Exemplo n.º 1
0
async def validate_userinfo_params(request: Request) -> Dict[str, Any]:
    provider = get_provider(request)

    if request.method == "POST":
        req_dict = request.form
    else:
        req_dict = request.args

    access_token = None
    if "authorization" in request.headers:
        hdr = request.headers["authorization"]
        if "Bearer" in hdr:
            access_token = hdr.split()[-1]
        else:
            raise NotImplementedError(hdr)

    elif "access_token" in req_dict:
        access_token = req_dict.get("access_token")

    if not access_token:
        raise TokenError("invalid_grant")

    token = await provider.tokens.get_token_by_access_token(access_token)
    if not token:
        raise TokenError("invalid_grant")

    result = {
        "token": token,
    }

    return result
Exemplo n.º 2
0
async def well_known_finger_handler(
        request: sanic.request.Request) -> sanic.response.BaseHTTPResponse:
    provider = get_provider(request)
    scheme = get_scheme(request)

    resource = request.args.get("resource")
    rel = request.args.get("rel")
    finger_url = request.app.url_for("well_known_finger_handler",
                                     _scheme=scheme,
                                     _external=True,
                                     _server=request.host)
    issuer = "{0}://{1}".format(scheme, request.host)

    logger.info("finger for resource: {0} rel: {1}".format(resource, rel))

    try:
        resp = provider.handle_finger(resource, rel, issuer, finger_url)
        return sanic.response.json(
            resp,
            content_type="application/jrd+json",
            headers={"Access-Control-Allow-Origin": "*"})
    except Exception as err:
        logger.exception("Caught error whilst handling finger url",
                         exc_info=err)

    return sanic.response.HTTPResponse(status=500)
async def create_refresh_response_dic(
        request: sanic.request.Request, params: Dict[str,
                                                     Any]) -> Dict[str, Any]:
    provider = get_provider(request)
    # See https://tools.ietf.org/html/rfc6749#section-6

    scope_param = params["scope"]
    scope = scope_param if scope_param else params["token_obj"]["scope"]
    unauthorized_scopes = set(scope) - set(params["token_obj"]["scope"])
    if unauthorized_scopes:
        raise TokenError("invalid_scope")

    user = await provider.users.get_user_by_username(
        params["token_obj"]["user"])
    client = params["client"]

    token = provider.tokens.create_token(
        user=user,
        client=client,
        scope=scope,
        auth_time=params["token_obj"]["auth_time"],
        specific_claims=params["specific_claims"],
        expire_delta=provider.token_expire_time,
    )

    scheme = get_scheme(request)
    issuer = "{0}://{1}".format(scheme, request.host)

    # If the Token has an id_token it's an Authentication request.
    if params["token_obj"]["id_token"]:
        id_token_dic = provider.tokens.create_id_token(
            user=user,
            auth_time=token["auth_time"],
            issuer=issuer,
            client=client,
            nonce=None,
            expire_delta=provider.token_expire_time,
            at_hash=token["at_hash"],
            scope=token["scope"],
            specific_claims=token["specific_claims"],
        )
    else:
        id_token_dic = {}

    token["id_token"] = id_token_dic
    await provider.tokens.save_token(token)
    await provider.tokens.delete_token_by_access_token(
        params["token_obj"]["access_token"])

    id_token = await client.sign(id_token_dic, jwk_set=provider.jwk_set)

    dic = {
        "access_token": token["access_token"],
        "refresh_token": token["refresh_token"],
        "token_type": "bearer",
        "expires_in": provider.token_expire_time,
        "id_token": id_token,
    }

    return dic
async def create_code_response_dic(request: sanic.request.Request,
                                   params: Dict[str, Any]) -> Dict[str, Any]:
    provider = get_provider(request)
    # See https://tools.ietf.org/html/rfc6749#section-4.1

    user = await provider.users.get_user_by_username(params["code_obj"]["user"]
                                                     )
    client = params["client"]

    token = provider.tokens.create_token(
        user=user,
        client=client,
        auth_time=params["code_obj"]["auth_time"],
        scope=params["code_obj"]["scope"],
        expire_delta=provider.token_expire_time,
        specific_claims=params["code_obj"]["specific_claims"],
        code=params["code"],
    )

    scheme = get_scheme(request)
    issuer = "{0}://{1}".format(scheme, request.host)

    id_token_dic = provider.tokens.create_id_token(
        user=user,
        auth_time=token["auth_time"],
        client=client,
        issuer=issuer,
        expire_delta=provider.token_expire_time,
        nonce=params["code_obj"]["nonce"],
        at_hash=token["at_hash"],
        scope=token["scope"],
        specific_claims=token["specific_claims"],
    )

    token["id_token"] = id_token_dic
    await provider.tokens.save_token(token)
    await provider.codes.mark_used_by_id(params["code"])

    id_token = await client.sign(id_token_dic, jwk_set=provider.jwk_set)

    dic = {
        "access_token": token["access_token"],
        "refresh_token": token["refresh_token"],
        "token_type": "bearer",
        "expires_in": provider.token_expire_time,
        "id_token": id_token,
    }

    return dic
Exemplo n.º 5
0
async def jwk_handler(
        request: sanic.request.Request) -> sanic.response.BaseHTTPResponse:
    headers = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Methods": "GET, OPTIONS"
    }

    if request.method == "OPTIONS":
        return sanic.response.HTTPResponse(headers=headers)

    provider = get_provider(request)
    keys = []

    for key in provider.jwk_set:
        keys.append(key._public_params())  # so we dont get json strings

    async for client in provider.clients.all():
        for key in client.jwk:
            keys.append(key._public_params())  # so we dont get json strings

    return sanic.response.json({"keys": keys})
Exemplo n.º 6
0
async def client_register_handler(
        request: sanic.request.Request) -> sanic.response.BaseHTTPResponse:
    provider = get_provider(request)
    scheme = get_scheme(request)

    if "client_id" in request.args:
        # Client Read, check auth header
        try:
            token = request.headers["Authorization"].split("Bearer ")[-1]
            client = await provider.clients.get_client_by_access_token(token)
        except Exception:
            return sanic.response.text(
                body="",
                status=403,
                headers={"WWW-Authenticate": 'Bearer error="invalid_token"'})

        result = {
            "client_id": client.id,
            "client_secret": client.secret,
            "client_secret_expires_at": client.expires_at,
            "subject_type": client.type,
            "application_type": client.application_type,
            "response_types": client.response_types,
            "redirect_uris": client.callback_urls,
            "grant_types": client.grant_types,
            "contacts": client.contacts,
            "jwks_uri": client.jwks_url,
            "post_logout_redirect_uris": client.post_logout_redirect_urls,
            "request_uris": client.request_urls,
            # 'registration_client_uri': request.app.url_for('client_register_handler', _scheme=scheme,
            #                                                _external=True, _server=request.host,
            #                                                client_id=client_id),
            # 'registration_access_token': client.access_token,
        }
        if client.sector_identifier_uri:
            result["sector_identifier_uri"] = client.sector_identifier_uri
        if client.jwt_algo:
            result["id_token_signed_response_alg"] = client.jwt_algo
        if client.userinfo_signed_response_alg:
            result[
                "userinfo_signed_response_alg"] = client.userinfo_signed_response_alg

        status = 201

    else:
        if not provider.open_client_registration and not await provider.clients.auth_client_registration(
                request):
            return sanic.response.HTTPResponse(status=403)

        if not request.json or "redirect_uris" not in request.json:
            logger.warning("Did not provide any JSON or redirect_uris")
            result = {
                "error": "invalid_client_metadata",
                "error_description": "Invalid metadata"
            }
            return sanic.response.json(result, status=400)

        client_id = uuid.uuid4().hex[:16]
        client_name = request.json.get("client_name", client_id)
        client_secret = uuid.uuid4().hex
        client_secret_expires_at = 1577858400  # 1st jan 2020

        application_type = request.json.get("application_type")
        response_types = request.json.get("response_types",
                                          frozenset(["code"]))
        scopes = request.json.get("scope", ["openid"])
        redirect_uris = request.json.get("redirect_uris", [])
        grant_types = request.json.get("grant_types")
        contacts = request.json.get("contacts")
        jwks_uri = request.json.get("jwks_uri")
        jwks = request.json.get("jwks")
        post_logout_redirect_uris = request.json.get(
            "post_logout_redirect_uris")
        request_uris = request.json.get("request_uris")
        prompt = request.json.get("prompt",
                                  frozenset(["none", "login", "consent"]))
        sector_identifier_uri = request.json.get("sector_identifier_uri")
        subject_type = request.json.get("subject_type", "public")
        logo_uri = request.json.get("logo_uri")
        policy_uri = request.json.get("policy_uri")
        tos_uri = request.json.get("tos_uri")

        if isinstance(scopes, str):
            scopes = set(scopes.split())
        scopes.add("openid")
        # TODO request_object_signing_alg
        #

        require_consent = request.json.get("require_consent") is True
        reuse_consent = request.json.get("reuse_consent") is True
        id_token_signed_response_alg = request.json.get(
            "id_token_signed_response_alg")
        userinfo_signed_response_alg = request.json.get(
            "userinfo_signed_response_alg")
        userinfo_encrypted_response_alg = request.json.get(
            "userinfo_encrypted_response_alg")
        userinfo_encrypted_response_enc = request.json.get(
            "userinfo_encrypted_response_enc")

        for url in redirect_uris:
            if "#" in url:
                # NO BAD, shouldnt have fragments in url
                result = {
                    "error": "invalid_redirect_uri",
                    "error_description": "Bad redirect uri {0}".format(url)
                }
                return sanic.response.json(result, status=400)

        # Validate sector_identifier_uri, must contain a superset of redirect_uris
        if sector_identifier_uri:
            try:
                async with aiohttp.ClientSession() as session:
                    logger.info("Getting Sector Identifier URI {0}".format(
                        sector_identifier_uri))
                    async with session.get(sector_identifier_uri) as resp:
                        sector_json = await resp.json()
                        if not isinstance(sector_json, list):
                            raise Exception(
                                "sector identifier json is not a list")

                        invalid_uris = set(redirect_uris) - set(sector_json)
                        if invalid_uris:
                            raise Exception(
                                "Invalid redirect uris: {0}".format(
                                    invalid_uris))

            except Exception as err:
                logger.warning(
                    "Failed to get sector identifier uri: {0}".format(err))
                result = {
                    "error":
                    "invalid_client_metadata",
                    "error_description":
                    "Failed to validate sector identifier uri, {0}".format(
                        err),
                }
                return sanic.response.json(result, status=400)

        success, data = await provider.clients.add_client(
            id_=client_id,
            name=client_name,
            type_=subject_type,
            secret=client_secret,
            scopes=scopes,
            callback_urls=redirect_uris,
            require_consent=require_consent,
            reuse_consent=reuse_consent,
            response_types=response_types,
            application_type=application_type,
            contacts=contacts,
            expires_at=client_secret_expires_at,
            grant_types=grant_types,
            jwks_url=jwks_uri,
            jwt_algo=id_token_signed_response_alg,
            prompts=prompt,
            post_logout_redirect_urls=post_logout_redirect_uris,
            request_urls=request_uris,
            sector_identifier_uri=sector_identifier_uri,
            userinfo_signed_response_alg=userinfo_signed_response_alg,
            userinfo_encrypted_response_alg=userinfo_encrypted_response_alg,
            userinfo_encrypted_response_enc=userinfo_encrypted_response_enc,
            logo_uri=logo_uri,
            policy_uri=policy_uri,
            tos_uri=tos_uri,
            jwks=jwks,
        )

        if success:
            client: Client = data

            result = {
                "client_id":
                client_id,
                "client_secret":
                client_secret,
                "client_secret_expires_at":
                client_secret_expires_at,
                "subject_type":
                "confidential",
                "application_type":
                application_type,
                "response_types":
                response_types,
                "redirect_uris":
                redirect_uris,
                "grant_types":
                grant_types,
                "contacts":
                contacts,
                "jwks_uri":
                jwks_uri,
                "post_logout_redirect_uris":
                post_logout_redirect_uris,
                "request_uris":
                request_uris,
                "registration_client_uri":
                request.app.url_for("client_register_handler",
                                    _scheme=scheme,
                                    _external=True,
                                    _server=request.host,
                                    client_id=client_id),
                "registration_access_token":
                client.access_token,
                # 'token_endpoint_auth_method': 'client_secret_basic'
            }
            if sector_identifier_uri:
                result["sector_identifier_uri"] = sector_identifier_uri
            if id_token_signed_response_alg:
                result[
                    "id_token_signed_response_alg"] = id_token_signed_response_alg
            if logo_uri:
                result["logo_uri"] = logo_uri
            if tos_uri:
                result["tos_uri"] = tos_uri
            if policy_uri:
                result["policy_uri"] = policy_uri

            status = 201
        else:
            result = {
                "error": "invalid_client_metadata",
                "error_description": data
            }
            status = 500

    return sanic.response.json(result,
                               headers={
                                   "Cache-Control": "no-store",
                                   "Pragma": "no-cache"
                               },
                               status=status)
Exemplo n.º 7
0
async def userinfo_handler(
        request: sanic.request.Request) -> sanic.response.BaseHTTPResponse:
    headers = {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Headers": "Authorization",
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    }

    if request.method == "OPTIONS":
        return sanic.response.HTTPResponse(headers=headers)

    provider = get_provider(request)

    try:
        params = await validate_userinfo_params(request)
        token = params["token"]

        client = await provider.clients.get_client_by_id(token["client"])

        if token.get("specific_claims", {}) is None:
            specific_claims = {}
        else:
            specific_claims = token["specific_claims"]

        specific_claims = specific_claims.get("userinfo", {}).keys()
        claims = await provider.users.get_claims_for_user_by_scope(
            token["user"], token["scope"], specific_claims)

        result = {"sub": token["user"]}
        result.update(claims)

        if client.userinfo_signed_response_alg:
            # Sign response
            result = await client.jws_sign(
                result,
                algo=client.userinfo_signed_response_alg,
                jwk_set=provider.jwk_set)

        if client.userinfo_encrypted_response_alg:
            # Encrypt response
            result = await client.jws_encrypt(
                result,
                alg=client.userinfo_encrypted_response_alg,
                enc=client.userinfo_encrypted_response_enc,
                jwk_set=None,
            )

        if isinstance(result, str):
            headers.update({
                "Cache-Control": "no-store",
                "Pragma": "no-cache",
                "Content-Type": "application/jwt"
            })

            # If we no longer have plain json, its most likely a JWT of sorts
            return sanic.response.HTTPResponse(body=result, headers=headers)
        else:
            headers.update({"Cache-Control": "no-store", "Pragma": "no-cache"})

            return sanic.response.json(result, headers=headers)

    except TokenError as error:
        return sanic.response.json(error.create_dict(),
                                   status=400,
                                   headers=headers)
async def create_authorize_response_params(
        request: sanic.request.Request, params: Dict[str, Any],
        user: Dict[str, Any]) -> Tuple[dict, dict]:
    provider = get_provider(request)
    client = params["client"]

    uri = urlsplit(params["redirect_uri"])
    query_params = parse_qs(uri.query)
    query_fragment = {}

    try:
        if params["grant_type"] in ("authorization_code", "hybrid"):
            code = await provider.codes.create_code(
                client=client,
                user=user,
                scopes=params["scopes"],
                code_expire=int(provider.code_expire_time),
                nonce=params["nonce"],
                code_challenge=params["code_challenge"],
                code_challenge_method=params["code_challenge_method"],
                specific_claims=params["specific_claims"],
            )

        if params["grant_type"] == "authorization_code":
            # noinspection PyUnboundLocalVariable
            query_params["code"] = code["code"]
            query_params["state"] = params["state"]

        elif params["grant_type"] in ["implicit", "hybrid"]:
            token = provider.tokens.create_token(
                user=user,
                client=client,
                auth_time=user["auth_time"],
                scope=params["scopes"],
                expire_delta=provider.token_expire_time,
                specific_claims=params["specific_claims"],
            )

            # Check if response_type must include access_token in the response.
            if params["response_type"] in ("id_token token", "token",
                                           "code token",
                                           "code id_token token"):
                query_fragment["access_token"] = token["access_token"]

            # We don't need id_token if it's an OAuth2 request.
            if "openid" in params["scopes"]:
                scheme = get_scheme(request)
                issuer = "{0}://{1}".format(scheme, request.host)

                kwargs = {
                    "auth_time": token["auth_time"],
                    "user": user,
                    "client": client,
                    "issuer": issuer,
                    "expire_delta": provider.token_expire_time,
                    "nonce": params["nonce"],
                    "at_hash": token["at_hash"],
                    "scope": params["scopes"],
                    "specific_claims": params["specific_claims"],
                }
                # Include at_hash when access_token is being returned.
                if "access_token" in query_fragment:
                    kwargs["at_hash"] = token["at_hash"]
                id_token_dic = provider.tokens.create_id_token(**kwargs)

                # Check if response_type must include id_token in the response.
                if params["response_type"] in ("id_token", "id_token token",
                                               "code id_token",
                                               "code id_token token"):

                    query_fragment["id_token"] = await client.sign(
                        id_token_dic, jwk_set=provider.jwk_set)
            else:
                id_token_dic = {}

            # Store the token.
            token["id_token"] = id_token_dic
            await provider.tokens.save_token(token)

            # Code parameter must be present if it's Hybrid Flow.
            if params["grant_type"] == "hybrid":
                # noinspection PyUnboundLocalVariable
                query_fragment["code"] = code["code"]

            query_fragment["token_type"] = "bearer"
            query_fragment["expires_in"] = provider.token_expire_time
            query_fragment["state"] = params["state"]

    except Exception as err:
        logger.exception("Failed whilst creating authorize response",
                         exc_info=err)
        raise AuthorizeError(params["redirect_uri"], "server_error",
                             params["grant_type"])

    query_params = {key: value for key, value in query_params.items() if value}
    query_fragment = {
        key: value
        for key, value in query_fragment.items() if value
    }

    return query_params, query_fragment
async def authorize_handler(
        request: sanic.request.Request) -> sanic.response.BaseHTTPResponse:
    provider = get_provider(request)

    # TODO split out based on response_type

    try:
        params = await validate_authorize_params(request, provider)

        if await provider.users.is_authenticated(request):
            user = await provider.users.get_user(request)

            if "login" in params["prompt"]:
                if "none" in params["prompt"]:
                    # If login and none in prompt arg
                    logger.warning("login prompt along with none prompt")
                    raise AuthorizeError(params["redirect_uri"],
                                         "login_required",
                                         params["grant_type"])
                else:
                    # If login is in prompt arg
                    request.ctx.session.clear()
                    next_page = strip_prompt_login(get_request_url(request))
                    return redirect(
                        request.app.url_for(provider.login_function_name,
                                            next=next_page))

            if "select_account" in params["prompt"]:
                if "none" in params["prompt"]:
                    logger.warning(
                        "select_account prompt along with none prompt")
                    raise AuthorizeError(params["redirect_uri"],
                                         "account_selection_required",
                                         params["grant_type"])
                else:
                    request.ctx.session.clear()
                    return redirect(
                        request.app.url_for(provider.login_function_name,
                                            next=get_request_url(request)))

            if {
                    "none", "consent"
            } <= params["prompt"]:  # Tests if both none and consent in prompt
                logger.warning("consent prompt along with none prompt")
                raise AuthorizeError(params["redirect_uri"],
                                     "consent_required", params["grant_type"])

            implicit_flow_resp_types = {"id_token", "id_token token"}
            allow_skipping_consent = (
                params["client"].type in ("public", "pairwise")
                or params["response_type"] in implicit_flow_resp_types)

            if not params[
                    "client"].require_consent and allow_skipping_consent and "consent" not in params[
                        "prompt"]:
                # If you dont require consent, and consent is allowed to be skipped
                # (aka type=confidential), and consent hasn't been requested
                query_params, query_fragment = await create_authorize_response_params(
                    request, params, user)

                if params["response_mode"] == "form_post":
                    # We've been requested to auto-post form data
                    logger.info(
                        "skipped consent, doing form-autosubmit for {0}".
                        format(params["client"].name))
                    return await request.app.extensions["jinja2"].render_async(
                        provider.autosubmit_html,
                        request,
                        form_url=params["redirect_uri"],
                        query_params=query_params,
                        query_fragment=query_fragment,
                    )
                else:
                    # Standard 302 redirect
                    logger.info(
                        "skipped consent, doing 302 redirect for {0}".format(
                            params["client"].name))
                    return redirect(
                        create_authorize_response_uri(params["redirect_uri"],
                                                      query_params,
                                                      query_fragment))

            # We require consent
            if params["client"].reuse_consent:
                # Allowing prior consent to be reused
                if user["consent"] and allow_skipping_consent and "consent" not in params[
                        "prompt"]:
                    # If user has already given consent, and consent not requested
                    query_params, query_fragment = await create_authorize_response_params(
                        request, params, user)

                    if params["response_mode"] == "form_post":
                        # We've been requested to auto-post form data
                        logger.info(
                            "reusing consent, doing form-autosubmit for {0}".
                            format(params["client"].name))
                        return await request.app.extensions[
                            "jinja2"].render_async(
                                provider.autosubmit_html,
                                request,
                                form_url=params["redirect_uri"],
                                query_params=query_params,
                                query_fragment=query_fragment,
                            )
                    else:
                        # Standard 302 redirect
                        logger.info(
                            "reusing consent, doing 302 redirect for {0}".
                            format(params["client"].name))
                        return redirect(
                            create_authorize_response_uri(
                                params["redirect_uri"], query_params,
                                query_fragment))

            if "none" in params["prompt"]:
                # Return consent_required
                logger.info("none prompt, giving up")
                raise AuthorizeError(params["redirect_uri"],
                                     "consent_required", params["grant_type"])

            # Generate hidden inputs for the form.
            hidden_params = {
                "client_id": params["client"].id,
                "redirect_uri": params["redirect_uri"],
                "grant_type": params["grant_type"],
                "response_type": params["response_type"],
                "scope": params["scopes"],
                "state": params["state"],
                "nonce": params["nonce"],
                "prompt": " ".join(list(params["prompt"])),
            }
            if params["code_challenge"]:
                hidden_params["code_challenge"] = params["code_challenge"]
                hidden_params["code_challenge_method"] = params[
                    "code_challenge_method"]
            if params["response_mode"]:
                hidden_params["response_mode"] = params["response_mode"]
            if params["max_age"]:
                hidden_params["max_age"] = params["max_age"]
            hidden_inputs = await request.app.extensions[
                "jinja2"].render_string_async(provider.hidden_inputs_html,
                                              request,
                                              params=hidden_params)

            # Remove `openid` from scope list since we don't need to print it.
            try:
                params["scopes"].remove("openid")
            except ValueError:
                pass

            context = {
                "client_name": params["client"].name,
                "form_url": request.path,
                "hidden_inputs": hidden_inputs,
                "scopes": params["scopes"],
            }

            # Show authorize html page #TODO allow it to be customised
            logger.info("showing consent for {0}".format(
                params["client"].name))
            return await request.app.extensions["jinja2"].render_async(
                provider.authorize_html, request, **context)

        else:
            # Not logged in
            if "none" in params["prompt"]:
                # Cant prompt, raise error
                logger.warning("Not logged in, prompt=none, error")
                raise AuthorizeError(params["redirect_uri"], "login_required",
                                     params["grant_type"])

            logger.warning("Not logged in, redirecting to login page")

            if "login" in params["prompt"]:
                # Can prompt, redirect them to login page
                next_page = strip_prompt_login(get_request_url(request))
                return redirect(
                    request.app.url_for(provider.login_function_name,
                                        next=next_page))

            # Nothing in prompt, so default to redirecting to login page
            return redirect(
                request.app.url_for(provider.login_function_name,
                                    next=get_request_url(request)))

    except (ClientIdError, RedirectUriError) as err:

        context = {"error": err.error, "description": err.description}
        return await request.app.extensions["jinja2"].render_async(
            provider.error_html, request, **context)

    except AuthorizeError as err:

        if request.method == "POST":
            req_dict = request.form
        else:
            req_dict = request.args

        state = req_dict.get("state")
        response_mode = req_dict.get("response_mode")

        if response_mode == "form_post":
            return await request.app.extensions["jinja2"].render_async(
                provider.autosubmit_html,
                request,
                form_url=err.redirect_uri,
                query_params={
                    "error": err.error,
                    "error_description": err.description
                },
                query_fragment={},
            )
        else:
            uri = err.create_uri(err.redirect_uri, state)
            return redirect(uri)
async def validate_token_params(
        request: sanic.request.Request) -> Dict[str, Any]:
    provider = get_provider(request)

    if request.method == "POST":
        req_dict = request.form
    else:
        req_dict = request.args

    client_assertion_type = req_dict.get("client_assertion_type")
    client_assertion = req_dict.get("client_assertion")

    if client_assertion_type and client_assertion_type == "urn:ietf:params:oauth:client-assertion-type:jwt-bearer":
        header = jwt.get_unverified_header(client_assertion)
        audience = "{0}://{1}{2}".format(get_scheme(request), request.host,
                                         request.path)

        # TODO maintain central collection of client jwts
        if "kid" in header:
            # Asymetric signing
            temp_jwt_token = jwt.decode(client_assertion, verify=False)
            client = await provider.clients.get_client_by_id(
                temp_jwt_token["sub"])
            jwt_key = client.jwk.get_key(header.get("kid"))

            try:
                jwt.decode(client_assertion,
                           jwt_key.export_to_pem(),
                           algorithms=[header["alg"]],
                           audience=audience)
                # By it not erroring, its successfully verified
            except Exception as err:
                logger.exception("Invalid key id", exc_info=err)
                raise TokenError("invalid_client")

        else:
            # HMAC with client secret
            temp_jwt_token = jwt.decode(client_assertion, verify=False)
            client = await provider.clients.get_client_by_id(
                temp_jwt_token["sub"])

            try:
                jwt.decode(client_assertion,
                           client.secret,
                           algorithms=[header["alg"]],
                           audience=audience)
                # By it not erroring, its successfully verified
            except Exception as err:
                logger.exception("Invalid key id", exc_info=err)
                raise TokenError("invalid_client")

    else:
        client_id = req_dict.get("client_id")
        client_secret = req_dict.get("client_secret", "")
        if "authorization" in request.headers and not client_id:
            hdr = request.headers["authorization"]
            if "Basic" in hdr:
                client_id, client_secret = base64.b64decode(
                    hdr.split()[-1].encode()).decode().split(":")
            else:
                raise NotImplementedError(hdr)

        client = await provider.clients.get_client_by_id(client_id)
        if not client_id:
            raise TokenError("invalid_client")

    if not client:
        raise TokenError("invalid_client")

    specific_claims = req_dict.get("claims")
    if specific_claims:
        try:
            specific_claims = json.loads(specific_claims)
        except Exception as err:
            logger.exception("Failed to decode specific claims", exc_info=err)

    result = {
        "client": client,
        "grant_type": req_dict.get("grant_type", ""),
        "code": req_dict.get("code", ""),
        "state": req_dict.get("state", ""),
        "scope": req_dict.get("scope", ""),
        "redirect_uri": req_dict.get("redirect_uri", ""),
        "refresh_token": req_dict.get("refresh_token", ""),
        "code_verifier": req_dict.get("code_verifier"),
        "username": req_dict.get("username", ""),
        "password": req_dict.get("password", ""),
        "specific_claims": specific_claims,
    }

    # if client.type == 'confidential' and client_secret != client.secret:
    #     raise TokenError('invalid_client')

    if result["grant_type"] == "authorization_code":
        if result["redirect_uri"] not in client.callback_urls:
            raise TokenError("invalid_client")

        code = await provider.codes.get_by_id(result["code"])

        if not code:
            raise TokenError("invalid_grant")

        if code["used"]:
            await provider.tokens.delete_token_by_code(result["code"])
            raise TokenError("invalid_grant")

        if code["client"] != client.id:
            raise TokenError("invalid_grant")

        if result["code_verifier"]:
            if code["code_challenge_method"] == "S256":
                new_code_challenge = (base64.urlsafe_b64encode(
                    hashlib.sha256(result["code_verifier"].encode(
                        "ascii")).digest()).decode("utf-8").replace("=", ""))
            else:
                new_code_challenge = result["code_verifier"]

            if new_code_challenge != code["code_challenge"]:
                raise TokenError("invalid_grant")

        result["code_obj"] = code

    elif result["grant_type"] == "password":
        if not provider.allow_grant_type_password:
            raise TokenError("unsupported_grant_type")

        # TODO authenticate username/password
        # result['username'] result['password']
        user = False

        if not user:
            raise UserAuthError()

        result["user_obj"] = user

    elif result["grant_type"] == "client_credentials":
        # TODO not sure about this
        raise NotImplementedError()

    elif result["grant_type"] == "refresh_token":
        if not result["refresh_token"]:
            logger.warning("No refresh token")
            raise TokenError("invalid_grant")

        token = await provider.tokens.get_token_by_refresh_token(
            result["refresh_token"])
        if not token:
            raise TokenError("invalid_grant")

        result["token_obj"] = token

    return result