def collectMetadata(issuer=None, ignoreErrors=False):
"""Collect metadata for DIRAC Authorization Server(DAS), a metadata format defined by the IETF specification:
https://datatracker.ietf.org/doc/html/rfc8414#section-2
:param str issuer: issuer to set
:return: dict -- dictionary is the AuthorizationServerMetadata object in the same time
"""
result = getAuthorizationServerMetadata(issuer, ignoreErrors=ignoreErrors)
if not result["OK"]:
raise Exception("Cannot prepare authorization server metadata. %s" %
result["Message"])
metadata = result["Value"]
for name, endpoint in [
("jwks_uri", "jwk"),
("token_endpoint", "token"),
("userinfo_endpoint", "userinfo"),
("revocation_endpoint", "revoke"),
("redirect_uri", "redirect"),
("authorization_endpoint", "authorization"),
("device_authorization_endpoint", "device"),
]:
metadata[name] = metadata["issuer"].strip("/") + "/" + endpoint
metadata["scopes_supported"] = ["g:", "proxy", "lifetime:"]
metadata["grant_types_supported"] = [
"code",
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
]
metadata["response_types_supported"] = ["code", "device", "token"]
metadata["code_challenge_methods_supported"] = ["S256"]
return AuthorizationServerMetadata(metadata)
def _process(self):
metadata = AuthorizationServerMetadata(
authorization_endpoint=url_for('.oauth_authorize', _external=True),
token_endpoint=url_for('.oauth_token', _external=True),
introspection_endpoint=url_for('.oauth_introspect',
_external=True),
revocation_endpoint=url_for('.oauth_revoke', _external=True),
issuer=config.BASE_URL,
response_types_supported=['code'],
response_modes_supported=['query'],
grant_types_supported=['authorization_code'],
scopes_supported=list(SCOPES),
token_endpoint_auth_methods_supported=list(
IndicoAuthorizationCodeGrant.TOKEN_ENDPOINT_AUTH_METHODS),
introspection_endpoint_auth_methods_supported=list(
IndicoIntrospectionEndpoint.CLIENT_AUTH_METHODS),
revocation_endpoint_auth_methods_supported=list(
IndicoRevocationEndpoint.CLIENT_AUTH_METHODS),
code_challenge_methods_supported=list(
IndicoCodeChallenge.SUPPORTED_CODE_CHALLENGE_METHOD),
)
metadata.validate()
return jsonify(metadata)
def test_validate_token_endpoint(self):
# implicit
metadata = AuthorizationServerMetadata(
{'grant_types_supported': ['implicit']})
metadata.validate_token_endpoint()
# missing
metadata = AuthorizationServerMetadata()
with self.assertRaises(ValueError) as cm:
metadata.validate_token_endpoint()
self.assertIn('required', str(cm.exception))
# https
metadata = AuthorizationServerMetadata(
{'token_endpoint': 'http://authlib.org/'})
with self.assertRaises(ValueError) as cm:
metadata.validate_token_endpoint()
self.assertIn('https', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'token_endpoint': 'https://authlib.org/'})
metadata.validate_token_endpoint()
def test_validate_code_challenge_methods_supported(self):
metadata = AuthorizationServerMetadata()
metadata.validate_code_challenge_methods_supported()
# not array
metadata = AuthorizationServerMetadata(
{'code_challenge_methods_supported': 'S256'})
with self.assertRaises(ValueError) as cm:
metadata.validate_code_challenge_methods_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'code_challenge_methods_supported': ['S256']})
metadata.validate_code_challenge_methods_supported()
def test_validate_introspection_endpoint_auth_signing_alg_values_supported(
self):
metadata = AuthorizationServerMetadata()
metadata.validate_introspection_endpoint_auth_signing_alg_values_supported(
)
metadata = AuthorizationServerMetadata({
'introspection_endpoint_auth_methods_supported':
['client_secret_jwt']
})
with self.assertRaises(ValueError) as cm:
metadata.validate_introspection_endpoint_auth_signing_alg_values_supported(
)
self.assertIn('required', str(cm.exception))
metadata = AuthorizationServerMetadata({
'introspection_endpoint_auth_signing_alg_values_supported':
'RS256'
})
with self.assertRaises(ValueError) as cm:
metadata.validate_introspection_endpoint_auth_signing_alg_values_supported(
)
self.assertIn('JSON array', str(cm.exception))
metadata = AuthorizationServerMetadata({
'introspection_endpoint_auth_methods_supported':
['client_secret_jwt'],
'introspection_endpoint_auth_signing_alg_values_supported':
['RS256', 'none']
})
with self.assertRaises(ValueError) as cm:
metadata.validate_introspection_endpoint_auth_signing_alg_values_supported(
)
self.assertIn('none', str(cm.exception))
def test_validate_introspection_endpoint_auth_methods_supported(self):
metadata = AuthorizationServerMetadata()
metadata.validate_introspection_endpoint_auth_methods_supported()
# not array
metadata = AuthorizationServerMetadata({
'introspection_endpoint_auth_methods_supported':
'client_secret_basic'
})
with self.assertRaises(ValueError) as cm:
metadata.validate_introspection_endpoint_auth_methods_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata({
'introspection_endpoint_auth_methods_supported':
['client_secret_basic']
})
metadata.validate_introspection_endpoint_auth_methods_supported()
def test_validate_introspection_endpoint(self):
metadata = AuthorizationServerMetadata()
metadata.validate_introspection_endpoint()
# https
metadata = AuthorizationServerMetadata(
{'introspection_endpoint': 'http://authlib.org/'})
with self.assertRaises(ValueError) as cm:
metadata.validate_introspection_endpoint()
self.assertIn('https', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'introspection_endpoint': 'https://authlib.org/'})
metadata.validate_introspection_endpoint()
def test_validate_issuer(self):
#: missing
metadata = AuthorizationServerMetadata({})
with self.assertRaises(ValueError) as cm:
metadata.validate()
self.assertEqual('"issuer" is required', str(cm.exception))
#: https
metadata = AuthorizationServerMetadata(
{'issuer': 'http://authlib.org/'})
with self.assertRaises(ValueError) as cm:
metadata.validate_issuer()
self.assertIn('https', str(cm.exception))
#: query
metadata = AuthorizationServerMetadata(
{'issuer': 'https://authlib.org/?a=b'})
with self.assertRaises(ValueError) as cm:
metadata.validate_issuer()
self.assertIn('query', str(cm.exception))
#: fragment
metadata = AuthorizationServerMetadata(
{'issuer': 'https://authlib.org/#a=b'})
with self.assertRaises(ValueError) as cm:
metadata.validate_issuer()
self.assertIn('fragment', str(cm.exception))
metadata = AuthorizationServerMetadata(
{'issuer': 'https://authlib.org/'})
metadata.validate_issuer()
def test_validate_op_tos_uri(self):
metadata = AuthorizationServerMetadata()
metadata.validate_op_tos_uri()
metadata = AuthorizationServerMetadata({'op_tos_uri': 'invalid'})
with self.assertRaises(ValueError) as cm:
metadata.validate_op_tos_uri()
self.assertIn('MUST be a URL', str(cm.exception))
metadata = AuthorizationServerMetadata(
{'op_tos_uri': 'https://authlib.org/'})
metadata.validate_op_tos_uri()
def test_validate_ui_locales_supported(self):
metadata = AuthorizationServerMetadata()
metadata.validate_ui_locales_supported()
# not array
metadata = AuthorizationServerMetadata({'ui_locales_supported': 'en'})
with self.assertRaises(ValueError) as cm:
metadata.validate_ui_locales_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'ui_locales_supported': ['en']})
metadata.validate_ui_locales_supported()
def test_validate_grant_types_supported(self):
metadata = AuthorizationServerMetadata()
metadata.validate_grant_types_supported()
# not array
metadata = AuthorizationServerMetadata(
{'grant_types_supported': 'password'})
with self.assertRaises(ValueError) as cm:
metadata.validate_grant_types_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'grant_types_supported': ['password']})
metadata.validate_grant_types_supported()
def test_validate_response_modes_supported(self):
metadata = AuthorizationServerMetadata()
metadata.validate_response_modes_supported()
# not array
metadata = AuthorizationServerMetadata(
{'response_modes_supported': 'query'})
with self.assertRaises(ValueError) as cm:
metadata.validate_response_modes_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'response_modes_supported': ['query']})
metadata.validate_response_modes_supported()
def test_validate_response_types_supported(self):
# missing
metadata = AuthorizationServerMetadata()
with self.assertRaises(ValueError) as cm:
metadata.validate_response_types_supported()
self.assertIn('required', str(cm.exception))
# not array
metadata = AuthorizationServerMetadata(
{'response_types_supported': 'code'})
with self.assertRaises(ValueError) as cm:
metadata.validate_response_types_supported()
self.assertIn('JSON array', str(cm.exception))
# valid
metadata = AuthorizationServerMetadata(
{'response_types_supported': ['code']})
metadata.validate_response_types_supported()
def test_validate_jwks_uri(self):
# can missing
metadata = AuthorizationServerMetadata()
metadata.validate_jwks_uri()
metadata = AuthorizationServerMetadata(
{'jwks_uri': 'http://authlib.org/jwks.json'})
with self.assertRaises(ValueError) as cm:
metadata.validate_jwks_uri()
self.assertIn('https', str(cm.exception))
metadata = AuthorizationServerMetadata(
{'jwks_uri': 'https://authlib.org/jwks.json'})
metadata.validate_jwks_uri()
from authlib.integrations.django_oauth2 import AuthorizationServer
from authlib.oauth2 import HttpRequest
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6750 import BearerToken
from authlib.oauth2.rfc8414 import AuthorizationServerMetadata
from oauth2_server.models import (
OAuth2Client,
OAuth2Token,
expires_generator,
refresh_token_generator,
access_token_generator,
)
class MyAuthorizationServer(AuthorizationServer):
def save_oauth2_token(self, token: dict, request: HttpRequest) -> TokenMixin:
return OAuth2Token.new(request.client, **token)
server: AuthorizationServer = MyAuthorizationServer(
client_model=OAuth2Client,
token_model=OAuth2Token,
generate_token=BearerToken(
access_token_generator=access_token_generator,
refresh_token_generator=refresh_token_generator,
expires_generator=expires_generator,
),
metadata=AuthorizationServerMetadata({}),
)