DeviceFlow
- class DIRAC.FrameworkSystem.private.authorization.grants.DeviceFlow.DeviceAuthorizationEndpoint(server)
Bases:
DeviceAuthorizationEndpoint
See
authlib.oauth2.rfc8628.DeviceAuthorizationEndpoint
- CLIENT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none']
- ENDPOINT_NAME = 'device_authorization'
- EXPIRES_IN = 1800
The lifetime in seconds of the “device_code” and “user_code”
- INTERVAL = 5
The minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint.
- USER_CODE_TYPE = 'string'
customize “user_code” type, string or digital
- __init__(server)
- authenticate_client(request)
client_id is REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749].
This means the endpoint support “none” authentication method. In this case, this endpoint’s auth methods are:
client_secret_basic
client_secret_post
none
Developers change the value of
CLIENT_AUTH_METHODS
in subclass. For instance:class MyDeviceAuthorizationEndpoint(DeviceAuthorizationEndpoint): # only support ``client_secret_basic`` auth method CLIENT_AUTH_METHODS = ['client_secret_basic']
- create_endpoint_request(request)
- create_endpoint_response(req)
See
authlib.oauth2.rfc8628.DeviceAuthorizationEndpoint.create_endpoint_response()
- generate_device_code()
A method to generate
device_code
value for device authorization endpoint. This method will generate a random string of 42 characters. Developers can rewrite this method to create their owndevice_code
.
- generate_user_code()
A method to generate
user_code
value for device authorization endpoint. This method will generate a random string like MQNA-JPOZ. Developers can rewrite this method to create their ownuser_code
.
- get_verification_uri()
Create verification uri when DeviceCode flow initialized
- Returns:
str
- class DIRAC.FrameworkSystem.private.authorization.grants.DeviceFlow.DeviceCodeGrant(request: OAuth2Request, server)
Bases:
DeviceCodeGrant
,AuthorizationEndpointMixin
See
authlib.oauth2.rfc8628.DeviceCodeGrant
- ERROR_RESPONSE_FRAGMENT = False
- GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code'
Designed for which “grant_type”
- RESPONSE_TYPES = {'device'}
- TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none']
Allowed client auth methods for token endpoint
- TOKEN_ENDPOINT_HTTP_METHODS = ['POST']
Allowed HTTP methods of this token endpoint
- TOKEN_RESPONSE_HEADER = [('Content-Type', 'application/json'), ('Cache-Control', 'no-store'), ('Pragma', 'no-cache')]
- __init__(request: OAuth2Request, server)
- authenticate_token_endpoint_client()
Authenticate client with the given methods for token endpoint.
For example, the client makes the following HTTP request using TLS:
POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Default available methods are: “none”, “client_secret_basic” and “client_secret_post”.
- Returns:
client
- classmethod check_authorization_endpoint(request: OAuth2Request)
- classmethod check_token_endpoint(request: OAuth2Request)
- property client
- create_authorization_response(redirect_uri, user)
Mark session as authed with received user
- create_token_response()
If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token.
- execute_hook(hook_type, *args, **kwargs)
- generate_token(user=None, scope=None, grant_type=None, expires_in=None, include_refresh_token=True)
- query_device_credential(device_code)
Get device credential from previously savings via
DeviceAuthorizationEndpoint
.- Parameters:
device_code (str) – device code
- Returns:
dict
- query_user_grant(user_code)
Check if user alredy authed and return it to token generator
- Parameters:
user_code (str) – user code
- Returns:
(str, bool) or None – user dict and user auth status
- register_hook(hook_type, hook)
- save_token(token)
A method to save token into database.
- should_slow_down(*args)
The authorization request is still pending and polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests.
- static validate_authorization_redirect_uri(request: OAuth2Request, client)
- validate_authorization_request()
Validate authorization request
- Returns:
None
- validate_consent_request()
- validate_device_credential(credential)
- static validate_no_multiple_request_parameter(request: OAuth2Request)
For the Authorization Endpoint, request and response parameters MUST NOT be included more than once. Per Section 3.1.
- validate_requested_scope()
Validate if requested scope is supported by Authorization Server.
- validate_token_request()
After displaying instructions to the user, the client creates an access token request and sends it to the token endpoint with the following parameters:
- grant_type
REQUIRED. Value MUST be set to “urn:ietf:params:oauth:grant-type:device_code”.
- device_code
REQUIRED. The device verification code, “device_code” from the device authorization response.
- client_id
REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749].
For example, the client makes the following HTTPS request:
POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code &device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS &client_id=1406020730