def password_grant_type(self, areq): """ Token authorization using Resource owner password credentials. RFC6749 section 4.3 """ # `Any` comparison tries a first broker, so we either hit an IndexError or get a method try: authn, authn_class_ref = self.pick_auth(areq, "any") except IndexError: err = TokenErrorResponse(error="invalid_grant") return Unauthorized(err.to_json(), content="application/json") identity, _ts = authn.authenticated_as( username=areq["username"], password=areq["password"] ) if identity is None: err = TokenErrorResponse(error="invalid_grant") return Unauthorized(err.to_json(), content="application/json") # We are returning a token areq["response_type"] = ["token"] authn_event = AuthnEvent( identity["uid"], identity.get("salt", ""), authn_info=authn_class_ref, time_stamp=_ts, ) sid = self.setup_session(areq, authn_event, self.cdb[areq["client_id"]]) _at = self.sdb.upgrade_to_token(self.sdb[sid]["code"], issue_refresh=True) atr_class = self.server.message_factory.get_response_type("token_endpoint") atr = atr_class(**by_schema(atr_class, **_at)) return Response( atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS )
def refresh_token_grant_type(self, areq): at = self.token_handler.refresh_access_token(self.baseurl, areq['access_token'], 'refresh_token') atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **at)) return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs): """ This is where clients come to get their access tokens """ _sdb = self.sdb logger.debug("- token -") body = kwargs["request"] logger.debug("body: %s" % sanitize(body)) areq = AccessTokenRequest().deserialize(body, "urlencoded") try: self.client_authn(self, areq, authn) except FailedAuthentication as err: logger.error(err) err = TokenErrorResponse(error="unauthorized_client", error_description="%s" % err) return Response(err.to_json(), content="application/json", status="401 Unauthorized") logger.debug("AccessTokenRequest: %s" % sanitize(areq)) try: assert areq["grant_type"] == "authorization_code" except AssertionError: err = TokenErrorResponse(error="invalid_request", error_description="Wrong grant type") return Response(err.to_json(), content="application/json", status="401 Unauthorized") # assert that the code is valid _info = _sdb[areq["code"]] resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] try: _tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") logger.debug("_tinfo: %s" % sanitize(_tinfo)) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) logger.debug("AccessTokenResponse: %s" % sanitize(atr)) return Response(atr.to_json(), content="application/json")
def code_grant_type(self, areq): # assert that the code is valid try: _info = self.sdb[areq["code"]] except KeyError: err = TokenErrorResponse(error="invalid_grant", error_description="Unknown access grant") return Response(err.to_json(), content="application/json", status="401 Unauthorized") authzreq = json.loads(_info['authzreq']) if 'code_verifier' in areq: try: _method = authzreq['code_challenge_method'] except KeyError: _method = 'S256' resp = self.verify_code_challenge(areq['code_verifier'], authzreq['code_challenge'], _method) if resp: return resp if 'state' in areq: if self.sdb[areq['code']]['state'] != areq['state']: logger.error('State value mismatch') err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] issue_refresh = False if 'scope' in authzreq and 'offline_access' in authzreq['scope']: if authzreq['response_type'] == 'code': issue_refresh = True try: _tinfo = self.sdb.upgrade_to_token(areq["code"], issue_refresh=issue_refresh) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") logger.debug("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) logger.debug("AccessTokenResponse: %s" % atr) return Response(atr.to_json(), content="application/json")
def refresh_token_grant_type(self, areq): at = self.token_handler.refresh_access_token( self.baseurl, areq["access_token"], "refresh_token" ) atr_class = self.server.message_factory.get_response_type("token_endpoint") atr = atr_class(**by_schema(atr_class, **at)) return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs): """ This is where clients come to get their access tokens """ _sdb = self.sdb LOG_DEBUG("- token -") body = kwargs["request"] LOG_DEBUG("body: %s" % body) areq = AccessTokenRequest().deserialize(body, "urlencoded") try: client = self.client_authn(self, areq, authn) except FailedAuthentication as err: err = TokenErrorResponse(error="unauthorized_client", error_description="%s" % err) return Response(err.to_json(), content="application/json", status="401 Unauthorized") LOG_DEBUG("AccessTokenRequest: %s" % areq) try: assert areq["grant_type"] == "authorization_code" except AssertionError: err = TokenErrorResponse(error="invalid_request", error_description="Wrong grant type") return Response(err.to_json(), content="application/json", status="401 Unauthorized") # assert that the code is valid _info = _sdb[areq["code"]] resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] try: _tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") LOG_DEBUG("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) LOG_DEBUG("AccessTokenResponse: %s" % atr) return Response(atr.to_json(), content="application/json")
def token_endpoint(self, authn="", **kwargs): """ This is where clients come to get their access tokens """ _sdb = self.sdb logger.debug("- token -") body = kwargs["request"] logger.debug("body: %s" % sanitize(body)) areq = AccessTokenRequest().deserialize(body, "urlencoded") try: self.client_authn(self, areq, authn) except FailedAuthentication as err: logger.error(err) err = TokenErrorResponse(error="unauthorized_client", error_description="%s" % err) return Response(err.to_json(), content="application/json", status_code=401) logger.debug("AccessTokenRequest: %s" % sanitize(areq)) if areq["grant_type"] != "authorization_code": err = TokenErrorResponse(error="invalid_request", error_description="Wrong grant type") return Response(err.to_json(), content="application/json", status="401 Unauthorized") # assert that the code is valid _info = _sdb[areq["code"]] resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]: logger.error('Redirect_uri mismatch') err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") try: _tinfo = _sdb.upgrade_to_token(areq["code"], issue_refresh=True) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") logger.debug("_tinfo: %s" % sanitize(_tinfo)) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) logger.debug("AccessTokenResponse: %s" % sanitize(atr)) return Response(atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS)
def authorization_endpoint(self, query): req = self.parse_authorization_request(query=query) aevent = AuthnEvent("user", "salt", authn_info="acr") sid = self.sdb.create_authz_session(aevent, areq=req) self.sdb.do_sub(sid, 'client_salt') _info = self.sdb[sid] if "code" in req["response_type"]: if "token" in req["response_type"]: grant = _info["code"] _dict = self.sdb.upgrade_to_token(grant) _dict["oauth_state"] = "authz", _dict = by_schema(AuthorizationResponse(), **_dict) resp = AuthorizationResponse(**_dict) # resp.code = grant else: _state = req["state"] resp = AuthorizationResponse(state=_state, code=_info["code"]) else: # "implicit" in req.response_type: grant = _info["code"] params = AccessTokenResponse.c_param.keys() if "token" in req["response_type"]: _dict = dict([ (k, v) for k, v in self.sdb.upgrade_to_token(grant).items() if k in params ]) try: del _dict["refresh_token"] except KeyError: pass else: _dict = {"state": req["state"]} if "id_token" in req["response_type"]: _idt = self.make_id_token(_info, issuer=self.name) alg = "RS256" ckey = self.keyjar.get_signing_key(alg2keytype(alg), _info["client_id"]) _signed_jwt = _idt.to_jwt(key=ckey, algorithm=alg) p = _signed_jwt.split(".") p[2] = "aaa" _dict["id_token"] = ".".join(p) resp = AuthorizationResponse(**_dict) location = resp.request(req["redirect_uri"]) response = Response() response.headers = {"location": location} response.status_code = 302 response.text = "" return response
def token_response(**kwargs): _areq = kwargs["areq"] _scode = kwargs["scode"] _sdb = kwargs["sdb"] _dic = _sdb.upgrade_to_token(_scode, issue_refresh=False) aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic)) if "state" in _areq: aresp["state"] = _areq["state"] return aresp
def token_response(**kwargs): _areq = kwargs["areq"] _scode = kwargs["scode"] _sdb = kwargs["sdb"] _dic = _sdb.update_to_token(_scode, issue_refresh=False) aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic)) if "state" in _areq: aresp["state"] = _areq["state"] return aresp
def authorization_endpoint(self, query): req = self.parse_authorization_request(query=query) aevent = AuthnEvent("user", authn_info="acr") sid = self.sdb.create_authz_session(aevent, areq=req) _ = self.sdb.do_sub(sid) _info = self.sdb[sid] if "code" in req["response_type"]: if "token" in req["response_type"]: grant = _info["code"] _dict = self.sdb.upgrade_to_token(grant) _dict["oauth_state"] = "authz", _dict = by_schema(AuthorizationResponse(), **_dict) resp = AuthorizationResponse(**_dict) # resp.code = grant else: _state = req["state"] resp = AuthorizationResponse(state=_state, code=_info["code"]) else: # "implicit" in req.response_type: grant = _info["code"] params = AccessTokenResponse.c_param.keys() if "token" in req["response_type"]: _dict = dict([(k, v) for k, v in self.sdb.upgrade_to_token(grant).items() if k in params]) try: del _dict["refresh_token"] except KeyError: pass else: _dict = {"state": req["state"]} if "id_token" in req["response_type"]: _idt = self.make_id_token(_info, issuer=self.name) alg = "RS256" ckey = self.keyjar.get_signing_key(alg2keytype(alg), _info["client_id"]) _signed_jwt = _idt.to_jwt(key=ckey, algorithm=alg) p = _signed_jwt.split(".") p[2] = "aaa" _dict["id_token"] = ".".join(p) resp = AuthorizationResponse(**_dict) location = resp.request(req["redirect_uri"]) response = Response() response.headers = {"location": location} response.status_code = 302 response.text = "" return response
def do_access_token_response(self, access_token, atinfo, state, refresh_token=None): _tinfo = {'access_token': access_token, 'expires_in': atinfo['exp'], 'token_type': 'bearer', 'state': state} try: _tinfo['scope'] = atinfo['scope'] except KeyError: pass if refresh_token: _tinfo['refresh_token'] = refresh_token return AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
def token_response(**kwargs): _areq = kwargs["areq"] _scode = kwargs["scode"] _sdb = kwargs["sdb"] _dic = _sdb.upgrade_to_token(_scode, issue_refresh=False) aresp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_dic)) try: aresp["state"] = _areq["state"] except KeyError: pass add_non_standard(_areq, aresp) return aresp
def authorization_endpoint(self, query): req = self.parse_authorization_request(query=query) sid = self.sdb.create_authz_session(sub="user", areq=req) _info = self.sdb[sid] _info["sub"] = _info["local_sub"] if "code" in req["response_type"]: if "token" in req["response_type"]: grant = _info["code"] _dict = self.sdb.upgrade_to_token(grant) _dict["oauth_state"] = "authz", _dict = by_schema(AuthorizationResponse(), **_dict) resp = AuthorizationResponse(**_dict) #resp.code = grant else: resp = AuthorizationResponse(state=req["state"], code=_info["code"]) else: # "implicit" in req.response_type: grant = _info["code"] params = AccessTokenResponse.c_param.keys() _dict = dict([(k, v) for k, v in self.sdb.upgrade_to_token(grant).items() if k in params]) try: del _dict["refresh_token"] except KeyError: pass if "id_token" in req["response_type"]: _idt = self.make_id_token(_info, issuer=self.name, access_token=_dict["access_token"]) alg = "RS256" ckey = self.keyjar.get_signing_key(alg2keytype(alg), _info["client_id"]) _dict["id_token"] = _idt.to_jwt(key=ckey, algorithm=alg) resp = AccessTokenResponse(**_dict) location = resp.request(req["redirect_uri"]) response = Response() response.headers = {"location": location} response.status_code = 302 response.text = "" return response
def userinfo_in_id_token_claims(self, session): """ Put userinfo claims in the id token :param session: :return: """ itc = self.server.id_token_claims(session) if not itc: return None _claims = by_schema(OpenIDSchema, **itc) if _claims: return self._collect_user_info(session, {"claims": _claims}) else: return None
def token_endpoint(self, data): if "grant_type=refresh_token" in data: req = self.parse_refresh_token_request(body=data) _info = self.sdb.refresh_token(req["refresh_token"]) elif "grant_type=authorization_code": req = self.parse_token_request(body=data) _info = self.sdb.upgrade_to_token(req["code"]) else: response = TokenErrorResponse(error="unsupported_grant_type") return response, "" resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info)) response = Response() response.headers = {"content-type": "application/json"} response.text = resp.to_json() return response
def do_access_token_response(self, access_token, atinfo, state, refresh_token=None): _tinfo = { "access_token": access_token, "expires_in": atinfo["exp"], "token_type": "bearer", "state": state, } try: _tinfo["scope"] = atinfo["scope"] except KeyError: pass if refresh_token: _tinfo["refresh_token"] = refresh_token atr_class = self.server.message_factory.get_response_type("token_endpoint") return atr_class(**by_schema(atr_class, **_tinfo))
def token_endpoint(self, environ, start_response): """ This is where clients come to get their access tokens """ _sdb = self.sdb LOG_DEBUG("- token -") body = get_post(environ) LOG_DEBUG("body: %s" % body) areq = AccessTokenRequest().deserialize(body, "urlencoded") # Client is from basic auth or ... client = None try: client = self.function["verify_client"](environ, client, self.cdb) except (KeyError, AttributeError): err = TokenErrorResponse(error="unathorized_client", error_description="client_id:%s" % client) resp = Response(err.to_json(), content="application/json", status="401 Unauthorized") return resp(environ, start_response) LOG_DEBUG("AccessTokenRequest: %s" % areq) assert areq["grant_type"] == "authorization_code" # assert that the code is valid _info = _sdb[areq["code"]] # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] _tinfo = _sdb.update_to_token(areq["code"]) LOG_DEBUG("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) LOG_DEBUG("AccessTokenResponse: %s" % atr) resp = Response(atr.to_json(), content="application/json") return resp(environ, start_response)
def authorization_endpoint(self, query): req = self.parse_authorization_request(query=query) sid = self.sdb.create_authz_session(user_id="user", areq=req) _info = self.sdb[sid] if "code" in req["response_type"]: if "token" in req["response_type"]: grant = _info["code"] _dict = self.sdb.update_to_token(grant) _dict["oauth_state"]="authz", _dict = by_schema(AuthorizationResponse(), **_dict) resp = AuthorizationResponse(**_dict) #resp.code = grant else: resp = AuthorizationResponse(state=req["state"], code=_info["code"]) else: # "implicit" in req.response_type: grant = _info["code"] params = AccessTokenResponse.c_param.keys() _dict = dict([(k,v) for k, v in self.sdb.update_to_token(grant).items() if k in params]) try: del _dict["refresh_token"] except KeyError: pass if "id_token" in req["response_type"]: _dict["id_token"] = self.make_id_token(_info, issuer=self.name, access_token=_dict["access_token"]) resp = AccessTokenResponse(**_dict) location = resp.request(req["redirect_uri"]) response= Response() response.headers = {"location":location} response.status_code = 302 response.text = "" return response
def token_endpoint(self, data): if "grant_type=refresh_token" in data: req = self.parse_refresh_token_request(body=data) _info = self.sdb.refresh_token(req["refresh_token"], req['client_id']) elif "grant_type=authorization_code" in data: req = self.parse_token_request(body=data) if 'offline_access' in self.sdb[req['code']]['scope']: _info = self.sdb.upgrade_to_token(req["code"], issue_refresh=True) else: _info = self.sdb.upgrade_to_token(req["code"]) else: response = TokenErrorResponse(error="unsupported_grant_type") return response, "" resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info)) response2 = Response() response2.headers = {"content-type": "application/json"} response2.text = resp.to_json() return response2
def code_grant_type(self, areq): """ Token authorization using Code Grant. RFC6749 section 4.1 """ try: _tinfo = self.sdb.upgrade_to_token(areq["code"], issue_refresh=True) except AccessCodeUsed: error = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Unauthorized(error.to_json(), content="application/json") logger.debug("_tinfo: %s" % sanitize(_tinfo)) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) logger.debug("AccessTokenResponse: %s" % sanitize(atr)) return Response(atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS)
def _refresh_access_token_endpoint(self, req, **kwargs): _sdb = self.sdb _log_debug = logger.debug client_info = self.cdb[req["client_id"]] assert req["grant_type"] == "refresh_token" rtoken = req["refresh_token"] _info = _sdb.refresh_token(rtoken) if "openid" in _info["scope"]: userinfo = self.userinfo_in_id_token_claims(_info) _idtoken = self.sign_encrypt_id_token(_info, client_info, req, user_info=userinfo) sid = _sdb.token.get_key(rtoken) _sdb.update(sid, "id_token", _idtoken) _log_debug("_info: %s" % _info) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info)) _log_debug("access_token_response: %s" % atr.to_dict()) return Response(atr.to_json(), content="application/json")
LOG_DEBUG("- authenticated -") try: result = self.authn_intro(environ, start_response) except Exception, err: resp = ServiceError("%s" % err) return resp(environ, start_response) if isinstance(result, Response): return result(environ, start_response) else: areq, session = result try: aresp = self.authn_response(areq, **by_schema(AuthorizationResponse, **session)) except KeyError, err: # Don't know what to do raise an exception resp = BadRequest("Unknown response type (%s)" % err) return resp(environ, start_response) add_non_standard(aresp, areq) return self.authn_reply(areq, aresp, environ, start_response) def authorization_endpoint(self, environ, start_response, **kwargs): # The AuthorizationRequest endpoint _sdb = self.sdb LOG_DEBUG("- authorization -")
# verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] try: _tinfo = _sdb.upgrade_to_token(areq["code"]) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") LOG_DEBUG("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) LOG_DEBUG("AccessTokenResponse: %s" % atr) return Response(atr.to_json(), content="application/json") def verify_endpoint(self, request="", cookie=None, **kwargs): _req = urlparse.parse_qs(request) try: areq = urlparse.parse_qs(_req["query"][0]) except KeyError: return BadRequest() authn, acr = self.pick_auth(areq=areq) kwargs["cookie"] = cookie return authn.verify(_req, **kwargs)
def code_grant_type(self, areq): # assert that the code is valid try: _info = self.sdb[areq["code"]] except KeyError: err = TokenErrorResponse(error="invalid_grant", error_description="Unknown access grant") return Response(err.to_json(), content="application/json", status="401 Unauthorized") authzreq = json.loads(_info['authzreq']) if 'code_verifier' in areq: try: _method = authzreq['code_challenge_method'] except KeyError: _method = 'S256' resp = self.verify_code_challenge(areq['code_verifier'], authzreq['code_challenge'], _method) if resp: return resp if 'state' in areq: if self.sdb[areq['code']]['state'] != areq['state']: logger.error('State value mismatch') err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]: logger.error('Redirect_uri mismatch') err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") issue_refresh = False if 'scope' in authzreq and 'offline_access' in authzreq['scope']: if authzreq['response_type'] == 'code': issue_refresh = True try: _tinfo = self.sdb.upgrade_to_token(areq["code"], issue_refresh=issue_refresh) except AccessCodeUsed: err = TokenErrorResponse(error="invalid_grant", error_description="Access grant used") return Response(err.to_json(), content="application/json", status="401 Unauthorized") logger.debug("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) logger.debug("AccessTokenResponse: %s" % atr) return Response(atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS)
def refresh_token_grant_type(self, areq): at = self.token_handler.refresh_access_token( self.baseurl, areq['access_token'], 'refresh_token') atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **at)) return Response(atr.to_json(), content="application/json")
bsid = base64.b64encode(sid) session = _sdb[sid] # Do the authorization try: permission = self.authz(session["sub"], session) _sdb.update(sid, "permission", permission) except Exception: raise grant = session["code"] LOG_DEBUG("code: '%s'" % grant) try: aresp = self.authn_response(areq, **by_schema(AuthorizationResponse, **session)) except KeyError, err: # Don't know what to do raise an exception return BadRequest("Unknown response type (%s)" % err) add_non_standard(aresp, areq) return self.authn_reply(areq, aresp, bsid) def token_endpoint(self, auth_header="", **kwargs): """ This is where clients come to get their access tokens """ _sdb = self.sdb LOG_DEBUG("- token -")
def code_grant_type(self, areq): # assert that the code is valid try: _info = self.sdb[areq["code"]] except KeyError: err = TokenErrorResponse( error="invalid_grant", error_description="Unknown access grant" ) return Response( err.to_json(), content="application/json", status="401 Unauthorized" ) authzreq = json.loads(_info["authzreq"]) if "code_verifier" in areq: try: _method = authzreq["code_challenge_method"] except KeyError: _method = "S256" resp = self.verify_code_challenge( areq["code_verifier"], authzreq["code_challenge"], _method ) if resp: return resp if "state" in areq: if self.sdb[areq["code"]]["state"] != areq["state"]: logger.error("State value mismatch") err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") resp = self.token_scope_check(areq, _info) if resp: return resp # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info and areq["redirect_uri"] != _info["redirect_uri"]: logger.error("Redirect_uri mismatch") err = TokenErrorResponse(error="unauthorized_client") return Unauthorized(err.to_json(), content="application/json") issue_refresh = False if "scope" in authzreq and "offline_access" in authzreq["scope"]: if authzreq["response_type"] == "code": issue_refresh = True try: _tinfo = self.sdb.upgrade_to_token( areq["code"], issue_refresh=issue_refresh ) except AccessCodeUsed: err = TokenErrorResponse( error="invalid_grant", error_description="Access grant used" ) return Response( err.to_json(), content="application/json", status="401 Unauthorized" ) logger.debug("_tinfo: %s" % _tinfo) atr_class = self.server.message_factory.get_response_type("token_endpoint") atr = atr_class(**by_schema(atr_class, **_tinfo)) logger.debug("AccessTokenResponse: %s" % atr) return Response( atr.to_json(), content="application/json", headers=OAUTH2_NOCACHE_HEADERS )
_sdb.revoke_all_tokens(_access_code) return self._error(environ, start_response, error="access_denied", descr= "%s" % err) if "openid" in _info["scope"]: try: _idtoken = self._id_token(_info) except AccessDenied: return self._error(environ, start_response, error="access_denied") _sdb.update_by_token(_access_code, "id_token", _idtoken) _log_debug("_tinfo: %s" % _tinfo) atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo)) if self.test_mode: _log_info("access_token_response: %s" % atr.to_dict()) resp = Response(atr.to_json(), content="application/json") return resp(environ, start_response) def _bearer_auth(self, environ): #'HTTP_AUTHORIZATION': 'Bearer pC7efiVgbI8UASlolltdh76DrTZ2BQJQXFhVvwWlKekFvWCcdMTmNCI/BCSCxQiG' try: authn = environ["HTTP_AUTHORIZATION"] try: assert authn[:6].lower() == "bearer" _token = authn[7:] except AssertionError: