canaille-globuzma/canaille/oidc/models.py

import datetime

from authlib.oauth2.rfc6749 import AuthorizationCodeMixin
from authlib.oauth2.rfc6749 import ClientMixin
from authlib.oauth2.rfc6749 import TokenMixin
from authlib.oauth2.rfc6749 import util
from canaille.backends.ldap.ldapobject import LDAPObject


class Client(LDAPObject, ClientMixin):
    ldap_object_class = ["oauthClient"]
    base = "ou=clients,ou=oauth"
    rdn_attribute = "oauthClientID"

    client_info_attributes = {
        "client_id": "oauthClientID",
        "client_secret": "oauthClientSecret",
        "client_id_issued_at": "oauthIssueDate",
        "client_secret_expires_at": "oauthClientSecretExpDate",
    }

    client_metadata_attributes = {
        "client_name": "oauthClientName",
        "contacts": "oauthClientContact",
        "client_uri": "oauthClientURI",
        "redirect_uris": "oauthRedirectURIs",
        "logo_uri": "oauthLogoURI",
        "grant_types": "oauthGrantType",
        "response_types": "oauthResponseType",
        "scope": "oauthScope",
        "tos_uri": "oauthTermsOfServiceURI",
        "policy_uri": "oauthPolicyURI",
        "jwks_uri": "oauthJWKURI",
        "jwk": "oauthJWK",
        "token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",
        "software_id": "oauthSoftwareID",
        "software_version": "oauthSoftwareVersion",
    }

    attributes = {
        "id": "dn",
        "description": "description",
        "preconsent": "oauthPreconsent",
        # post_logout_redirect_uris is not yet supported by authlib
        "post_logout_redirect_uris": "oauthPostLogoutRedirectURI",
        "audience": "oauthAudience",
        **client_info_attributes,
        **client_metadata_attributes,
    }

    def get_client_id(self):
        return self.client_id

    def get_default_redirect_uri(self):
        return self.redirect_uris[0]

    def get_allowed_scope(self, scope):
        return util.list_to_scope(
            [scope_piece for scope_piece in self.scope if scope_piece in scope]
        )

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.redirect_uris

    def check_client_secret(self, client_secret):
        return client_secret == self.client_secret

    def check_endpoint_auth_method(self, method, endpoint):
        if endpoint == "token":
            return method == self.token_endpoint_auth_method
        return True

    def check_response_type(self, response_type):
        return all(r in self.response_types for r in response_type.split(" "))

    def check_grant_type(self, grant_type):
        return grant_type in self.grant_types

    @property
    def client_info(self):
        result = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_info_attributes
        }
        result["client_id_issued_at"] = int(
            datetime.datetime.timestamp(result["client_id_issued_at"])
        )
        return result

    @property
    def client_metadata(self):
        metadata = {
            attribute_name: getattr(self, attribute_name)
            for attribute_name in self.client_metadata_attributes
        }
        metadata["scope"] = " ".join(metadata["scope"])
        return metadata

    def delete(self):
        for consent in Consent.query(client=self):
            consent.delete()

        for code in AuthorizationCode.query(client=self):
            code.delete()

        for token in Token.query(client=self):
            token.delete()

        super().delete()


class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):
    ldap_object_class = ["oauthAuthorizationCode"]
    base = "ou=authorizations,ou=oauth"
    rdn_attribute = "oauthAuthorizationCodeID"
    attributes = {
        "id": "dn",
        "authorization_code_id": "oauthAuthorizationCodeID",
        "description": "description",
        "code": "oauthCode",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "redirect_uri": "oauthRedirectURI",
        "response_type": "oauthResponseType",
        "scope": "oauthScope",
        "nonce": "oauthNonce",
        "issue_date": "oauthAuthorizationDate",
        "lifetime": "oauthAuthorizationLifetime",
        "challenge": "oauthCodeChallenge",
        "challenge_method": "oauthCodeChallengeMethod",
        "revokation_date": "oauthRevokationDate",
    }

    def get_redirect_uri(self):
        return self.redirect_uri

    def get_scope(self):
        return self.scope[0].split(" ")

    def get_nonce(self):
        return self.nonce

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def get_auth_time(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )


class Token(LDAPObject, TokenMixin):
    ldap_object_class = ["oauthToken"]
    base = "ou=tokens,ou=oauth"
    rdn_attribute = "oauthTokenID"
    attributes = {
        "id": "dn",
        "token_id": "oauthTokenID",
        "access_token": "oauthAccessToken",
        "description": "description",
        "client": "oauthClient",
        "subject": "oauthSubject",
        "type": "oauthTokenType",
        "refresh_token": "oauthRefreshToken",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "lifetime": "oauthTokenLifetime",
        "revokation_date": "oauthRevokationDate",
        "audience": "oauthAudience",
    }

    @property
    def expire_date(self):
        return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def get_scope(self):
        return " ".join(self.scope)

    def get_expires_in(self):
        return int(self.lifetime)

    def get_issued_at(self):
        return int(
            (
                self.issue_date
                - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
            ).total_seconds()
        )

    def get_expires_at(self):
        issue_timestamp = (
            self.issue_date
            - datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
        ).total_seconds()
        return int(issue_timestamp) + int(self.lifetime)

    def is_refresh_token_active(self):
        if self.revokation_date:
            return False

        return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)

    def is_expired(self):
        return self.issue_date + datetime.timedelta(
            seconds=int(self.lifetime)
        ) < datetime.datetime.now(datetime.timezone.utc)

    def is_revoked(self):
        return bool(self.revokation_date)

    def check_client(self, client):
        return client.client_id == self.client.client_id


class Consent(LDAPObject):
    ldap_object_class = ["oauthConsent"]
    base = "ou=consents,ou=oauth"
    rdn_attribute = "cn"
    attributes = {
        "id": "dn",
        "consent_id": "cn",
        "subject": "oauthSubject",
        "client": "oauthClient",
        "scope": "oauthScope",
        "issue_date": "oauthIssueDate",
        "revokation_date": "oauthRevokationDate",
    }

    @property
    def revoked(self):
        return bool(self.revokation_date)

    def revoke(self):
        self.revokation_date = datetime.datetime.now(datetime.timezone.utc)
        self.save()

        tokens = Token.query(
            client=self.client,
            subject=self.subject,
        )
        tokens = [token for token in tokens if not token.revoked]
        for t in tokens:
            t.revokation_date = self.revokation_date
            t.save()

    def restore(self):
        self.revokation_date = None
        self.save()
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`import datetime`

			`from authlib.oauth2.rfc6749 import AuthorizationCodeMixin`
			`from authlib.oauth2.rfc6749 import ClientMixin`
			`from authlib.oauth2.rfc6749 import TokenMixin`
			`from authlib.oauth2.rfc6749 import util`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from canaille.backends.ldap.ldapobject import LDAPObject`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Client(LDAPObject, ClientMixin):`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`ldap_object_class = ["oauthClient"]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`base = "ou=clients,ou=oauth"`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`rdn_attribute = "oauthClientID"`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00
			`client_info_attributes = {`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"client_id": "oauthClientID",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"client_secret": "oauthClientSecret",`
			`"client_id_issued_at": "oauthIssueDate",`
			`"client_secret_expires_at": "oauthClientSecretExpDate",`
			`}`

			`client_metadata_attributes = {`
Variable renaming 2022-10-17 15:49:52 +00:00			`"client_name": "oauthClientName",`
			`"contacts": "oauthClientContact",`
			`"client_uri": "oauthClientURI",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"redirect_uris": "oauthRedirectURIs",`
			`"logo_uri": "oauthLogoURI",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"grant_types": "oauthGrantType",`
			`"response_types": "oauthResponseType",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"scope": "oauthScope",`
			`"tos_uri": "oauthTermsOfServiceURI",`
			`"policy_uri": "oauthPolicyURI",`
Variable renaming 2022-10-17 15:49:52 +00:00			`"jwks_uri": "oauthJWKURI",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"jwk": "oauthJWK",`
			`"token_endpoint_auth_method": "oauthTokenEndpointAuthMethod",`
			`"software_id": "oauthSoftwareID",`
			`"software_version": "oauthSoftwareVersion",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`}`

Rename LDAPObject.attribute_table to attributes 2023-05-11 14:55:33 +00:00			`attributes = {`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`"id": "dn",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`"description": "description",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"preconsent": "oauthPreconsent",`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`# post_logout_redirect_uris is not yet supported by authlib`
			`"post_logout_redirect_uris": "oauthPostLogoutRedirectURI",`
			`"audience": "oauthAudience",`
			`**client_info_attributes,`
			`**client_metadata_attributes,`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`def get_client_id(self):`
			`return self.client_id`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def get_default_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uris[0]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_allowed_scope(self, scope):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return util.list_to_scope(`
			`[scope_piece for scope_piece in self.scope if scope_piece in scope]`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_redirect_uri(self, redirect_uri):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return redirect_uri in self.redirect_uris`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_client_secret(self, client_secret):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return client_secret == self.client_secret`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def check_endpoint_auth_method(self, method, endpoint):`
			`if endpoint == "token":`
			`return method == self.token_endpoint_auth_method`
			`return True`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_response_type(self, response_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return all(r in self.response_types for r in response_type.split(" "))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def check_grant_type(self, grant_type):`
Variable renaming 2022-10-17 15:49:52 +00:00			`return grant_type in self.grant_types`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def client_info(self):`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`result = {`
			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_info_attributes`
			`}`
			`result["client_id_issued_at"] = int(`
			`datetime.datetime.timestamp(result["client_id_issued_at"])`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`return result`

			`@property`
			`def client_metadata(self):`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`metadata = {`
Implemented RFC7592 OAuth Client Registration Management 2022-10-24 15:18:46 +00:00			`attribute_name: getattr(self, attribute_name)`
			`for attribute_name in self.client_metadata_attributes`
			`}`
Fix coverage 2023-01-28 17:35:39 +00:00			`metadata["scope"] = " ".join(metadata["scope"])`
Fixed dynamic client registration scope management 2023-01-28 13:04:04 +00:00			`return metadata`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`def delete(self):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`for consent in Consent.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`consent.delete()`

LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`for code in AuthorizationCode.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`code.delete()`

LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`for token in Token.query(client=self):`
Client deletion also delete related objects 2023-01-30 18:58:00 +00:00			`token.delete()`

			`super().delete()`

split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`class AuthorizationCode(LDAPObject, AuthorizationCodeMixin):`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`ldap_object_class = ["oauthAuthorizationCode"]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`base = "ou=authorizations,ou=oauth"`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`rdn_attribute = "oauthAuthorizationCodeID"`
Rename LDAPObject.attribute_table to attributes 2023-05-11 14:55:33 +00:00			`attributes = {`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`"id": "dn",`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"authorization_code_id": "oauthAuthorizationCodeID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"description": "description",`
			`"code": "oauthCode",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"redirect_uri": "oauthRedirectURI",`
			`"response_type": "oauthResponseType",`
			`"scope": "oauthScope",`
			`"nonce": "oauthNonce",`
			`"issue_date": "oauthAuthorizationDate",`
			`"lifetime": "oauthAuthorizationLifetime",`
			`"challenge": "oauthCodeChallenge",`
			`"challenge_method": "oauthCodeChallengeMethod",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_redirect_uri(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.redirect_uri`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
Client only return the asked scopes 2022-07-07 14:05:34 +00:00			`return self.scope[0].split(" ")`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_nonce(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.nonce`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_auth_time(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00

			`class Token(LDAPObject, TokenMixin):`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`ldap_object_class = ["oauthToken"]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`base = "ou=tokens,ou=oauth"`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`rdn_attribute = "oauthTokenID"`
Rename LDAPObject.attribute_table to attributes 2023-05-11 14:55:33 +00:00			`attributes = {`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`"id": "dn",`
AuthorizationCode and Token have a new id parameter 2022-02-16 17:00:30 +00:00			`"token_id": "oauthTokenID",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"access_token": "oauthAccessToken",`
			`"description": "description",`
			`"client": "oauthClient",`
			`"subject": "oauthSubject",`
			`"type": "oauthTokenType",`
			`"refresh_token": "oauthRefreshToken",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"lifetime": "oauthTokenLifetime",`
			`"revokation_date": "oauthRevokationDate",`
			`"audience": "oauthAudience",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def expire_date(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return self.issue_date + datetime.timedelta(seconds=int(self.lifetime))`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`@property`
			`def revoked(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return bool(self.revokation_date)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_scope(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return " ".join(self.scope)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_in(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_issued_at(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return int(`
			`(`
			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
			`).total_seconds()`
			`)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def get_expires_at(self):`
			`issue_timestamp = (`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.issue_date`
			`- datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`).total_seconds()`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return int(issue_timestamp) + int(self.lifetime)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_refresh_token_active(self):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`if self.revokation_date:`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`return False`

Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.expire_date >= datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`def is_expired(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`return self.issue_date + datetime.timedelta(`
			`seconds=int(self.lifetime)`
			`) < datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Bumped to authlib 1 2022-04-10 14:00:51 +00:00			`def is_revoked(self):`
			`return bool(self.revokation_date)`

			`def check_client(self, client):`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`return client.client_id == self.client.client_id`
Bumped to authlib 1 2022-04-10 14:00:51 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00
			`class Consent(LDAPObject):`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`ldap_object_class = ["oauthConsent"]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`base = "ou=consents,ou=oauth"`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`rdn_attribute = "cn"`
Rename LDAPObject.attribute_table to attributes 2023-05-11 14:55:33 +00:00			`attributes = {`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`"id": "dn",`
Consent cn alias 2023-03-09 23:38:16 +00:00			`"consent_id": "cn",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`"subject": "oauthSubject",`
			`"client": "oauthClient",`
			`"scope": "oauthScope",`
			`"issue_date": "oauthIssueDate",`
			`"revokation_date": "oauthRevokationDate",`
			`}`
split oidc code from the rest 2022-01-11 18:49:06 +00:00
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`@property`
			`def revoked(self):`
			`return bool(self.revokation_date)`

split oidc code from the rest 2022-01-11 18:49:06 +00:00			`def revoke(self):`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`self.revokation_date = datetime.datetime.now(datetime.timezone.utc)`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`self.save()`

Merge LDAPObject.all and LDAPObject.filter in LDAPObject.query 2023-03-07 13:49:44 +00:00			`tokens = Token.query(`
Fixes calls to the Consent.oauthClient and Consent.oauthSubject attributes 2023-05-17 10:07:52 +00:00			`client=self.client,`
			`subject=self.subject,`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`)`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00			`tokens = [token for token in tokens if not token.revoked]`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`for t in tokens:`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`t.revokation_date = self.revokation_date`
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`t.save()`
Revoked consents can be restored 2023-02-14 17:43:43 +00:00
			`def restore(self):`
			`self.revokation_date = None`
			`self.save()`