def validate_registration_endpoint(self):
    """Validate the OPTIONAL ``registration_endpoint`` metadata value.

    This is the URL of the authorization server's OAuth 2.0 Dynamic
    Client Registration endpoint [RFC7591]. When present it must be
    served over a secure transport; an absent or empty value is
    accepted unchanged, because the endpoint is optional.

    :raises ValueError: if the endpoint is set but ``is_secure_transport``
        rejects it.
    """
    endpoint = self.get('registration_endpoint')
    if not endpoint:
        return
    if is_secure_transport(endpoint):
        return
    raise ValueError('"registration_endpoint" MUST use "https" scheme')
def validate_introspection_endpoint(self):
    """Validate the OPTIONAL ``introspection_endpoint`` metadata value.

    This is the URL of the authorization server's OAuth 2.0 token
    introspection endpoint [RFC7662]. Only the transport is checked
    here, and only when a non-empty value is present.

    :raises ValueError: if the endpoint is set but ``is_secure_transport``
        rejects it.
    """
    endpoint = self.get('introspection_endpoint')
    if not endpoint:
        return
    if is_secure_transport(endpoint):
        return
    raise ValueError('"introspection_endpoint" MUST use "https" scheme')
def validate_jwks_uri(self):
    """Validate the OPTIONAL ``jwks_uri`` metadata value.

    This is the URL of the authorization server's JWK Set [JWK]
    document, which holds the signing key(s) clients use to verify
    signatures from the server and MAY also hold its encryption
    key(s). When both kinds of key are published, a "use" (public key
    use) parameter is REQUIRED on every key so clients can tell them
    apart. This URL MUST use the "https" scheme.

    Only the transport of the URL is verified here; the referenced
    document is neither fetched nor inspected by this method, and an
    absent or empty value is accepted because the field is optional.

    :raises ValueError: if the URL is set but ``is_secure_transport``
        rejects it.
    """
    jwks_url = self.get('jwks_uri')
    if not jwks_url:
        return
    if is_secure_transport(jwks_url):
        return
    raise ValueError('"jwks_uri" MUST use "https" scheme')
def validate_token_endpoint(self):
    """Validate the ``token_endpoint`` metadata value [RFC6749].

    The token endpoint is REQUIRED unless the only supported grant type
    is ``implicit``; when present it must use a secure transport.

    The implicit-only exemption is decided from the raw
    ``grant_types_supported`` metadata entry: the endpoint is exempt
    only when that entry is a one-element list whose element is
    ``'implicit'``. If the entry is absent the endpoint is required.

    :raises ValueError: if the endpoint is missing while required, or
        if it is present but ``is_secure_transport`` rejects it.
    """
    grant_types = self.get('grant_types_supported')
    implicit_only = (
        bool(grant_types)
        and len(grant_types) == 1
        and grant_types[0] == 'implicit'
    )
    if implicit_only:
        return

    endpoint = self.get('token_endpoint')
    if not endpoint:
        raise ValueError('"token_endpoint" is required')
    if not is_secure_transport(endpoint):
        raise ValueError('"token_endpoint" MUST use "https" scheme')
def validate_authorization_endpoint(self):
    """Validate the ``authorization_endpoint`` metadata value [RFC6749].

    The authorization endpoint is REQUIRED when any supported grant
    type uses it (``authorization_code`` or ``implicit``) and optional
    otherwise. When present it must use a secure transport.

    The requirement check reads ``self.grant_types_supported`` (defined
    elsewhere on this class) rather than the raw metadata entry, so any
    defaulting that attribute performs applies here — confirm against
    its definition.

    :raises ValueError: if the endpoint is present but
        ``is_secure_transport`` rejects it, or if it is absent while a
        grant type that needs it is supported.
    """
    endpoint = self.get('authorization_endpoint')
    if endpoint:
        if is_secure_transport(endpoint):
            return
        raise ValueError('"authorization_endpoint" MUST use "https" scheme')

    needs_endpoint = {'authorization_code', 'implicit'}
    supported = set(self.grant_types_supported)
    if not supported.isdisjoint(needs_endpoint):
        raise ValueError('"authorization_endpoint" is required')
def validate_issuer(self):
    """Validate the REQUIRED ``issuer`` metadata value.

    The issuer identifier is a URL that uses the "https" scheme and has
    no query or fragment components. Three checks run in order and the
    first failure raises: presence, transport (delegated to
    ``is_secure_transport``), and absence of query/fragment parts.

    :raises ValueError: on the first failing check.
    """
    issuer = self.get('issuer')
    if not issuer:
        raise ValueError('"issuer" is required')

    # Parsed up front so the query/fragment check below works on
    # URL components rather than on substring matching.
    components = urlparse.urlparse(issuer)

    if not is_secure_transport(issuer):
        raise ValueError('"issuer" MUST use "https" scheme')

    # The transport check does not reject query or fragment parts on
    # its own; the issuer identifier must carry neither.
    if components.query or components.fragment:
        raise ValueError('"issuer" has no query or fragment')
def check(cls, uri):
    """Raise ``cls`` (``InsecureTransportError``) unless *uri* is secure.

    The decision is delegated to ``is_secure_transport``; the error is
    instantiated with no arguments, so the offending URI is not
    attached to the exception.

    :raises cls: if ``is_secure_transport(uri)`` is false.
    """
    if is_secure_transport(uri):
        return
    raise cls()
def check(cls, url):
    """Raise ``cls`` unless *url* is served over a secure transport.

    The decision is delegated to ``is_secure_transport``; the error is
    instantiated with no arguments, so the offending URL is not
    attached to the exception.

    :raises cls: if ``is_secure_transport(url)`` is false.
    """
    if is_secure_transport(url):
        return
    raise cls()