mirror of
https://github.com/Tautulli/Tautulli.git
synced 2025-08-20 13:23:24 -07:00
Bump requests-oauthlib from 1.3.1 to 2.0.0 (#2293)
* Bump requests-oauthlib from 1.3.1 to 2.0.0 Bumps [requests-oauthlib](https://github.com/requests/requests-oauthlib) from 1.3.1 to 2.0.0. - [Release notes](https://github.com/requests/requests-oauthlib/releases) - [Changelog](https://github.com/requests/requests-oauthlib/blob/master/HISTORY.rst) - [Commits](https://github.com/requests/requests-oauthlib/compare/v1.3.1...v2.0.0) --- updated-dependencies: - dependency-name: requests-oauthlib dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Update requests-oauthlib==2.0.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com> [skip ci]
This commit is contained in:
dependabot[bot]
GitHub
parent
452a4afdcf
commit
0d1d2a3e6b
60 changed files with 2414 additions and 2291 deletions
|
|
@ -12,7 +12,7 @@ import logging
|
|||
from logging import NullHandler
|
||||
|
||||
__author__ = 'The OAuthlib Community'
|
||||
__version__ = '3.2.0'
|
||||
__version__ = '3.2.2'
|
||||
|
||||
logging.getLogger('oauthlib').addHandler(NullHandler())
|
||||
|
||||
|
|
|
|||
|
|
@ -18,11 +18,9 @@ from urllib.parse import (
|
|||
from . import get_debug
|
||||
|
||||
try:
|
||||
from secrets import randbits
|
||||
from secrets import SystemRandom
|
||||
from secrets import SystemRandom, randbits
|
||||
except ImportError:
|
||||
from random import getrandbits as randbits
|
||||
from random import SystemRandom
|
||||
from random import SystemRandom, getrandbits as randbits
|
||||
|
||||
UNICODE_ASCII_CHARACTER_SET = ('abcdefghijklmnopqrstuvwxyz'
|
||||
'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
|
||||
|
|
|
|||
|
|
@ -5,24 +5,19 @@ oauthlib.oauth1
|
|||
This module is a wrapper for the most recent implementation of OAuth 1.0 Client
|
||||
and Server classes.
|
||||
"""
|
||||
from .rfc5849 import Client
|
||||
from .rfc5849 import (SIGNATURE_HMAC,
|
||||
SIGNATURE_HMAC_SHA1,
|
||||
SIGNATURE_HMAC_SHA256,
|
||||
SIGNATURE_HMAC_SHA512,
|
||||
SIGNATURE_RSA,
|
||||
SIGNATURE_RSA_SHA1,
|
||||
SIGNATURE_RSA_SHA256,
|
||||
SIGNATURE_RSA_SHA512,
|
||||
SIGNATURE_PLAINTEXT)
|
||||
from .rfc5849 import SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_QUERY
|
||||
from .rfc5849 import SIGNATURE_TYPE_BODY
|
||||
from .rfc5849 import (
|
||||
SIGNATURE_HMAC, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256,
|
||||
SIGNATURE_HMAC_SHA512, SIGNATURE_PLAINTEXT, SIGNATURE_RSA,
|
||||
SIGNATURE_RSA_SHA1, SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512,
|
||||
SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY,
|
||||
Client,
|
||||
)
|
||||
from .rfc5849.endpoints import (
|
||||
AccessTokenEndpoint, AuthorizationEndpoint, RequestTokenEndpoint,
|
||||
ResourceEndpoint, SignatureOnlyEndpoint, WebApplicationServer,
|
||||
)
|
||||
from .rfc5849.errors import (
|
||||
InsecureTransportError, InvalidClientError, InvalidRequestError,
|
||||
InvalidSignatureMethodError, OAuth1Error,
|
||||
)
|
||||
from .rfc5849.request_validator import RequestValidator
|
||||
from .rfc5849.endpoints import RequestTokenEndpoint, AuthorizationEndpoint
|
||||
from .rfc5849.endpoints import AccessTokenEndpoint, ResourceEndpoint
|
||||
from .rfc5849.endpoints import SignatureOnlyEndpoint, WebApplicationServer
|
||||
from .rfc5849.errors import (InsecureTransportError,
|
||||
InvalidClientError,
|
||||
InvalidRequestError,
|
||||
InvalidSignatureMethodError,
|
||||
OAuth1Error)
|
||||
|
|
|
|||
|
|
@ -11,12 +11,11 @@ import time
|
|||
from oauthlib.common import CaseInsensitiveDict, Request, generate_token
|
||||
|
||||
from .. import (
|
||||
CONTENT_TYPE_FORM_URLENCODED,
|
||||
SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256, SIGNATURE_HMAC_SHA512,
|
||||
SIGNATURE_RSA_SHA1, SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512,
|
||||
SIGNATURE_PLAINTEXT,
|
||||
SIGNATURE_TYPE_AUTH_HEADER, SIGNATURE_TYPE_BODY,
|
||||
SIGNATURE_TYPE_QUERY, errors, signature, utils)
|
||||
CONTENT_TYPE_FORM_URLENCODED, SIGNATURE_HMAC_SHA1, SIGNATURE_HMAC_SHA256,
|
||||
SIGNATURE_HMAC_SHA512, SIGNATURE_PLAINTEXT, SIGNATURE_RSA_SHA1,
|
||||
SIGNATURE_RSA_SHA256, SIGNATURE_RSA_SHA512, SIGNATURE_TYPE_AUTH_HEADER,
|
||||
SIGNATURE_TYPE_BODY, SIGNATURE_TYPE_QUERY, errors, signature, utils,
|
||||
)
|
||||
|
||||
|
||||
class BaseEndpoint:
|
||||
|
|
|
|||
|
|
@ -152,7 +152,7 @@ class RequestTokenEndpoint(BaseEndpoint):
|
|||
request.client_key = self.request_validator.dummy_client
|
||||
|
||||
# Note that `realm`_ is only used in authorization headers and how
|
||||
# it should be interepreted is not included in the OAuth spec.
|
||||
# it should be interpreted is not included in the OAuth spec.
|
||||
# However they could be seen as a scope or realm to which the
|
||||
# client has access and as such every client should be checked
|
||||
# to ensure it is authorized access to that scope or realm.
|
||||
|
|
@ -164,7 +164,7 @@ class RequestTokenEndpoint(BaseEndpoint):
|
|||
# workflow where a client requests access to a specific realm.
|
||||
# This first step (obtaining request token) need not require a realm
|
||||
# and can then be identified by checking the require_resource_owner
|
||||
# flag and abscence of realm.
|
||||
# flag and absence of realm.
|
||||
#
|
||||
# Clients obtaining an access token will not supply a realm and it will
|
||||
# not be checked. Instead the previously requested realm should be
|
||||
|
|
|
|||
|
|
@ -113,7 +113,7 @@ class ResourceEndpoint(BaseEndpoint):
|
|||
request.resource_owner_key = self.request_validator.dummy_access_token
|
||||
|
||||
# Note that `realm`_ is only used in authorization headers and how
|
||||
# it should be interepreted is not included in the OAuth spec.
|
||||
# it should be interpreted is not included in the OAuth spec.
|
||||
# However they could be seen as a scope or realm to which the
|
||||
# client has access and as such every client should be checked
|
||||
# to ensure it is authorized access to that scope or realm.
|
||||
|
|
@ -125,7 +125,7 @@ class ResourceEndpoint(BaseEndpoint):
|
|||
# workflow where a client requests access to a specific realm.
|
||||
# This first step (obtaining request token) need not require a realm
|
||||
# and can then be identified by checking the require_resource_owner
|
||||
# flag and abscence of realm.
|
||||
# flag and absence of realm.
|
||||
#
|
||||
# Clients obtaining an access token will not supply a realm and it will
|
||||
# not be checked. Instead the previously requested realm should be
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ class RequestValidator:
|
|||
Methods used to check the format of input parameters. Common tests include
|
||||
length, character set, membership, range or pattern. These tests are
|
||||
referred to as `whitelisting or blacklisting`_. Whitelisting is better
|
||||
but blacklisting can be usefull to spot malicious activity.
|
||||
but blacklisting can be useful to spot malicious activity.
|
||||
The following have methods a default implementation:
|
||||
|
||||
- check_client_key
|
||||
|
|
@ -443,7 +443,7 @@ class RequestValidator:
|
|||
:type request: oauthlib.common.Request
|
||||
:returns: None
|
||||
|
||||
Per `Section 2.3`__ of the spec:
|
||||
Per `Section 2.3`_ of the spec:
|
||||
|
||||
"The server MUST (...) ensure that the temporary
|
||||
credentials have not expired or been used before."
|
||||
|
|
@ -831,7 +831,7 @@ class RequestValidator:
|
|||
"""Associate an authorization verifier with a request token.
|
||||
|
||||
:param token: A request token string.
|
||||
:param verifier A dictionary containing the oauth_verifier and
|
||||
:param verifier: A dictionary containing the oauth_verifier and
|
||||
oauth_token
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
|
|
|||
|
|
@ -37,15 +37,15 @@ should have no impact on properly behaving programs.
|
|||
import binascii
|
||||
import hashlib
|
||||
import hmac
|
||||
import ipaddress
|
||||
import logging
|
||||
import urllib.parse as urlparse
|
||||
import warnings
|
||||
|
||||
from oauthlib.common import extract_params, safe_string_equals, urldecode
|
||||
import urllib.parse as urlparse
|
||||
|
||||
from . import utils
|
||||
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
|
@ -131,7 +131,12 @@ def base_string_uri(uri: str, host: str = None) -> str:
|
|||
raise ValueError('uri must be a string.')
|
||||
|
||||
# FIXME: urlparse does not support unicode
|
||||
scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
|
||||
output = urlparse.urlparse(uri)
|
||||
scheme = output.scheme
|
||||
hostname = output.hostname
|
||||
port = output.port
|
||||
path = output.path
|
||||
params = output.params
|
||||
|
||||
# The scheme, authority, and path of the request resource URI `RFC3986`
|
||||
# are included by constructing an "http" or "https" URI representing
|
||||
|
|
@ -153,13 +158,22 @@ def base_string_uri(uri: str, host: str = None) -> str:
|
|||
|
||||
# 1. The scheme and host MUST be in lowercase.
|
||||
scheme = scheme.lower()
|
||||
netloc = netloc.lower()
|
||||
# Note: if ``host`` is used, it will be converted to lowercase below
|
||||
if hostname is not None:
|
||||
hostname = hostname.lower()
|
||||
|
||||
# 2. The host and port values MUST match the content of the HTTP
|
||||
# request "Host" header field.
|
||||
if host is not None:
|
||||
netloc = host.lower() # override value in uri with provided host
|
||||
# NOTE: override value in uri with provided host
|
||||
# Host argument is equal to netloc. It means it's missing scheme.
|
||||
# Add it back, before parsing.
|
||||
|
||||
host = host.lower()
|
||||
host = f"{scheme}://{host}"
|
||||
output = urlparse.urlparse(host)
|
||||
hostname = output.hostname
|
||||
port = output.port
|
||||
|
||||
# 3. The port MUST be included if it is not the default port for the
|
||||
# scheme, and MUST be excluded if it is the default. Specifically,
|
||||
|
|
@ -170,33 +184,28 @@ def base_string_uri(uri: str, host: str = None) -> str:
|
|||
# .. _`RFC2616`: https://tools.ietf.org/html/rfc2616
|
||||
# .. _`RFC2818`: https://tools.ietf.org/html/rfc2818
|
||||
|
||||
if ':' in netloc:
|
||||
# Contains a colon ":", so try to parse as "host:port"
|
||||
if hostname is None:
|
||||
raise ValueError('missing host')
|
||||
|
||||
hostname, port_str = netloc.split(':', 1)
|
||||
# NOTE: Try guessing if we're dealing with IP or hostname
|
||||
try:
|
||||
hostname = ipaddress.ip_address(hostname)
|
||||
except ValueError:
|
||||
pass
|
||||
|
||||
if len(hostname) == 0:
|
||||
raise ValueError('missing host') # error: netloc was ":port" or ":"
|
||||
if isinstance(hostname, ipaddress.IPv6Address):
|
||||
hostname = f"[{hostname}]"
|
||||
elif isinstance(hostname, ipaddress.IPv4Address):
|
||||
hostname = f"{hostname}"
|
||||
|
||||
if len(port_str) == 0:
|
||||
netloc = hostname # was "host:", so just use the host part
|
||||
else:
|
||||
try:
|
||||
port_num = int(port_str) # try to parse into an integer number
|
||||
except ValueError:
|
||||
raise ValueError('port is not an integer')
|
||||
|
||||
if port_num <= 0 or 65535 < port_num:
|
||||
raise ValueError('port out of range') # 16-bit unsigned ints
|
||||
if (scheme, port_num) in (('http', 80), ('https', 443)):
|
||||
netloc = hostname # default port for scheme: exclude port num
|
||||
else:
|
||||
netloc = hostname + ':' + str(port_num) # use hostname:port
|
||||
if port is not None and not (0 < port <= 65535):
|
||||
raise ValueError('port out of range') # 16-bit unsigned ints
|
||||
if (scheme, port) in (('http', 80), ('https', 443)):
|
||||
netloc = hostname # default port for scheme: exclude port num
|
||||
elif port:
|
||||
netloc = f"{hostname}:{port}" # use hostname:port
|
||||
else:
|
||||
# Does not contain a colon, so entire value must be the hostname
|
||||
|
||||
if len(netloc) == 0:
|
||||
raise ValueError('missing host') # error: netloc was empty string
|
||||
netloc = hostname
|
||||
|
||||
v = urlparse.urlunparse((scheme, netloc, path, params, '', ''))
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ class BackendApplicationClient(Client):
|
|||
format per `Appendix B`_ in the HTTP request entity-body:
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
into. This may contain extra parameters. Default ''.
|
||||
:param scope: The scope of the access request as described by
|
||||
`Section 3.3`_.
|
||||
|
||||
|
|
|
|||
|
|
@ -6,12 +6,12 @@ oauthlib.oauth2.rfc6749
|
|||
This module is an implementation of various logic needed
|
||||
for consuming OAuth 2.0 RFC6749.
|
||||
"""
|
||||
import base64
|
||||
import hashlib
|
||||
import re
|
||||
import secrets
|
||||
import time
|
||||
import warnings
|
||||
import secrets
|
||||
import re
|
||||
import hashlib
|
||||
import base64
|
||||
|
||||
from oauthlib.common import generate_token
|
||||
from oauthlib.oauth2.rfc6749 import tokens
|
||||
|
|
@ -228,26 +228,21 @@ class Client:
|
|||
required parameters to the authorization URL.
|
||||
|
||||
:param authorization_url: Provider authorization endpoint URL.
|
||||
|
||||
:param state: CSRF protection string. Will be automatically created if
|
||||
not provided. The generated state is available via the ``state``
|
||||
attribute. Clients should verify that the state is unchanged and
|
||||
present in the authorization response. This verification is done
|
||||
automatically if using the ``authorization_response`` parameter
|
||||
with ``prepare_token_request``.
|
||||
|
||||
not provided. The generated state is available via the ``state``
|
||||
attribute. Clients should verify that the state is unchanged and
|
||||
present in the authorization response. This verification is done
|
||||
automatically if using the ``authorization_response`` parameter
|
||||
with ``prepare_token_request``.
|
||||
:param redirect_url: Redirect URL to which the user will be returned
|
||||
after authorization. Must be provided unless previously setup with
|
||||
the provider. If provided then it must also be provided in the
|
||||
token request.
|
||||
|
||||
after authorization. Must be provided unless previously setup with
|
||||
the provider. If provided then it must also be provided in the
|
||||
token request.
|
||||
:param scope: List of scopes to request. Must be equal to
|
||||
or a subset of the scopes granted when obtaining the refresh
|
||||
token. If none is provided, the ones provided in the constructor are
|
||||
used.
|
||||
|
||||
or a subset of the scopes granted when obtaining the refresh
|
||||
token. If none is provided, the ones provided in the constructor are
|
||||
used.
|
||||
:param kwargs: Additional parameters to included in the request.
|
||||
|
||||
:returns: The prepared request tuple with (url, headers, body).
|
||||
"""
|
||||
if not is_secure_transport(authorization_url):
|
||||
|
|
@ -271,22 +266,16 @@ class Client:
|
|||
credentials.
|
||||
|
||||
:param token_url: Provider token creation endpoint URL.
|
||||
|
||||
:param authorization_response: The full redirection URL string, i.e.
|
||||
the location to which the user was redirected after successfull
|
||||
authorization. Used to mine credentials needed to obtain a token
|
||||
in this step, such as authorization code.
|
||||
|
||||
the location to which the user was redirected after successful
|
||||
authorization. Used to mine credentials needed to obtain a token
|
||||
in this step, such as authorization code.
|
||||
:param redirect_url: The redirect_url supplied with the authorization
|
||||
request (if there was one).
|
||||
|
||||
request (if there was one).
|
||||
:param state:
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
|
||||
into. This may contain extra parameters. Default ''.
|
||||
:param kwargs: Additional parameters to included in the request.
|
||||
|
||||
:returns: The prepared request tuple with (url, headers, body).
|
||||
"""
|
||||
if not is_secure_transport(token_url):
|
||||
|
|
@ -312,19 +301,14 @@ class Client:
|
|||
obtain a new access token, and possibly a new refresh token.
|
||||
|
||||
:param token_url: Provider token refresh endpoint URL.
|
||||
|
||||
:param refresh_token: Refresh token string.
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
|
||||
into. This may contain extra parameters. Default ''.
|
||||
:param scope: List of scopes to request. Must be equal to
|
||||
or a subset of the scopes granted when obtaining the refresh
|
||||
token. If none is provided, the ones provided in the constructor are
|
||||
used.
|
||||
|
||||
or a subset of the scopes granted when obtaining the refresh
|
||||
token. If none is provided, the ones provided in the constructor are
|
||||
used.
|
||||
:param kwargs: Additional parameters to included in the request.
|
||||
|
||||
:returns: The prepared request tuple with (url, headers, body).
|
||||
"""
|
||||
if not is_secure_transport(token_url):
|
||||
|
|
@ -341,20 +325,14 @@ class Client:
|
|||
"""Prepare a token revocation request.
|
||||
|
||||
:param revocation_url: Provider token revocation endpoint URL.
|
||||
|
||||
:param token: The access or refresh token to be revoked (string).
|
||||
|
||||
:param token_type_hint: ``"access_token"`` (default) or
|
||||
``"refresh_token"``. This is optional and if you wish to not pass it you
|
||||
must provide ``token_type_hint=None``.
|
||||
|
||||
``"refresh_token"``. This is optional and if you wish to not pass it you
|
||||
must provide ``token_type_hint=None``.
|
||||
:param body:
|
||||
|
||||
:param callback: A jsonp callback such as ``package.callback`` to be invoked
|
||||
upon receiving the response. Not that it should not include a () suffix.
|
||||
|
||||
upon receiving the response. Not that it should not include a () suffix.
|
||||
:param kwargs: Additional parameters to included in the request.
|
||||
|
||||
:returns: The prepared request tuple with (url, headers, body).
|
||||
|
||||
Note that JSONP request may use GET requests as the parameters will
|
||||
|
|
@ -362,7 +340,7 @@ class Client:
|
|||
|
||||
An example of a revocation request
|
||||
|
||||
.. code-block: http
|
||||
.. code-block:: http
|
||||
|
||||
POST /revoke HTTP/1.1
|
||||
Host: server.example.com
|
||||
|
|
@ -373,7 +351,7 @@ class Client:
|
|||
|
||||
An example of a jsonp revocation request
|
||||
|
||||
.. code-block: http
|
||||
.. code-block:: http
|
||||
|
||||
GET /revoke?token=agabcdefddddafdd&callback=package.myCallback HTTP/1.1
|
||||
Host: server.example.com
|
||||
|
|
@ -382,9 +360,9 @@ class Client:
|
|||
|
||||
and an error response
|
||||
|
||||
.. code-block: http
|
||||
.. code-block:: javascript
|
||||
|
||||
package.myCallback({"error":"unsupported_token_type"});
|
||||
package.myCallback({"error":"unsupported_token_type"});
|
||||
|
||||
Note that these requests usually require client credentials, client_id in
|
||||
the case for public clients and provider specific authentication
|
||||
|
|
@ -408,9 +386,10 @@ class Client:
|
|||
|
||||
:param body: The response body from the token request.
|
||||
:param scope: Scopes originally requested. If none is provided, the ones
|
||||
provided in the constructor are used.
|
||||
provided in the constructor are used.
|
||||
:return: Dictionary of token parameters.
|
||||
:raises: Warning if scope has changed. OAuth2Error if response is invalid.
|
||||
:raises: Warning if scope has changed. :py:class:`oauthlib.oauth2.errors.OAuth2Error`
|
||||
if response is invalid.
|
||||
|
||||
These response are json encoded and could easily be parsed without
|
||||
the assistance of OAuthLib. However, there are a few subtle issues
|
||||
|
|
@ -436,7 +415,7 @@ class Client:
|
|||
If omitted, the authorization server SHOULD provide the
|
||||
expiration time via other means or document the default value.
|
||||
|
||||
**scope**
|
||||
**scope**
|
||||
Providers may supply this in all responses but are required to only
|
||||
if it has changed since the authorization request.
|
||||
|
||||
|
|
@ -454,20 +433,16 @@ class Client:
|
|||
|
||||
If the authorization server issued a refresh token to the client, the
|
||||
client makes a refresh request to the token endpoint by adding the
|
||||
following parameters using the "application/x-www-form-urlencoded"
|
||||
following parameters using the `application/x-www-form-urlencoded`
|
||||
format in the HTTP request entity-body:
|
||||
|
||||
grant_type
|
||||
REQUIRED. Value MUST be set to "refresh_token".
|
||||
refresh_token
|
||||
REQUIRED. The refresh token issued to the client.
|
||||
scope
|
||||
OPTIONAL. The scope of the access request as described by
|
||||
Section 3.3. The requested scope MUST NOT include any scope
|
||||
not originally granted by the resource owner, and if omitted is
|
||||
treated as equal to the scope originally granted by the
|
||||
resource owner. Note that if none is provided, the ones provided
|
||||
in the constructor are used if any.
|
||||
:param refresh_token: REQUIRED. The refresh token issued to the client.
|
||||
:param scope: OPTIONAL. The scope of the access request as described by
|
||||
Section 3.3. The requested scope MUST NOT include any scope
|
||||
not originally granted by the resource owner, and if omitted is
|
||||
treated as equal to the scope originally granted by the
|
||||
resource owner. Note that if none is provided, the ones provided
|
||||
in the constructor are used if any.
|
||||
"""
|
||||
refresh_token = refresh_token or self.refresh_token
|
||||
scope = self.scope if scope is None else scope
|
||||
|
|
@ -492,18 +467,21 @@ class Client:
|
|||
|
||||
def create_code_verifier(self, length):
|
||||
"""Create PKCE **code_verifier** used in computing **code_challenge**.
|
||||
See `RFC7636 Section 4.1`_
|
||||
|
||||
:param length: REQUIRED. The length of the code_verifier.
|
||||
:param length: REQUIRED. The length of the code_verifier.
|
||||
|
||||
The client first creates a code verifier, "code_verifier", for each
|
||||
OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
|
||||
The client first creates a code verifier, "code_verifier", for each
|
||||
OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
|
||||
|
||||
code_verifier = high-entropy cryptographic random STRING using the
|
||||
unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
|
||||
from Section 2.3 of [RFC3986], with a minimum length of 43 characters
|
||||
and a maximum length of 128 characters.
|
||||
|
||||
.. _`Section 4.1`: https://tools.ietf.org/html/rfc7636#section-4.1
|
||||
.. code-block:: text
|
||||
|
||||
code_verifier = high-entropy cryptographic random STRING using the
|
||||
unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
|
||||
from Section 2.3 of [RFC3986], with a minimum length of 43 characters
|
||||
and a maximum length of 128 characters.
|
||||
|
||||
.. _`RFC7636 Section 4.1`: https://tools.ietf.org/html/rfc7636#section-4.1
|
||||
"""
|
||||
code_verifier = None
|
||||
|
||||
|
|
@ -525,33 +503,30 @@ class Client:
|
|||
|
||||
def create_code_challenge(self, code_verifier, code_challenge_method=None):
|
||||
"""Create PKCE **code_challenge** derived from the **code_verifier**.
|
||||
See `RFC7636 Section 4.2`_
|
||||
|
||||
:param code_verifier: REQUIRED. The **code_verifier** generated from create_code_verifier().
|
||||
:param code_challenge_method: OPTIONAL. The method used to derive the **code_challenge**. Acceptable
|
||||
values include "S256". DEFAULT is "plain".
|
||||
:param code_verifier: REQUIRED. The **code_verifier** generated from `create_code_verifier()`.
|
||||
:param code_challenge_method: OPTIONAL. The method used to derive the **code_challenge**. Acceptable values include `S256`. DEFAULT is `plain`.
|
||||
|
||||
|
||||
The client then creates a code challenge derived from the code
|
||||
The client then creates a code challenge derived from the code
|
||||
verifier by using one of the following transformations on the code
|
||||
verifier:
|
||||
verifier::
|
||||
|
||||
plain
|
||||
code_challenge = code_verifier
|
||||
plain
|
||||
code_challenge = code_verifier
|
||||
S256
|
||||
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
|
||||
|
||||
S256
|
||||
code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
|
||||
|
||||
If the client is capable of using "S256", it MUST use "S256", as
|
||||
"S256" is Mandatory To Implement (MTI) on the server. Clients are
|
||||
permitted to use "plain" only if they cannot support "S256" for some
|
||||
If the client is capable of using `S256`, it MUST use `S256`, as
|
||||
`S256` is Mandatory To Implement (MTI) on the server. Clients are
|
||||
permitted to use `plain` only if they cannot support `S256` for some
|
||||
technical reason and know via out-of-band configuration that the
|
||||
server supports "plain".
|
||||
server supports `plain`.
|
||||
|
||||
The plain transformation is for compatibility with existing
|
||||
deployments and for constrained environments that can't use the S256
|
||||
transformation.
|
||||
deployments and for constrained environments that can't use the S256 transformation.
|
||||
|
||||
.. _`Section 4.2`: https://tools.ietf.org/html/rfc7636#section-4.2
|
||||
.. _`RFC7636 Section 4.2`: https://tools.ietf.org/html/rfc7636#section-4.2
|
||||
"""
|
||||
code_challenge = None
|
||||
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ class LegacyApplicationClient(Client):
|
|||
:param username: The resource owner username.
|
||||
:param password: The resource owner password.
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
into. This may contain extra parameters. Default ''.
|
||||
:param scope: The scope of the access request as described by
|
||||
`Section 3.3`_.
|
||||
:param include_client_id: `True` to send the `client_id` in the
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ class MobileApplicationClient(Client):
|
|||
using the "application/x-www-form-urlencoded" format, per `Appendix B`_:
|
||||
|
||||
:param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI
|
||||
and it should have been registerd with the OAuth
|
||||
and it should have been registered with the OAuth
|
||||
provider prior to use. As described in `Section 3.1.2`_.
|
||||
|
||||
:param scope: OPTIONAL. The scope of the access request as described by
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ class ServiceApplicationClient(Client):
|
|||
|
||||
def __init__(self, client_id, private_key=None, subject=None, issuer=None,
|
||||
audience=None, **kwargs):
|
||||
"""Initalize a JWT client with defaults for implicit use later.
|
||||
"""Initialize a JWT client with defaults for implicit use later.
|
||||
|
||||
:param client_id: Client identifier given by the OAuth provider upon
|
||||
registration.
|
||||
|
|
@ -99,7 +99,7 @@ class ServiceApplicationClient(Client):
|
|||
:param extra_claims: A dict of additional claims to include in the JWT.
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
into. This may contain extra parameters. Default ''.
|
||||
|
||||
:param scope: The scope of the access request.
|
||||
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ class WebApplicationClient(Client):
|
|||
using the "application/x-www-form-urlencoded" format, per `Appendix B`_:
|
||||
|
||||
:param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI
|
||||
and it should have been registerd with the OAuth
|
||||
and it should have been registered with the OAuth
|
||||
provider prior to use. As described in `Section 3.1.2`_.
|
||||
|
||||
:param scope: OPTIONAL. The scope of the access request as described by
|
||||
|
|
@ -117,7 +117,7 @@ class WebApplicationClient(Client):
|
|||
values MUST be identical.
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
into. This may contain extra parameters. Default ''.
|
||||
|
||||
:param include_client_id: `True` (default) to send the `client_id` in the
|
||||
body of the upstream request. This is required
|
||||
|
|
|
|||
|
|
@ -86,9 +86,9 @@ class IntrospectEndpoint(BaseEndpoint):
|
|||
an HTTP POST request with parameters sent as
|
||||
"application/x-www-form-urlencoded".
|
||||
|
||||
token REQUIRED. The string value of the token.
|
||||
* token REQUIRED. The string value of the token.
|
||||
* token_type_hint OPTIONAL.
|
||||
|
||||
token_type_hint OPTIONAL.
|
||||
A hint about the type of the token submitted for
|
||||
introspection. The protected resource MAY pass this parameter to
|
||||
help the authorization server optimize the token lookup. If the
|
||||
|
|
@ -96,11 +96,9 @@ class IntrospectEndpoint(BaseEndpoint):
|
|||
extend its search across all of its supported token types. An
|
||||
authorization server MAY ignore this parameter, particularly if it
|
||||
is able to detect the token type automatically.
|
||||
* access_token: An Access Token as defined in [`RFC6749`],
|
||||
`section 1.4`_
|
||||
|
||||
* refresh_token: A Refresh Token as defined in [`RFC6749`],
|
||||
`section 1.5`_
|
||||
* access_token: An Access Token as defined in [`RFC6749`], `section 1.4`_
|
||||
* refresh_token: A Refresh Token as defined in [`RFC6749`], `section 1.5`_
|
||||
|
||||
The introspection endpoint MAY accept other OPTIONAL
|
||||
parameters to provide further context to the query. For
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import copy
|
|||
import json
|
||||
import logging
|
||||
|
||||
from .. import grant_types
|
||||
from .. import grant_types, utils
|
||||
from .authorization import AuthorizationEndpoint
|
||||
from .base import BaseEndpoint, catch_errors_and_unavailability
|
||||
from .introspect import IntrospectEndpoint
|
||||
|
|
@ -68,7 +68,7 @@ class MetadataEndpoint(BaseEndpoint):
|
|||
raise ValueError("key {} is a mandatory metadata.".format(key))
|
||||
|
||||
elif is_issuer:
|
||||
if not array[key].startswith("https"):
|
||||
if not utils.is_secure_transport(array[key]):
|
||||
raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key]))
|
||||
if "?" in array[key] or "&" in array[key] or "#" in array[key]:
|
||||
raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key]))
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ class RevocationEndpoint(BaseEndpoint):
|
|||
|
||||
|
||||
The authorization server responds with HTTP status code 200 if the
|
||||
token has been revoked sucessfully or if the client submitted an
|
||||
token has been revoked successfully or if the client submitted an
|
||||
invalid token.
|
||||
|
||||
Note: invalid tokens do not cause an error response since the client
|
||||
|
|
@ -95,7 +95,7 @@ class RevocationEndpoint(BaseEndpoint):
|
|||
submitted for revocation. Clients MAY pass this parameter in order to
|
||||
help the authorization server to optimize the token lookup. If the
|
||||
server is unable to locate the token using the given hint, it MUST
|
||||
extend its search accross all of its supported token types. An
|
||||
extend its search across all of its supported token types. An
|
||||
authorization server MAY ignore this parameter, particularly if it is
|
||||
able to detect the token type automatically. This specification
|
||||
defines two such values:
|
||||
|
|
|
|||
|
|
@ -10,7 +10,6 @@ import logging
|
|||
from oauthlib import common
|
||||
|
||||
from .. import errors
|
||||
from ..utils import is_secure_transport
|
||||
from .base import GrantTypeBase
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
|
@ -547,20 +546,3 @@ class AuthorizationCodeGrant(GrantTypeBase):
|
|||
if challenge_method in self._code_challenge_methods:
|
||||
return self._code_challenge_methods[challenge_method](verifier, challenge)
|
||||
raise NotImplementedError('Unknown challenge_method %s' % challenge_method)
|
||||
|
||||
def _create_cors_headers(self, request):
|
||||
"""If CORS is allowed, create the appropriate headers."""
|
||||
if 'origin' not in request.headers:
|
||||
return {}
|
||||
|
||||
origin = request.headers['origin']
|
||||
if not is_secure_transport(origin):
|
||||
log.debug('Origin "%s" is not HTTPS, CORS not allowed.', origin)
|
||||
return {}
|
||||
elif not self.request_validator.is_origin_allowed(
|
||||
request.client_id, origin, request):
|
||||
log.debug('Invalid origin "%s", CORS not allowed.', origin)
|
||||
return {}
|
||||
else:
|
||||
log.debug('Valid origin "%s", injecting CORS headers.', origin)
|
||||
return {'Access-Control-Allow-Origin': origin}
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ from oauthlib.oauth2.rfc6749 import errors, utils
|
|||
from oauthlib.uri_validate import is_absolute_uri
|
||||
|
||||
from ..request_validator import RequestValidator
|
||||
from ..utils import is_secure_transport
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
|
@ -248,3 +249,20 @@ class GrantTypeBase:
|
|||
raise errors.MissingRedirectURIError(request=request)
|
||||
if not is_absolute_uri(request.redirect_uri):
|
||||
raise errors.InvalidRedirectURIError(request=request)
|
||||
|
||||
def _create_cors_headers(self, request):
|
||||
"""If CORS is allowed, create the appropriate headers."""
|
||||
if 'origin' not in request.headers:
|
||||
return {}
|
||||
|
||||
origin = request.headers['origin']
|
||||
if not is_secure_transport(origin):
|
||||
log.debug('Origin "%s" is not HTTPS, CORS not allowed.', origin)
|
||||
return {}
|
||||
elif not self.request_validator.is_origin_allowed(
|
||||
request.client_id, origin, request):
|
||||
log.debug('Invalid origin "%s", CORS not allowed.', origin)
|
||||
return {}
|
||||
else:
|
||||
log.debug('Valid origin "%s", injecting CORS headers.', origin)
|
||||
return {'Access-Control-Allow-Origin': origin}
|
||||
|
|
|
|||
|
|
@ -69,6 +69,7 @@ class RefreshTokenGrant(GrantTypeBase):
|
|||
|
||||
log.debug('Issuing new token to client id %r (%r), %r.',
|
||||
request.client_id, request.client, token)
|
||||
headers.update(self._create_cors_headers(request))
|
||||
return headers, json.dumps(token), 200
|
||||
|
||||
def validate_token_request(self, request):
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None,
|
|||
back to the client. The parameter SHOULD be used for
|
||||
preventing cross-site request forgery as described in
|
||||
`Section 10.12`_.
|
||||
:param code_challenge: PKCE paramater. A challenge derived from the
|
||||
:param code_challenge: PKCE parameter. A challenge derived from the
|
||||
code_verifier that is sent in the authorization
|
||||
request, to be verified against later.
|
||||
:param code_challenge_method: PKCE parameter. A method that was used to derive the
|
||||
|
|
|
|||
|
|
@ -191,6 +191,7 @@ class RequestValidator:
|
|||
claims associated, or `None` in case the token is unknown.
|
||||
|
||||
Below the list of registered claims you should be interested in:
|
||||
|
||||
- scope : space-separated list of scopes
|
||||
- client_id : client identifier
|
||||
- username : human-readable identifier for the resource owner
|
||||
|
|
@ -204,10 +205,10 @@ class RequestValidator:
|
|||
- jti : string identifier for the token
|
||||
|
||||
Note that most of them are coming directly from JWT RFC. More details
|
||||
can be found in `Introspect Claims`_ or `_JWT Claims`_.
|
||||
can be found in `Introspect Claims`_ or `JWT Claims`_.
|
||||
|
||||
The implementation can use *token_type_hint* to improve lookup
|
||||
efficency, but must fallback to other types to be compliant with RFC.
|
||||
efficiency, but must fallback to other types to be compliant with RFC.
|
||||
|
||||
The dict of claims is added to request.token after this method.
|
||||
|
||||
|
|
@ -443,6 +444,7 @@ class RequestValidator:
|
|||
- request.user
|
||||
- request.scopes
|
||||
- request.claims (if given)
|
||||
|
||||
OBS! The request.user attribute should be set to the resource owner
|
||||
associated with this authorization code. Similarly request.scopes
|
||||
must also be set.
|
||||
|
|
@ -451,6 +453,7 @@ class RequestValidator:
|
|||
|
||||
If PKCE is enabled (see 'is_pkce_required' and 'save_authorization_code')
|
||||
you MUST set the following based on the information stored:
|
||||
|
||||
- request.code_challenge
|
||||
- request.code_challenge_method
|
||||
|
||||
|
|
@ -561,7 +564,7 @@ class RequestValidator:
|
|||
OBS! The validation should also set the user attribute of the request
|
||||
to a valid resource owner, i.e. request.user = username or similar. If
|
||||
not set you will be unable to associate a token with a user in the
|
||||
persistance method used (commonly, save_bearer_token).
|
||||
persistence method used (commonly, save_bearer_token).
|
||||
|
||||
:param username: Unicode username.
|
||||
:param password: Unicode password.
|
||||
|
|
@ -671,6 +674,7 @@ class RequestValidator:
|
|||
|
||||
Method is used by:
|
||||
- Authorization Code Grant
|
||||
- Refresh Token Grant
|
||||
|
||||
"""
|
||||
return False
|
||||
|
|
|
|||
|
|
@ -257,6 +257,7 @@ def get_token_from_header(request):
|
|||
|
||||
|
||||
class TokenBase:
|
||||
__slots__ = ()
|
||||
|
||||
def __call__(self, request, refresh_token=False):
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
|
|
|||
|
|
@ -5,12 +5,11 @@ oauthlib.oauth2.rfc8628
|
|||
This module is an implementation of various logic needed
|
||||
for consuming and providing OAuth 2.0 Device Authorization RFC8628.
|
||||
"""
|
||||
|
||||
from oauthlib.common import add_params_to_uri
|
||||
from oauthlib.oauth2 import BackendApplicationClient, Client
|
||||
from oauthlib.oauth2.rfc6749.errors import InsecureTransportError
|
||||
from oauthlib.oauth2.rfc6749.parameters import prepare_token_request
|
||||
from oauthlib.oauth2.rfc6749.utils import is_secure_transport, list_to_scope
|
||||
from oauthlib.common import add_params_to_uri
|
||||
|
||||
|
||||
class DeviceClient(Client):
|
||||
|
|
@ -62,7 +61,7 @@ class DeviceClient(Client):
|
|||
body.
|
||||
|
||||
:param body: Existing request body (URL encoded string) to embed parameters
|
||||
into. This may contain extra paramters. Default ''.
|
||||
into. This may contain extra parameters. Default ''.
|
||||
:param scope: The scope of the access request as described by
|
||||
`Section 3.3`_.
|
||||
|
||||
|
|
@ -84,6 +83,8 @@ class DeviceClient(Client):
|
|||
>>> client.prepare_request_body(scope=['hello', 'world'])
|
||||
'grant_type=urn:ietf:params:oauth:grant-type:device_code&scope=hello+world'
|
||||
|
||||
.. _`Section 3.2.1`: https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1
|
||||
.. _`Section 3.3`: https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
|
||||
.. _`Section 3.4`: https://datatracker.ietf.org/doc/html/rfc8628#section-3.4
|
||||
"""
|
||||
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ class UserInfoEndpoint(BaseEndpoint):
|
|||
5.3.1. UserInfo Request
|
||||
The Client sends the UserInfo Request using either HTTP GET or HTTP
|
||||
POST. The Access Token obtained from an OpenID Connect Authentication
|
||||
Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0
|
||||
Request MUST be sent as a Bearer Token, per `Section 2`_ of OAuth 2.0
|
||||
Bearer Token Usage [RFC6750].
|
||||
|
||||
It is RECOMMENDED that the request use the HTTP GET method and the
|
||||
|
|
@ -77,21 +77,28 @@ class UserInfoEndpoint(BaseEndpoint):
|
|||
|
||||
The following is a non-normative example of a UserInfo Request:
|
||||
|
||||
GET /userinfo HTTP/1.1
|
||||
Host: server.example.com
|
||||
Authorization: Bearer SlAV32hkKG
|
||||
.. code-block:: http
|
||||
|
||||
GET /userinfo HTTP/1.1
|
||||
Host: server.example.com
|
||||
Authorization: Bearer SlAV32hkKG
|
||||
|
||||
5.3.3. UserInfo Error Response
|
||||
When an error condition occurs, the UserInfo Endpoint returns an Error
|
||||
Response as defined in Section 3 of OAuth 2.0 Bearer Token Usage
|
||||
Response as defined in `Section 3`_ of OAuth 2.0 Bearer Token Usage
|
||||
[RFC6750]. (HTTP errors unrelated to RFC 6750 are returned to the User
|
||||
Agent using the appropriate HTTP status code.)
|
||||
|
||||
The following is a non-normative example of a UserInfo Error Response:
|
||||
|
||||
HTTP/1.1 401 Unauthorized
|
||||
WWW-Authenticate: Bearer error="invalid_token",
|
||||
.. code-block:: http
|
||||
|
||||
HTTP/1.1 401 Unauthorized
|
||||
WWW-Authenticate: Bearer error="invalid_token",
|
||||
error_description="The Access Token expired"
|
||||
|
||||
.. _`Section 2`: https://datatracker.ietf.org/doc/html/rfc6750#section-2
|
||||
.. _`Section 3`: https://datatracker.ietf.org/doc/html/rfc6750#section-3
|
||||
"""
|
||||
if not self.bearer.validate_request(request):
|
||||
raise errors.InvalidTokenError()
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ from oauthlib.oauth2.rfc6749.errors import (
|
|||
ConsentRequired, InvalidRequestError, LoginRequired,
|
||||
)
|
||||
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ class AuthorizationTokenGrantDispatcher(Dispatcher):
|
|||
code = parameters.get('code', None)
|
||||
redirect_uri = parameters.get('redirect_uri', None)
|
||||
|
||||
# If code is not pressent fallback to `default_grant` which will
|
||||
# If code is not present fallback to `default_grant` which will
|
||||
# raise an error for the missing `code` in `create_token_response` step.
|
||||
if code:
|
||||
scopes = self.request_validator.get_authorization_code_scopes(client_id, code, redirect_uri, request)
|
||||
|
|
|
|||
|
|
@ -4,7 +4,9 @@ authlib.openid.connect.core.tokens
|
|||
|
||||
This module contains methods for adding JWT tokens to requests.
|
||||
"""
|
||||
from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator, get_token_from_header
|
||||
from oauthlib.oauth2.rfc6749.tokens import (
|
||||
TokenBase, get_token_from_header, random_token_generator,
|
||||
)
|
||||
|
||||
|
||||
class JWTToken(TokenBase):
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ IPv4address = r"%(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s \. %(dec_octet)s
|
|||
)
|
||||
|
||||
# IPv6address
|
||||
IPv6address = r"([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+"
|
||||
IPv6address = r"([A-Fa-f0-9:]+[:$])[A-Fa-f0-9]{1,4}"
|
||||
|
||||
# IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
|
||||
IPvFuture = r"v %(HEXDIG)s+ \. (?: %(unreserved)s | %(sub_delims)s | : )+" % locals()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue