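def post(self):
    """Handle the end-user's decision at the OAuth 2 authorization endpoint.

    Reads ``authorize``, ``response_type``, ``state`` and ``scope`` from the
    request.  Reports an authorization error when the user declined or when
    ``response_type`` is not one this endpoint issues; otherwise creates an
    authorization code and/or an access token as requested and redirects
    back to the client via ``self.authz_redirect``.

    Side effects: stores an OAuth_Authorization and/or an OAuth_Token.
    """
    if not self.validate_params():
        return
    # TODO: check for some sort of cross site request forgery? sign the request?
    # NOTE(review): nothing in this method ties the `authorize` answer to the
    # session that rendered the consent page, so the decision is not CSRF-bound.
    if self.request.get('authorize').lower() == 'no':
        self.authz_error('access_denied', "The user did not allow authorization.")
        return

    response_type = self.request.get('response_type')
    wants_code = response_type in ('code', 'code_and_token')
    wants_token = response_type in ('token', 'code_and_token')
    if not (wants_code or wants_token):
        # An unrecognised response_type used to fall through to a redirect
        # carrying neither a code nor a token; report it to the client instead.
        self.authz_error('unsupported_response_type', "Unsupported response_type.")
        return

    code = None
    if wants_code:
        ## TODO update getting the user_id
        # NOTE(review): the token branch below reads self.user.user_id() while
        # this branch reads self.user_id -- confirm which is intended.
        authorization = OAuth_Authorization(
            user_id=self.user_id,
            client_id=self.client.client_id,
            redirect_uri=self.redirect_uri,
        )
        authorization.put()
        code = authorization.serialize(state=self.request.get('state'))

    token = None
    if wants_token:
        requested_scope = self.request.get('scope')
        token_entity = OAuth_Token(
            user_id=self.user.user_id(),
            client_id=self.client.client_id,
            scope=requested_scope,
        )
        # Tokens issued directly from the authorization endpoint are stored
        # without refresh capability (can_refresh=False).
        token_entity.put(can_refresh=False)
        token = token_entity.serialize(requested_scope=requested_scope)

    self.authz_redirect(code, token)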
def handle_client_credentials(self, client, scope=None):
    """Issue a token for the ``client_credentials`` grant.

    The token carries only the client identity (no user_id) and the
    'portal' realm, is stored without refresh capability, and is then
    rendered as the token response.
    """
    issued = OAuth_Token(
        client_id=client.client_id,
        scope=scope,
        realm='portal',
    )
    issued.put(can_refresh=False)
    self.render_response(issued)
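def wrap(handler):
    """Decorate a resource handler so that it requires a valid OAuth access token.

    The token is taken from an ``Authorization: OAuth <token>`` header or,
    failing that, from the ``oauth_token`` request parameter.  ``handler`` is
    invoked as ``handler(self, token=token, *args, **kwargs)`` only when the
    token resolves to a stored, unexpired OAuth_Token whose scope equals
    ``scope``.  ``scope`` is not defined in this function; it is resolved from
    the enclosing scope (presumably an outer decorator factory -- confirm).

    Every failure is reported through ``self.render_error(400, code, message)``
    and the wrapped handler is not called.
    """
    def check_token(self, *args, **kwargs):
        try:
            auth_header = self.request.headers.get('Authorization', '')
            parts = auth_header.split()
            if parts and parts[0] == 'OAuth':
                # A bare "OAuth" header yields "no token" instead of an
                # IndexError that the broad except below would misreport.
                token = parts[1] if len(parts) > 1 else None
            else:
                token = self.request.get('oauth_token', None)
            # Log only whether a token was presented, never its value: access
            # tokens are bearer credentials and must not be written to logs.
            logging.debug("token present = %s", bool(token))
            if not token:
                self.render_error(400, 'invalid_request(1)', 'Not a valid request for an OAuth protected resource, missing TOKEN')
                return
        except Exception as e:
            self.render_error(400, 'invalid_request(2)', 'Not a valid request for an OAuth protected resource, missing TOKEN - %s' % str(e))
            return

        token = OAuth_Token.get_by_access_token(token)
        if not token:
            self.render_error(400, 'invalid_token', "This token sent is not a valid token")
            return
        if token.is_expired():
            if token.refresh_token:
                self.render_error(400, 'expired_token', 'This token has expired, use refresh token to renew.')
            else:
                self.render_error(400, 'invalid_token', 'This token is no longer valid')
            return
        # Exact scope match is required; a broader token is rejected too.
        if scope != token.scope:
            self.render_error(400, 'insufficient_scope', "This resource requires higher priveleges")
            return
        return handler(self, token=token, *args, **kwargs)

    # The decorator must hand back the checking wrapper; without this the
    # decorated handler would be None.
    return check_token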
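def handle_authorization_code(self, client, scope=None):
    """Exchange an authorization code for a token (``authorization_code`` grant).

    ``code`` and ``redirect_uri`` come from the request.  The code must resolve
    to a stored OAuth_Authorization whose ``validate()`` accepts the code, the
    redirect_uri and the authenticated client's id; otherwise an
    ``invalid_grant`` error is rendered.  On success a user-realm token is
    issued, the authorization record is deleted so the code cannot be
    presented again, and the token response is rendered.
    """
    code = self.request.get('code')
    authorization = OAuth_Authorization.get_by_code(code)
    # Do not log the code itself: until it is consumed it can be exchanged for
    # a token by whoever holds it.  Record only which client attempted the exchange.
    logging.info("authorization_code exchange attempted by client %s", client.client_id)
    redirect_uri = self.request.get('redirect_uri')
    if not authorization or not authorization.validate(code, redirect_uri, client.client_id):
        self.render_error('invalid_grant', "Authorization code expired or invalid.")
        return
    # NOTE(review): scope comes from the token request, not from the stored
    # authorization -- confirm the issued scope cannot exceed what the user approved.
    token = OAuth_Token(
        user_id=authorization.user_id,
        client_id=authorization.client_id,
        scope=scope,
        realm='user',
    )
    token.put()
    authorization.delete()
    self.render_response(token)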
def handle_refresh_token(self, client, scope=None):
    """Issue a renewed token for the ``refresh_token`` grant.

    The refresh token from the request must resolve to a stored token that
    belongs to the authenticated client; otherwise an ``invalid_grant`` error
    is rendered.  ``scope`` is accepted for signature parity with the other
    grant handlers but is not used here.
    """
    presented = self.request.get('refresh_token')
    existing = OAuth_Token.get_by_refresh_token(presented)
    owned_by_client = bool(existing) and existing.client_id == client.client_id
    if not owned_by_client:
        self.render_error('invalid_grant', "Invalid refresh token.")
        return
    # TODO: refresh token should expire along with grant according to spec
    renewed = existing.refresh()
    self.render_response(renewed)
def handle_password(self, client, scope=None):
    """Issue a token for the ``password`` grant.

    Only the *presence* of ``username`` and ``password`` is checked; the
    password is never verified (see the TODO below), so a token is issued
    for whatever username was submitted.
    """
    # Since App Engine doesn't let you programmatically auth,
    # and the local SDK environment doesn't need a password,
    # we just always grant this w/out auth
    # TODO: something better?
    submitted_user = self.request.get('username')
    submitted_password = self.request.get('password')
    credentials_missing = not (submitted_user and submitted_password)
    if credentials_missing:
        self.render_error('invalid_grant', "Invalid end-user credentials.")
        return
    issued = OAuth_Token(
        client_id=client.client_id,
        user_id=submitted_user,
        scope=scope,
    )
    issued.put()
    self.render_response(issued)