示例#1
 def validate_registration_endpoint(self):
     """Validate the optional ``registration_endpoint`` metadata value.

     OPTIONAL.  URL of the authorization server's OAuth 2.0 Dynamic
     Client Registration endpoint [RFC7591].

     A missing or empty value is accepted.  A present value must pass
     ``is_secure_transport``; registration responses can carry client
     credentials, so the endpoint should not be reachable in plaintext.

     NOTE(review): ``is_secure_transport`` is defined outside this
     snippet, so the exact set of URLs it accepts is not visible here.
     Confirm it does not relax the "https" rule in production.

     :raises ValueError: if the URL is present and rejected by
         ``is_secure_transport``.
     """
     endpoint = self.get('registration_endpoint')
     if not endpoint:
         # Optional field: nothing to validate when absent or empty.
         return
     if not is_secure_transport(endpoint):
         raise ValueError('"registration_endpoint" MUST use "https" scheme')
示例#2
 def validate_introspection_endpoint(self):
     """Validate the optional ``introspection_endpoint`` metadata value.

     OPTIONAL.  URL of the authorization server's OAuth 2.0
     introspection endpoint [RFC7662].

     A missing or empty value is accepted.  A present value must pass
     ``is_secure_transport``, because introspection requests carry the
     token being inspected.

     NOTE(review): ``is_secure_transport`` is defined outside this
     snippet; verify which URLs it treats as secure.

     :raises ValueError: if the URL is present and rejected by
         ``is_secure_transport``.
     """
     endpoint = self.get('introspection_endpoint')
     if not endpoint:
         # Optional field: nothing to validate when absent or empty.
         return
     if is_secure_transport(endpoint):
         return
     raise ValueError(
         '"introspection_endpoint" MUST use "https" scheme')
示例#3
 def validate_jwks_uri(self):
     """Validate the optional ``jwks_uri`` metadata value.

     OPTIONAL.  URL of the authorization server's JWK Set [JWK]
     document.  The referenced document contains the signing key(s) the
     client uses to validate signatures from the authorization server.
     This URL MUST use the "https" scheme.  The JWK Set MAY also
     contain the server's encryption key or keys, which are used by
     clients to encrypt requests to the server.  When both signing and
     encryption keys are made available, a "use" (public key use)
     parameter value is REQUIRED for all keys in the referenced JWK Set
     to indicate each key's intended usage.

     Only the transport scheme of the URL is checked here.  The JWK Set
     is not fetched, and the per-key "use" requirement described above
     is not enforced by this method.

     NOTE(review): keys retrieved from this URL decide which signatures
     a client trusts, so confirm that ``is_secure_transport`` (defined
     outside this snippet) has no plaintext exception in production.

     :raises ValueError: if the URL is present and rejected by
         ``is_secure_transport``.
     """
     jwks_location = self.get('jwks_uri')
     if not jwks_location:
         # Optional field: nothing to validate when absent or empty.
         return
     if not is_secure_transport(jwks_location):
         raise ValueError('"jwks_uri" MUST use "https" scheme')
示例#4
    def validate_token_endpoint(self):
        """Validate the ``token_endpoint`` metadata value.

        URL of the authorization server's token endpoint [RFC6749]. This
        is REQUIRED unless only the implicit grant type is supported.

        The check is skipped entirely when ``grant_types_supported`` is
        exactly ``['implicit']``.  In that case a ``token_endpoint`` that
        is present is not scheme-checked either.

        NOTE(review): ``is_secure_transport`` is defined outside this
        snippet; verify which URLs it treats as secure.

        :raises ValueError: if the endpoint is required but missing, or
            is rejected by ``is_secure_transport``.
        """
        supported = self.get('grant_types_supported')
        if supported:
            only_implicit = len(supported) == 1 and supported[0] == 'implicit'
            if only_implicit:
                # Implicit-only servers never use the token endpoint.
                return

        endpoint = self.get('token_endpoint')
        if not endpoint:
            raise ValueError('"token_endpoint" is required')

        if is_secure_transport(endpoint):
            return
        raise ValueError('"token_endpoint" MUST use "https" scheme')
示例#5
    def validate_authorization_endpoint(self):
        """Validate the ``authorization_endpoint`` metadata value.

        URL of the authorization server's authorization endpoint
        [RFC6749]. This is REQUIRED unless no grant types are supported
        that use the authorization endpoint.

        When a URL is present, only its transport scheme is checked.
        When it is absent, it counts as missing only if
        ``self.grant_types_supported`` contains ``authorization_code`` or
        ``implicit``.

        NOTE(review): the grant types are read from the
        ``grant_types_supported`` attribute rather than ``self.get(...)``.
        Presumably that attribute supplies a default when the key is
        absent; confirm against the class definition.  Also confirm
        which URLs ``is_secure_transport`` (defined outside this snippet)
        treats as secure.

        :raises ValueError: if the endpoint is required but missing, or
            is present and rejected by ``is_secure_transport``.
        """
        endpoint = self.get('authorization_endpoint')
        if not endpoint:
            # Grant types that send the user agent to the authorization
            # endpoint.
            needs_endpoint = {'authorization_code', 'implicit'}
            declared = set(self.grant_types_supported)
            if not declared.isdisjoint(needs_endpoint):
                raise ValueError('"authorization_endpoint" is required')
            return

        if not is_secure_transport(endpoint):
            raise ValueError(
                '"authorization_endpoint" MUST use "https" scheme')
示例#6
    def validate_issuer(self):
        """Validate the ``issuer`` metadata value.

        REQUIRED. The authorization server's issuer identifier, which is
        a URL that uses the "https" scheme and has no query or fragment
        components.

        Three checks run in order: presence, transport scheme (via
        ``is_secure_transport``), then absence of query and fragment.

        NOTE(review): this method does not compare the issuer with the
        URL the metadata was retrieved from; that check, if performed,
        must live elsewhere.  ``is_secure_transport`` is defined outside
        this snippet, so verify which URLs it treats as secure.

        :raises ValueError: if the issuer is missing, is rejected by
            ``is_secure_transport``, or carries a query or fragment.
        """
        issuer_url = self.get('issuer')

        #: 1. REQUIRED
        if not issuer_url:
            raise ValueError('"issuer" is required')

        # Parsed before the scheme check, as in the original, so any
        # error raised by the parser itself still takes precedence.
        components = urlparse.urlparse(issuer_url)

        #: 2. uses the "https" scheme
        if not is_secure_transport(issuer_url):
            raise ValueError('"issuer" MUST use "https" scheme')

        #: 3. has no query or fragment
        # NOTE(review): the message below states the requirement; it is
        # raised when a query or fragment IS present.
        has_extra_parts = bool(components.query or components.fragment)
        if has_extra_parts:
            raise ValueError('"issuer" has no query or fragment')
示例#7
 def check(cls, uri):
     """Raise ``cls()`` when *uri* fails ``is_secure_transport``.

     Per the original docstring, the raised error is
     InsecureTransportError.  The exception is built with no arguments,
     so the offending URI is not attached to it.

     NOTE(review): the ``cls`` parameter suggests a classmethod, but no
     decorator is visible in this snippet.  ``is_secure_transport`` is
     defined elsewhere; verify which URIs it treats as secure.
     """
     if is_secure_transport(uri):
         return
     raise cls()
示例#8
 def check(cls, url):
     """Raise ``cls()`` when *url* fails ``is_secure_transport``.

     The exception is built with no arguments, so the rejected URL is
     not attached to it.

     NOTE(review): the ``cls`` parameter suggests a classmethod, but no
     decorator is visible in this snippet.  ``is_secure_transport`` is
     defined elsewhere; verify which URLs it treats as secure.
     """
     if is_secure_transport(url):
         return
     raise cls()