????
Your IP : 216.73.216.116
from authlib.common.security import generate_token
from authlib.common.urls import url_decode
from .rfc6749.parameters import (
prepare_grant_uri,
prepare_token_request,
parse_authorization_code_response,
parse_implicit_response,
)
from .rfc7009 import prepare_revoke_token_request
from .rfc7636 import create_s256_code_challenge
from .auth import TokenAuth, ClientAuth
from .base import OAuth2Error
DEFAULT_HEADERS = {
'Accept': 'application/json',
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'
}
class OAuth2Client:
"""Construct a new OAuth 2 protocol client.
:param session: Requests session object to communicate with
authorization server.
:param client_id: Client ID, which you get from client registration.
:param client_secret: Client Secret, which you get from registration.
:param token_endpoint_auth_method: client authentication method for
token endpoint.
:param revocation_endpoint_auth_method: client authentication method for
revocation endpoint.
:param scope: Scope that you needed to access user resources.
:param state: Shared secret to prevent CSRF attack.
:param redirect_uri: Redirect URI you registered as callback.
:param code_challenge_method: PKCE method name, only S256 is supported.
:param token: A dict of token attributes such as ``access_token``,
``token_type`` and ``expires_at``.
:param token_placement: The place to put token in HTTP request. Available
values: "header", "body", "uri".
:param update_token: A function for you to update token. It accept a
:class:`OAuth2Token` as parameter.
"""
client_auth_class = ClientAuth
token_auth_class = TokenAuth
oauth_error_class = OAuth2Error
EXTRA_AUTHORIZE_PARAMS = (
'response_mode', 'nonce', 'prompt', 'login_hint'
)
SESSION_REQUEST_PARAMS = []
def __init__(self, session, client_id=None, client_secret=None,
token_endpoint_auth_method=None,
revocation_endpoint_auth_method=None,
scope=None, state=None, redirect_uri=None, code_challenge_method=None,
token=None, token_placement='header', update_token=None, **metadata):
self.session = session
self.client_id = client_id
self.client_secret = client_secret
self.state = state
if token_endpoint_auth_method is None:
if client_secret:
token_endpoint_auth_method = 'client_secret_basic'
else:
token_endpoint_auth_method = 'none'
self.token_endpoint_auth_method = token_endpoint_auth_method
if revocation_endpoint_auth_method is None:
if client_secret:
revocation_endpoint_auth_method = 'client_secret_basic'
else:
revocation_endpoint_auth_method = 'none'
self.revocation_endpoint_auth_method = revocation_endpoint_auth_method
self.scope = scope
self.redirect_uri = redirect_uri
self.code_challenge_method = code_challenge_method
self.token_auth = self.token_auth_class(token, token_placement, self)
self.update_token = update_token
token_updater = metadata.pop('token_updater', None)
if token_updater:
raise ValueError('update token has been redesigned, checkout the documentation')
self.metadata = metadata
self.compliance_hook = {
'access_token_response': set(),
'refresh_token_request': set(),
'refresh_token_response': set(),
'revoke_token_request': set(),
'introspect_token_request': set(),
}
self._auth_methods = {}
def register_client_auth_method(self, auth):
"""Extend client authenticate for token endpoint.
:param auth: an instance to sign the request
"""
if isinstance(auth, tuple):
self._auth_methods[auth[0]] = auth[1]
else:
self._auth_methods[auth.name] = auth
def client_auth(self, auth_method):
if isinstance(auth_method, str) and auth_method in self._auth_methods:
auth_method = self._auth_methods[auth_method]
return self.client_auth_class(
client_id=self.client_id,
client_secret=self.client_secret,
auth_method=auth_method,
)
@property
def token(self):
return self.token_auth.token
@token.setter
def token(self, token):
self.token_auth.set_token(token)
def create_authorization_url(self, url, state=None, code_verifier=None, **kwargs):
"""Generate an authorization URL and state.
:param url: Authorization endpoint url, must be HTTPS.
:param state: An optional state string for CSRF protection. If not
given it will be generated for you.
:param code_verifier: An optional code_verifier for code challenge.
:param kwargs: Extra parameters to include.
:return: authorization_url, state
"""
if state is None:
state = generate_token()
response_type = self.metadata.get('response_type', 'code')
response_type = kwargs.pop('response_type', response_type)
if 'redirect_uri' not in kwargs:
kwargs['redirect_uri'] = self.redirect_uri
if 'scope' not in kwargs:
kwargs['scope'] = self.scope
if code_verifier and response_type == 'code' and self.code_challenge_method == 'S256':
kwargs['code_challenge'] = create_s256_code_challenge(code_verifier)
kwargs['code_challenge_method'] = self.code_challenge_method
for k in self.EXTRA_AUTHORIZE_PARAMS:
if k not in kwargs and k in self.metadata:
kwargs[k] = self.metadata[k]
uri = prepare_grant_uri(
url, client_id=self.client_id, response_type=response_type,
state=state, **kwargs)
return uri, state
def fetch_token(self, url=None, body='', method='POST', headers=None,
auth=None, grant_type=None, state=None, **kwargs):
"""Generic method for fetching an access token from the token endpoint.
:param url: Access Token endpoint URL, if not configured,
``authorization_response`` is used to extract token from
its fragment (implicit way).
:param body: Optional application/x-www-form-urlencoded body to add the
include in the token request. Prefer kwargs over body.
:param method: The HTTP method used to make the request. Defaults
to POST, but may also be GET. Other methods should
be added as needed.
:param headers: Dict to default request headers with.
:param auth: An auth tuple or method as accepted by requests.
:param grant_type: Use specified grant_type to fetch token
:return: A :class:`OAuth2Token` object (a dict too).
"""
state = state or self.state
# implicit grant_type
authorization_response = kwargs.pop('authorization_response', None)
if authorization_response and '#' in authorization_response:
return self.token_from_fragment(authorization_response, state)
session_kwargs = self._extract_session_request_params(kwargs)
if authorization_response and 'code=' in authorization_response:
grant_type = 'authorization_code'
params = parse_authorization_code_response(
authorization_response,
state=state,
)
kwargs['code'] = params['code']
if grant_type is None:
grant_type = self.metadata.get('grant_type')
if grant_type is None:
grant_type = _guess_grant_type(kwargs)
self.metadata['grant_type'] = grant_type
body = self._prepare_token_endpoint_body(body, grant_type, **kwargs)
if auth is None:
auth = self.client_auth(self.token_endpoint_auth_method)
if headers is None:
headers = DEFAULT_HEADERS
if url is None:
url = self.metadata.get('token_endpoint')
return self._fetch_token(
url, body=body, auth=auth, method=method,
headers=headers, **session_kwargs
)
def token_from_fragment(self, authorization_response, state=None):
token = parse_implicit_response(authorization_response, state)
if 'error' in token:
raise self.oauth_error_class(
error=token['error'],
description=token.get('error_description')
)
self.token = token
return token
def refresh_token(self, url, refresh_token=None, body='',
auth=None, headers=None, **kwargs):
"""Fetch a new access token using a refresh token.
:param url: Refresh Token endpoint, must be HTTPS.
:param refresh_token: The refresh_token to use.
:param body: Optional application/x-www-form-urlencoded body to add the
include in the token request. Prefer kwargs over body.
:param auth: An auth tuple or method as accepted by requests.
:param headers: Dict to default request headers with.
:return: A :class:`OAuth2Token` object (a dict too).
"""
session_kwargs = self._extract_session_request_params(kwargs)
refresh_token = refresh_token or self.token.get('refresh_token')
if 'scope' not in kwargs and self.scope:
kwargs['scope'] = self.scope
body = prepare_token_request(
'refresh_token', body,
refresh_token=refresh_token, **kwargs
)
if headers is None:
headers = DEFAULT_HEADERS.copy()
for hook in self.compliance_hook['refresh_token_request']:
url, headers, body = hook(url, headers, body)
if auth is None:
auth = self.client_auth(self.token_endpoint_auth_method)
return self._refresh_token(
url, refresh_token=refresh_token, body=body, headers=headers,
auth=auth, **session_kwargs)
def ensure_active_token(self, token):
if not token.is_expired():
return True
refresh_token = token.get('refresh_token')
url = self.metadata.get('token_endpoint')
if refresh_token and url:
self.refresh_token(url, refresh_token=refresh_token)
return True
elif self.metadata.get('grant_type') == 'client_credentials':
access_token = token['access_token']
new_token = self.fetch_token(url, grant_type='client_credentials')
if self.update_token:
self.update_token(new_token, access_token=access_token)
return True
def revoke_token(self, url, token=None, token_type_hint=None,
body=None, auth=None, headers=None, **kwargs):
"""Revoke token method defined via `RFC7009`_.
:param url: Revoke Token endpoint, must be HTTPS.
:param token: The token to be revoked.
:param token_type_hint: The type of the token that to be revoked.
It can be "access_token" or "refresh_token".
:param body: Optional application/x-www-form-urlencoded body to add the
include in the token request. Prefer kwargs over body.
:param auth: An auth tuple or method as accepted by requests.
:param headers: Dict to default request headers with.
:return: Revocation Response
.. _`RFC7009`: https://tools.ietf.org/html/rfc7009
"""
return self._handle_token_hint(
'revoke_token_request', url,
token=token, token_type_hint=token_type_hint,
body=body, auth=auth, headers=headers, **kwargs)
def introspect_token(self, url, token=None, token_type_hint=None,
body=None, auth=None, headers=None, **kwargs):
"""Implementation of OAuth 2.0 Token Introspection defined via `RFC7662`_.
:param url: Introspection Endpoint, must be HTTPS.
:param token: The token to be introspected.
:param token_type_hint: The type of the token that to be revoked.
It can be "access_token" or "refresh_token".
:param body: Optional application/x-www-form-urlencoded body to add the
include in the token request. Prefer kwargs over body.
:param auth: An auth tuple or method as accepted by requests.
:param headers: Dict to default request headers with.
:return: Introspection Response
.. _`RFC7662`: https://tools.ietf.org/html/rfc7662
"""
return self._handle_token_hint(
'introspect_token_request', url,
token=token, token_type_hint=token_type_hint,
body=body, auth=auth, headers=headers, **kwargs)
def register_compliance_hook(self, hook_type, hook):
"""Register a hook for request/response tweaking.
Available hooks are:
* access_token_response: invoked before token parsing.
* refresh_token_request: invoked before refreshing token.
* refresh_token_response: invoked before refresh token parsing.
* protected_request: invoked before making a request.
* revoke_token_request: invoked before revoking a token.
* introspect_token_request: invoked before introspecting a token.
"""
if hook_type == 'protected_request':
self.token_auth.hooks.add(hook)
return
if hook_type not in self.compliance_hook:
raise ValueError('Hook type %s is not in %s.',
hook_type, self.compliance_hook)
self.compliance_hook[hook_type].add(hook)
def parse_response_token(self, resp):
if resp.status_code >= 500:
resp.raise_for_status()
token = resp.json()
if 'error' in token:
raise self.oauth_error_class(
error=token['error'],
description=token.get('error_description')
)
self.token = token
return self.token
def _fetch_token(self, url, body='', headers=None, auth=None,
method='POST', **kwargs):
if method.upper() == 'POST':
resp = self.session.post(
url, data=dict(url_decode(body)),
headers=headers, auth=auth, **kwargs)
else:
if '?' in url:
url = '&'.join([url, body])
else:
url = '?'.join([url, body])
resp = self.session.request(method, url, headers=headers, auth=auth, **kwargs)
for hook in self.compliance_hook['access_token_response']:
resp = hook(resp)
return self.parse_response_token(resp)
def _refresh_token(self, url, refresh_token=None, body='', headers=None,
auth=None, **kwargs):
resp = self._http_post(url, body=body, auth=auth, headers=headers, **kwargs)
for hook in self.compliance_hook['refresh_token_response']:
resp = hook(resp)
token = self.parse_response_token(resp)
if 'refresh_token' not in token:
self.token['refresh_token'] = refresh_token
if callable(self.update_token):
self.update_token(self.token, refresh_token=refresh_token)
return self.token
def _handle_token_hint(self, hook, url, token=None, token_type_hint=None,
body=None, auth=None, headers=None, **kwargs):
if token is None and self.token:
token = self.token.get('refresh_token') or self.token.get('access_token')
if body is None:
body = ''
body, headers = prepare_revoke_token_request(
token, token_type_hint, body, headers)
for hook in self.compliance_hook[hook]:
url, headers, body = hook(url, headers, body)
if auth is None:
auth = self.client_auth(self.revocation_endpoint_auth_method)
session_kwargs = self._extract_session_request_params(kwargs)
return self._http_post(
url, body, auth=auth, headers=headers, **session_kwargs)
def _prepare_token_endpoint_body(self, body, grant_type, **kwargs):
if grant_type == 'authorization_code':
if 'redirect_uri' not in kwargs:
kwargs['redirect_uri'] = self.redirect_uri
return prepare_token_request(grant_type, body, **kwargs)
if 'scope' not in kwargs and self.scope:
kwargs['scope'] = self.scope
return prepare_token_request(grant_type, body, **kwargs)
def _extract_session_request_params(self, kwargs):
"""Extract parameters for session object from the passing ``**kwargs``."""
rv = {}
for k in self.SESSION_REQUEST_PARAMS:
if k in kwargs:
rv[k] = kwargs.pop(k)
return rv
def _http_post(self, url, body=None, auth=None, headers=None, **kwargs):
return self.session.post(
url, data=dict(url_decode(body)),
headers=headers, auth=auth, **kwargs)
def _guess_grant_type(kwargs):
if 'code' in kwargs:
grant_type = 'authorization_code'
elif 'username' in kwargs and 'password' in kwargs:
grant_type = 'password'
else:
grant_type = 'client_credentials'
return grant_type