registry.oauth2 module

OAuth2 (RFC6749) implementation, using authlib.

This module extends the authlib.flask implementation, leveraging client data stored in registry.services.datastore and instantiating authorized sessions in registry.services.sessions.

The current implementation supports the client_credentials and authorization_code grants.

Todo

Implement backend & integration to control client endorsements.

class registry.oauth2.AuthorizationCodeGrant(request, server)[source]

Bases: authlib.specs.rfc6749.grants.authorization_code.AuthorizationCodeGrant

Authorization code grant for arXiv users.

EXPIRES = 3600
TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_post']
authenticate_user(auth_code)[source]

Authenticate the user implicated in the auth code.

Return type:OAuth2User
create_authorization_code(client, grant_user, request)[source]

Generate and store a new authorization code.

Parameters:
  • client (OAuth2Client) – The client requesting authorization.
  • grant_user (OAuth2User) – The resource owner who has granted authorization to the client.
  • request (OAuth2Request) – The request wrapper containing request details.
Returns:

An authorization code that the client can exchange for an access token.
Return type:

str
Return type:

str
delete_authorization_code(auth_code)[source]

Delete an auth code.

Return type:None
parse_authorization_code(code, client)[source]

Attempt to retrieve an auth code for an API client.

Return type:Optional[AuthorizationCode]
class registry.oauth2.ClientCredentialsGrant(request, server)[source]

Bases: authlib.specs.rfc6749.grants.client_credentials.ClientCredentialsGrant

Our client credentials grant supports only POST requests.

TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_post']
class registry.oauth2.OAuth2AuthorizationCode(auth_code)[source]

Bases: object

Wraps domain.AuthorizationCode for use in OAuth2 workflows.

get_redirect_uri()[source]

Get the authorization code’s redirect URI.

Return type:str
get_scope()[source]

Get the scope for the authorization code.

Return type:str
is_expired()[source]

Indicate whether the code is expired.

Return type:bool
class registry.oauth2.OAuth2Client(client, credential, authorizations, grant_types)[source]

Bases: authlib.specs.rfc6749.models.ClientMixin

Implementation of an OAuth2 client as described in RFC6749.

This class essentially wraps an aggregate of registry domain objects for a particular client, and implements methods expected by the AuthorizationServer.

check_client_secret(client_secret)[source]

Check that the provided client secret is correct.

Return type:bool
check_grant_type(grant_type)[source]

Check that the client is authorized for the proposed grant type.

Return type:bool
check_redirect_uri(redirect_uri)[source]

Check that the provided redirect URI is authorized.

Return type:bool
check_requested_scopes(scopes)[source]

Check that the requested scopes are authorized for this client.

Return type:bool
check_response_type(response_type)[source]

Check the proposed response type.

Return type:bool
check_token_endpoint_auth_method(method)[source]

Force POST auth method.

Return type:bool
client_id

Get the client ID.

Return type:str
description

Get the client description.

Return type:str
get_default_redirect_uri()[source]

Get the default redirect URI for the client.

Return type:str
has_client_secret()[source]

Check that the client has a secret.

Return type:bool
name

Get the client name.

Return type:str
scopes

Authorized scopes as a list.

Return type:List[str]
url

Get the client URL.

Return type:str
class registry.oauth2.OAuth2User(user)[source]

Bases: object

Represents the resource owner in OAuth2 workflows.

This is a thin wrapper around domain.User to support Authlib integration.

get_user_email()[source]

Get the email address of the user.

Return type:str
get_user_id()[source]

Get the ID of the user.

Return type:str
get_username()[source]

Get the username of the user.

Return type:str
registry.oauth2.create_server()[source]

Instantiate and configure an AuthorizationServer.

Return type:AuthorizationServer
registry.oauth2.get_client(client_id)[source]

Load client data and generate a OAuth2Client.

Parameters:client_id (str) –
Returns:If the client is not found, returns None.
Return type:OAuth2Client or None
Return type:Optional[OAuth2Client]
registry.oauth2.get_endorsements(client)[source]

Get endorsed categories for a client.

The current implementation just returns all categories.

Parameters:client (domain.Client) –
Returns:Each item is a domain.Category.
Return type:list
Return type:List[Category]
registry.oauth2.init_app(app)[source]

Attach an AuthorizationServer to a Flask app.

Return type:None
registry.oauth2.save_token(token, oauth_request)[source]

Persist an auth token as a domain.Session.

We use the access token as the session ID. This makes for a fast lookup by the authenticator service.

Parameters:
  • token (dict) – Token data generated by the OAuth2 AuthorizationServer. At this point the token has not been stored.
  • oauth_request (OAuth2Request) – Wrapper for OAuth2-related request data.
Return type:

None