Update oauthlib-3.1.1

2025-07-07 05:31:15 -07:00 · 2021-10-14 22:34:45 -07:00 · 2021-10-14 22:34:45 -07:00 · d76838a607
commit d76838a607
parent e58aa40099
64 changed files with 4329 additions and 1421 deletions
--- a/lib/oauthlib/oauth2/rfc6749/endpoints/token.py
+++ b/lib/oauthlib/oauth2/rfc6749/endpoints/token.py
@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 """
 oauthlib.oauth2.rfc6749
 ~~~~~~~~~~~~~~~~~~~~~~~
@ -6,15 +5,13 @@ oauthlib.oauth2.rfc6749
 This module is an implementation of various logic needed
 for consuming and providing OAuth 2.0 RFC6749.
 """
-from __future__ import absolute_import, unicode_literals
-
 import logging

 from oauthlib.common import Request
+from oauthlib.oauth2.rfc6749 import utils

 from .base import BaseEndpoint, catch_errors_and_unavailability

-
 log = logging.getLogger(__name__)


@ -39,7 +36,6 @@ class TokenEndpoint(BaseEndpoint):
        https://example.com/path?query=component             # OK
        https://example.com/path?query=component#fragment    # Not OK

-    Since requests to the authorization endpoint result in user
    Since requests to the token endpoint result in the transmission of
    clear-text credentials (in the HTTP request and response), the
    authorization server MUST require the use of TLS as described in
@ -59,9 +55,11 @@ class TokenEndpoint(BaseEndpoint):

        # Delegated to each grant type.

-    .. _`Appendix B`: http://tools.ietf.org/html/rfc6749#appendix-B
+    .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B
    """

+    valid_request_methods = ('POST',)
+
    def __init__(self, default_grant_type, default_token_type, grant_types):
        BaseEndpoint.__init__(self)
        self._grant_types = grant_types
@ -85,16 +83,37 @@ class TokenEndpoint(BaseEndpoint):
        return self._default_token_type

    @catch_errors_and_unavailability
-    def create_token_response(self, uri, http_method='GET', body=None,
-                              headers=None, credentials=None):
+    def create_token_response(self, uri, http_method='POST', body=None,
+                              headers=None, credentials=None, grant_type_for_scope=None,
+                              claims=None):
        """Extract grant_type and route to the designated handler."""
        request = Request(
            uri, http_method=http_method, body=body, headers=headers)
-        request.scopes = None
+        self.validate_token_request(request)
+        # 'scope' is an allowed Token Request param in both the "Resource Owner Password Credentials Grant"
+        # and "Client Credentials Grant" flows
+        # https://tools.ietf.org/html/rfc6749#section-4.3.2
+        # https://tools.ietf.org/html/rfc6749#section-4.4.2
+        request.scopes = utils.scope_to_list(request.scope)
+
        request.extra_credentials = credentials
+        if grant_type_for_scope:
+            request.grant_type = grant_type_for_scope
+
+        # OpenID Connect claims, if provided.  The server using oauthlib might choose
+        # to implement the claims parameter of the Authorization Request.  In this case
+        # it should retrieve those claims and pass them via the claims argument here,
+        # as a dict.
+        if claims:
+            request.claims = claims
+
        grant_type_handler = self.grant_types.get(request.grant_type,
                                                  self.default_grant_type_handler)
        log.debug('Dispatching grant_type %s request to %r.',
                  request.grant_type, grant_type_handler)
        return grant_type_handler.create_token_response(
            request, self.default_token_type)
+
+    def validate_token_request(self, request):
+        self._raise_on_bad_method(request)
+        self._raise_on_bad_post_request(request)