gvsig-scripting / org.gvsig.scripting / trunk / org.gvsig.scripting / org.gvsig.scripting.app / org.gvsig.scripting.app.mainplugin / src / main / resources-plugin / scripting / lib / oauthlib / oauth2 / rfc6749 / grant_types / client_credentials.py @ 564
History | View | Annotate | Download (4.62 KB)
| 1 |
# -*- coding: utf-8 -*-
|
|---|---|
| 2 |
"""
|
| 3 |
oauthlib.oauth2.rfc6749.grant_types
|
| 4 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| 5 |
"""
|
| 6 |
from __future__ import unicode_literals, absolute_import |
| 7 |
|
| 8 |
import json |
| 9 |
import logging |
| 10 |
|
| 11 |
from .base import GrantTypeBase |
| 12 |
from .. import errors
|
| 13 |
from ..request_validator import RequestValidator |
| 14 |
|
| 15 |
log = logging.getLogger(__name__) |
| 16 |
|
| 17 |
|
| 18 |
class ClientCredentialsGrant(GrantTypeBase): |
| 19 |
|
| 20 |
"""`Client Credentials Grant`_
|
| 21 |
|
| 22 |
The client can request an access token using only its client
|
| 23 |
credentials (or other supported means of authentication) when the
|
| 24 |
client is requesting access to the protected resources under its
|
| 25 |
control, or those of another resource owner that have been previously
|
| 26 |
arranged with the authorization server (the method of which is beyond
|
| 27 |
the scope of this specification).
|
| 28 |
|
| 29 |
The client credentials grant type MUST only be used by confidential
|
| 30 |
clients::
|
| 31 |
|
| 32 |
+---------+ +---------------+
|
| 33 |
: : : :
|
| 34 |
: :>-- A - Client Authentication --->: Authorization :
|
| 35 |
: Client : : Server :
|
| 36 |
: :<-- B ---- Access Token ---------<: :
|
| 37 |
: : : :
|
| 38 |
+---------+ +---------------+
|
| 39 |
|
| 40 |
Figure 6: Client Credentials Flow
|
| 41 |
|
| 42 |
The flow illustrated in Figure 6 includes the following steps:
|
| 43 |
|
| 44 |
(A) The client authenticates with the authorization server and
|
| 45 |
requests an access token from the token endpoint.
|
| 46 |
|
| 47 |
(B) The authorization server authenticates the client, and if valid,
|
| 48 |
issues an access token.
|
| 49 |
|
| 50 |
.. _`Client Credentials Grant`: http://tools.ietf.org/html/rfc6749#section-4.4
|
| 51 |
"""
|
| 52 |
|
| 53 |
def __init__(self, request_validator=None): |
| 54 |
self.request_validator = request_validator or RequestValidator() |
| 55 |
|
| 56 |
def create_token_response(self, request, token_handler): |
| 57 |
"""Return token or error in JSON format.
|
| 58 |
|
| 59 |
If the access token request is valid and authorized, the
|
| 60 |
authorization server issues an access token as described in
|
| 61 |
`Section 5.1`_. A refresh token SHOULD NOT be included. If the request
|
| 62 |
failed client authentication or is invalid, the authorization server
|
| 63 |
returns an error response as described in `Section 5.2`_.
|
| 64 |
|
| 65 |
.. _`Section 5.1`: http://tools.ietf.org/html/rfc6749#section-5.1
|
| 66 |
.. _`Section 5.2`: http://tools.ietf.org/html/rfc6749#section-5.2
|
| 67 |
"""
|
| 68 |
headers = {
|
| 69 |
'Content-Type': 'application/json', |
| 70 |
'Cache-Control': 'no-store', |
| 71 |
'Pragma': 'no-cache', |
| 72 |
} |
| 73 |
try:
|
| 74 |
log.debug('Validating access token request, %r.', request)
|
| 75 |
self.validate_token_request(request)
|
| 76 |
except errors.OAuth2Error as e: |
| 77 |
log.debug('Client error in token request. %s.', e)
|
| 78 |
return headers, e.json, e.status_code
|
| 79 |
|
| 80 |
token = token_handler.create_token(request, refresh_token=False)
|
| 81 |
log.debug('Issuing token to client id %r (%r), %r.',
|
| 82 |
request.client_id, request.client, token) |
| 83 |
return headers, json.dumps(token), 200 |
| 84 |
|
| 85 |
def validate_token_request(self, request): |
| 86 |
if not getattr(request, 'grant_type', None): |
| 87 |
raise errors.InvalidRequestError('Request is missing grant type.', |
| 88 |
request=request) |
| 89 |
|
| 90 |
if not request.grant_type == 'client_credentials': |
| 91 |
raise errors.UnsupportedGrantTypeError(request=request)
|
| 92 |
|
| 93 |
for param in ('grant_type', 'scope'): |
| 94 |
if param in request.duplicate_params: |
| 95 |
raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, |
| 96 |
request=request) |
| 97 |
|
| 98 |
log.debug('Authenticating client, %r.', request)
|
| 99 |
if not self.request_validator.authenticate_client(request): |
| 100 |
log.debug('Client authentication failed, %r.', request)
|
| 101 |
raise errors.InvalidClientError(request=request)
|
| 102 |
else:
|
| 103 |
if not hasattr(request.client, 'client_id'): |
| 104 |
raise NotImplementedError('Authenticate client must set the ' |
| 105 |
'request.client.client_id attribute '
|
| 106 |
'in authenticate_client.')
|
| 107 |
# Ensure client is authorized use of this grant type
|
| 108 |
self.validate_grant_type(request)
|
| 109 |
|
| 110 |
log.debug('Authorizing access to user %r.', request.user)
|
| 111 |
request.client_id = request.client_id or request.client.client_id
|
| 112 |
self.validate_scopes(request)
|