Merge remote-tracking branch 'upstream/master'

authlib/integrations/django_oauth2/authorization_server.py

@@ -6,7 +6,7 @@
     HttpRequest,
     AuthorizationServer as _AuthorizationServer,
 )
-from authlib.oauth2.rfc6750 import BearerToken
+from authlib.oauth2.rfc6750 import BearerTokenGenerator
 from authlib.common.security import generate_token as _generate_token
 from authlib.common.encoding import json_dumps
 from .signals import client_authenticated, token_revoked
@@ -23,15 +23,14 @@ class AuthorizationServer(_AuthorizationServer):
         server = AuthorizationServer(OAuth2Client, OAuth2Token)
     """
 
-    def __init__(self, client_model, token_model, generate_token=None):
+    def __init__(self, client_model, token_model):
         self.config = getattr(settings, 'AUTHLIB_OAUTH2_PROVIDER', {})
         self.client_model = client_model
         self.token_model = token_model
-        if generate_token is None:
-            generate_token = self.create_bearer_token_generator()
-
-        super(AuthorizationServer, self).__init__(generate_token=generate_token)
-        self.scopes_supported = self.config.get('scopes_supported')
+        scopes_supported = self.config.get('scopes_supported')
+        super(AuthorizationServer, self).__init__(scopes_supported=scopes_supported)
+        # add default token generator
+        self.register_token_generator('none', self.create_bearer_token_generator())
 
     def query_client(self, client_id):
         """Default method for ``AuthorizationServer.query_client``. Developers MAY
@@ -92,7 +91,7 @@ def create_bearer_token_generator(self):
         conf = self.config.get('token_expires_in')
         expires_generator = create_token_expires_in_generator(conf)
 
-        return BearerToken(
+        return BearerTokenGenerator(
             access_token_generator=access_token_generator,
             refresh_token_generator=refresh_token_generator,
             expires_generator=expires_generator,
@@ -113,11 +112,11 @@ def token_generator(*args, **kwargs):
 
 def create_token_expires_in_generator(expires_in_conf=None):
     data = {}
-    data.update(BearerToken.GRANT_TYPES_EXPIRES_IN)
+    data.update(BearerTokenGenerator.GRANT_TYPES_EXPIRES_IN)
     if expires_in_conf:
         data.update(expires_in_conf)
 
     def expires_in(client, grant_type):
-        return data.get(grant_type, BearerToken.DEFAULT_EXPIRES_IN)
+        return data.get(grant_type, BearerTokenGenerator.DEFAULT_EXPIRES_IN)
 
     return expires_in

authlib/integrations/django_oauth2/resource_protector.py

@@ -15,28 +15,27 @@
 
 
 class ResourceProtector(_ResourceProtector):
-    def acquire_token(self, request, scope=None, operator='AND'):
+    def acquire_token(self, request, scopes=None):
         """A method to acquire current valid token with the given scope.
 
         :param request: Django HTTP request instance
-        :param scope: string or list of scope values
-        :param operator: value of "AND" or "OR"
+        :param scopes: a list of scope values
         :return: token object
         """
         url = request.get_raw_uri()
         req = HttpRequest(request.method, url, request.body, request.headers)
-        if not callable(operator):
-            operator = operator.upper()
-        token = self.validate_request(scope, req, operator)
+        if isinstance(scopes, str):
+            scopes = [scopes]
+        token = self.validate_request(scopes, req)
         token_authenticated.send(sender=self.__class__, token=token)
         return token
 
-    def __call__(self, scope=None, operator='AND', optional=False):
+    def __call__(self, scopes=None, optional=False):
         def wrapper(f):
             @functools.wraps(f)
             def decorated(request, *args, **kwargs):
                 try:
-                    token = self.acquire_token(request, scope, operator)
+                    token = self.acquire_token(request, scopes)
                     request.oauth_token = token
                 except MissingAuthorizationError as error:
                     if optional:
@@ -51,9 +50,9 @@ def decorated(request, *args, **kwargs):
 
 
 class BearerTokenValidator(_BearerTokenValidator):
-    def __init__(self, token_model, realm=None):
+    def __init__(self, token_model, realm=None, **extra_attributes):
         self.token_model = token_model
-        super(BearerTokenValidator, self).__init__(realm)
+        super(BearerTokenValidator, self).__init__(realm, **extra_attributes)
 
     def authenticate_token(self, token_string):
         try:

authlib/integrations/flask_oauth2/authorization_server.py

@@ -5,7 +5,7 @@
     HttpRequest,
     AuthorizationServer as _AuthorizationServer,
 )
-from authlib.oauth2.rfc6750 import BearerToken
+from authlib.oauth2.rfc6750 import BearerTokenGenerator
 from authlib.common.security import generate_token
 from .signals import client_authenticated, token_revoked
 from ..flask_helpers import create_oauth_request
@@ -54,7 +54,7 @@ def init_app(self, app, query_client=None, save_token=None):
         if save_token is not None:
             self._save_token = save_token
 
-        self.generate_token = self.create_bearer_token_generator(app.config)
+        self.register_token_generator('none', self.create_bearer_token_generator(app.config))
         self.scopes_supported = app.config.get('OAUTH2_SCOPES_SUPPORTED')
         self._error_uris = app.config.get('OAUTH2_ERROR_URIS')
 
@@ -126,7 +126,7 @@ def gen_token(client, grant_type, user, scope):
 
         expires_conf = config.get('OAUTH2_TOKEN_EXPIRES_IN')
         expires_generator = create_token_expires_in_generator(expires_conf)
-        return BearerToken(
+        return BearerTokenGenerator(
             access_token_generator,
             refresh_token_generator,
             expires_generator
@@ -138,12 +138,12 @@ def create_token_expires_in_generator(expires_in_conf=None):
         return import_string(expires_in_conf)
 
     data = {}
-    data.update(BearerToken.GRANT_TYPES_EXPIRES_IN)
+    data.update(BearerTokenGenerator.GRANT_TYPES_EXPIRES_IN)
     if isinstance(expires_in_conf, dict):
         data.update(expires_in_conf)
 
     def expires_in(client, grant_type):
-        return data.get(grant_type, BearerToken.DEFAULT_EXPIRES_IN)
+        return data.get(grant_type, BearerTokenGenerator.DEFAULT_EXPIRES_IN)
 
     return expires_in
 

authlib/integrations/flask_oauth2/resource_protector.py

@@ -43,7 +43,7 @@ def token_revoked(self, token):
         # protect resource with require_oauth
 
         @app.route('/user')
-        @require_oauth('profile')
+        @require_oauth(['profile'])
         def user_profile():
             user = User.query.get(current_token.user_id)
             return jsonify(user.to_dict())
@@ -61,11 +61,10 @@ def raise_error_response(self, error):
         headers = error.get_headers()
         raise_http_exception(status, body, headers)
 
-    def acquire_token(self, scope=None, operator='AND'):
+    def acquire_token(self, scopes=None):
         """A method to acquire current valid token with the given scope.
 
-        :param scope: string or list of scope values
-        :param operator: value of "AND" or "OR"
+        :param scopes: a list of scope values
         :return: token object
         """
         request = HttpRequest(
@@ -74,16 +73,17 @@ def acquire_token(self, scope=None, operator='AND'):
             _req.data,
             _req.headers
         )
-        if not callable(operator):
-            operator = operator.upper()
-        token = self.validate_request(scope, request, operator)
+        # backward compatible
+        if isinstance(scopes, str):
+            scopes = [scopes]
+        token = self.validate_request(scopes, request)
         token_authenticated.send(self, token=token)
         ctx = _app_ctx_stack.top
         ctx.authlib_server_oauth2_token = token
         return token
 
     @contextmanager
-    def acquire(self, scope=None, operator='AND'):
+    def acquire(self, scopes=None):
         """The with statement of ``require_oauth``. Instead of using a
         decorator, you can use a with statement instead::
 
@@ -94,16 +94,16 @@ def user_api():
                     return jsonify(user.to_dict())
         """
         try:
-            yield self.acquire_token(scope, operator)
+            yield self.acquire_token(scopes)
         except OAuth2Error as error:
             self.raise_error_response(error)
 
-    def __call__(self, scope=None, operator='AND', optional=False):
+    def __call__(self, scopes=None, optional=False):
         def wrapper(f):
             @functools.wraps(f)
             def decorated(*args, **kwargs):
                 try:
-                    self.acquire_token(scope, operator)
+                    self.acquire_token(scopes)
                 except MissingAuthorizationError as error:
                     if optional:
                         return f(*args, **kwargs)

authlib/integrations/sqla_oauth2/client_mixin.py

@@ -124,8 +124,11 @@ def has_client_secret(self):
     def check_client_secret(self, client_secret):
         return self.client_secret == client_secret
 
-    def check_token_endpoint_auth_method(self, method):
-        return self.token_endpoint_auth_method == method
+    def check_endpoint_auth_method(self, method, endpoint):
+        if endpoint == 'token':
+            return self.token_endpoint_auth_method == method
+        # TODO
+        return True
 
     def check_response_type(self, response_type):
         return response_type in self.response_types

authlib/jose/__init__.py

@@ -44,32 +44,19 @@
     OKPKey.kty: OKPKey,
 }
 
-# compatible constants
-JWS_ALGORITHMS = list(JsonWebSignature.ALGORITHMS_REGISTRY.keys())
-JWE_ALG_ALGORITHMS = list(JsonWebEncryption.ALG_REGISTRY.keys())
-JWE_ENC_ALGORITHMS = list(JsonWebEncryption.ENC_REGISTRY.keys())
-JWE_ZIP_ALGORITHMS = list(JsonWebEncryption.ZIP_REGISTRY.keys())
-JWE_ALGORITHMS = JWE_ALG_ALGORITHMS + JWE_ENC_ALGORITHMS + JWE_ZIP_ALGORITHMS
-
-# compatible imports
-JWS = JsonWebSignature
-JWE = JsonWebEncryption
-JWK = JsonWebKey
-JWT = JsonWebToken
-
 jwt = JsonWebToken()
 
 
 __all__ = [
     'JoseError',
 
-    'JWS', 'JsonWebSignature', 'JWSAlgorithm', 'JWSHeader', 'JWSObject',
-    'JWE', 'JsonWebEncryption', 'JWEAlgorithm', 'JWEEncAlgorithm', 'JWEZipAlgorithm',
+    'JsonWebSignature', 'JWSAlgorithm', 'JWSHeader', 'JWSObject',
+    'JsonWebEncryption', 'JWEAlgorithm', 'JWEEncAlgorithm', 'JWEZipAlgorithm',
 
-    'JWK', 'JsonWebKey', 'Key', 'KeySet',
+    'JsonWebKey', 'Key', 'KeySet',
 
     'OctKey', 'RSAKey', 'ECKey', 'OKPKey',
 
-    'JWT', 'JsonWebToken', 'BaseClaims', 'JWTClaims',
+    'JsonWebToken', 'BaseClaims', 'JWTClaims',
     'jwt',
 ]

authlib/jose/jwk.py

@@ -15,5 +15,4 @@ def dumps(key, kty=None, **params):
         params['kty'] = kty
 
     key = JsonWebKey.import_key(key, params)
-    data = key.as_dict()
-    return data
+    return dict(key)

authlib/jose/rfc7517/__init__.py

@@ -7,9 +7,11 @@
 
     https://tools.ietf.org/html/rfc7517
 """
-from .models import Key, KeySet
 from ._cryptography_key import load_pem_key
+from .base_key import Key
+from .asymmetric_key import AsymmetricKey
+from .key_set import KeySet
 from .jwk import JsonWebKey
 
 
-__all__ = ['Key', 'KeySet', 'JsonWebKey', 'load_pem_key']
+__all__ = ['Key', 'AsymmetricKey', 'KeySet', 'JsonWebKey', 'load_pem_key']