gvsig-scripting / org.gvsig.scripting / trunk / org.gvsig.scripting / org.gvsig.scripting.app / org.gvsig.scripting.app.mainplugin / src / main / resources-plugin / scripting / lib / oauthlib / oauth2 / rfc6749 / grant_types / client_credentials.py @ 564
History | View | Annotate | Download (4.62 KB)
1 |
# -*- coding: utf-8 -*-
|
---|---|
2 |
"""
|
3 |
oauthlib.oauth2.rfc6749.grant_types
|
4 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
5 |
"""
|
6 |
from __future__ import unicode_literals, absolute_import |
7 |
|
8 |
import json |
9 |
import logging |
10 |
|
11 |
from .base import GrantTypeBase |
12 |
from .. import errors
|
13 |
from ..request_validator import RequestValidator |
14 |
|
15 |
log = logging.getLogger(__name__) |
16 |
|
17 |
|
18 |
class ClientCredentialsGrant(GrantTypeBase): |
19 |
|
20 |
"""`Client Credentials Grant`_
|
21 |
|
22 |
The client can request an access token using only its client
|
23 |
credentials (or other supported means of authentication) when the
|
24 |
client is requesting access to the protected resources under its
|
25 |
control, or those of another resource owner that have been previously
|
26 |
arranged with the authorization server (the method of which is beyond
|
27 |
the scope of this specification).
|
28 |
|
29 |
The client credentials grant type MUST only be used by confidential
|
30 |
clients::
|
31 |
|
32 |
+---------+ +---------------+
|
33 |
: : : :
|
34 |
: :>-- A - Client Authentication --->: Authorization :
|
35 |
: Client : : Server :
|
36 |
: :<-- B ---- Access Token ---------<: :
|
37 |
: : : :
|
38 |
+---------+ +---------------+
|
39 |
|
40 |
Figure 6: Client Credentials Flow
|
41 |
|
42 |
The flow illustrated in Figure 6 includes the following steps:
|
43 |
|
44 |
(A) The client authenticates with the authorization server and
|
45 |
requests an access token from the token endpoint.
|
46 |
|
47 |
(B) The authorization server authenticates the client, and if valid,
|
48 |
issues an access token.
|
49 |
|
50 |
.. _`Client Credentials Grant`: http://tools.ietf.org/html/rfc6749#section-4.4
|
51 |
"""
|
52 |
|
53 |
def __init__(self, request_validator=None): |
54 |
self.request_validator = request_validator or RequestValidator() |
55 |
|
56 |
def create_token_response(self, request, token_handler): |
57 |
"""Return token or error in JSON format.
|
58 |
|
59 |
If the access token request is valid and authorized, the
|
60 |
authorization server issues an access token as described in
|
61 |
`Section 5.1`_. A refresh token SHOULD NOT be included. If the request
|
62 |
failed client authentication or is invalid, the authorization server
|
63 |
returns an error response as described in `Section 5.2`_.
|
64 |
|
65 |
.. _`Section 5.1`: http://tools.ietf.org/html/rfc6749#section-5.1
|
66 |
.. _`Section 5.2`: http://tools.ietf.org/html/rfc6749#section-5.2
|
67 |
"""
|
68 |
headers = { |
69 |
'Content-Type': 'application/json', |
70 |
'Cache-Control': 'no-store', |
71 |
'Pragma': 'no-cache', |
72 |
} |
73 |
try:
|
74 |
log.debug('Validating access token request, %r.', request)
|
75 |
self.validate_token_request(request)
|
76 |
except errors.OAuth2Error as e: |
77 |
log.debug('Client error in token request. %s.', e)
|
78 |
return headers, e.json, e.status_code
|
79 |
|
80 |
token = token_handler.create_token(request, refresh_token=False)
|
81 |
log.debug('Issuing token to client id %r (%r), %r.',
|
82 |
request.client_id, request.client, token) |
83 |
return headers, json.dumps(token), 200 |
84 |
|
85 |
def validate_token_request(self, request): |
86 |
if not getattr(request, 'grant_type', None): |
87 |
raise errors.InvalidRequestError('Request is missing grant type.', |
88 |
request=request) |
89 |
|
90 |
if not request.grant_type == 'client_credentials': |
91 |
raise errors.UnsupportedGrantTypeError(request=request)
|
92 |
|
93 |
for param in ('grant_type', 'scope'): |
94 |
if param in request.duplicate_params: |
95 |
raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, |
96 |
request=request) |
97 |
|
98 |
log.debug('Authenticating client, %r.', request)
|
99 |
if not self.request_validator.authenticate_client(request): |
100 |
log.debug('Client authentication failed, %r.', request)
|
101 |
raise errors.InvalidClientError(request=request)
|
102 |
else:
|
103 |
if not hasattr(request.client, 'client_id'): |
104 |
raise NotImplementedError('Authenticate client must set the ' |
105 |
'request.client.client_id attribute '
|
106 |
'in authenticate_client.')
|
107 |
# Ensure client is authorized use of this grant type
|
108 |
self.validate_grant_type(request)
|
109 |
|
110 |
log.debug('Authorizing access to user %r.', request.user)
|
111 |
request.client_id = request.client_id or request.client.client_id
|
112 |
self.validate_scopes(request)
|