registry.oauth2 module
OAuth2 (RFC 6749) implementation, using authlib.
This module extends the authlib.flask implementation, leveraging client data stored in registry.services.datastore and instantiating authorized sessions in registry.services.sessions.
The current implementation supports the client_credentials and authorization_code grants.
Todo
Implement backend & integration to control client endorsements.
class registry.oauth2.AuthorizationCodeGrant(request, server)
    Bases: authlib.specs.rfc6749.grants.authorization_code.AuthorizationCodeGrant
    Authorization code grant for arXiv users.

    EXPIRES = 3600
        Lifetime of an issued authorization code, in seconds. Note that RFC 6749 (section 4.1.2) recommends a maximum authorization code lifetime of ten minutes; one hour is well beyond that, so a leaked code stays redeemable for longer than it needs to.

    TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_post']

    authenticate_user(auth_code)
        Authenticate the user implicated in the auth code.
        Return type: OAuth2User

    The names of the following three methods did not survive in this copy of the page; only their docstrings did.

    Generate and store a new authorization code.
        Parameters:
        - client (OAuth2Client) – The client requesting authorization.
        - grant_user (OAuth2User) – The resource owner who has granted authorization to the client.
        - request (OAuth2Request) – The request wrapper containing request details.
        Returns: An authorization code that the client can exchange for an access token.

    Delete an auth code.
        Return type: None

    Attempt to retrieve an auth code for an API client.
        Return type: Optional[AuthorizationCode]
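The authorization-code lifecycle the entries above describe (generate and store, retrieve for a client, delete, authenticate the user), as an added example that is not the registry's own code. It uses an in-memory store standing in for registry.services.datastore; the names AuthCodeStore, AuthCode and redeem are assumptions, while EXPIRES mirrors the documented attribute. Beyond what the entries state, it makes a code unguessable, binds it to the client and redirect URI it was issued for, expires it after EXPIRES seconds, and deletes it on first redemption so a replayed code fails.

```python
# Added example (not the registry's own code): an in-memory authorization-code
# store with the properties the AuthorizationCodeGrant entry above calls for.
# Codes are unguessable, bound to the client and redirect URI they were issued
# for, expire after EXPIRES seconds and are deleted on first redemption.
# Class and method names here are assumptions, not the project's API.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

EXPIRES = 3600  # seconds, matching the class attribute documented above


@dataclass
class AuthCode:
    code: str
    client_id: str
    user_id: str
    redirect_uri: str
    scope: str
    issued_at: float

    def is_expired(self, now: float) -> bool:
        return now >= self.issued_at + EXPIRES


class AuthCodeStore:
    """Hypothetical store standing in for registry.services.datastore."""

    def __init__(self) -> None:
        self._codes: Dict[str, AuthCode] = {}

    def create(self, client_id: str, user_id: str, redirect_uri: str,
               scope: str, now: Optional[float] = None) -> AuthCode:
        """Generate and store a new authorization code for (client, user)."""
        record = AuthCode(
            code=secrets.token_urlsafe(32),  # 256 bits from the OS CSPRNG
            client_id=client_id,
            user_id=user_id,
            redirect_uri=redirect_uri,
            scope=scope,
            issued_at=time.time() if now is None else now,
        )
        self._codes[record.code] = record
        return record

    def parse(self, code: str, client_id: str,
              now: Optional[float] = None) -> Optional[AuthCode]:
        """Retrieve a code for the client redeeming it, or None.

        A code is only returned to the client it was issued to; an expired
        code is dropped from the store rather than returned.
        """
        now = time.time() if now is None else now
        record = self._codes.get(code)
        if record is None:
            return None
        if record.is_expired(now):
            self.delete(code)
            return None
        if record.client_id != client_id:
            return None
        return record

    def delete(self, code: str) -> None:
        """Delete an auth code; deleting an unknown code is not an error."""
        self._codes.pop(code, None)

    def redeem(self, code: str, client_id: str, redirect_uri: str,
               now: Optional[float] = None) -> Optional[str]:
        """Exchange a code once: returns the user id (what authenticate_user
        would wrap in an OAuth2User) or None. RFC 6749 section 4.1.3 requires
        the redirect_uri sent to the token endpoint to match the one used in
        the authorization request, so that is checked here as well."""
        record = self.parse(code, client_id, now)
        if record is None or record.redirect_uri != redirect_uri:
            return None
        self.delete(code)  # single use: a replayed code must fail
        return record.user_id
```

The `now` parameter exists so expiry can be exercised deterministically; in production it is simply the clock. Binding the code to the client at parse time is what stops one registered client from redeeming a code issued to another.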
class registry.oauth2.ClientCredentialsGrant(request, server)
    Bases: authlib.specs.rfc6749.grants.client_credentials.ClientCredentialsGrant
    Our client credentials grant supports only POST requests, and clients must authenticate to the token endpoint with client_secret_post, i.e. by sending client_id and client_secret in the request body (RFC 6749 section 2.3.1); HTTP Basic client authentication is not accepted.

    TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_post']
class registry.oauth2.OAuth2AuthorizationCode(auth_code)
    Bases: object
    Wraps domain.AuthorizationCode for use in OAuth2 workflows.
class registry.oauth2.OAuth2Client(client, credential, authorizations, grant_types)
    Bases: authlib.specs.rfc6749.models.ClientMixin
    Implementation of an OAuth2 client as described in RFC 6749.
    This class essentially wraps an aggregate of registry domain objects for a particular client, and implements the methods expected by the AuthorizationServer.

    check_client_secret(client_secret)
        Check that the provided client secret is correct.
        Return type: bool

    check_grant_type(grant_type)
        Check that the client is authorized for the proposed grant type.
        Return type: bool

    check_redirect_uri(redirect_uri)
        Check that the provided redirect URI is authorized.
        Return type: bool
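The three checks listed for OAuth2Client, as an added example that is not the registry's own code and does not reflect how the registry stores credentials. It assumes the client secret is stored as a salted PBKDF2 hash (an assumption made for the example) and compares it in constant time; redirect URIs are accepted only on exact string match against the registered set, which is what RFC 6749 section 3.1.2.3 requires when a full redirect URI is registered. The names ClientRecord and hash_secret are hypothetical.

```python
# Added example (not the registry's own code): the three checks the OAuth2Client
# entry above lists, implemented the way a practitioner would want them. Secret
# comparison is constant-time against a salted PBKDF2 hash, and redirect URIs
# are compared by exact string match against the registered set (RFC 6749
# section 3.1.2.3). Storing hashed rather than plaintext secrets is an
# assumption made here, not something this page states about the registry.
import hashlib
import hmac
import os
from typing import Iterable, List, Optional


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (both hex) for storage; salt is random unless supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


class ClientRecord:
    """Hypothetical stand-in for the aggregate of domain objects OAuth2Client wraps."""

    def __init__(self, client_id: str, secret_hash: str,
                 redirect_uris: Iterable[str], grant_types: Iterable[str]) -> None:
        self.client_id = client_id
        self.secret_hash = secret_hash
        self.redirect_uris: List[str] = list(redirect_uris)
        self.grant_types: List[str] = list(grant_types)

    def check_client_secret(self, client_secret: str) -> bool:
        """Recompute the hash with the stored salt and compare in constant time."""
        salt_hex, _digest_hex = self.secret_hash.split("$", 1)
        candidate = hash_secret(client_secret, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, self.secret_hash)

    def check_grant_type(self, grant_type: str) -> bool:
        """A client may only use the grant types it was registered for."""
        return grant_type in self.grant_types

    def check_redirect_uri(self, redirect_uri: str) -> bool:
        """Exact match only: no prefix, host-only, scheme-tolerant or
        query-tolerant matching, which are the usual sources of authorization
        codes leaking to an attacker-controlled redirect."""
        return redirect_uri in self.redirect_uris
```

Anything looser than exact matching (accepting a different scheme, a subpath, an extra query parameter, or a host that merely starts with the registered one) lets an attacker register or craft a URI that the server will still send the authorization code to.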
class registry.oauth2.OAuth2User(user)
    Bases: object
    Represents the resource owner in OAuth2 workflows.
    This is a thin wrapper around domain.User to support Authlib integration.
registry.oauth2.create_server()
    Instantiate and configure an AuthorizationServer.
    Return type: AuthorizationServer
registry.oauth2.get_client(client_id)
    Load client data and generate an OAuth2Client.
    Parameters: client_id (str)
    Returns: The client, or None if the client is not found.
    Return type: Optional[OAuth2Client]
registry.oauth2.get_endorsements(client)
    Get endorsed categories for a client.
    The current implementation just returns all categories, i.e. endorsements do not yet restrict anything; see the Todo at the top of this module.
    Parameters: client (domain.Client)
    Returns: Each item is a domain.Category.
    Return type: List[Category]
registry.oauth2.init_app(app)
    Attach an AuthorizationServer to a Flask app.
    Return type: None
registry.oauth2.save_token(token, oauth_request)
    Persist an auth token as a domain.Session.
    We use the access token as the session ID. This makes for a fast lookup by the authenticator service. The flip side is that the sessions store then holds the bearer tokens themselves, so read access to it is equivalent to holding every live token.
    Parameters:
    - token (dict) – Token data generated by the OAuth2 AuthorizationServer. At this point the token has not been stored.
    - oauth_request (OAuth2Request) – Wrapper for OAuth2-related request data.
    Return type: None