator = mock.MagicMock(spec=RequestValidator)
self.validator.get_default_redirect_uri.return_value = TestScopeHandling.DEFAULT_REDIRECT_URI
self.validator.authenticate_client.side_effect = self.set_client
self.server = Server(self.validator)
self.web = WebApplicationServer(self.validator)
self.mobile = MobileApplicationServer(self.validator)
self.legacy = LegacyApplicationServer(self.validator)
self.backend = BackendApplicationServer(self.validator)
def setUp(self):
self.validator = mock.MagicMock(spec=RequestValidator)
self.validator.get_default_redirect_uri.return_value = TestClaimsHandling.DEFAULT_REDIRECT_URI
self.validator.authenticate_client.side_effect = self.set_client
self.validator.save_authorization_code.side_effect = self.save_claims_with_code
self.validator.validate_code.side_effect = self.retrieve_claims_saved_with_code
self.validator.save_token.side_effect = self.save_claims_with_bearer_token
self.server = Server(self.validator)
def setUp(self):
super().setUp()
self.oauth = BottleOAuth2(self.app)
self.validator = mock.MagicMock()
self.server = Server(self.validator)
self.oauth.initialize(self.server)
self.fake_response = ({
"Content-Type": "application/x-www-form-urlencoded"
}, "a=b&c=d", "200 FooOK")
def setUp(self):
super().setUp()
self.oauth = BottleOAuth2(self.app)
self.validator = mock.MagicMock()
self.server = Server(self.validator)
self.oauth.initialize(self.server)
self.fake_request = AttrDict(client="foo",
user="******",
scopes=['banana', 'pinapple'])
def _validate(request, *args, **kwargs):
core = OAuthLibCore(Server(OAuth2Validator()))
valid, oauthlib_req = core.verify_request(request, scopes=[])
if valid:
# Note, resource_owner is not a very good name for this
request.resource_owner = oauthlib_req.user
request.oauth = oauthlib_req
return view_func(request, *args, **kwargs)
return build_error_response(401, 'The token authentication failed.')
def setUp(self):
super().setUp()
self.oauth = BottleOAuth2(self.app)
self.validator = mock.MagicMock()
self.server = Server(self.validator)
self.oauth.initialize(self.server)
self.fake_response = ({
"Content-Type": "application/json"
}, "{'valid': true, 'foo': 'bar'}", "200 FooOK")
def authenticate(self, request):
"""
Authenticate the request
"""
server = Server(OAuthValidator())
handler = OAuthHandler(server)
valid, r = handler.verify_request(request, scopes=[])
if valid:
return r.user, r.access_token
else:
return None
def post(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
data = self.request.data
oauth2 = JSONOAuthLibCore(Server(OAuth2V1Validator()))
uri, headers, body, status = oauth2.create_token_response(request)
data = json.loads(body)
if status != 200:
raise ValidationError({'username': [data['error']]})
return Response(data, status=status)
def token_endpoint(request):
validator = RequestValidator()
server = Server(validator)
uri, http_method, body, headers = extract_params(request)
server_response = server.create_token_response(
uri,
http_method,
body,
headers,
{},
)
return create_response(*server_response)
def validator(request, *args, **kwargs):
from oauth2_provider.oauth2_validators import OAuth2Validator
from oauth2_provider.oauth2_backends import OAuthLibCore
from oauthlib.oauth2 import Server
core = OAuthLibCore(Server(OAuth2Validator()))
valid, oauthlib_req = core.verify_request(request, scopes=scopes)
if valid:
request.token = oauthlib_req.access_token
return f(request, *args, **kwargs)
return JsonResponseForbidden({
"error": "invalid token",
"code": "INVALID_TOKEN"
})
def verify_request(request, scopes):
validator = RequestValidator()
server = Server(validator)
uri, http_method, body, headers = extract_params(request)
valid, r = server.verify_request(
uri, http_method, body, headers, scopes,
)
if not valid:
raise HTTPUnauthorized()
return r.user
def test_server_metadata(self):
endpoint = Server(None)
metadata = MetadataEndpoint(
[endpoint], {
"issuer": 'https://foo.bar',
"authorization_endpoint": "https://foo.bar/authorize",
"introspection_endpoint": "https://foo.bar/introspect",
"revocation_endpoint": "https://foo.bar/revoke",
"token_endpoint": "https://foo.bar/token",
"jwks_uri": "https://foo.bar/certs",
"scopes_supported": ["email", "profile"]
})
expected_claims = {
"issuer":
"https://foo.bar",
"authorization_endpoint":
"https://foo.bar/authorize",
"introspection_endpoint":
"https://foo.bar/introspect",
"revocation_endpoint":
"https://foo.bar/revoke",
"token_endpoint":
"https://foo.bar/token",
"jwks_uri":
"https://foo.bar/certs",
"scopes_supported": ["email", "profile"],
"grant_types_supported": [
"authorization_code", "password", "client_credentials",
"refresh_token", "implicit"
],
"token_endpoint_auth_methods_supported":
["client_secret_post", "client_secret_basic"],
"response_types_supported": ["code", "token"],
"response_modes_supported": ["query", "fragment"],
"code_challenge_methods_supported": ["plain", "S256"],
"revocation_endpoint_auth_methods_supported":
["client_secret_post", "client_secret_basic"],
"introspection_endpoint_auth_methods_supported":
["client_secret_post", "client_secret_basic"]
}
def sort_list(claims):
for k in claims.keys():
claims[k] = sorted(claims[k])
sort_list(metadata.claims)
sort_list(expected_claims)
self.assertEqual(sorted(metadata.claims.items()),
sorted(expected_claims.items()))
def server(self):
validator_key = '_validator'
if hasattr(self, validator_key):
return Server(
getattr(self, validator_key),
token_expires_in=self._token_expires_in,
token_generator=self._token_generator,
refresh_token_generator=self._refresh_token_generator,
)
if hasattr(self, '_clientgetter') and \
hasattr(self, '_tokengetter') and \
hasattr(self, '_tokensetter') and \
hasattr(self, '_grantgetter') and \
hasattr(self, '_grantsetter'):
usergetter = None
if hasattr(self, '_usergetter'):
usergetter = self._usergetter
validator = self.oauth_validator(
service=self.service,
clientgetter=getattr(self, '_clientgetter'),
tokengetter=getattr(self, '_tokengetter'),
grantgetter=getattr(self, '_grantgetter'),
usergetter=usergetter,
tokensetter=getattr(self, '_tokensetter'),
grantsetter=getattr(self, '_grantsetter'))
setattr(self, validator_key, validator)
return Server(
validator,
token_expires_in=self._token_expires_in,
token_generator=self._token_generator,
refresh_token_generator=self._refresh_token_generator,
)
raise RuntimeError('application not bound to required getters')
def server(self):
"""
All in one endpoints. This property is created automaticaly
if you have implemented all the getters and setters.
However, if you are not satisfied with the getter and setter,
you can create a validator with :class:`OAuth2RequestValidator`::
class MyValidator(OAuth2RequestValidator):
def validate_client_id(self, client_id):
# do something
return True
And assign the validator for the provider::
oauth._validator = MyValidator()
"""
if not self._server:
if not self._validator:
accessors = [
'_clientgetter', '_tokengetter', '_tokensetter',
'_grantgetter', '_grantsetter'
]
for accessor in accessors:
if not hasattr(self, accessor):
raise RuntimeError(
'Missing required accessor {}'.format(accessor))
self._validator = OAuthValidator(
clientgetter=self._clientgetter,
tokengetter=self._tokengetter,
grantgetter=self._grantgetter,
usergetter=self._usergetter,
tokensetter=self._tokensetter,
grantsetter=self._grantsetter,
)
self._server = Server(
self._validator,
token_expires_in=self._expires_in,
token_generator=self._token_generator,
refresh_token_generator=self._refresh_token_generator,
)
return self._server
def __call__(self, request):
# 正式环境下要检查AccessToken
if not settings.DEBUG:
if "account_spider" in request.path:
authorization = request.META.get("HTTP_AUTHORIZATION", "")
token = request.GET.get("token", "")
authorization_session = request.session.get("authorization")
if token:
request.META["HTTP_AUTHORIZATION"] = "Bearer %s" % token
request.session['authorization'] = "Bearer %s" % token
elif authorization:
request.session['authorization'] = authorization
elif authorization_session:
request.META["HTTP_AUTHORIZATION"] = authorization_session
validator = OAuth2Validator()
core = OAuthLibCore(Server(validator))
valid, oauthlib_req = core.verify_request(request, scopes=[])
if not valid:
return HttpResponseForbidden()
request.resource_owner = oauthlib_req.user
return self.get_response(request)
def server(self):
"""
All in one endpoints. This property is created automatically
if you have implemented all the getters and setters.
However, if you are not satisfied with the getter and setter,
you can create a validator with :class:`OAuth2RequestValidator`::
class MyValidator(OAuth2RequestValidator):
def validate_client_id(self, client_id):
# do something
return True
And assign the validator for the provider::
oauth._validator = MyValidator()
"""
ctx = self.context
cfg = ctx._config
expires_in = cfg.get('OAUTH2_PROVIDER_TOKEN_EXPIRES_IN')
token_generator = cfg.get('OAUTH2_PROVIDER_TOKEN_GENERATOR', None)
if token_generator and not callable(token_generator):
token_generator = import_string(token_generator)
refresh_token_generator = cfg.get(
'OAUTH2_PROVIDER_REFRESH_TOKEN_GENERATOR', None)
if refresh_token_generator and not callable(refresh_token_generator):
refresh_token_generator = import_string(refresh_token_generator)
_validator = ctx.get('_validator', None)
if _validator is not None:
return Server(
_validator,
token_expires_in=expires_in,
token_generator=token_generator,
refresh_token_generator=refresh_token_generator,
)
_clientgetter = ctx.get('_clientgetter', None)
_tokengetter = ctx.get('_tokengetter', None)
_tokensetter = ctx.get('_tokensetter', None)
_grantgetter = ctx.get('_grantgetter', None)
_grantsetter = ctx.get('_grantsetter', None)
if _clientgetter is not None and\
_tokengetter is not None and\
_tokensetter is not None and\
_grantgetter is not None and\
_grantsetter is not None:
usergetter = ctx.get('_usergetter', None)
validator_class = ctx._validator_class
if validator_class is None:
validator_class = OAuth2RequestValidator
validator = validator_class(
clientgetter=_clientgetter,
tokengetter=_tokengetter,
grantgetter=_grantgetter,
usergetter=usergetter,
tokensetter=_tokensetter,
grantsetter=_grantsetter,
)
ctx._validator = validator
return Server(
validator,
token_expires_in=expires_in,
token_generator=token_generator,
refresh_token_generator=refresh_token_generator,
)
raise RuntimeError(
'oauth2 provider plugin not bound to required getters and setters')
def __init__(self, request):
self.request = request
self.validator = RequestValidator()
self.server = Server(self.validator)
def __init__(self, validator: OauthlibRequestValidator):
self._server = Server(validator)
def __init__(self):
validator = DjangoValidator()
# TODO: this should probably be tunable through settings
self._authorization_endpoint = Server(validator)
self._error_uri = reverse('oauth2_error')
