AuthorizationCode

This class describes the Authorization Code grant type

class DIRAC.FrameworkSystem.private.authorization.grants.AuthorizationCode.AuthorizationCodeGrant(request: OAuth2Request, server)

Bases: AuthorizationCodeGrant

See authlib.oauth2.rfc6749.grants.AuthorizationCodeGrant

AUTHORIZATION_CODE_LENGTH = 48

Generated “code” length

ERROR_RESPONSE_FRAGMENT = False
GRANT_TYPE = 'authorization_code'

Designed for which “grant_type”

RESPONSE_TYPES = {'code'}
TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none']

Allowed client auth methods for token endpoint

TOKEN_ENDPOINT_HTTP_METHODS = ['POST']

Allowed HTTP methods of this token endpoint

TOKEN_RESPONSE_HEADER = [('Content-Type', 'application/json'), ('Cache-Control', 'no-store'), ('Pragma', 'no-cache')]
__init__(request: OAuth2Request, server)
authenticate_token_endpoint_client()

Authenticate client with the given methods for token endpoint.

For example, the client makes the following HTTP request using TLS:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Default available methods are: “none”, “client_secret_basic” and “client_secret_post”.

Returns:

client
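The three token endpoint methods listed above differ in where the client credentials travel: the HTTP Basic header, the form body, or nowhere at all for a public client. The following is an added example, not code from DIRAC or authlib, showing how a token endpoint can pick the method from the request, reject requests that mix methods, and compare the secret in constant time. The client registry CLIENTS, the helper names and the client "public-cli" are constructed for this example; the Basic header value is the one from the request shown above.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote

# Constructed client registry for this example (hypothetical; DIRAC keeps clients elsewhere).
# Each client is registered for exactly one token endpoint auth method. A public
# client has no secret and may only use "none".
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "auth_method": "client_secret_basic"},
    "public-cli": {"secret": None, "auth_method": "none"},
}


class ClientAuthError(Exception):
    """Raised when the token endpoint cannot authenticate the client."""


def _secret_matches(client, presented):
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if client["secret"] is None or presented is None:
        return False
    return hmac.compare_digest(client["secret"].encode(), presented.encode())


def authenticate_token_endpoint_client(headers, body):
    """Authenticate the client of a token endpoint request.

    headers: dict of HTTP request headers; body: the raw
    application/x-www-form-urlencoded request body.
    Returns (client_id, method) or raises ClientAuthError.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")

    if auth.startswith("Basic "):
        # RFC 6749 section 2.3.1: a client must not use more than one method per request.
        if "client_secret" in form:
            raise ClientAuthError("multiple client authentication methods used")
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
            # client_id and secret are form-urlencoded before being joined with ":"
            client_id, secret = (unquote(part) for part in decoded.split(":", 1))
        except (ValueError, UnicodeDecodeError):
            raise ClientAuthError("malformed Basic credentials")
        method = "client_secret_basic"
    elif "client_secret" in form:
        client_id, secret = form.get("client_id"), form["client_secret"]
        method = "client_secret_post"
    else:
        client_id, secret = form.get("client_id"), None
        method = "none"

    client = CLIENTS.get(client_id)
    if client is None:
        raise ClientAuthError("unknown client")
    # A confidential client registered for a secret-based method must not be accepted
    # via "none", and a public client must not suddenly present a secret.
    if client["auth_method"] != method:
        raise ClientAuthError(f"client is not registered for {method}")
    if method != "none" and not _secret_matches(client, secret):
        raise ClientAuthError("invalid client secret")
    return client_id, method
```

The method check against the registration is the important part: accepting "none" for a client that was issued a secret would let anyone who knows the client_id redeem that client's codes.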

authenticate_user(authorization_code)

Authenticate the user related to this authorization_code.

Parameters:

authorization_code – authorization code

classmethod check_authorization_endpoint(request: OAuth2Request)
classmethod check_token_endpoint(request: OAuth2Request)
property client
create_authorization_response(redirect_uri: str, grant_user)

If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format. Per Section 4.1.2.

code

REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.

state

REQUIRED if the “state” parameter was present in the client authorization request. The exact value received from the client.

For example, the authorization server redirects the user-agent by sending the following HTTP response.

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
       &state=xyz

Parameters:
  • redirect_uri – Redirect to the given URI for the authorization

  • grant_user – if resource owner granted the request, pass this resource owner, otherwise pass None.

Returns:

(status_code, body, headers)

create_token_response()

If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2. Per Section 4.1.4.

An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"example",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "example_parameter":"example_value"
}

Returns:

(status_code, body, headers)

delete_authorization_code(authorization_code)

Delete authorization code from database or cache. Developers MUST implement it in subclass, e.g.:

def delete_authorization_code(self, authorization_code):
    authorization_code.delete()

Parameters:

authorization_code – the instance of authorization_code

execute_hook(hook_type, *args, **kwargs)
generate_authorization_code()

The method to generate “code” value for authorization code data.

Returns:

str

generate_token(user=None, scope=None, grant_type=None, expires_in=None, include_refresh_token=True)
query_authorization_code(code, client)

Parse authorization code

Parameters:
  • code – authorization code as JWS

  • client – client

Returns:

OAuth2Code or None

register_hook(hook_type, hook)
save_authorization_code(code, request)

Save authorization_code for later use. Developers MUST implement it in subclass. Here is an example:

def save_authorization_code(self, code, request):
    client = request.client
    item = AuthorizationCode(
        code=code,
        client_id=client.client_id,
        redirect_uri=request.redirect_uri,
        scope=request.scope,
        user_id=request.user.id,
    )
    item.save()

save_token(token)

A method to save token into database.

static validate_authorization_redirect_uri(request: OAuth2Request, client)
validate_authorization_request()

The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the “application/x-www-form-urlencoded” format. Per Section 4.1.1.

response_type

REQUIRED. Value MUST be set to “code”.

client_id

REQUIRED. The client identifier as described in Section 2.2.

redirect_uri

OPTIONAL. As described in Section 3.1.2.

scope

OPTIONAL. The scope of the access request as described by Section 3.3.

state

RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.

The client directs the resource owner to the constructed URI using an HTTP redirection response, or by other means available to it via the user-agent.

For example, the client directs the user-agent to make the following HTTP request using TLS (with extra line breaks for display purposes only):

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means).
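The paragraph above says the server validates "all required parameters" before authenticating the resource owner; the order of those checks matters, because an error response may only be redirected to a redirect_uri that has been confirmed to belong to the identified client. The following is an added example, not DIRAC's or authlib's implementation, of a validator for the GET /authorize request shown above. It also covers the scope check described under validate_requested_scope. REGISTERED_CLIENTS, SUPPORTED_SCOPES, InvalidAuthorizationRequest and the registered scopes are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed client registration (hypothetical; not DIRAC's client store). Each client
# registers its complete redirect URIs and the scopes it is allowed to request.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {
        "redirect_uris": ["https://client.example.com/cb"],
        "scopes": {"openid", "profile"},
    },
}
# Scopes the authorization server supports at all.
SUPPORTED_SCOPES = {"openid", "profile", "email"}


class InvalidAuthorizationRequest(Exception):
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def validate_authorization_request(request_uri):
    """Validate a GET /authorize request URI (RFC 6749 section 4.1.1).

    Returns the validated parameters as a dict, or raises InvalidAuthorizationRequest.
    client_id and redirect_uri are checked first so that a later error (bad
    response_type, bad scope) is only ever delivered to a verified redirect URI.
    """
    query = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    duplicated = sorted(k for k, v in query.items() if len(v) > 1)
    if duplicated:
        raise InvalidAuthorizationRequest("invalid_request", f"parameter repeated: {duplicated}")
    params = {k: v[0] for k, v in query.items()}

    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        # Unknown client: no redirect at all, the error is shown to the user-agent.
        raise InvalidAuthorizationRequest("invalid_request", "unknown client_id")

    # Exact string comparison against the registered URIs: no prefix, wildcard or
    # substring matching, so the code can only be delivered where the client registered.
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        if len(client["redirect_uris"]) != 1:
            raise InvalidAuthorizationRequest("invalid_request", "redirect_uri is required")
        redirect_uri = client["redirect_uris"][0]
    elif redirect_uri not in client["redirect_uris"]:
        raise InvalidAuthorizationRequest("invalid_request", "redirect_uri is not registered")

    if params.get("response_type") != "code":
        raise InvalidAuthorizationRequest("unsupported_response_type", "response_type must be 'code'")

    # scope is a space-separated list; it must be supported by the server and allowed for the client
    scope = set(params.get("scope", "").split())
    if not scope <= SUPPORTED_SCOPES:
        raise InvalidAuthorizationRequest("invalid_scope", f"unsupported: {sorted(scope - SUPPORTED_SCOPES)}")
    if not scope <= client["scopes"]:
        raise InvalidAuthorizationRequest("invalid_scope", "scope not allowed for this client")

    return {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scope)),
        # state is only RECOMMENDED by the RFC; None here means the client sent none,
        # which is worth logging since it is the client's CSRF protection for the callback.
        "state": params.get("state"),
    }
```

The returned dict is what the server would carry into the consent step and later echo back (state) or bind into the code (client_id, redirect_uri, scope).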

validate_requested_scope()

Validate if requested scope is supported by Authorization Server.

validate_token_request()

The client makes a request to the token endpoint by sending the following parameters using the “application/x-www-form-urlencoded” format per Section 4.1.3:

grant_type

REQUIRED. Value MUST be set to “authorization_code”.

code

REQUIRED. The authorization code received from the authorization server.

redirect_uri

REQUIRED, if the “redirect_uri” parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.

client_id

REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.

If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

For example, the client makes the following HTTP request using TLS:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
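The requirements spread over create_authorization_response (a 48-character code, at most 10 minutes of lifetime, single use, revocation of tokens on reuse, binding to client and redirect URI), save_authorization_code, delete_authorization_code, generate_authorization_code, create_token_response and validate_token_request above describe one lifecycle. The following added example, which is not DIRAC's or authlib's code, implements that lifecycle end to end in one in-memory store, and additionally checks the PKCE code_challenge that the OAuth2Code class below exposes. AuthorizationCodeStore, TokenRequestError, CODE_LIFETIME_SECONDS, s256_challenge and the injectable clock are constructed for this example; the redirect URI and client_id are the ones from the requests shown on this page.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

AUTHORIZATION_CODE_LENGTH = 48  # same length as the DIRAC class attribute above
CODE_LIFETIME_SECONDS = 600     # RFC 6749 section 4.1.2 recommends at most 10 minutes


class TokenRequestError(Exception):
    def __init__(self, error, description=""):
        super().__init__(f"{error}: {description}")
        self.error = error


def s256_challenge(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationCodeStore:
    """In-memory code store (hypothetical; DIRAC's save/query/delete use its own backend).

    `now` is injectable so that expiry can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}           # code -> record, removed on first use
        self._tokens_by_code = {}  # code -> access tokens issued from it
        self.revoked_tokens = set()

    @staticmethod
    def generate_authorization_code():
        # 36 random bytes encode to exactly AUTHORIZATION_CODE_LENGTH (48) URL-safe characters
        return secrets.token_urlsafe(36)

    def save_authorization_code(self, client_id, redirect_uri, scope, user_id,
                                code_challenge=None, code_challenge_method="plain"):
        """Issue a code bound to the client, redirect URI, scope and user (section 4.1.2)."""
        code = self.generate_authorization_code()
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,  # None when the authorization request omitted it
            "scope": scope,
            "user_id": user_id,
            "auth_time": int(self._now()),
            "code_challenge": code_challenge,
            "code_challenge_method": code_challenge_method,
        }
        return code

    def create_token_response(self, body, authenticated_client_id=None):
        """Validate a token request body (section 4.1.3) and return the token dict.

        authenticated_client_id comes from the token endpoint's client authentication;
        a public client (method "none") passes None and must send client_id in the body.
        Any failed check consumes the code, so a code never survives a bad attempt.
        """
        params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if params.get("grant_type") != "authorization_code":
            raise TokenRequestError("unsupported_grant_type")
        code = params.get("code")
        if not code:
            raise TokenRequestError("invalid_request", "code is required")
        client_id = authenticated_client_id or params.get("client_id")
        if client_id is None:
            raise TokenRequestError("invalid_client", "client_id is required")

        record = self._codes.pop(code, None)  # single use: the record leaves the store here
        if record is None:
            # Never issued, or already redeemed. On a replay, revoke everything that
            # was issued from this code (section 4.1.2).
            for token in self._tokens_by_code.pop(code, ()):
                self.revoked_tokens.add(token)
            raise TokenRequestError("invalid_grant", "unknown or already used code")
        if record["client_id"] != client_id:
            raise TokenRequestError("invalid_grant", "code was issued to another client")
        if self._now() - record["auth_time"] > CODE_LIFETIME_SECONDS:
            raise TokenRequestError("invalid_grant", "code expired")
        # redirect_uri is required, and must be identical, whenever it was sent at authorization
        if record["redirect_uri"] is not None and params.get("redirect_uri") != record["redirect_uri"]:
            raise TokenRequestError("invalid_grant", "redirect_uri mismatch")
        if record["code_challenge"] is not None:
            verifier = params.get("code_verifier")
            if verifier is None or not verifier.isascii():
                raise TokenRequestError("invalid_grant", "valid code_verifier is required")
            expected = s256_challenge(verifier) if record["code_challenge_method"] == "S256" else verifier
            if not hmac.compare_digest(expected, record["code_challenge"]):
                raise TokenRequestError("invalid_grant", "code_verifier does not match")

        access_token = secrets.token_urlsafe(32)
        self._tokens_by_code[code] = [access_token]
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}
```

Popping the record before any other check is what gives single use; keeping the list of tokens issued per code is what makes the RFC's "revoke all tokens previously issued based on that authorization code" possible once a replay is seen.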

class DIRAC.FrameworkSystem.private.authorization.grants.AuthorizationCode.OAuth2Code(params)

Bases: dict

This class describes the Authorization Code object

__init__(params)

Constructor.

clear() -> None. Remove all items from D.
property code_challenge
property code_challenge_method
copy() -> a shallow copy of D
fromkeys(value=None, /)

Create a new dictionary with keys from iterable and values set to value.

get(key, default=None, /)

Return the value for key if key is in the dictionary, else default.

get_auth_time()
get_nonce()
get_redirect_uri()
get_scope()
is_expired()
items() -> a set-like object providing a view on D's items
keys() -> a set-like object providing a view on D's keys
pop(k[, d]) -> v, remove specified key and return the corresponding value.

If the key is not found, return the default if given; otherwise, raise a KeyError.

popitem()

Remove and return a (key, value) pair as a 2-tuple.

Pairs are returned in LIFO (last-in, first-out) order. Raises KeyError if the dict is empty.

setdefault(key, default=None, /)

Insert key with a value of default if key is not in the dictionary.

Return the value for key if key is in the dictionary, else default.

update([E, ]**F) -> None. Update D from dict/iterable E and F.

If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]
If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v
In either case, this is followed by: for k in F: D[k] = F[k]

property user
values() -> an object providing a view on D's values