def check_token_endpoint(request):
"""
This endpoint is out of the oAuth 2.0 specification, however it's needed in
order to support total desacoplation of the oAuth server and the resource
servers. When an application (a.k.a. client) impersons the user in order to
access to the user's resources, the resource server needs to check if the
token provided is valid and check if it was issued to the user.
"""
access_token = request.params.get("access_token")
username = request.params.get("username")
scope = request.params.get("scope", None)
if username is None:
return OAuth2ErrorHandler.error_invalid_request("Required parameter username not found in the request")
elif access_token is None:
return OAuth2ErrorHandler.error_invalid_request("Required parameter access_token not found in the request")
elif len(access_token) != ACCESS_TOKEN_LENGTH:
return OAuth2ErrorHandler.error_invalid_request("Required parameter not valid found in the request")
storage = request.registry.osiris_store
token_info = storage.retrieve(token=access_token)
if token_info:
if token_info.get("scope") == scope and token_info.get("username") == username:
return HTTPOk()
else:
return HTTPUnauthorized()
return HTTPUnauthorized()
def check_token_endpoint(request):
"""
This endpoint is out of the oAuth 2.0 specification, however it's needed in
order to support total desacoplation of the oAuth server and the resource
servers. When an application (a.k.a. client) impersons the user in order to
access to the user's resources, the resource server needs to check if the
token provided is valid and check if it was issued to the user.
"""
access_token = request.params.get('access_token')
username = urllib.unquote(request.params.get('username'))
scope = request.params.get('scope', None)
if scope is not None:
scope = urllib.unquote_plus(scope)
if username is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required parameter username not found in the request')
elif access_token is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required parameter access_token not found in the request')
elif len(access_token) != ACCESS_TOKEN_LENGTH:
return OAuth2ErrorHandler.error_invalid_request(
'Required parameter not valid found in the request')
storage = request.registry.osiris_store
token_info = storage.retrieve(token=access_token)
if token_info:
if token_info.get('scope') == scope and token_info.get(
'username') == username:
return HTTPOk()
else:
return HTTPUnauthorized()
return HTTPUnauthorized()
def check_token_endpoint(request):
"""
This endpoint is out of the oAuth 2.0 specification, however it's needed in
order to support total desacoplation of the oAuth server and the resource
servers. When an application (a.k.a. client) impersons the user in order to
access to the user's resources, the resource server needs to check if the
token provided is valid and check if it was issued to the user.
"""
access_token = request.params.get('access_token')
username = request.params.get('username')
if username is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required paramer "username" not found in the request')
elif access_token is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required paramer "access_token" not found in the request')
storage = request.registry.osiris_store
token_info = storage.retrieve(access_token)
if token_info:
if token_info.get('username') == username:
return HTTPOk()
return HTTPUnauthorized()
def password_authorization(request, username, password, scope, expires_in):
ldap_enabled = asbool(request.registry.settings.get('osiris.ldap_enabled'))
ldap_scope_as_group = asbool(
request.registry.settings.get('osiris.ldap_scope_as_group'))
if ldap_enabled:
from osiris import get_ldap_connector
connector = get_ldap_connector(request)
identity = connector.authenticate(username, password)
scopes = scope.split(' ')
if ldap_scope_as_group and scope:
user_groups = connector.user_groups(username)
user_groups = [group[0] for group in user_groups]
user_groups = [
group.split(",")[0].split("=")[1] for group in user_groups
]
for req_scope in scopes:
if req_scope not in user_groups:
return OAuth2ErrorHandler.error_invalid_scope(req_scope)
else:
policy = request.registry.queryUtility(IAuthenticationPolicy)
authapi = policy._getAPI(request)
credentials = {'login': username, 'password': password}
identity, headers = authapi.login(credentials)
user_groups = []
if not identity:
return OAuth2ErrorHandler.error_invalid_grant()
else:
storage = request.registry.osiris_store
# Check if an existing token for the username and scope is already issued
issued = storage.retrieve(username=username, scope=scope)
if issued:
# Return the already issued one
return dict(
access_token=issued.get('token'),
token_type='bearer',
scope=issued.get('scope'),
expires_in=issued.get('expire_time'),
)
else:
# Create and store token
token = generate_token()
stored = storage.store(token, username, scope, expires_in)
# Issue token
if stored:
return dict(access_token=token,
token_type='bearer',
scope=scope,
expires_in=int(expires_in))
else:
# If operation error, return a generic server error
return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in):
ldap_enabled = asbool(request.registry.settings.get('osiris.ldap_enabled'))
ldap_scope_as_group = asbool(
request.registry.settings.get('osiris.ldap_scope_as_group'))
if ldap_enabled:
from osiris import get_ldap_connector
connector = get_ldap_connector(request)
identity = connector.authenticate(username, password)
scopes = scope.split(' ')
if ldap_scope_as_group and scope:
user_groups = connector.user_groups(username)
user_groups = [group[0] for group in user_groups]
user_groups = [group.split(",")[0].split("=")[1]
for group in user_groups]
for req_scope in scopes:
if req_scope not in user_groups:
return OAuth2ErrorHandler.error_invalid_scope(req_scope)
else:
policy = request.registry.queryUtility(IAuthenticationPolicy)
authapi = policy._getAPI(request)
credentials = {'login': username, 'password': password}
identity, headers = authapi.login(credentials)
user_groups = []
if not identity:
return OAuth2ErrorHandler.error_invalid_grant()
else:
storage = request.registry.osiris_store
# Check if an existing token for the username and scope is already issued
issued = storage.retrieve(username=username, scope=scope)
if issued:
# Return the already issued one
return dict(access_token=issued.get('token'),
token_type='bearer',
scope=issued.get('scope'),
expires_in=issued.get('expire_time'),
)
else:
# Create and store token
token = generate_token()
stored = storage.store(token, username, scope, expires_in)
# Issue token
if stored:
return dict(access_token=token,
token_type='bearer',
scope=scope,
expires_in=int(expires_in)
)
else:
# If operation error, return a generic server error
return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in):
policy = request.registry.queryUtility(IAuthenticationPolicy)
authapi = policy._getAPI(request)
credentials = {'login': username, 'password': password}
identity, headers = authapi.login(credentials)
if not identity:
return OAuth2ErrorHandler.error_unauthorized_client()
else:
# Create and store token
storage = request.registry.osiris_store
token = generate_token()
stored = storage.store(token, username, scope, expires_in)
# Issue token
if stored:
return dict(access_token=token,
token_type='bearer',
scope=scope,
expires_in=expires_in)
else:
# If operation error, return a generic server error
return HTTPInternalServerError()
def password_authorization(request, username, password, scope, expires_in):
policy = request.registry.queryUtility(IAuthenticationPolicy)
authapi = policy._getAPI(request)
credentials = {'login': username, 'password': password}
identity, headers = authapi.login(credentials)
if not identity:
return OAuth2ErrorHandler.error_unauthorized_client()
else:
# Create and store token
storage = request.registry.osiris_store
token = generate_token()
stored = storage.store(token, username, scope, expires_in)
# Issue token
if stored:
return dict(
access_token=token,
token_type='bearer',
scope=scope,
expires_in=expires_in
)
else:
# If operation error, return a generic server error
return HTTPInternalServerError()
def token_endpoint(request):
"""
The token endpoint is used by the client to obtain an access token by
presenting its authorization grant or refresh token. The token
endpoint is used with every authorization grant except for the
implicit grant type (since an access token is issued directly).
"""
expires_in = request.registry.settings.get("osiris.tokenexpiry", 0)
grant_type = request.params.get("grant_type")
# Authorization Code Grant
if grant_type == "authorization_code":
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Implicit Grant
elif grant_type == "implicit":
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials
elif grant_type == "client_credentials":
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials Grant
elif grant_type == "password":
scope = request.params.get("scope", None) # Optional
username = request.params.get("username", None)
password = request.params.get("password", None)
if username is None:
return OAuth2ErrorHandler.error_invalid_request("Required parameter username not found in the request")
elif password is None:
return OAuth2ErrorHandler.error_invalid_request("Required parameter password not found in the request")
else:
return password_authorization(request, username, password, scope, expires_in)
else:
return OAuth2ErrorHandler.error_unsupported_grant_type()
def token_endpoint(request):
"""
The token endpoint is used by the client to obtain an access token by
presenting its authorization grant or refresh token. The token
endpoint is used with every authorization grant except for the
implicit grant type (since an access token is issued directly).
"""
expires_in = request.registry.settings.get('osiris.tokenexpiry', 0)
grant_type = request.params.get('grant_type')
# Authorization Code Grant
if grant_type == 'authorization_code':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Implicit Grant
elif grant_type == 'implicit':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials
elif grant_type == 'client_credentials':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials Grant
elif grant_type == 'password':
scope = request.params.get('scope', '') # Optional
username = request.params.get('username', None)
password = request.params.get('password', None)
if username is None:
return OAuth2ErrorHandler.error_invalid_request('Required paramer "username" not found in the request')
elif password is None:
return OAuth2ErrorHandler.error_invalid_request('Required paramer "password" not found in the request')
else:
return password_authorization(request, username, password, scope, expires_in)
else:
return OAuth2ErrorHandler.error_unsupported_grant_type()
def check_token_endpoint(request):
"""
This endpoint is out of the oAuth 2.0 specification, however it's needed in
order to support total desacoplation of the oAuth server and the resource
servers. When an application (a.k.a. client) impersons the user in order to
access to the user's resources, the resource server needs to check if the
token provided is valid and check if it was issued to the user.
"""
access_token = request.params.get('access_token')
username = request.params.get('username')
if username is None:
return OAuth2ErrorHandler.error_invalid_request('Required paramer "username" not found in the request')
elif access_token is None:
return OAuth2ErrorHandler.error_invalid_request('Required paramer "access_token" not found in the request')
storage = request.registry.osiris_store
token_info = storage.retrieve(access_token)
if token_info:
if token_info.get('username') == username:
return HTTPOk()
return HTTPUnauthorized()
def token_endpoint(request):
"""
The token endpoint is used by the client to obtain an access token by
presenting its authorization grant or refresh token. The token
endpoint is used with every authorization grant except for the
implicit grant type (since an access token is issued directly).
"""
expires_in = request.registry.settings.get('osiris.tokenexpiry', 0)
grant_type = request.params.get('grant_type')
# Authorization Code Grant
if grant_type == 'authorization_code':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Implicit Grant
elif grant_type == 'implicit':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials
elif grant_type == 'client_credentials':
return OAuth2ErrorHandler.error_unsupported_grant_type()
# Client Credentials Grant
elif grant_type == 'password':
scope = request.params.get('scope', None) # Optional
username = urllib.unquote(request.params.get('username', None))
password = urllib.unquote(request.params.get('password', None))
if username is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required parameter username not found in the request')
elif password is None:
return OAuth2ErrorHandler.error_invalid_request(
'Required parameter password not found in the request')
else:
return password_authorization(request, username, password, scope,
expires_in)
else:
return OAuth2ErrorHandler.error_unsupported_grant_type()
