Implicit flow test

tests/conftest.py

@@ -113,8 +113,8 @@ def client(app, slapd_connection):
         oauthLogoURI="https://mydomain.tld/logo.png",
         oauthIssueDate=datetime.datetime.now().strftime("%Y%m%d%H%S%MZ"),
         oauthClientSecret=gen_salt(48),
-        oauthGrantType=["password", "authorization_code"],
-        oauthResponseType=["code"],
+        oauthGrantType=["password", "authorization_code", "implicit", "hybrid"],
+        oauthResponseType=["code", "token", "id_token"],
         oauthScope=["openid", "profile"],
         oauthTermsOfServiceURI="https://mydomain.tld/tos",
         oauthPolicyURI="https://mydomain.tld/policy",

tests/test_password_flow.py

@@ -15,7 +15,7 @@ def test_success(testclient, slapd_connection, user, client):
     )
     assert 200 == res.status_code
 
-    assert res.json["scope"] == ["openid", "profile"]
+    assert res.json["scope"] == "openid profile"
     assert res.json["token_type"] == "Bearer"
     access_token = res.json["access_token"]
 

web/clients.py

@@ -46,6 +46,8 @@ class ClientAdd(FlaskForm):
         choices=[
             ("password", "password"),
             ("authorization_code", "authorization_code"),
+            ("implicit", "implicit"),
+            ("hybrid", "hybrid"),
         ],
         default=["authorization_code"],
     )
@@ -58,7 +60,7 @@ class ClientAdd(FlaskForm):
     oauthResponseType = wtforms.SelectMultipleField(
         gettext("Response types"),
         validators=[wtforms.validators.DataRequired()],
-        choices=[("code", "code")],
+        choices=[("code", "code"), ("token", "token"), ("id_token", "id_token")],
         default=["code"],
     )
     oauthTokenEndpointAuthMethod = wtforms.SelectField(

web/models.py

@@ -6,6 +6,7 @@ from authlib.oauth2.rfc6749 import (
     ClientMixin,
     TokenMixin,
     AuthorizationCodeMixin,
+    util,
 )
 from flask import current_app, session
 from .ldaputils import LDAPObjectHelper
@@ -73,7 +74,7 @@ class Client(LDAPObjectHelper, ClientMixin):
         return self.oauthRedirectURIs[0]
 
     def get_allowed_scope(self, scope):
-        return self.oauthScope
+        return util.list_to_scope(self.oauthScope)
 
     def check_redirect_uri(self, redirect_uri):
         return redirect_uri in self.oauthRedirectURIs

web/oauth2utils.py

@@ -4,6 +4,8 @@ from authlib.oauth2.rfc6749.grants import (
     AuthorizationCodeGrant as _AuthorizationCodeGrant,
     ResourceOwnerPasswordCredentialsGrant as _ResourceOwnerPasswordCredentialsGrant,
     RefreshTokenGrant as _RefreshTokenGrant,
+    ImplicitGrant,
+    ClientCredentialsGrant,
 )
 from authlib.oauth2.rfc6750 import BearerTokenValidator as _BearerTokenValidator
 from authlib.oidc.core.grants import (
@@ -79,9 +81,7 @@ class OpenIDCode(_OpenIDCode):
 
 class PasswordGrant(_ResourceOwnerPasswordCredentialsGrant):
     def authenticate_user(self, username, password):
-        user = User.get(username)
-        if user is not None and user.check_password(password):
-            return user
+        return User.login(username, password)
 
 
 class RefreshTokenGrant(_RefreshTokenGrant):
@@ -100,28 +100,35 @@ class RefreshTokenGrant(_RefreshTokenGrant):
         credential.revoked = True
 
 
-class ImplicitGrant(_OpenIDImplicitGrant):
+class OpenIDImplicitGrant(_OpenIDImplicitGrant):
     def exists_nonce(self, nonce, request):
+        raise NotImplementedError()
         return exists_nonce(nonce, request)
 
     def get_jwt_config(self, grant):
+        raise NotImplementedError()
         return DUMMY_JWT_CONFIG
 
     def generate_user_info(self, user, scope):
+        raise NotImplementedError()
         return generate_user_info(user, scope)
 
 
-class HybridGrant(_OpenIDHybridGrant):
+class OpenIDHybridGrant(_OpenIDHybridGrant):
     def save_authorization_code(self, code, request):
+        raise NotImplementedError()
         return save_authorization_code(code, request)
 
     def exists_nonce(self, nonce, request):
+        raise NotImplementedError()
         return exists_nonce(nonce, request)
 
     def get_jwt_config(self):
+        raise NotImplementedError()
         return DUMMY_JWT_CONFIG
 
     def generate_user_info(self, user, scope):
+        raise NotImplementedError()
         return generate_user_info(user, scope)
 
 
@@ -162,11 +169,14 @@ require_oauth = ResourceProtector()
 def config_oauth(app):
     authorization.init_app(app, query_client=query_client, save_token=save_token)
 
+    authorization.register_grant(PasswordGrant)
+    authorization.register_grant(ImplicitGrant)
+    authorization.register_grant(ClientCredentialsGrant)
+
     authorization.register_grant(
         AuthorizationCodeGrant, [OpenIDCode(require_nonce=True)]
     )
-    authorization.register_grant(ImplicitGrant)
-    authorization.register_grant(HybridGrant)
-    authorization.register_grant(PasswordGrant)
+    authorization.register_grant(OpenIDImplicitGrant)
+    authorization.register_grant(OpenIDHybridGrant)
 
     require_oauth.register_token_validator(BearerTokenValidator())