gvsig-scripting / org.gvsig.scripting / trunk / org.gvsig.scripting / org.gvsig.scripting.app / org.gvsig.scripting.app.mainplugin / src / main / resources-plugin / scripting / lib / oauthlib / oauth2 / rfc6749 / grant_types / refresh_token.py @ 564
History | View | Annotate | Download (5.12 KB)
| 1 |
# -*- coding: utf-8 -*-
|
|---|---|
| 2 |
"""
|
| 3 |
oauthlib.oauth2.rfc6749.grant_types
|
| 4 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| 5 |
"""
|
| 6 |
from __future__ import unicode_literals, absolute_import |
| 7 |
|
| 8 |
import json |
| 9 |
import logging |
| 10 |
|
| 11 |
from .base import GrantTypeBase |
| 12 |
from .. import errors, utils
|
| 13 |
from ..request_validator import RequestValidator |
| 14 |
|
| 15 |
log = logging.getLogger(__name__) |
| 16 |
|
| 17 |
|
| 18 |
class RefreshTokenGrant(GrantTypeBase): |
| 19 |
|
| 20 |
"""`Refresh token grant`_
|
| 21 |
|
| 22 |
.. _`Refresh token grant`: http://tools.ietf.org/html/rfc6749#section-6
|
| 23 |
"""
|
| 24 |
|
| 25 |
@property
|
| 26 |
def issue_new_refresh_tokens(self): |
| 27 |
return True |
| 28 |
|
| 29 |
def __init__(self, request_validator=None, issue_new_refresh_tokens=True): |
| 30 |
self.request_validator = request_validator or RequestValidator() |
| 31 |
|
| 32 |
def create_token_response(self, request, token_handler): |
| 33 |
"""Create a new access token from a refresh_token.
|
| 34 |
|
| 35 |
If valid and authorized, the authorization server issues an access
|
| 36 |
token as described in `Section 5.1`_. If the request failed
|
| 37 |
verification or is invalid, the authorization server returns an error
|
| 38 |
response as described in `Section 5.2`_.
|
| 39 |
|
| 40 |
The authorization server MAY issue a new refresh token, in which case
|
| 41 |
the client MUST discard the old refresh token and replace it with the
|
| 42 |
new refresh token. The authorization server MAY revoke the old
|
| 43 |
refresh token after issuing a new refresh token to the client. If a
|
| 44 |
new refresh token is issued, the refresh token scope MUST be
|
| 45 |
identical to that of the refresh token included by the client in the
|
| 46 |
request.
|
| 47 |
|
| 48 |
.. _`Section 5.1`: http://tools.ietf.org/html/rfc6749#section-5.1
|
| 49 |
.. _`Section 5.2`: http://tools.ietf.org/html/rfc6749#section-5.2
|
| 50 |
"""
|
| 51 |
headers = {
|
| 52 |
'Content-Type': 'application/json', |
| 53 |
'Cache-Control': 'no-store', |
| 54 |
'Pragma': 'no-cache', |
| 55 |
} |
| 56 |
try:
|
| 57 |
log.debug('Validating refresh token request, %r.', request)
|
| 58 |
self.validate_token_request(request)
|
| 59 |
except errors.OAuth2Error as e: |
| 60 |
return headers, e.json, e.status_code
|
| 61 |
|
| 62 |
token = token_handler.create_token(request, |
| 63 |
refresh_token=self.issue_new_refresh_tokens)
|
| 64 |
log.debug('Issuing new token to client id %r (%r), %r.',
|
| 65 |
request.client_id, request.client, token) |
| 66 |
return headers, json.dumps(token), 200 |
| 67 |
|
| 68 |
def validate_token_request(self, request): |
| 69 |
# REQUIRED. Value MUST be set to "refresh_token".
|
| 70 |
if request.grant_type != 'refresh_token': |
| 71 |
raise errors.UnsupportedGrantTypeError(request=request)
|
| 72 |
|
| 73 |
if request.refresh_token is None: |
| 74 |
raise errors.InvalidRequestError(
|
| 75 |
description='Missing refresh token parameter.',
|
| 76 |
request=request) |
| 77 |
|
| 78 |
# Because refresh tokens are typically long-lasting credentials used to
|
| 79 |
# request additional access tokens, the refresh token is bound to the
|
| 80 |
# client to which it was issued. If the client type is confidential or
|
| 81 |
# the client was issued client credentials (or assigned other
|
| 82 |
# authentication requirements), the client MUST authenticate with the
|
| 83 |
# authorization server as described in Section 3.2.1.
|
| 84 |
# http://tools.ietf.org/html/rfc6749#section-3.2.1
|
| 85 |
if self.request_validator.client_authentication_required(request): |
| 86 |
log.debug('Authenticating client, %r.', request)
|
| 87 |
if not self.request_validator.authenticate_client(request): |
| 88 |
log.debug('Invalid client (%r), denying access.', request)
|
| 89 |
raise errors.InvalidClientError(request=request)
|
| 90 |
elif not self.request_validator.authenticate_client_id(request.client_id, request): |
| 91 |
log.debug('Client authentication failed, %r.', request)
|
| 92 |
raise errors.InvalidClientError(request=request)
|
| 93 |
|
| 94 |
# Ensure client is authorized use of this grant type
|
| 95 |
self.validate_grant_type(request)
|
| 96 |
|
| 97 |
# REQUIRED. The refresh token issued to the client.
|
| 98 |
log.debug('Validating refresh token %s for client %r.',
|
| 99 |
request.refresh_token, request.client) |
| 100 |
if not self.request_validator.validate_refresh_token( |
| 101 |
request.refresh_token, request.client, request): |
| 102 |
log.debug('Invalid refresh token, %s, for client %r.',
|
| 103 |
request.refresh_token, request.client) |
| 104 |
raise errors.InvalidGrantError(request=request)
|
| 105 |
|
| 106 |
original_scopes = utils.scope_to_list( |
| 107 |
self.request_validator.get_original_scopes(
|
| 108 |
request.refresh_token, request)) |
| 109 |
|
| 110 |
if request.scope:
|
| 111 |
request.scopes = utils.scope_to_list(request.scope) |
| 112 |
if (not all((s in original_scopes for s in request.scopes)) |
| 113 |
and not self.request_validator.is_within_original_scope( |
| 114 |
request.scopes, request.refresh_token, request)): |
| 115 |
log.debug('Refresh token %s lack requested scopes, %r.',
|
| 116 |
request.refresh_token, request.scopes) |
| 117 |
raise errors.InvalidScopeError(request=request)
|
| 118 |
else:
|
| 119 |
request.scopes = original_scopes |