canaille-globuzma/canaille/oauth2utils.py

import datetime
from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector
from authlib.oauth2.rfc6749.grants import (
    AuthorizationCodeGrant as _AuthorizationCodeGrant,
    ResourceOwnerPasswordCredentialsGrant as _ResourceOwnerPasswordCredentialsGrant,
    RefreshTokenGrant as _RefreshTokenGrant,
    ImplicitGrant,
    ClientCredentialsGrant,
)
from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator
from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint
from authlib.oauth2.rfc7636 import CodeChallenge as _CodeChallenge
from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint
from authlib.oidc.core.grants import (
    OpenIDCode as _OpenIDCode,
    OpenIDImplicitGrant as _OpenIDImplicitGrant,
    OpenIDHybridGrant as _OpenIDHybridGrant,
)
from authlib.oidc.core import UserInfo
from flask import current_app
from .models import Client, AuthorizationCode, Token, User


def exists_nonce(nonce, req):
    exists = AuthorizationCode.filter(oauthClientID=req.client_id, oauthNonce=nonce)
    return bool(exists)


def get_jwt_config(grant):
    with open(current_app.config["JWT"]["PRIVATE_KEY"]) as pk:
        return {
            "key": pk.read(),
            "alg": current_app.config["JWT"]["ALG"],
            "iss": authorization.metadata["issuer"],
            "exp": current_app.config["JWT"]["EXP"],
        }


def generate_user_info(user, scope):
    user = User.get(user)
    fields = ["sub"]
    if "profile" in scope:
        fields += [
            "name",
            "family_name",
            "given_name",
            "nickname",
            "preferred_username",
            "profile",
            "picture",
            "website",
            "gender",
            "birthdate",
            "zoneinfo",
            "locale",
            "updated_at",
        ]
    if "email" in scope:
        fields += ["email", "email_verified"]
    if "address" in scope:
        fields += ["address"]
    if "phone" in scope:
        fields += ["phone_number", "phone_number_verified"]

    data = {}
    for field in fields:
        ldap_field_match = current_app.config["JWT"]["MAPPING"].get(field.upper())
        if ldap_field_match and ldap_field_match in user.attrs:
            data[field] = user.__getattr__(ldap_field_match)
            if isinstance(data[field], list):
                data[field] = data[field][0]

    return UserInfo(**data)


def save_authorization_code(code, request):
    nonce = request.data.get("nonce")
    now = datetime.datetime.now()
    code = AuthorizationCode(
        oauthCode=code,
        oauthSubject=request.user,
        oauthClient=request.client.dn,
        oauthRedirectURI=request.redirect_uri or request.client.oauthRedirectURIs[0],
        oauthScope=request.scope,
        oauthNonce=nonce,
        oauthAuthorizationDate=now.strftime("%Y%m%d%H%M%SZ"),
        oauthAuthorizationLifetime=str(84000),
        oauthCodeChallenge=request.data.get("code_challenge"),
        oauthCodeChallengeMethod=request.data.get("code_challenge_method"),
    )
    code.save()
    return code.oauthCode


class AuthorizationCodeGrant(_AuthorizationCodeGrant):
    TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post", "none"]

    def save_authorization_code(self, code, request):
        return save_authorization_code(code, request)

    def query_authorization_code(self, code, client):
        item = AuthorizationCode.filter(oauthCode=code, oauthClient=client.dn)
        if item and not item[0].is_expired():
            return item[0]

    def delete_authorization_code(self, authorization_code):
        authorization_code.delete()

    def authenticate_user(self, authorization_code):
        return User.get(authorization_code.oauthSubject).dn


class OpenIDCode(_OpenIDCode):
    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self, grant):
        return get_jwt_config(grant)

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


class PasswordGrant(_ResourceOwnerPasswordCredentialsGrant):
    def authenticate_user(self, username, password):
        return User.authenticate(username, password).dn


class RefreshTokenGrant(_RefreshTokenGrant):
    def authenticate_refresh_token(self, refresh_token):
        token = Token.filter(oauthRefreshToken=refresh_token)
        if token and token[0].is_refresh_token_active():
            return token[0]

    def authenticate_user(self, credential):
        return User.get(credential.oauthSubject).dn

    def revoke_old_credential(self, credential):
        credential.oauthRevokationDate = datetime.datetime.now().strftime(
            "%Y%m%d%H%M%SZ"
        )
        credential.save()


class OpenIDImplicitGrant(_OpenIDImplicitGrant):
    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self, grant=None):
        return get_jwt_config(grant)

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


class OpenIDHybridGrant(_OpenIDHybridGrant):
    def save_authorization_code(self, code, request):
        return save_authorization_code(code, request)

    def exists_nonce(self, nonce, request):
        return exists_nonce(nonce, request)

    def get_jwt_config(self, grant=None):
        return get_jwt_config(grant)

    def generate_user_info(self, user, scope):
        return generate_user_info(user, scope)


def query_client(client_id):
    return Client.get(client_id)


def save_token(token, request):
    now = datetime.datetime.now()
    t = Token(
        oauthTokenType=token["token_type"],
        oauthAccessToken=token["access_token"],
        oauthIssueDate=now.strftime("%Y%m%d%H%M%SZ"),
        oauthTokenLifetime=str(token["expires_in"]),
        oauthScope=token["scope"],
        oauthClient=request.client.dn,
        oauthRefreshToken=token.get("refresh_token"),
        oauthSubject=request.user,
    )
    t.save()


class BearerTokenValidator(_BearerTokenValidator):
    def authenticate_token(self, token_string):
        return Token.get(token_string)

    def request_invalid(self, request):
        return False

    def token_revoked(self, token):
        return bool(token.oauthRevokationDate)


class RevocationEndpoint(_RevocationEndpoint):
    def query_token(self, token, token_type_hint, client):
        if token_type_hint == "access_token":
            return Token.filter(oauthClient=client.dn, oauthAccessToken=token)
        elif token_type_hint == "refresh_token":
            return Token.filter(oauthClient=client.dn, oauthRefreshToken=token)

        item = Token.filter(oauthClient=client.dn, oauthAccessToken=token)
        if item:
            return item[0]

        item = Token.filter(oauthClient=client.dn, oauthRefreshToken=token)
        if item:
            return item[0]

        return None

    def revoke_token(self, token):
        token.oauthRevokationDate = datetime.datetime.now().strftime("%Y%m%d%H%M%SZ")
        token.save()


class IntrospectionEndpoint(_IntrospectionEndpoint):
    def query_token(self, token, token_type_hint, client):
        if token_type_hint == "access_token":
            tok = Token.filter(oauthAccessToken=token)
        elif token_type_hint == "refresh_token":
            tok = Token.filter(oauthRefreshToken=token)
        else:
            tok = Token.filter(oauthAccessToken=token)
            if not tok:
                tok = Token.filter(oauthRefreshToken=token)
        if tok:
            tok = tok[0]
            if tok.oauthClient == client.dn:
                return tok
            # if has_introspect_permission(client):
            #    return tok

    def introspect_token(self, token):
        client_id = Client.get(token.oauthClient).oauthClientID
        return {
            "active": True,
            "client_id": client_id,
            "token_type": token.oauthTokenType,
            "username": User.get(token.oauthSubject).name,
            "scope": token.get_scope(),
            "sub": token.oauthSubject,
            "aud": client_id,
            "iss": authorization.metadata["issuer"],
            "exp": token.get_expires_at(),
            "iat": token.get_issued_at(),
        }


class CodeChallenge(_CodeChallenge):
    def get_authorization_code_challenge(self, authorization_code):
        return authorization_code.oauthCodeChallenge

    def get_authorization_code_challenge_method(self, authorization_code):
        return authorization_code.oauthCodeChallengeMethod


authorization = AuthorizationServer()
require_oauth = ResourceProtector()


def config_oauth(app):
    authorization.init_app(app, query_client=query_client, save_token=save_token)

    authorization.register_grant(PasswordGrant)
    authorization.register_grant(ImplicitGrant)
    authorization.register_grant(RefreshTokenGrant)
    authorization.register_grant(ClientCredentialsGrant)

    authorization.register_grant(
        AuthorizationCodeGrant,
        [OpenIDCode(require_nonce=True), CodeChallenge(required=True)],
    )
    authorization.register_grant(OpenIDImplicitGrant)
    authorization.register_grant(OpenIDHybridGrant)

    require_oauth.register_token_validator(BearerTokenValidator())

    authorization.register_endpoint(IntrospectionEndpoint)
    authorization.register_endpoint(RevocationEndpoint)
Fixed password flow 2020-08-16 17:39:14 +00:00			`import datetime`
wip 2020-08-14 13:26:14 +00:00			`from authlib.integrations.flask_oauth2 import AuthorizationServer, ResourceProtector`
			`from authlib.oauth2.rfc6749.grants import (`
			`AuthorizationCodeGrant as _AuthorizationCodeGrant,`
			`ResourceOwnerPasswordCredentialsGrant as _ResourceOwnerPasswordCredentialsGrant,`
			`RefreshTokenGrant as _RefreshTokenGrant,`
Implicit flow test 2020-08-20 12:30:42 +00:00			`ImplicitGrant,`
			`ClientCredentialsGrant,`
draft 2020-08-14 11:18:08 +00:00			`)`
wip 2020-08-14 13:26:14 +00:00			`from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`from authlib.oauth2.rfc7009 import RevocationEndpoint as _RevocationEndpoint`
Code challenge unit tests 2020-08-25 13:28:13 +00:00			`from authlib.oauth2.rfc7636 import CodeChallenge as _CodeChallenge`
Token introspection 2020-08-24 12:44:32 +00:00			`from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint`
wip 2020-08-14 13:26:14 +00:00			`from authlib.oidc.core.grants import (`
			`OpenIDCode as _OpenIDCode,`
			`OpenIDImplicitGrant as _OpenIDImplicitGrant,`
			`OpenIDHybridGrant as _OpenIDHybridGrant,`
			`)`
			`from authlib.oidc.core import UserInfo`
Claims are configurable 2020-08-24 08:03:48 +00:00			`from flask import current_app`
wip 2020-08-14 13:26:14 +00:00			`from .models import Client, AuthorizationCode, Token, User`


			`def exists_nonce(nonce, req):`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`exists = AuthorizationCode.filter(oauthClientID=req.client_id, oauthNonce=nonce)`
wip 2020-08-14 13:26:14 +00:00			`return bool(exists)`


Claims are configurable 2020-08-24 08:03:48 +00:00			`def get_jwt_config(grant):`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`with open(current_app.config["JWT"]["PRIVATE_KEY"]) as pk:`
			`return {`
			`"key": pk.read(),`
			`"alg": current_app.config["JWT"]["ALG"],`
			`"iss": authorization.metadata["issuer"],`
			`"exp": current_app.config["JWT"]["EXP"],`
			`}`
Claims are configurable 2020-08-24 08:03:48 +00:00

wip 2020-08-14 13:26:14 +00:00			`def generate_user_info(user, scope):`
User token list view 2020-08-27 08:50:50 +00:00			`user = User.get(user)`
Claims are configurable 2020-08-24 08:03:48 +00:00			`fields = ["sub"]`
			`if "profile" in scope:`
			`fields += [`
			`"name",`
			`"family_name",`
			`"given_name",`
			`"nickname",`
			`"preferred_username",`
			`"profile",`
			`"picture",`
			`"website",`
			`"gender",`
			`"birthdate",`
			`"zoneinfo",`
			`"locale",`
			`"updated_at",`
			`]`
			`if "email" in scope:`
			`fields += ["email", "email_verified"]`
			`if "address" in scope:`
			`fields += ["address"]`
			`if "phone" in scope:`
			`fields += ["phone_number", "phone_number_verified"]`

			`data = {}`
			`for field in fields:`
			`ldap_field_match = current_app.config["JWT"]["MAPPING"].get(field.upper())`
LDAPObject attributes are inherited from parents too 2020-09-25 12:20:39 +00:00			`if ldap_field_match and ldap_field_match in user.attrs:`
			`data[field] = user.__getattr__(ldap_field_match)`
Claims are configurable 2020-08-24 08:03:48 +00:00			`if isinstance(data[field], list):`
			`data[field] = data[field][0]`

			`return UserInfo(**data)`
wip 2020-08-14 13:26:14 +00:00

Fixed a deprecation warning 2020-08-19 09:16:18 +00:00			`def save_authorization_code(code, request):`
wip 2020-08-14 13:26:14 +00:00			`nonce = request.data.get("nonce")`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`now = datetime.datetime.now()`
			`code = AuthorizationCode(`
Fixed a deprecation warning 2020-08-19 09:16:18 +00:00			`oauthCode=code,`
			`oauthSubject=request.user,`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`oauthClient=request.client.dn,`
Fixed a deprecation warning 2020-08-19 09:16:18 +00:00			`oauthRedirectURI=request.redirect_uri or request.client.oauthRedirectURIs[0],`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`oauthScope=request.scope,`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`oauthNonce=nonce,`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`oauthAuthorizationDate=now.strftime("%Y%m%d%H%M%SZ"),`
			`oauthAuthorizationLifetime=str(84000),`
Token introspection 2020-08-24 12:44:32 +00:00			`oauthCodeChallenge=request.data.get("code_challenge"),`
			`oauthCodeChallengeMethod=request.data.get("code_challenge_method"),`
wip 2020-08-14 13:26:14 +00:00			`)`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`code.save()`
			`return code.oauthCode`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class AuthorizationCodeGrant(_AuthorizationCodeGrant):`
Better code challenge unit tests 2020-08-25 13:51:49 +00:00			`TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_basic", "client_secret_post", "none"]`

Fixed a deprecation warning 2020-08-19 09:16:18 +00:00			`def save_authorization_code(self, code, request):`
			`return save_authorization_code(code, request)`
draft 2020-08-14 11:18:08 +00:00
Authorization code flow unit tests 2020-08-19 08:28:28 +00:00			`def query_authorization_code(self, code, client):`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`item = AuthorizationCode.filter(oauthCode=code, oauthClient=client.dn)`
Full authorization_code flow 2020-08-17 16:49:05 +00:00			`if item and not item[0].is_expired():`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`return item[0]`
draft 2020-08-14 11:18:08 +00:00
			`def delete_authorization_code(self, authorization_code):`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`authorization_code.delete()`
draft 2020-08-14 11:18:08 +00:00
			`def authenticate_user(self, authorization_code):`
User token list view 2020-08-27 08:50:50 +00:00			`return User.get(authorization_code.oauthSubject).dn`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class OpenIDCode(_OpenIDCode):`
			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

			`def get_jwt_config(self, grant):`
Claims are configurable 2020-08-24 08:03:48 +00:00			`return get_jwt_config(grant)`
wip 2020-08-14 13:26:14 +00:00
			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`


			`class PasswordGrant(_ResourceOwnerPasswordCredentialsGrant):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_user(self, username, password):`
User token list view 2020-08-27 08:50:50 +00:00			`return User.authenticate(username, password).dn`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class RefreshTokenGrant(_RefreshTokenGrant):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_refresh_token(self, refresh_token):`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`token = Token.filter(oauthRefreshToken=refresh_token)`
			`if token and token[0].is_refresh_token_active():`
			`return token[0]`
draft 2020-08-14 11:18:08 +00:00
			`def authenticate_user(self, credential):`
User token list view 2020-08-27 08:50:50 +00:00			`return User.get(credential.oauthSubject).dn`
draft 2020-08-14 11:18:08 +00:00
			`def revoke_old_credential(self, credential):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`credential.oauthRevokationDate = datetime.datetime.now().strftime(`
			`"%Y%m%d%H%M%SZ"`
			`)`
Implement token revokation 2020-08-25 09:35:30 +00:00			`credential.save()`
wip 2020-08-14 13:26:14 +00:00
Fixed password flow 2020-08-16 17:39:14 +00:00
Implicit flow test 2020-08-20 12:30:42 +00:00			`class OpenIDImplicitGrant(_OpenIDImplicitGrant):`
wip 2020-08-14 13:26:14 +00:00			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

oidc implicit flow test 2020-08-23 17:56:37 +00:00			`def get_jwt_config(self, grant=None):`
Claims are configurable 2020-08-24 08:03:48 +00:00			`return get_jwt_config(grant)`
wip 2020-08-14 13:26:14 +00:00
			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`


Implicit flow test 2020-08-20 12:30:42 +00:00			`class OpenIDHybridGrant(_OpenIDHybridGrant):`
Fixed a deprecation warning 2020-08-19 09:16:18 +00:00			`def save_authorization_code(self, code, request):`
			`return save_authorization_code(code, request)`
wip 2020-08-14 13:26:14 +00:00
			`def exists_nonce(self, nonce, request):`
			`return exists_nonce(nonce, request)`

Claims are configurable 2020-08-24 08:03:48 +00:00			`def get_jwt_config(self, grant=None):`
			`return get_jwt_config(grant)`
wip 2020-08-14 13:26:14 +00:00
			`def generate_user_info(self, user, scope):`
			`return generate_user_info(user, scope)`
draft 2020-08-14 11:18:08 +00:00

			`def query_client(client_id):`
			`return Client.get(client_id)`


			`def save_token(token, request):`
Fixed password flow 2020-08-16 17:39:14 +00:00			`now = datetime.datetime.now()`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`t = Token(`
Fixed password flow 2020-08-16 17:39:14 +00:00			`oauthTokenType=token["token_type"],`
			`oauthAccessToken=token["access_token"],`
			`oauthIssueDate=now.strftime("%Y%m%d%H%M%SZ"),`
			`oauthTokenLifetime=str(token["expires_in"]),`
LDAPHelper shortcut 2020-08-17 07:45:35 +00:00			`oauthScope=token["scope"],`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`oauthClient=request.client.dn,`
Token introspection 2020-08-24 12:44:32 +00:00			`oauthRefreshToken=token.get("refresh_token"),`
User token list view 2020-08-27 08:50:50 +00:00			`oauthSubject=request.user,`
Fixed password flow 2020-08-16 17:39:14 +00:00			`)`
Some authorization_code work 2020-08-17 16:02:38 +00:00			`t.save()`
draft 2020-08-14 11:18:08 +00:00

wip 2020-08-14 13:26:14 +00:00			`class BearerTokenValidator(_BearerTokenValidator):`
draft 2020-08-14 11:18:08 +00:00			`def authenticate_token(self, token_string):`
			`return Token.get(token_string)`

			`def request_invalid(self, request):`
			`return False`

			`def token_revoked(self, token):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`return bool(token.oauthRevokationDate)`
draft 2020-08-14 11:18:08 +00:00
wip 2020-08-14 13:26:14 +00:00
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`class RevocationEndpoint(_RevocationEndpoint):`
			`def query_token(self, token, token_type_hint, client):`
			`if token_type_hint == "access_token":`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`return Token.filter(oauthClient=client.dn, oauthAccessToken=token)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`elif token_type_hint == "refresh_token":`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`return Token.filter(oauthClient=client.dn, oauthRefreshToken=token)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`item = Token.filter(oauthClient=client.dn, oauthAccessToken=token)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`if item:`
			`return item[0]`

Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`item = Token.filter(oauthClient=client.dn, oauthRefreshToken=token)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`if item:`
			`return item[0]`

			`return None`

			`def revoke_token(self, token):`
Remember revokation dates 2020-09-17 09:10:12 +00:00			`token.oauthRevokationDate = datetime.datetime.now().strftime("%Y%m%d%H%M%SZ")`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`token.save()`


Token introspection 2020-08-24 12:44:32 +00:00			`class IntrospectionEndpoint(_IntrospectionEndpoint):`
			`def query_token(self, token, token_type_hint, client):`
			`if token_type_hint == "access_token":`
			`tok = Token.filter(oauthAccessToken=token)`
			`elif token_type_hint == "refresh_token":`
			`tok = Token.filter(oauthRefreshToken=token)`
			`else:`
			`tok = Token.filter(oauthAccessToken=token)`
			`if not tok:`
			`tok = Token.filter(oauthRefreshToken=token)`
			`if tok:`
			`tok = tok[0]`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`if tok.oauthClient == client.dn:`
Token introspection 2020-08-24 12:44:32 +00:00			`return tok`
			`# if has_introspect_permission(client):`
			`# return tok`

			`def introspect_token(self, token):`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`client_id = Client.get(token.oauthClient).oauthClientID`
Token introspection 2020-08-24 12:44:32 +00:00			`return {`
			`"active": True,`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`"client_id": client_id,`
Token introspection 2020-08-24 12:44:32 +00:00			`"token_type": token.oauthTokenType,`
			`"username": User.get(token.oauthSubject).name,`
			`"scope": token.get_scope(),`
			`"sub": token.oauthSubject,`
Schema use client dn instead of client id 2020-09-07 13:39:51 +00:00			`"aud": client_id,`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`"iss": authorization.metadata["issuer"],`
Token introspection 2020-08-24 12:44:32 +00:00			`"exp": token.get_expires_at(),`
			`"iat": token.get_issued_at(),`
			`}`


Code challenge unit tests 2020-08-25 13:28:13 +00:00			`class CodeChallenge(_CodeChallenge):`
			`def get_authorization_code_challenge(self, authorization_code):`
			`return authorization_code.oauthCodeChallenge`

			`def get_authorization_code_challenge_method(self, authorization_code):`
			`return authorization_code.oauthCodeChallengeMethod`


wip 2020-08-14 13:26:14 +00:00			`authorization = AuthorizationServer()`
draft 2020-08-14 11:18:08 +00:00			`require_oauth = ResourceProtector()`


			`def config_oauth(app):`
wip 2020-08-14 13:26:14 +00:00			`authorization.init_app(app, query_client=query_client, save_token=save_token)`
draft 2020-08-14 11:18:08 +00:00
Implicit flow test 2020-08-20 12:30:42 +00:00			`authorization.register_grant(PasswordGrant)`
			`authorization.register_grant(ImplicitGrant)`
Implemented refresh grant 2020-08-24 08:52:21 +00:00			`authorization.register_grant(RefreshTokenGrant)`
Implicit flow test 2020-08-20 12:30:42 +00:00			`authorization.register_grant(ClientCredentialsGrant)`

wip 2020-08-14 13:26:14 +00:00			`authorization.register_grant(`
Token introspection 2020-08-24 12:44:32 +00:00			`AuthorizationCodeGrant,`
Mandatory PKCE 2020-08-25 13:39:44 +00:00			`[OpenIDCode(require_nonce=True), CodeChallenge(required=True)],`
wip 2020-08-14 13:26:14 +00:00			`)`
Implicit flow test 2020-08-20 12:30:42 +00:00			`authorization.register_grant(OpenIDImplicitGrant)`
			`authorization.register_grant(OpenIDHybridGrant)`
draft 2020-08-14 11:18:08 +00:00
			`require_oauth.register_token_validator(BearerTokenValidator())`
Token introspection 2020-08-24 12:44:32 +00:00
			`authorization.register_endpoint(IntrospectionEndpoint)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`authorization.register_endpoint(RevocationEndpoint)`