def _get_expected_claims(self, access_token, nonce):
client = access_token.client
# Basic OpenID Connect ID token claims
expected = {
'iss': settings.OAUTH_OIDC_ISSUER,
'sub': None,
'aud': client.client_id,
'iat': 0,
'exp': 30,
'nonce': nonce
}
# Add profile scope claims
if check(constants.PROFILE_SCOPE, access_token.scope):
user = access_token.user
expected.update({
'name': user.get_full_name(),
'given_name': user.first_name,
'family_name': user.last_name,
'preferred_username': user.username
})
# Add email scope claims
if check(constants.EMAIL_SCOPE, access_token.scope):
user = access_token.user
expected.update({
'email': user.email,
})
return expected
def _get_expected_claims(self, access_token, nonce):
client = access_token.client
# Basic OpenID Connect ID token claims
expected = {
'iss': settings.OAUTH_OIDC_ISSUER,
'sub': None,
'aud': client.client_id,
'iat': 0,
'exp': 30,
'nonce': nonce
}
# Add profile scope claims
if check(constants.PROFILE_SCOPE, access_token.scope):
user = access_token.user
expected.update({
'name': user.get_full_name(),
'given_name': user.first_name,
'family_name': user.last_name,
'preferred_username': user.username
})
# Add email scope claims
if check(constants.EMAIL_SCOPE, access_token.scope):
user = access_token.user
expected.update({
'email': user.email,
})
return expected
def check_scope(self, token, request):
http_method = request.method
if not hasattr(self, http_method):
raise OAuthError("HTTP method is not recognized")
required_scopes = getattr(self, http_method)
# a None scope means always allowed
if required_scopes is None:
return True
model = settings.OAUTH_ACCESS_TOKEN_MODEL
if model.startswith("provider"): # oauth2-provider
from provider.scope import check
check_method = lambda scope: check(scope, token.scope)
elif model.startswith("oauth2_provider"): # oauth toolkit
check_method = lambda scope: token.allow_scopes(scope.split())
else:
raise Exception("oauth provider is not found")
"""
The required scope is either a string(oauth2 toolkit),
int(oauth2-provider) or an iterable. If string or int, check if it is
allowed for our access token otherwise, iterate through the
required_scopes to see which scopes are allowed
"""
# for non iterable types
if isinstance(required_scopes, six.string_types) or \
isinstance(required_scopes, six.integer_types):
return [required_scopes] if check_method(required_scopes) else []
allowed_scopes = []
try:
for scope in required_scopes:
if check_method(scope):
allowed_scopes.append(scope)
except:
raise Exception('Invalid required scope values')
else:
return allowed_scopes
def access_token_response_data(self, access_token):
# Include username along the access token response if requested in the scope.
response_data = super(AccessTokenView, self).access_token_response_data(access_token)
if scope.check(constants.USERNAME_SCOPE, access_token.scope):
response_data.update({'preferred_username': access_token.user.username})
return response_data
def has_scope(self, required):
"""
Return `True` if the token satisfies the required scope.
`required` may be provided as either the integer or string representation.
"""
if not isinstance(required, int):
required = scopes.SCOPE_NAME_DICT[required]
return scope.check(required, self.scope)
def clean(self):
"""
Make sure that the scope is less or equal to the previous scope!
"""
data = self.cleaned_data
if 'scope' in data and not scope.check(data.get('scope'), data.get('refresh_token').access_token.scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def clean(self):
"""
Make sure that the scope is less or equal to the previous scope!
"""
data = self.cleaned_data
if 'scope' in data and not scope.check(
data.get('scope'),
data.get('refresh_token').access_token.scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def clean(self):
"""
Make sure that the scope is less or equal to the scope allowed on the
grant!
"""
data = self.cleaned_data
# Only check if we've actually got a scope in the data
# (read: All fields have been cleaned)
if 'scope' in data and not scope.check(data.get('scope'), data.get('grant').scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def clean(self):
"""
Make sure that the scope is less or equal to the scope allowed on the
grant!
"""
data = self.cleaned_data
# Only check if we've actually got a scope in the data
# (read: All fields have been cleaned)
if 'scope' in data and not scope.check(data.get('scope'),
data.get('grant').scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def clean(self):
"""
Make sure that the scope is less or equal to the scope allowed on the
grant!
"""
data = self.cleaned_data
want_scope = data.get('scope') or 0
grant = data.get('grant')
has_scope = grant.scope if grant else 0
# Only check if we've actually got a scope in the data
# (read: All fields have been cleaned)
if want_scope is not 0 and not scope.check(want_scope, has_scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def has_permission(self, request, view):
token = request.auth
read_only = request.method in SAFE_METHODS
if not token:
return False
if hasattr(token, 'resource'): # OAuth 1
return read_only or not request.auth.resource.is_readonly
elif hasattr(token, 'scope'): # OAuth 2
required = oauth2_constants.READ if read_only else oauth2_constants.WRITE
return oauth2_provider_scope.check(required, request.auth.scope)
assert False, (
'TokenHasReadWriteScope requires either the'
'`OAuthAuthentication` or `OAuth2Authentication` authentication '
'class to be used.')
def clean(self):
"""
Make sure that the scope is less or equal to the previous scope!
"""
data = self.cleaned_data
want_scope = data.get('scope') or 0
refresh_token = data.get('refresh_token')
access_token = getattr(refresh_token, 'access_token', None) if \
refresh_token else \
None
has_scope = access_token.scope if access_token else 0
# Only check if we've actually got a scope in the data
# (read: All fields have been cleaned)
if want_scope is not 0 and not scope.check(want_scope, has_scope):
raise OAuthValidationError({'error': 'invalid_scope'})
return data
def has_permission(self, request, view):
token = request.auth
read_only = request.method in SAFE_METHODS
if not token:
return False
if hasattr(token, 'resource'): # OAuth 1
return read_only or not request.auth.resource.is_readonly
elif hasattr(token, 'scope'): # OAuth 2
required = oauth2_constants.READ if read_only else oauth2_constants.WRITE
return oauth2_provider_scope.check(required, request.auth.scope)
assert False, (
'TokenHasReadWriteScope requires either the'
'`OAuthAuthentication` or `OAuth2Authentication` authentication '
'class to be used.'
)
