def validate_token_request(self, request):
# REQUIRED. Value MUST be set to "refresh_token".
if request.grant_type != 'refresh_token':
raise errors.UnsupportedGrantTypeError()
if request.refresh_token is None:
raise errors.InvalidRequestError(
description='Missing refresh token parameter.')
# Because refresh tokens are typically long-lasting credentials used to
# request additional access tokens, the refresh token is bound to the
# client to which it was issued. If the client type is confidential or
# the client was issued client credentials (or assigned other
# authentication requirements), the client MUST authenticate with the
# authorization server as described in Section 3.2.1.
# http://tools.ietf.org/html/rfc6749#section-3.2.1
if not self.request_validator.authenticate_client(request):
raise errors.AccessDeniedError()
# OPTIONAL. The scope of the access request as described by
# Section 3.3. The requested scope MUST NOT include any scope
# not originally granted by the resource owner, and if omitted is
# treated as equal to the scope originally granted by the
# resource owner.
if not self.request_validator.confirm_scopes(request.refresh_token,
request.scopes):
raise errors.InvalidScopeError(state=request.state)
# REQUIRED. The refresh token issued to the client.
if not self.request_validator.validate_refresh_token(
request.refresh_token, request.client):
raise errors.InvalidRequestError()
def create_token_response(self,
uri,
http_method='GET',
body=None,
headers=None):
"""Extract grant_type and route to the designated handler."""
request = Request(uri,
http_method=http_method,
body=body,
headers=headers)
query_params = params_from_uri(request.uri)
body_params = self.request.decoded_body
# Prioritize grant_type defined as body param over those in uri.
# Chosen because all three core grant types supply this parameter
# in the body. However it is not specified explicitely in RFC 6748.
if 'grant_type' in body_params:
request.grant_type = query_params.get('grant_type')
elif 'grant_type' in query_params:
request.grant_type = body_params.get('grant_type')
else:
raise errors.InvalidRequestError(
description='The grant_type parameter is missing.')
if not request.grant_type in self.grant_types:
raise errors.UnsupportedGrantTypeError(
description='Invalid response type')
return self.grant_types.get(request.grant_type).create_token_response(
request, self.default_token)
def create_authorization_response(self,
uri,
http_method='GET',
body=None,
headers=None):
"""Extract response_type and route to the designated handler."""
request = Request(uri,
http_method=http_method,
body=body,
headers=headers)
query_params = params_from_uri(request.uri)
body_params = request.decoded_body
# Prioritize response_type defined as query param over those in body.
# Chosen because the two core grant types utilizing the response type
# parameter both supply it in the uri. However it is not specified
# explicitely in RFC 6748.
if 'response_type' in query_params:
request.response_type = query_params.get('response_type')
elif 'response_type' in body_params:
request.response_type = body_params.get('response_type')
else:
raise errors.InvalidRequestError(
description='The response_type parameter is missing.')
if not request.response_type in self.response_types:
raise errors.UnsupportedResponseTypeError(
description='Invalid response type')
return self.response_types.get(
request.response_type).create_authorization_response(
request, self.default_token)
def validate_token_request(self, request):
if not getattr(request, 'grant_type'):
raise errors.InvalidRequestError('Request is issing grant type.')
if not request.grant_type == 'client_credentials':
raise errors.UnsupportedGrantTypeError()
self.request_validator.validate_request_scopes(request)
def test_missing_type(self):
uri = 'http://i.b/l?client_id=me&scope=all+of+them'
uri += '&redirect_uri=http%3A%2F%2Fback.to%2Fme'
self.mock_validator.validate_request = mock.MagicMock(
side_effect=errors.InvalidRequestError())
uri, headers, body, status_code = self.endpoint.create_authorization_response(
uri, scopes=['all', 'of', 'them'])
self.assertURLEqual(
uri,
'http://back.to/me?error=invalid_request&error_description=Missing+response_type+parameter.'
)
def validate_request(self, request, response_types=None):
request.state = getattr(request, 'state', None)
response_types = response_types or self.response_types or []
if not request.client_id:
raise errors.InvalidRequestError(
state=request.state,
description='Missing client_id parameter.')
if not request.response_type:
raise errors.InvalidRequestError(
state=request.state,
description='Missing response_type parameter.')
if not self.validate_client(request.client_id):
raise errors.UnauthorizedClientError(state=request.state)
if not request.response_type in response_types:
raise errors.UnsupportedResponseTypeError(state=request.state)
self.validate_request_scopes(request)
if getattr(request, 'redirect_uri', None):
if not is_absolute_uri(request.redirect_uri):
raise errors.InvalidRequestError(
state=request.state,
description='Non absolute redirect URI. See RFC3986')
if not self.validate_redirect_uri(request.client_id,
request.redirect_uri):
raise errors.AccessDeniedError(state=request.state)
else:
request.redirect_uri = self.get_default_redirect_uri(
request.client_id)
if not request.redirect_uri:
raise errors.AccessDeniedError(state=request.state)
return True
def validate_token_request(self, request):
for param in ('grant_type', 'username', 'password'):
if not getattr(request, param):
raise errors.InvalidRequestError(
'Request is missing %s parameter.' % param)
# This error should rarely (if ever) occur if requests are routed to
# grant type handlers based on the grant_type parameter.
if not request.grant_type == 'password':
raise errors.UnsupportedGrantTypeError()
# request.client is populated during client authentication
client = request.client if getattr(request, 'client') else None
if not self.request_validator.validate_user(
request.username, request.password, client=client):
raise errors.InvalidGrantError('Invalid credentials given.')
self.request_validator.validate_request_scopes(request)
def validate_token_request(self, request):
if getattr(request, 'grant_type', '') != 'authorization_code':
raise errors.UnsupportedGrantTypeError()
if not getattr(request, 'code', None):
raise errors.InvalidRequestError(
description='Missing code parameter.')
# TODO: document diff client & client_id, former is authenticated
# outside spec, i.e. http basic
if (not hasattr(request, 'client')
or not self.request_validator.validate_client(
request.client, request.grant_type)):
raise errors.UnauthorizedClientError()
if not self.request_validator.validate_code(request.client,
request.code):
raise errors.InvalidGrantError()
def validate_token_request(self, request):
# REQUIRED. Value MUST be set to "authorization_code".
if request.grant_type != 'authorization_code':
raise errors.UnsupportedGrantTypeError()
if request.code is None:
raise errors.InvalidRequestError(
description='Missing code parameter.')
# If the client type is confidential or the client was issued client
# credentials (or assigned other authentication requirements), the
# client MUST authenticate with the authorization server as described
# in Section 3.2.1.
# http://tools.ietf.org/html/rfc6749#section-3.2.1
if not self.request_validator.authenticate_client(request):
raise errors.AccessDeniedError()
# REQUIRED, if the client is not authenticating with the
# authorization server as described in Section 3.2.1.
# http://tools.ietf.org/html/rfc6749#section-3.2.1
if not self.request_validator.validate_client(
request.client_id, request.grant_type, request.client):
raise errors.UnauthorizedClientError()
# REQUIRED. The authorization code received from the
# authorization server.
if not self.request_validator.validate_code(
request.client_id, request.code, request.client):
raise errors.InvalidGrantError()
# REQUIRED, if the "redirect_uri" parameter was included in the
# authorization request as described in Section 4.1.1, and their
# values MUST be identical.
if not self.request_validator.confirm_redirect_uri(
request.client_id, request.code, request.redirect_uri,
request.client):
raise errors.AccessDeniedError()
return True
def validate_token_request(self, request):
"""Check the token request for normal and fatal errors.
This method is very similar to validate_authorization_request in
the AuthorizationCodeGrant but differ in a few subtle areas.
A normal error could be a missing response_type parameter or the client
attempting to access scope it is not allowed to ask authorization for.
Normal errors can safely be included in the redirection URI and
sent back to the client.
Fatal errors occur when the client_id or redirect_uri is invalid or
missing. These must be caught by the provider and handled, how this
is done is outside of the scope of OAuthLib but showing an error
page describing the issue is a good idea.
"""
# First check for fatal errors
# If the request fails due to a missing, invalid, or mismatching
# redirection URI, or if the client identifier is missing or invalid,
# the authorization server SHOULD inform the resource owner of the
# error and MUST NOT automatically redirect the user-agent to the
# invalid redirection URI.
# REQUIRED. The client identifier as described in Section 2.2.
# http://tools.ietf.org/html/rfc6749#section-2.2
if not request.client_id:
raise errors.MissingClientIdError(state=request.state)
if not self.request_validator.validate_client_id(request.client_id):
raise errors.InvalidClientIdError(state=request.state)
# OPTIONAL. As described in Section 3.1.2.
# http://tools.ietf.org/html/rfc6749#section-3.1.2
if request.redirect_uri is not None:
if not is_absolute_uri(request.redirect_uri):
raise errors.InvalidRedirectURIError(state=request.state)
# The authorization server MUST verify that the redirection URI
# to which it will redirect the access token matches a
# redirection URI registered by the client as described in
# Section 3.1.2.
# http://tools.ietf.org/html/rfc6749#section-3.1.2
if not self.request_validator.validate_redirect_uri(
request.client_id, request.redirect_uri):
raise errors.MismatchingRedirectURIError(state=request.state)
else:
request.redirect_uri = self.request_validator.get_default_redirect_uri(
request.client_id)
if not request.redirect_uri:
raise errors.MissingRedirectURIError(state=request.state)
# Then check for normal errors.
# If the resource owner denies the access request or if the request
# fails for reasons other than a missing or invalid redirection URI,
# the authorization server informs the client by adding the following
# parameters to the fragment component of the redirection URI using the
# "application/x-www-form-urlencoded" format, per Appendix B.
# http://tools.ietf.org/html/rfc6749#appendix-B
# Note that the correct parameters to be added are automatically
# populated through the use of specific exceptions.
if request.response_type is None:
raise errors.InvalidRequestError(
state=request.state,
description='Missing response_type parameter.')
# REQUIRED. Value MUST be set to "token".
if request.response_type != 'token':
raise errors.UnsupportedResponseTypeError(state=request.state)
# OPTIONAL. The scope of the access request as described by Section 3.3
# http://tools.ietf.org/html/rfc6749#section-3.3
if not self.request_validator.validate_scopes(request):
raise errors.InvalidScopeError(state=request.state)