mirror of
https://github.com/Tautulli/Tautulli.git
synced 2025-07-07 05:31:15 -07:00
Update oauthlib-3.1.1
This commit is contained in:
parent
e58aa40099
commit
d76838a607
64 changed files with 4329 additions and 1421 deletions
|
@ -1,16 +1,13 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
"""
|
||||
oauthlib.oauth2.rfc6749.grant_types
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
oauthlib.oauth2.rfc6749.request_validator
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
"""
|
||||
from __future__ import unicode_literals, absolute_import
|
||||
|
||||
import logging
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class RequestValidator(object):
|
||||
class RequestValidator:
|
||||
|
||||
def client_authentication_required(self, request, *args, **kwargs):
|
||||
"""Determine if client authentication is required for current request.
|
||||
|
@ -26,7 +23,8 @@ class RequestValidator(object):
|
|||
client credentials or whenever Client provided client authentication, see
|
||||
`Section 6`_
|
||||
|
||||
:param request: oauthlib.common.Request
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -34,9 +32,9 @@ class RequestValidator(object):
|
|||
- Resource Owner Password Credentials Grant
|
||||
- Refresh Token Grant
|
||||
|
||||
.. _`Section 4.3.2`: http://tools.ietf.org/html/rfc6749#section-4.3.2
|
||||
.. _`Section 4.1.3`: http://tools.ietf.org/html/rfc6749#section-4.1.3
|
||||
.. _`Section 6`: http://tools.ietf.org/html/rfc6749#section-6
|
||||
.. _`Section 4.3.2`: https://tools.ietf.org/html/rfc6749#section-4.3.2
|
||||
.. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3
|
||||
.. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6
|
||||
"""
|
||||
return True
|
||||
|
||||
|
@ -50,8 +48,20 @@ class RequestValidator(object):
|
|||
Headers may be accesses through request.headers and parameters found in
|
||||
both body and query can be obtained by direct attribute access, i.e.
|
||||
request.client_id for client_id in the URL query.
|
||||
|
||||
The authentication process is required to contain the identification of
|
||||
the client (i.e. search the database based on the client_id). In case the
|
||||
client doesn't exist based on the received client_id, this method has to
|
||||
return False and the HTTP response created by the library will contain
|
||||
'invalid_client' message.
|
||||
|
||||
:param request: oauthlib.common.Request
|
||||
After the client identification succeeds, this method needs to set the
|
||||
client on the request, i.e. request.client = client. A client object's
|
||||
class must contain the 'client_id' attribute and the 'client_id' must have
|
||||
a value.
|
||||
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -60,7 +70,7 @@ class RequestValidator(object):
|
|||
- Client Credentials Grant
|
||||
- Refresh Token Grant
|
||||
|
||||
.. _`HTTP Basic Authentication Scheme`: http://tools.ietf.org/html/rfc1945#section-11.1
|
||||
.. _`HTTP Basic Authentication Scheme`: https://tools.ietf.org/html/rfc1945#section-11.1
|
||||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
||||
|
@ -74,7 +84,9 @@ class RequestValidator(object):
|
|||
to set request.client to the client object associated with the
|
||||
given client_id.
|
||||
|
||||
:param request: oauthlib.common.Request
|
||||
:param client_id: Unicode client identifier.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -82,7 +94,7 @@ class RequestValidator(object):
|
|||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
||||
def confirm_redirect_uri(self, client_id, code, redirect_uri, client,
|
||||
def confirm_redirect_uri(self, client_id, code, redirect_uri, client, request,
|
||||
*args, **kwargs):
|
||||
"""Ensure that the authorization process represented by this authorization
|
||||
code began with this 'redirect_uri'.
|
||||
|
@ -93,11 +105,12 @@ class RequestValidator(object):
|
|||
the client's allowed redirect URIs, but against the URI used when the
|
||||
code was saved.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param client_id: Unicode client identifier.
|
||||
:param code: Unicode authorization_code.
|
||||
:param redirect_uri: Unicode absolute URI
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param redirect_uri: Unicode absolute URI.
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -108,8 +121,9 @@ class RequestValidator(object):
|
|||
def get_default_redirect_uri(self, client_id, request, *args, **kwargs):
|
||||
"""Get the default redirect URI for the client.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client_id: Unicode client identifier.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: The default redirect URI for the client
|
||||
|
||||
Method is used by:
|
||||
|
@ -121,8 +135,9 @@ class RequestValidator(object):
|
|||
def get_default_scopes(self, client_id, request, *args, **kwargs):
|
||||
"""Get the default scopes for the client.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client_id: Unicode client identifier.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: List of default scopes
|
||||
|
||||
Method is used by all core grant types:
|
||||
|
@ -136,8 +151,9 @@ class RequestValidator(object):
|
|||
def get_original_scopes(self, refresh_token, request, *args, **kwargs):
|
||||
"""Get the list of scopes associated with the refresh token.
|
||||
|
||||
:param refresh_token: Unicode refresh token
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param refresh_token: Unicode refresh token.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: List of scopes.
|
||||
|
||||
Method is used by:
|
||||
|
@ -156,9 +172,10 @@ class RequestValidator(object):
|
|||
used in situations where returning all valid scopes from the
|
||||
get_original_scopes is not practical.
|
||||
|
||||
:param request_scopes: A list of scopes that were requested by client
|
||||
:param refresh_token: Unicode refresh_token
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request_scopes: A list of scopes that were requested by client.
|
||||
:param refresh_token: Unicode refresh_token.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -166,12 +183,54 @@ class RequestValidator(object):
|
|||
"""
|
||||
return False
|
||||
|
||||
def introspect_token(self, token, token_type_hint, request, *args, **kwargs):
|
||||
"""Introspect an access or refresh token.
|
||||
|
||||
Called once the introspect request is validated. This method should
|
||||
verify the *token* and either return a dictionary with the list of
|
||||
claims associated, or `None` in case the token is unknown.
|
||||
|
||||
Below the list of registered claims you should be interested in:
|
||||
- scope : space-separated list of scopes
|
||||
- client_id : client identifier
|
||||
- username : human-readable identifier for the resource owner
|
||||
- token_type : type of the token
|
||||
- exp : integer timestamp indicating when this token will expire
|
||||
- iat : integer timestamp indicating when this token was issued
|
||||
- nbf : integer timestamp indicating when it can be "not-before" used
|
||||
- sub : subject of the token - identifier of the resource owner
|
||||
- aud : list of string identifiers representing the intended audience
|
||||
- iss : string representing issuer of this token
|
||||
- jti : string identifier for the token
|
||||
|
||||
Note that most of them are coming directly from JWT RFC. More details
|
||||
can be found in `Introspect Claims`_ or `_JWT Claims`_.
|
||||
|
||||
The implementation can use *token_type_hint* to improve lookup
|
||||
efficency, but must fallback to other types to be compliant with RFC.
|
||||
|
||||
The dict of claims is added to request.token after this method.
|
||||
|
||||
:param token: The token string.
|
||||
:param token_type_hint: access_token or refresh_token.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
||||
Method is used by:
|
||||
- Introspect Endpoint (all grants are compatible)
|
||||
|
||||
.. _`Introspect Claims`: https://tools.ietf.org/html/rfc7662#section-2.2
|
||||
.. _`JWT Claims`: https://tools.ietf.org/html/rfc7519#section-4
|
||||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
||||
def invalidate_authorization_code(self, client_id, code, request, *args, **kwargs):
|
||||
"""Invalidate an authorization code after use.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param client_id: Unicode client identifier.
|
||||
:param code: The authorization code grant (request.code).
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
||||
Method is used by:
|
||||
- Authorization Code Grant
|
||||
|
@ -183,7 +242,8 @@ class RequestValidator(object):
|
|||
|
||||
:param token: The token string.
|
||||
:param token_type_hint: access_token or refresh_token.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
||||
Method is used by:
|
||||
- Revocation Endpoint
|
||||
|
@ -197,7 +257,8 @@ class RequestValidator(object):
|
|||
or replaced with a new one (rotated). Return True to rotate and
|
||||
and False for keeping original.
|
||||
|
||||
:param request: oauthlib.common.Request
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -209,30 +270,49 @@ class RequestValidator(object):
|
|||
"""Persist the authorization_code.
|
||||
|
||||
The code should at minimum be stored with:
|
||||
- the client_id (client_id)
|
||||
- the redirect URI used (request.redirect_uri)
|
||||
- a resource owner / user (request.user)
|
||||
- the authorized scopes (request.scopes)
|
||||
- the client state, if given (code.get('state'))
|
||||
- the client_id (``client_id``)
|
||||
- the redirect URI used (``request.redirect_uri``)
|
||||
- a resource owner / user (``request.user``)
|
||||
- the authorized scopes (``request.scopes``)
|
||||
|
||||
The 'code' argument is actually a dictionary, containing at least a
|
||||
'code' key with the actual authorization code:
|
||||
To support PKCE, you MUST associate the code with:
|
||||
- Code Challenge (``request.code_challenge``) and
|
||||
- Code Challenge Method (``request.code_challenge_method``)
|
||||
|
||||
{'code': 'sdf345jsdf0934f'}
|
||||
To support OIDC, you MUST associate the code with:
|
||||
- nonce, if present (``code["nonce"]``)
|
||||
|
||||
It may also have a 'state' key containing a nonce for the client, if it
|
||||
chose to send one. That value should be saved and used in
|
||||
'validate_code'.
|
||||
The ``code`` argument is actually a dictionary, containing at least a
|
||||
``code`` key with the actual authorization code:
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
``{'code': 'sdf345jsdf0934f'}``
|
||||
|
||||
It may also have a ``claims`` parameter which, when present, will be a dict
|
||||
deserialized from JSON as described at
|
||||
http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
|
||||
This value should be saved in this method and used again in ``.validate_code``.
|
||||
|
||||
:param client_id: Unicode client identifier.
|
||||
:param code: A dict of the authorization code grant and, optionally, state.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
||||
Method is used by:
|
||||
- Authorization Code Grant
|
||||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
||||
def save_token(self, token, request, *args, **kwargs):
|
||||
"""Persist the token with a token type specific method.
|
||||
|
||||
Currently, only save_bearer_token is supported.
|
||||
|
||||
:param token: A (Bearer) token dict.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
"""
|
||||
return self.save_bearer_token(token, request, *args, **kwargs)
|
||||
|
||||
def save_bearer_token(self, token, request, *args, **kwargs):
|
||||
"""Persist the Bearer token.
|
||||
|
||||
|
@ -242,6 +322,7 @@ class RequestValidator(object):
|
|||
- authorized scopes (request.scopes)
|
||||
- an expiration time
|
||||
- a refresh token, if issued
|
||||
- a claims document, if present in request.claims
|
||||
|
||||
The Bearer token dict may hold a number of items::
|
||||
|
||||
|
@ -251,15 +332,27 @@ class RequestValidator(object):
|
|||
'expires_in': 3600,
|
||||
'scope': 'string of space separated authorized scopes',
|
||||
'refresh_token': '23sdf876234', # if issued
|
||||
'state': 'given_by_client', # if supplied by client
|
||||
'state': 'given_by_client', # if supplied by client (implicit ONLY)
|
||||
}
|
||||
|
||||
Note that while "scope" is a string-separated list of authorized scopes,
|
||||
the original list is still available in request.scopes
|
||||
the original list is still available in request.scopes.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param token: A Bearer token dict
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
The token dict is passed as a reference so any changes made to the dictionary
|
||||
will go back to the user. If additional information must return to the client
|
||||
user, and it is only possible to get this information after writing the token
|
||||
to storage, it should be added to the token dictionary. If the token
|
||||
dictionary must be modified but the changes should not go back to the user,
|
||||
a copy of the dictionary must be made before making the changes.
|
||||
|
||||
Also note that if an Authorization Code grant request included a valid claims
|
||||
parameter (for OpenID Connect) then the request.claims property will contain
|
||||
the claims dict, which should be saved for later use when generating the
|
||||
id_token and/or UserInfo response content.
|
||||
|
||||
:param token: A Bearer token dict.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: The default redirect URI for the client
|
||||
|
||||
Method is used by all core grant types issuing Bearer tokens:
|
||||
|
@ -275,7 +368,8 @@ class RequestValidator(object):
|
|||
|
||||
:param token: A string of random characters.
|
||||
:param scopes: A list of scopes associated with the protected resource.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
|
||||
A key to OAuth 2 security and restricting impact of leaked tokens is
|
||||
the short expiration time of tokens, *always ensure the token has not
|
||||
|
@ -309,7 +403,8 @@ class RequestValidator(object):
|
|||
|
||||
:param token: Unicode Bearer token
|
||||
:param scopes: List of scopes (defined by you)
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is indirectly used by all core Bearer token issuing grant types:
|
||||
|
@ -327,7 +422,9 @@ class RequestValidator(object):
|
|||
to set request.client to the client object associated with the
|
||||
given client_id.
|
||||
|
||||
:param request: oauthlib.common.Request
|
||||
:param client_id: Unicode client identifier.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -344,16 +441,24 @@ class RequestValidator(object):
|
|||
with the code in 'save_authorization_code':
|
||||
|
||||
- request.user
|
||||
- request.state (if given)
|
||||
- request.scopes
|
||||
- request.claims (if given)
|
||||
OBS! The request.user attribute should be set to the resource owner
|
||||
associated with this authorization code. Similarly request.scopes
|
||||
must also be set.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param code: Unicode authorization code
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
The request.claims property, if it was given, should assigned a dict.
|
||||
|
||||
If PKCE is enabled (see 'is_pkce_required' and 'save_authorization_code')
|
||||
you MUST set the following based on the information stored:
|
||||
- request.code_challenge
|
||||
- request.code_challenge_method
|
||||
|
||||
:param client_id: Unicode client identifier.
|
||||
:param code: Unicode authorization code.
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -364,10 +469,11 @@ class RequestValidator(object):
|
|||
def validate_grant_type(self, client_id, grant_type, client, request, *args, **kwargs):
|
||||
"""Ensure client is authorized to use the grant_type requested.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param client_id: Unicode client identifier.
|
||||
:param grant_type: Unicode grant type, i.e. authorization_code, password.
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -384,9 +490,10 @@ class RequestValidator(object):
|
|||
All clients should register the absolute URIs of all URIs they intend
|
||||
to redirect to. The registration is outside of the scope of oauthlib.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param redirect_uri: Unicode absolute URI
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client_id: Unicode client identifier.
|
||||
:param redirect_uri: Unicode absolute URI.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -401,9 +508,10 @@ class RequestValidator(object):
|
|||
OBS! The request.user attribute should be set to the resource owner
|
||||
associated with this refresh token.
|
||||
|
||||
:param refresh_token: Unicode refresh token
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param refresh_token: Unicode refresh token.
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -416,10 +524,11 @@ class RequestValidator(object):
|
|||
def validate_response_type(self, client_id, response_type, client, request, *args, **kwargs):
|
||||
"""Ensure client is authorized to use the response_type requested.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param client_id: Unicode client identifier.
|
||||
:param response_type: Unicode response type, i.e. code, token.
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
|
@ -431,10 +540,11 @@ class RequestValidator(object):
|
|||
def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
|
||||
"""Ensure the client is authorized access to requested scopes.
|
||||
|
||||
:param client_id: Unicode client identifier
|
||||
:param scopes: List of scopes (defined by you)
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param client_id: Unicode client identifier.
|
||||
:param scopes: List of scopes (defined by you).
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by all core grant types:
|
||||
|
@ -453,13 +563,89 @@ class RequestValidator(object):
|
|||
not set you will be unable to associate a token with a user in the
|
||||
persistance method used (commonly, save_bearer_token).
|
||||
|
||||
:param username: Unicode username
|
||||
:param password: Unicode password
|
||||
:param client: Client object set by you, see authenticate_client.
|
||||
:param request: The HTTP Request (oauthlib.common.Request)
|
||||
:param username: Unicode username.
|
||||
:param password: Unicode password.
|
||||
:param client: Client object set by you, see ``.authenticate_client``.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
- Resource Owner Password Credentials Grant
|
||||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
||||
def is_pkce_required(self, client_id, request):
|
||||
"""Determine if current request requires PKCE. Default, False.
|
||||
This is called for both "authorization" and "token" requests.
|
||||
|
||||
Override this method by ``return True`` to enable PKCE for everyone.
|
||||
You might want to enable it only for public clients.
|
||||
Note that PKCE can also be used in addition of a client authentication.
|
||||
|
||||
OAuth 2.0 public clients utilizing the Authorization Code Grant are
|
||||
susceptible to the authorization code interception attack. This
|
||||
specification describes the attack as well as a technique to mitigate
|
||||
against the threat through the use of Proof Key for Code Exchange
|
||||
(PKCE, pronounced "pixy"). See `RFC7636`_.
|
||||
|
||||
:param client_id: Client identifier.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: True or False
|
||||
|
||||
Method is used by:
|
||||
- Authorization Code Grant
|
||||
|
||||
.. _`RFC7636`: https://tools.ietf.org/html/rfc7636
|
||||
"""
|
||||
return False
|
||||
|
||||
def get_code_challenge(self, code, request):
|
||||
"""Is called for every "token" requests.
|
||||
|
||||
When the server issues the authorization code in the authorization
|
||||
response, it MUST associate the ``code_challenge`` and
|
||||
``code_challenge_method`` values with the authorization code so it can
|
||||
be verified later.
|
||||
|
||||
Typically, the ``code_challenge`` and ``code_challenge_method`` values
|
||||
are stored in encrypted form in the ``code`` itself but could
|
||||
alternatively be stored on the server associated with the code. The
|
||||
server MUST NOT include the ``code_challenge`` value in client requests
|
||||
in a form that other entities can extract.
|
||||
|
||||
Return the ``code_challenge`` associated to the code.
|
||||
If ``None`` is returned, code is considered to not be associated to any
|
||||
challenges.
|
||||
|
||||
:param code: Authorization code.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: code_challenge string
|
||||
|
||||
Method is used by:
|
||||
- Authorization Code Grant - when PKCE is active
|
||||
|
||||
"""
|
||||
return None
|
||||
|
||||
def get_code_challenge_method(self, code, request):
|
||||
"""Is called during the "token" request processing, when a
|
||||
``code_verifier`` and a ``code_challenge`` has been provided.
|
||||
|
||||
See ``.get_code_challenge``.
|
||||
|
||||
Must return ``plain`` or ``S256``. You can return a custom value if you have
|
||||
implemented your own ``AuthorizationCodeGrant`` class.
|
||||
|
||||
:param code: Authorization code.
|
||||
:param request: OAuthlib request.
|
||||
:type request: oauthlib.common.Request
|
||||
:rtype: code_challenge_method string
|
||||
|
||||
Method is used by:
|
||||
- Authorization Code Grant - when PKCE is active
|
||||
|
||||
"""
|
||||
raise NotImplementedError('Subclasses must implement this method.')
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue