gvsig-scripting / org.gvsig.scripting / trunk / org.gvsig.scripting / org.gvsig.scripting.app / org.gvsig.scripting.app.mainplugin / src / main / resources-plugin / scripting / lib / oauthlib / oauth2 / rfc6749 / endpoints / resource.py @ 564
History | View | Annotate | Download (3.24 KB)
1 |
# -*- coding: utf-8 -*-
|
---|---|
2 |
"""
|
3 |
oauthlib.oauth2.rfc6749
|
4 |
~~~~~~~~~~~~~~~~~~~~~~~
|
5 |
|
6 |
This module is an implementation of various logic needed
|
7 |
for consuming and providing OAuth 2.0 RFC6749.
|
8 |
"""
|
9 |
from __future__ import absolute_import, unicode_literals |
10 |
|
11 |
import logging |
12 |
|
13 |
from oauthlib.common import Request |
14 |
|
15 |
from .base import BaseEndpoint, catch_errors_and_unavailability |
16 |
|
17 |
log = logging.getLogger(__name__) |
18 |
|
19 |
|
20 |
class ResourceEndpoint(BaseEndpoint): |
21 |
|
22 |
"""Authorizes access to protected resources.
|
23 |
|
24 |
The client accesses protected resources by presenting the access
|
25 |
token to the resource server. The resource server MUST validate the
|
26 |
access token and ensure that it has not expired and that its scope
|
27 |
covers the requested resource. The methods used by the resource
|
28 |
server to validate the access token (as well as any error responses)
|
29 |
are beyond the scope of this specification but generally involve an
|
30 |
interaction or coordination between the resource server and the
|
31 |
authorization server::
|
32 |
|
33 |
# For most cases, returning a 403 should suffice.
|
34 |
|
35 |
The method in which the client utilizes the access token to
|
36 |
authenticate with the resource server depends on the type of access
|
37 |
token issued by the authorization server. Typically, it involves
|
38 |
using the HTTP "Authorization" request header field [RFC2617] with an
|
39 |
authentication scheme defined by the specification of the access
|
40 |
token type used, such as [RFC6750]::
|
41 |
|
42 |
# Access tokens may also be provided in query and body
|
43 |
https://example.com/protected?access_token=kjfch2345sdf # Query
|
44 |
access_token=sdf23409df # Body
|
45 |
"""
|
46 |
|
47 |
def __init__(self, default_token, token_types): |
48 |
BaseEndpoint.__init__(self)
|
49 |
self._tokens = token_types
|
50 |
self._default_token = default_token
|
51 |
|
52 |
@property
|
53 |
def default_token(self): |
54 |
return self._default_token |
55 |
|
56 |
@property
|
57 |
def default_token_type_handler(self): |
58 |
return self.tokens.get(self.default_token) |
59 |
|
60 |
@property
|
61 |
def tokens(self): |
62 |
return self._tokens |
63 |
|
64 |
@catch_errors_and_unavailability
|
65 |
def verify_request(self, uri, http_method='GET', body=None, headers=None, |
66 |
scopes=None):
|
67 |
"""Validate client, code etc, return body + headers"""
|
68 |
request = Request(uri, http_method, body, headers) |
69 |
request.token_type = self.find_token_type(request)
|
70 |
request.scopes = scopes |
71 |
token_type_handler = self.tokens.get(request.token_type,
|
72 |
self.default_token_type_handler)
|
73 |
log.debug('Dispatching token_type %s request to %r.',
|
74 |
request.token_type, token_type_handler) |
75 |
return token_type_handler.validate_request(request), request
|
76 |
|
77 |
def find_token_type(self, request): |
78 |
"""Token type identification.
|
79 |
|
80 |
RFC 6749 does not provide a method for easily differentiating between
|
81 |
different token types during protected resource access. We estimate
|
82 |
the most likely token type (if any) by asking each known token type
|
83 |
to give an estimation based on the request.
|
84 |
"""
|
85 |
estimates = sorted(((t.estimate_type(request), n)
|
86 |
for n, t in self.tokens.items())) |
87 |
return estimates[0][1] if len(estimates) else None |