def config_oauth(app): query_client = create_query_client_func(db.session, OAuth2Client) save_token = create_save_token_func(db.session, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) # support all openid grants authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=True), ]) #authorization.register_grant(ImplicitGrant) #authorization.register_grant(OpenIDImplicitGrant) #authorization.register_grant(HybridGrant) #authorization.register_grant(grants.ClientCredentialsGrant) #authorization.register_grant(RefreshTokenGrant) #authorization.register_grant(PasswordGrant) # protect resource bearer_cls = create_bearer_token_validator(db.session, OAuth2Token) require_oauth.register_token_validator(bearer_cls()) # support revocation revocation_cls = create_revocation_endpoint(db.session, OAuth2Token) authorization.register_endpoint(revocation_cls)
def create_authorization_server(app, lazy=False): query_client = create_query_client_func(db.session, Client) save_token = create_save_token_func(db.session, Token) if lazy: server = AuthorizationServer() server.init_app(app, query_client, save_token) else: server = AuthorizationServer(app, query_client, save_token) @app.route('/oauth/authorize', methods=['GET', 'POST']) def authorize(): if request.method == 'GET': user_id = request.args.get('user_id') if user_id: end_user = User.query.get(int(user_id)) else: end_user = None try: grant = server.get_consent_grant(end_user=end_user) return grant.prompt or 'ok' except OAuth2Error as error: return url_encode(error.get_body()) user_id = request.form.get('user_id') if user_id: grant_user = User.query.get(int(user_id)) else: grant_user = None return server.create_authorization_response(grant_user=grant_user) @app.route('/oauth/token', methods=['GET', 'POST']) def issue_token(): return server.create_token_response() return server
def init_app(app, db): query_client = create_query_client_func(db.session, Client) save_token = create_save_token_func(db.session, Token) server.init_app(app, query_client=query_client, save_token=save_token) import logging import sys log = logging.getLogger('authlib') log.addHandler(logging.StreamHandler(sys.stdout)) log.setLevel(logging.DEBUG) # Register grants server.register_grant(grants.ImplicitGrant) server.register_grant(PasswordGrant) server.register_grant(AuthorizationCodeGrant)
def config_oauth(app): query_client = create_query_client_func(db.session, OAuth2Client) save_token = create_save_token_func(db.session, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) # support all openid grants authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=True), ]) authorization.register_grant(ImplicitGrant) authorization.register_grant(HybridGrant) # protect resource bearer_cls = create_bearer_token_validator(db.session, OAuth2Token) require_oauth.register_token_validator(bearer_cls())
def __init__(self, app=None): super().__init__(app, query_client=create_query_client_func(db.session, Client), save_token=create_save_token_func(db.session, Token)) # register it to grant endpoint self.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=True), CodeChallenge(required=True) ]) # register it to grant endpoint self.register_grant(grants.ImplicitGrant) # register it to grant endpoint self.register_grant(PasswordGrant) # register it to grant endpoint self.register_grant(ClientCredentialsGrant) # register it to grant endpoint self.register_grant(RefreshTokenGrant)
def config_oauth(app): '''Setup the application configuration''' query_client = create_query_client_func(db, OAuth2Client) save_token = create_save_token_func(db, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=True), ]) authorization.register_grant(RefreshTokenGrant) authorization.register_endpoint(IntrospectionEndpoint) revocation_cls = create_revocation_endpoint(db, OAuth2Token) authorization.register_endpoint(revocation_cls) bearer_cls = create_bearer_token_validator(db, OAuth2Token) require_oauth.register_token_validator(bearer_cls())
def config_oauth(app): require_oauth = ResourceProtector() authorization = AuthorizationServer() query_client = create_query_client_func(db.session, OAuth2Client) save_token = create_save_token_func(db.session, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) # support all openid grants authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=True, **app.config['OAUTH_JWT_CONFIG']), ]) authorization.register_grant(HybridGrant) # protect resource bearer_cls = create_bearer_token_validator(db.session, OAuth2Token) require_oauth.register_token_validator(bearer_cls()) register_as_extension(app, 'authorization', authorization) register_as_extension(app, 'require_oauth', require_oauth)
def config_oauth(app): """ configure all grants we have (namely open id and oauth2) in authlib """ query_client = create_query_client_func(database.session, OAuth2Client) save_token = create_save_token_func(database.session, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) # support all openid grants authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(), ]) authorization.register_grant(ImplicitGrant) authorization.register_grant(HybridGrant) # protect resource bearer_cls = create_bearer_token_validator(database.session, OAuth2Token) require_oauth.register_token_validator(bearer_cls())
def config_oauth(app): """Initialize authorization server, and register suportted authorization grant types For more information, please refer to https://docs.authlib.org/en/latest/flask/2/authorization-server.html#server """ query_client = create_query_client_func(auth_db.session, OAuth2Client) save_token = save_token = create_save_token_func(auth_db.session, OAuth2Token) authorization.init_app(app, query_client=query_client, save_token=save_token) # Register Authorization code grant types authorization.register_grant(AuthorizationCodeGrant, [ OpenIDCode(require_nonce=False), ]) # protect resource bearer_cls = create_bearer_token_validator(auth_db.session, OAuth2Token) require_oauth.register_token_validator(bearer_cls())
current_app.logger.debug("refresh token grant") token = OAuth2Token.query.filter_by(refresh_token=refresh_token).first() if token and not token.revoked and not token.is_refresh_token_expired(): return token def authenticate_user(self, credential): current_app.logger.debug("auth user grant user") return User.query.get(credential.user_id) class ClientCredentialsGrant(grants.ClientCredentialsGrant): TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post"] query_client = create_query_client_func(db.session, OAuth2Client) save_token = create_save_token_func(db.session, OAuth2Token) authorization = AuthorizationServer(query_client=query_client, save_token=save_token) require_oauth = ResourceProtector() def config_oauth(app): print(" * OAuth init") authorization.init_app(app) # support all grants authorization.register_grant(grants.ImplicitGrant) authorization.register_grant(ClientCredentialsGrant) authorization.register_grant(AuthorizationCodeGrant) authorization.register_grant(PasswordGrant) authorization.register_grant(RefreshTokenGrant)
from auth import AuthorizationCodeGrant, OpenIDCode app = Flask(__name__) # Load configuration--default, then custom. Path to latter set in Dockerfile. app.config.from_object('default_settings') app.config.from_envvar('PATH_TO_APP_CONFIG') # Configure app to work with SQLAlchemy db.init_app(app) # Create tables. # SQLAlchemy object not bound to app, so pass in app as arg. # Alternatively could push an app context. db.create_all(app=app) query_client = create_query_client_func(db.session, Client) save_token = create_save_token_func(db.session, Token) server = AuthorizationServer(app, query_client=query_client, save_token=save_token) # register AuthorizationCodeGrant to grant endpoint server.register_grant(AuthorizationCodeGrant, [OpenIDCode(require_nonce=False)]) def get_or_create_shib_user(): if request.remote_user: user = User.query.filter( User.shib_id == request.remote_user).one_or_none()
def create_authorization_server(app): query_client = create_query_client_func(db, Client) save_token = create_save_token_func(db, Token) server = AuthorizationServer() server.init_app(app, query_client, save_token) @app.get("/oauth/authorize") def authorize_get(request: Request): user_id = request.query_params.get("user_id") request.body = {} if user_id: end_user = db.query(User).filter(User.id == int(user_id)).first() else: end_user = None try: grant = server.validate_consent_request(request=request, end_user=end_user) return grant.prompt or "ok" except OAuth2Error as error: return url_encode(error.get_body()) @app.post("/oauth/authorize") def authorize_post( request: Request, response_type: str = Form(None), client_id: str = Form(None), state: str = Form(None), scope: str = Form(None), nonce: str = Form(None), redirect_uri: str = Form(None), response_mode: str = Form(None), user_id: str = Form(None), ): if not user_id: user_id = request.query_params.get("user_id") request.body = {"user_id": user_id} if response_type: request.body.update({"response_type": response_type}) if client_id: request.body.update({"client_id": client_id}) if state: request.body.update({"state": state}) if nonce: request.body.update({"nonce": nonce}) if scope: request.body.update({"scope": scope}) if redirect_uri: request.body.update({"redirect_uri": redirect_uri}) if response_mode: request.body.update({"response_mode": response_mode}) if user_id: grant_user = db.query(User).filter(User.id == int(user_id)).first() else: grant_user = None return server.create_authorization_response(request=request, grant_user=grant_user) @app.api_route("/oauth/token", methods=["GET", "POST"]) def issue_token( request: Request, grant_type: str = Form(None), scope: str = Form(None), code: str = Form(None), refresh_token: str = Form(None), code_verifier: str = Form(None), client_id: str = Form(None), client_secret: str = Form(None), device_code: str = Form(None), client_assertion_type: str = Form(None), client_assertion: str = Form(None), assertion: str = Form(None), username: str = Form(None), password: str = Form(None), redirect_uri: str = Form(None), ): request.body = { "grant_type": grant_type, "scope": scope, } if not grant_type: grant_type = request.query_params.get("grant_type") request.body.update({"grant_type": grant_type}) if grant_type == "authorization_code": request.body.update({"code": code}) elif grant_type == "refresh_token": request.body.update({"refresh_token": refresh_token}) if code_verifier: request.body.update({"code_verifier": code_verifier}) if client_id: request.body.update({"client_id": client_id}) if client_secret: request.body.update({"client_secret": client_secret}) if device_code: request.body.update({"device_code": device_code}) if client_assertion_type: request.body.update( {"client_assertion_type": client_assertion_type}) if client_assertion: request.body.update({"client_assertion": client_assertion}) if assertion: request.body.update({"assertion": assertion}) if redirect_uri: request.body.update({"redirect_uri": redirect_uri}) if username: request.body.update({"username": username}) if password: request.body.update({"password": password}) return server.create_token_response(request=request) return server