def init_oauth(app):
"""OAuth配置app"""
# 认证服务器的配置
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all grants
authorization.register_grant(grants.ImplicitGrant)
authorization.register_grant(grants.ClientCredentialsGrant)
authorization.register_grant(AuthorizationCodeGrant) # 注册 code 授权
authorization.register_grant(PasswordGrant) # 注册密码授权
authorization.register_grant(RefreshTokenGrant) # 注册 refresh token 授权
# support revocation
revocation_cls = create_revocation_endpoint(db.session, OAuth2Token)
authorization.register_endpoint(revocation_cls)
# 资源服务器的配置
# protect resource
# only bearer token is supported currently
require_oauth.register_token_validator(MyBearerTokenValidator())
def create_authorization_server(app):
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
def exists_nonce(nonce, req):
exists = AuthorizationCode.query.filter_by(client_id=req.client_id,
nonce=nonce).first()
return bool(exists)
server = AuthorizationServer(
app,
query_client=query_client,
save_token=save_token,
)
server.register_hook('exists_nonce', exists_nonce)
@app.route('/oauth/authorize', methods=['GET', 'POST'])
def authorize():
if request.method == 'GET':
user_id = request.args.get('user_id')
if user_id:
end_user = User.query.get(int(user_id))
else:
end_user = None
try:
grant = server.validate_consent_request(end_user=end_user)
return grant.prompt or 'ok'
except OAuth2Error as error:
return error.error
user_id = request.form.get('user_id')
if user_id:
grant_user = User.query.get(int(user_id))
else:
grant_user = None
return server.create_authorization_response(grant_user=grant_user)
@app.route('/oauth/token', methods=['GET', 'POST'])
def issue_token():
return server.create_token_response()
@app.route('/oauth/revoke', methods=['POST'])
def revoke_token():
return server.create_endpoint_response('revocation')
@app.route('/oauth/introspect', methods=['POST'])
def introspect_token():
return server.create_endpoint_response('introspection')
return server
def create_authorization_server(app, lazy=False):
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
if lazy:
server = AuthorizationServer()
server.init_app(app, query_client, save_token)
else:
server = AuthorizationServer(app, query_client, save_token)
server.register_hook('exists_nonce', exists_nonce)
@app.route('/oauth/authorize', methods=['GET', 'POST'])
def authorize():
if request.method == 'GET':
user_id = request.args.get('user_id')
if user_id:
end_user = User.query.get(int(user_id))
else:
end_user = None
try:
grant = server.validate_consent_request(end_user=end_user)
return grant.prompt or 'ok'
except OAuth2Error as error:
return url_encode(error.get_body())
user_id = request.form.get('user_id')
if user_id:
grant_user = User.query.get(int(user_id))
else:
grant_user = None
return server.create_authorization_response(grant_user=grant_user)
@app.route('/oauth/token', methods=['GET', 'POST'])
def issue_token():
return server.create_token_response()
@app.route('/oauth/revoke', methods=['POST'])
def revoke_token():
return server.create_endpoint_response('revocation')
@app.route('/oauth/introspect', methods=['POST'])
def introspect_token():
return server.create_endpoint_response('introspection')
return server
def config_oauth(app):
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(
app,
query_client=query_client,
save_token=save_token
)
# support all openid grants
authorization.register_grant(AuthorizationCodeGrant, [
OpenIDCode(required_nonce=True),
])
authorization.register_grant(ImplicitGrant)
authorization.register_grant(HybridGrant)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
def config_oauth(app):
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization.init_app(app,
query_client=query_client,
save_token=save_token)
# support all grants
authorization.register_grant(grants.ImplicitGrant)
authorization.register_grant(grants.ClientCredentialsGrant)
authorization.register_grant(AuthorizationCodeGrant)
authorization.register_grant(PasswordGrant)
authorization.register_grant(RefreshTokenGrant)
# support revocation
revocation_cls = create_revocation_endpoint(db.session, OAuth2Token)
authorization.register_endpoint(revocation_cls)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
require_oauth.register_token_validator(bearer_cls())
def init_app(self, app, query_client=None, save_token=None):
from app.extensions import db
if query_client is None:
query_client = create_query_client_func(db.session, OAuth2Client)
if save_token is None:
save_token = create_save_token_func(db.session, OAuth2Token)
super().init_app(app, query_client=query_client, save_token=save_token)
# support all grants
self.register_grant(grants.ImplicitGrant)
self.register_grant(grants.ClientCredentialsGrant)
self.register_grant(AuthorizationCodeGrant)
self.register_grant(PasswordGrant)
self.register_grant(RefreshTokenGrant)
# support revocation
revocation_cls = create_revocation_endpoint(db.session, OAuth2Token)
self.register_endpoint(revocation_cls)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, OAuth2Token)
OAuth2ResourceProtector.register_token_validator(bearer_cls())
self._require_oauth = OAuth2ResourceProtector()
if user.check_password(password):
return user
class RefreshTokenGrant(grants.RefreshTokenGrant):
def authenticate_refresh_token(self, refresh_token):
token = OAuth2Token.query.filter_by(refresh_token=refresh_token).first()
if token and not token.revoked and not token.is_refresh_token_expired():
return token
def authenticate_user(self, credential):
return User.query.get(credential.user_id)
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization = AuthorizationServer(
query_client=query_client,
save_token=save_token,
)
require_oauth = ResourceProtector()
def config_oauth(app):
authorization.init_app(app)
# support all grants
authorization.register_grant(grants.ImplicitGrant)
authorization.register_grant(grants.ClientCredentialsGrant)
authorization.register_grant(AuthorizationCodeGrant)
authorization.register_grant(PasswordGrant)
if user.check_password(password):
return user
class RefreshTokenGrant(grants.RefreshTokenGrant):
def authenticate_refresh_token(self, refresh_token):
item = OAuth2Token.query.filter_by(refresh_token=refresh_token).first()
if item and not item.is_refresh_token_expired():
return item
def authenticate_user(self, credential):
return User.query.get(credential.user_id)
query_client = create_query_client_func(db.session, OAuth2Client)
save_token = create_save_token_func(db.session, OAuth2Token)
authorization = AuthorizationServer(
query_client=query_client,
save_token=save_token,
)
require_oauth = ResourceProtector()
def config_oauth(app):
authorization.init_app(app)
# support all grants
authorization.register_grant(grants.ImplicitGrant)
authorization.register_grant(grants.ClientCredentialsGrant)
authorization.register_grant(AuthorizationCodeGrant)
authorization.register_grant(PasswordGrant)
)
from authlib.specs.rfc6749 import grants
from app import db
from app.models import Client, Token, User
from authlib.flask.oauth2.sqla import create_bearer_token_validator
class PasswordGrant(grants.ResourceOwnerPasswordCredentialsGrant):
def authenticate_user(self, username, password):
user = User.query.filter_by(username=username).first()
if user:
if user.check_password(password):
return user
query_client = create_query_client_func(db.session, Client)
save_token = create_save_token_func(db.session, Token)
authorization = AuthorizationServer()
require_oauth = ResourceProtector()
def config_oauth(app):
authorization.init_app(app, query_client=query_client,
save_token=save_token)
authorization.register_grant(PasswordGrant)
revocation_cls = create_revocation_endpoint(db.session, Token)
authorization.register_endpoint(revocation_cls)
# protect resource
bearer_cls = create_bearer_token_validator(db.session, Token)
require_oauth.register_token_validator(bearer_cls())
