def validate_requested_scope(self):
"""Validate if requested scope is supported by Authorization Server."""
scope = self.request.scope
state = self.request.state
if scope:
allowed = set(
scope_to_list(self.request.client.get_allowed_scope(scope)))
requested = set(scope_to_list(scope))
if not (requested <= allowed):
raise InvalidScopeError(state=state)
return self.server.validate_requested_scope(scope, state)
def save_token(token_data, request):
requested_scopes = set(scope_to_list(token_data.get('scope', '')))
application = OAuthApplication.query.filter_by(
client_id=request.client.client_id).one()
link = OAuthApplicationUserLink.query.with_parent(application).with_parent(
request.user).first()
if link is None:
link = OAuthApplicationUserLink(application=application,
user=request.user,
scopes=requested_scopes)
else:
if not requested_scopes:
# for already-authorized apps not specifying a scope uses all scopes the
# user previously granted to the app
requested_scopes = set(link.scopes)
token_data['scope'] = list_to_scope(requested_scopes)
new_scopes = requested_scopes - set(link.scopes)
if new_scopes:
logger.info('New scopes for %r: %s', link, new_scopes)
link.update_scopes(new_scopes)
link.tokens.append(
OAuthToken(access_token=token_data['access_token'],
scopes=requested_scopes))
# get rid of old tokens if there are too many
q = (db.session.query(OAuthToken.id).with_parent(link).filter_by(
_scopes=db.cast(sorted(requested_scopes), ARRAY(db.String))).order_by(
OAuthToken.created_dt.desc()).offset(
MAX_TOKENS_PER_SCOPE).scalar_subquery())
OAuthToken.query.filter(
OAuthToken.id.in_(q)).delete(synchronize_session='fetch')
def _process_consent(self):
try:
grant = auth_server.get_consent_grant(end_user=session.user)
except OAuth2Error as error:
return render_template('oauth/authorize_errors.html',
error=error.error)
application = grant.client
if request.method == 'POST':
if 'confirm' not in request.form:
return False
logger.info('User %s authorized %s', session.user, application)
return True
elif application.is_trusted:
logger.info('User %s automatically authorized %s', session.user,
application)
return True
link = application.user_links.filter_by(user=session.user).first()
authorized_scopes = set(link.scopes) if link else set()
requested_scopes = set(scope_to_list(
grant.request.scope)) if grant.request.scope else authorized_scopes
if requested_scopes <= authorized_scopes:
return True
new_scopes = requested_scopes - authorized_scopes
return render_template(
'oauth/authorize.html',
application=application,
authorized_scopes=[
_f for _f in [SCOPES.get(s) for s in authorized_scopes] if _f
],
new_scopes=[
_f for _f in [SCOPES.get(s) for s in new_scopes] if _f
])
def is_openid_scope(scope):
scopes = scope_to_list(scope)
return scopes and 'openid' in scopes
def get_allowed_scope(self, scope):
if not scope:
return ''
allowed = set(self.allowed_scopes)
scopes = set(scope_to_list(scope))
return list_to_scope(allowed & scopes)
def get_allowed_scope(self, scope):
if not scope:
return ''
allowed = set(self.scope.split())
scopes = scope_to_list(scope)
return list_to_scope([s for s in scopes if s in allowed])
