示例#1
0
def oauth2_authorize():
    client_id = request.args.get('client_id')
    redirect_uri = request.args.get('redirect_uri')
    response_type = request.args.get('response_type')
    scope = [scope.strip() for scope in request.args.get('scope', '').split(',')]

    if not (client_id and redirect_uri and response_type):
        return jsonify({'error': 'invalid_request'}), 400

    try:
        client = ApplicationOAuth2Client.objects(id=client_id).get()
    except ApplicationOAuth2Client.DoesNotExist:
        return jsonify({'error': 'unauthorized_client'}), 400

    check_redirect_uri = False
    for accept_redirect_uri in client.redirect_uris:
        if redirect_uri.startswith(accept_redirect_uri):
            check_redirect_uri = True

    if not check_redirect_uri:
        return 'redirect_uri error', 400

    if not session.get_account():
        if request.method == 'GET':
            return render_template('api/oauth2/login.html')
        else:
            account_id = request.form.get('account_id')
            account_pw = request.form.get('account_pw')

            from opencampus.module.account.models import Account
            try:
                Account.login(account_id, account_pw)
            except:
                return render_template('api/oauth2/login.html')

    check_accept = True
    try:
        accept = OAuth2AccountAccept.objects(client_id=client_id, account_id=session.get_account().id).get()
        for s in scope:
            if accept and s not in accept.scope:
                check_accept = False

    except OAuth2AccountAccept.DoesNotExist:
        check_accept = False
        accept = None

    if not check_accept:
        if request.method == 'GET':
            return render_template('api/oauth2/permission.html',
                                   app=Application.objects(id=client.application_id).get(),
                                   scope=scope,
                                   scope_name=SCOPE)
        elif request.method == 'POST':
            token = session.get('csrf_token')
            if not token or token != request.form.get('csrf_token'):
                return abort(403)

            if not accept:
                accept = OAuth2AccountAccept()
                accept.client_id = client_id
                accept.account_id = session.get_account().id
                accept.created_at = datetime.utcnow()

            accept.scope = scope
            accept.save()

    if response_type == 'token':
        token = OAuth2AccessToken.create_token('account', session.get_account().id, client_id=client.id, scope=accept.scope)
        token.save()
        return redirect(redirect_uri + '?access_token=' + token.access_token)
    elif response_type == 'code':
        code = OAuth2AuthorizationCode.create_code(client.id, session.get_account().id, scope=accept.scope)
        return redirect(redirect_uri + '?code=' + code.code)
    else:
        return jsonify({'error': 'unsupported_response_type'}), 400
示例#2
0
def oauth2_token():
    grant_type = request.form.get('grant_type')

    if grant_type == 'authorization_code':
        """
        일반 사용자가 앱에서 토큰을 획득할 때 사용
        """
        client_id = request.form.get('client_id')
        client_secret = request.form.get('client_secret')
        redirect_uri = request.form.get('redirect_uri')     # TODO
        code = request.form.get('code')

        try:
            code = OAuth2AuthorizationCode.objects(code=code, client_id=client_id).get()
        except OAuth2AuthorizationCode.DoesNotExist:
            return jsonify({'error': 'invalid_request'}), 400

        try:
            client = ApplicationOAuth2Client.objects(id=code.client_id).get()
        except ApplicationOAuth2Client.DoesNotExist:
            return jsonify({'error': 'unauthorized_client'}), 400

        if client_secret != client.secret_key:
            return jsonify({'error': 'unauthorized_client'}), 400

        token = OAuth2AccessToken.create_token('account', code.account_id, scope=code.scope)
        token.client_id = client.id
        token.save()
        code.delete()

        expires_in = token.expires_at - datetime.utcnow()
        expires_in = expires_in.days * 86400 + expires_in.seconds
        return jsonify({
            'access_token': token.access_token,
            'expires_in': expires_in,
            'token_type': 'Bearer',
            'refresh_token': token.refresh_token
        })

    elif grant_type == 'client_credentials':
        """
        게이트웨이에서 토큰 획득 용으로 사용
        """
        client_id = request.form.get('client_id')
        client_secret = request.form.get('client_secret')
        try:
            gateway = CampusGateway.objects(id=client_id, secret_key=client_secret).get()
            token = OAuth2AccessToken.create_token('gateway', gateway.id)
            expires_in = token.expires_at - datetime.utcnow()
            expires_in = expires_in.days * 86400 + expires_in.seconds
            return jsonify({
                'access_token': token.access_token,
                'expires_in': expires_in,
                'token_type': 'Bearer',
                'refresh_token': token.refresh_token
            })
        except CampusGateway.DoesNotExist:
            pass
        return jsonify({'error': 'invalid_request'}), 400
    elif grant_type == 'refresh_token':
        return jsonify({'error': 'unsupported_response_type'}), 400
    else:
        return jsonify({'error': 'unsupported_grant_type'}), 400