AuthorizationCode
This class describes the Authorization Code grant type.
- class DIRAC.FrameworkSystem.private.authorization.grants.AuthorizationCode.AuthorizationCodeGrant(request: OAuth2Request, server)
Bases:
AuthorizationCodeGrant
See
authlib.oauth2.rfc6749.grants.AuthorizationCodeGrant
- AUTHORIZATION_CODE_LENGTH = 48
Generated “code” length
- ERROR_RESPONSE_FRAGMENT = False
- GRANT_TYPE = 'authorization_code'
Designed for which “grant_type”
- RESPONSE_TYPES = {'code'}
- TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none']
Allowed client auth methods for token endpoint
- TOKEN_ENDPOINT_HTTP_METHODS = ['POST']
Allowed HTTP methods of this token endpoint
- TOKEN_RESPONSE_HEADER = [('Content-Type', 'application/json'), ('Cache-Control', 'no-store'), ('Pragma', 'no-cache')]
- __init__(request: OAuth2Request, server)
- authenticate_token_endpoint_client()
Authenticate client with the given methods for token endpoint.
For example, the client makes the following HTTP request using TLS:
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Default available methods are: “none”, “client_secret_basic” and “client_secret_post”.
- Returns:
client
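As an added example (not DIRAC's or Authlib's own code), the following implements the three default methods against a constructed client registry. The id/secret pair s6BhdRkqt3 / gX1fBat3bV is the one encoded in the Basic header above; CLIENTS, InvalidClient and the helper names are assumptions of this example. The security-relevant checks are that the secret is compared in constant time, that a confidential client cannot downgrade to "none" by simply omitting its secret, and that credentials sent in both the header and the body are rejected.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, unquote

# Constructed client registry standing in for the server's client database (not DIRAC's own code).
# A client with secret None is a public client and may only use the "none" method.
CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV"},
    "public-cli": {"secret": None},
}

TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post", "none"]


class InvalidClient(Exception):
    """Raised for any client authentication failure (maps to the 'invalid_client' error)."""


def _parse_basic(header_value):
    """Decode 'Basic <base64(client_id:client_secret)>'; both halves are form-urlencoded (RFC 6749 2.3.1)."""
    try:
        decoded = base64.b64decode(header_value[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise InvalidClient("malformed Basic credentials") from exc
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise InvalidClient("malformed Basic credentials")
    return unquote(client_id), unquote(secret)


def authenticate_token_endpoint_client(headers, body):
    """Return (client_id, method) for a token request, or raise InvalidClient.

    headers: dict of request headers; body: the raw application/x-www-form-urlencoded request body.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")

    if auth.startswith("Basic "):
        method = "client_secret_basic"
        client_id, presented_secret = _parse_basic(auth)
        if "client_secret" in form:
            raise InvalidClient("credentials sent both in the header and in the body")
    elif "client_secret" in form:
        method = "client_secret_post"
        client_id, presented_secret = form.get("client_id", ""), form["client_secret"]
    else:
        method = "none"
        client_id, presented_secret = form.get("client_id", ""), None

    if method not in TOKEN_ENDPOINT_AUTH_METHODS:
        raise InvalidClient("authentication method not allowed")
    client = CLIENTS.get(client_id)
    if client is None:
        raise InvalidClient("unknown client")

    if client["secret"] is None:
        # Public client: it has no secret, so presenting one means something is wrong.
        if method != "none":
            raise InvalidClient("public client must not present a secret")
    else:
        # Confidential client: omitting the secret is not a valid way to authenticate.
        if method == "none":
            raise InvalidClient("confidential client must authenticate")
        # Constant-time comparison so that the response time does not leak how many bytes matched.
        if not hmac.compare_digest(client["secret"].encode("utf-8"), presented_secret.encode("utf-8")):
            raise InvalidClient("bad client secret")
    return client_id, method


if __name__ == "__main__":
    # The request from the page: Basic credentials in the header, no credentials in the body.
    print(authenticate_token_endpoint_client(
        {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"},
        "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
        "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb"))
```

The registry decides which method is acceptable for a given client, not the request: that is what stops a confidential client's credentials from being optional in practice.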
- authenticate_user(authorization_code)
Authenticate the user related to this authorization_code.
- Parameters:
authorization_code – authorization code
- classmethod check_authorization_endpoint(request: OAuth2Request)
- classmethod check_token_endpoint(request: OAuth2Request)
- property client
- create_authorization_response(redirect_uri: str, grant_user)
If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the “application/x-www-form-urlencoded” format. Per Section 4.1.2.
- code
REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.
- state
REQUIRED if the “state” parameter was present in the client authorization request. The exact value received from the client.
For example, the authorization server redirects the user-agent by sending the following HTTP response.
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
              &state=xyz
- Parameters:
redirect_uri – Redirect to the given URI for the authorization
grant_user – if resource owner granted the request, pass this resource owner, otherwise pass None.
- Returns:
(status_code, body, headers)
- create_token_response()
If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2. Per Section 4.1.4.
An example successful response:
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache

    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "example_parameter":"example_value"
    }
- Returns:
(status_code, body, headers)
- delete_authorization_code(authorization_code)
Delete authorization code from database or cache. Developers MUST implement it in subclass, e.g.:
    def delete_authorization_code(self, authorization_code):
        authorization_code.delete()
- Parameters:
authorization_code – the instance of authorization_code
- execute_hook(hook_type, *args, **kwargs)
- generate_authorization_code()
The method to generate “code” value for authorization code data.
- Returns:
str
- generate_token(user=None, scope=None, grant_type=None, expires_in=None, include_refresh_token=True)
- query_authorization_code(code, client)
Parse the authorization code (a JWS) and return the matching OAuth2Code.
- Parameters:
code – authorization code as JWS
client – client
- Returns:
OAuth2Code or None
- register_hook(hook_type, hook)
- save_authorization_code(code, request)
Save authorization_code for later use. Developers MUST implement it in subclass. Here is an example:
    def save_authorization_code(self, code, request):
        client = request.client
        item = AuthorizationCode(
            code=code,
            client_id=client.client_id,
            redirect_uri=request.redirect_uri,
            scope=request.scope,
            user_id=request.user.id,
        )
        item.save()
- save_token(token)
A method to save the token into the database.
- static validate_authorization_redirect_uri(request: OAuth2Request, client)
- validate_authorization_request()
The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the “application/x-www-form-urlencoded” format. Per Section 4.1.1.
- response_type
REQUIRED. Value MUST be set to “code”.
- client_id
REQUIRED. The client identifier as described in Section 2.2.
- redirect_uri
OPTIONAL. As described in Section 3.1.2.
- scope
OPTIONAL. The scope of the access request as described by Section 3.3.
- state
RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
The client directs the resource owner to the constructed URI using an HTTP redirection response, or by other means available to it via the user-agent.
For example, the client directs the user-agent to make the following HTTP request using TLS (with extra line breaks for display purposes only):
    GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com
The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means).
- validate_consent_request()
- static validate_no_multiple_request_parameter(request: OAuth2Request)
For the Authorization Endpoint, request and response parameters MUST NOT be included more than once. Per Section 3.1.
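An added example (not DIRAC's or Authlib's own code) of the validation described under validate_authorization_request and validate_no_multiple_request_parameter above, run over the example GET request from the page. REGISTERED_CLIENTS, AuthorizationRequestError and the function name are assumptions of this example. The order of the checks matters: repeated parameters are rejected first, then client_id and redirect_uri are checked against the registration (by exact string comparison) before any other error could be delivered by redirecting the user-agent, and only then is response_type checked.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry: each client is bound to the exact redirect URIs it registered (not DIRAC's own data).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": ["https://client.example.com/cb"]},
}


class AuthorizationRequestError(Exception):
    """An RFC 6749 error code plus a human-readable description."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def validate_authorization_request(request_target):
    """Validate the query component of a GET /authorize request target.

    Returns the validated parameters as a dict, or raises AuthorizationRequestError.
    """
    raw = parse_qs(urlsplit(request_target).query, keep_blank_values=True)

    # Section 3.1: no parameter may appear more than once. Checked first, because a repeated
    # client_id or redirect_uri would leave it ambiguous which value was actually validated.
    repeated = sorted(k for k, v in raw.items() if len(v) > 1)
    if repeated:
        raise AuthorizationRequestError("invalid_request", "repeated parameter(s): " + ", ".join(repeated))
    params = {k: v[0] for k, v in raw.items()}

    # client_id and redirect_uri come next: until the redirect target is known to be registered,
    # no error may be reported by redirecting the user-agent to it.
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise AuthorizationRequestError("invalid_request", "unknown or missing client_id")
    registered = client["redirect_uris"]
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None:
        if len(registered) != 1:
            raise AuthorizationRequestError("invalid_request", "redirect_uri is required for this client")
        redirect_uri = registered[0]
    elif redirect_uri not in registered:  # exact string comparison: no prefix or wildcard matching
        raise AuthorizationRequestError("invalid_request", "redirect_uri does not match a registered value")

    if params.get("response_type") != "code":
        raise AuthorizationRequestError("unsupported_response_type", "response_type must be 'code'")

    scope = params.get("scope")
    return {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": scope.split() if scope else [],
        "state": params.get("state"),  # opaque to the server; echoed back unchanged in the redirect
    }


if __name__ == "__main__":
    # The example request from the page, with its display-only line break removed.
    print(validate_authorization_request(
        "/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz"
        "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb"))
```

Note that the returned state is whatever the client sent: the server never interprets it, it only guarantees to hand it back, which is what lets the client tie the callback to the request it started.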
- validate_requested_scope()
Validate that the requested scope is supported by the Authorization Server.
- validate_token_request()
The client makes a request to the token endpoint by sending the following parameters using the “application/x-www-form-urlencoded” format per Section 4.1.3:
- grant_type
REQUIRED. Value MUST be set to “authorization_code”.
- code
REQUIRED. The authorization code received from the authorization server.
- redirect_uri
REQUIRED, if the “redirect_uri” parameter was included in the authorization request as described in Section 4.1.1, and their values MUST be identical.
- client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.
For example, the client makes the following HTTP request using TLS:
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
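An added example (not DIRAC's or Authlib's own code) that ties together create_authorization_response, validate_token_request and create_token_response above with an in-memory stand-in for the save/query/delete_authorization_code storage that the docstrings say a subclass must provide. AuthorizationCodeServer, its clock parameter and the helper functions are assumptions of this example; the constants are the ones listed on the page. It shows the properties Section 4.1.2 requires of a code: it is bound to the client and redirect URI, it expires (10 minutes here), and a second presentation of the same code is denied and revokes the tokens issued from it.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_CODE_LENGTH = 48
CODE_LIFETIME_SECONDS = 600  # RFC 6749 4.1.2 recommends a maximum lifetime of 10 minutes
TOKEN_RESPONSE_HEADER = [("Content-Type", "application/json"), ("Cache-Control", "no-store"), ("Pragma", "no-cache")]


def generate_authorization_code():
    # 36 random bytes encode to exactly 48 URL-safe characters with no padding.
    return secrets.token_urlsafe(AUTHORIZATION_CODE_LENGTH * 3 // 4)


class AuthorizationCodeServer:
    """Constructed in-memory stand-in for the code/token storage (not DIRAC's own implementation)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised without waiting
        self._codes = {}      # code -> what it is bound to and whether it has been redeemed
        self._tokens = {}     # access token -> code it was issued from, so a replay can revoke it

    # --- authorization endpoint ---------------------------------------------------------
    def create_authorization_response(self, client_id, redirect_uri, state, redirect_uri_was_sent):
        """Issue a code bound to (client_id, redirect_uri) and build the 302 redirect."""
        code = generate_authorization_code()
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "redirect_uri_was_sent": redirect_uri_was_sent,
            "issued_at": self._clock(),
            "used": False,
        }
        query = {"code": code}
        if state is not None:
            query["state"] = state  # the exact value the client sent, unchanged
        return 302, "", [("Location", f"{redirect_uri}?{urlencode(query)}"), ("Cache-Control", "no-store")]

    # --- token endpoint -----------------------------------------------------------------
    def create_token_response(self, authenticated_client_id, body):
        """Validate a token request body (client authentication already done) and redeem the code."""
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if form.get("grant_type") != "authorization_code":
            return self._error("unsupported_grant_type")
        code = form.get("code", "")
        record = self._codes.get(code)
        if record is None:
            return self._error("invalid_grant")
        if record["used"]:
            # Second presentation of the same code: deny it and revoke everything issued from it.
            for token, source in list(self._tokens.items()):
                if source == code:
                    del self._tokens[token]
            del self._codes[code]
            return self._error("invalid_grant")
        if record["client_id"] != authenticated_client_id:
            return self._error("invalid_grant")
        if self._clock() - record["issued_at"] > CODE_LIFETIME_SECONDS:
            del self._codes[code]
            return self._error("invalid_grant")
        if record["redirect_uri_was_sent"] and form.get("redirect_uri") != record["redirect_uri"]:
            return self._error("invalid_grant")

        record["used"] = True  # kept rather than deleted, so that a replay can be recognised
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = code
        payload = {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}
        return 200, json.dumps(payload), list(TOKEN_RESPONSE_HEADER)

    def token_is_active(self, access_token):
        return access_token in self._tokens

    @staticmethod
    def _error(error):
        return 400, json.dumps({"error": error}), list(TOKEN_RESPONSE_HEADER)


def code_and_state_from_location(location):
    """What the client does on its callback: read code and state back out of the redirect URI."""
    query = parse_qs(urlsplit(location).query)
    return query["code"][0], query.get("state", [None])[0]


def parse_json_body(body):
    return json.loads(body)
```

Keeping a redeemed code around (marked used) until it expires, instead of deleting it immediately, is what makes the "deny and revoke" rule implementable: a code that has simply vanished cannot be told apart from one that never existed.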
- class DIRAC.FrameworkSystem.private.authorization.grants.AuthorizationCode.OAuth2Code(params)
Bases:
dict
This class describes the Authorization Code object.
- __init__(params)
Constructor.
- clear() → None. Remove all items from D.
- property code_challenge
- property code_challenge_method
- copy() → a shallow copy of D
- fromkeys(value=None, /)
Create a new dictionary with keys from iterable and values set to value.
- get(key, default=None, /)
Return the value for key if key is in the dictionary, else default.
- get_auth_time()
- get_nonce()
- get_redirect_uri()
- get_scope()
- is_expired()
- items() → a set-like object providing a view on D's items
- keys() → a set-like object providing a view on D's keys
- pop(k[, d]) → v, remove specified key and return the corresponding value.
If the key is not found, return the default if given; otherwise, raise a KeyError.
- popitem()
Remove and return a (key, value) pair as a 2-tuple.
Pairs are returned in LIFO (last-in, first-out) order. Raises KeyError if the dict is empty.
- setdefault(key, default=None, /)
Insert key with a value of default if key is not in the dictionary.
Return the value for key if key is in the dictionary, else default.
- update([E, ]**F) → None. Update D from dict/iterable E and F.
If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]
If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v
In either case, this is followed by: for k in F: D[k] = F[k]
- property user
- values() → an object providing a view on D's values