File: authorization-server.rst

package info (click to toggle)
python-authlib 1.6.1-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 3,016 kB
  • sloc: python: 26,998; makefile: 53; sh: 14
file content (144 lines) | stat: -rw-r--r-- 5,102 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
 
Authorization Server
====================

The Authorization Server provides several endpoints for temporary credentials,
authorization, and issuing token credentials. When the resource owner (user)
grants the authorization, this server will issue a token credential to the
client.

Currently, Authlib Django implementation is using cache a lot, which means
you don't have to handle temporary credentials, timestamp and nonce yourself,
they are all built-in.

To create an authorization server, only **Client** and **Token** models are
required::

    from your_project.models import Client, Token
    from authlib.integrations.django_oauth1 import CacheAuthorizationServer

    authorization_server = CacheAuthorizationServer(Client, Token)


Resource Owner
--------------

Resource Owner is the user who is using your service. A resource owner can
log in your website with username/email and password, or other methods. In
Django, we can use the built in contrib user::

    from django.contrib.auth.models import User

Client
------

A client is an application making protected resource requests on behalf of the
resource owner and with its authorization. It contains at least three
information:

- Client Identifier, usually called **client_id**
- Client Password, usually called **client_secret**
- Client RSA Public Key (if RSA-SHA1 signature method supported)

Authlib has no implementation for client model in Django. You need to implement
it yourself::

    from django.db import models
    from django.contrib.auth.models import User
    from authlib.oauth1 import ClientMixin

    class Client(models.Model, ClientMixin):
        user = models.ForeignKey(User, on_delete=CASCADE)
        client_id = models.CharField(max_length=48, unique=True, db_index=True)
        client_secret = models.CharField(max_length=48, blank=True)
        default_redirect_uri = models.TextField(blank=False, default='')

        def get_default_redirect_uri(self):
            return self.default_redirect_uri

        def get_client_secret(self):
            return self.client_secret

        def get_rsa_public_key(self):
            return None

A client is registered by a user (developer) on your website. Get a deep
inside with :class:`~authlib.oauth1.rfc5849.ClientMixin` API reference.

Token
-----

A token credential is used to access resource owners' resources. Unlike
OAuth 2, the token credential will not expire in OAuth 1. This token credentials
are supposed to be saved into a persist database rather than a cache.

Here is an example of how it looks in Django::

    from django.db import models
    from django.contrib.auth.models import User
    from authlib.oauth1 import TokenCredentialMixin

    class Token(models.Model, TokenCredentialMixin):
        user = models.ForeignKey(User, on_delete=CASCADE)
        client_id = models.CharField(max_length=48, db_index=True)
        oauth_token = models.CharField(max_length=84, unique=True, db_index=True)
        oauth_token_secret = models.CharField(max_length=84)

        def get_oauth_token(self):
            return self.oauth_token

        def get_oauth_token_secret(self):
            return self.oauth_token_secret

Server Implementation
---------------------

It is ready to create the endpoints for authorization and issuing tokens.
Let's start with the temporary credentials endpoint, which is used for clients
to fetch a temporary credential::

    from django.views.decorators.http import require_http_methods

    @require_http_methods(["POST"])
    def initiate_temporary_credential(request):
        return server.create_temporary_credential_response(request)

The endpoint for resource owner authorization. OAuth 1 Client will redirect
user to this authorization page, so that resource owner can grant or deny this
request::

    from django.shortcuts import render

    def authorize(request):
        # make sure that user is logged in for yourself
        if request.method == 'GET':
            try:
                req = server.check_authorization_request(request)
                context = {'req': req}
                return render(request, 'authorize.html', context)
            except OAuth1Error as error:
                context = {'error': error}
                return render(request, 'error.html', context)

        granted = request.POST.get('granted')
        if granted:
            grant_user = request.user
        else:
            grant_user = None

        try:
            return server.create_authorization_response(request, grant_user)
        except OAuth1Error as error:
            context = {'error': error}
            return render(request, 'error.html', context)

Then the final token endpoint. OAuth 1 Client will use the given temporary
credential and the ``oauth_verifier`` authorized by resource owner to exchange
the token credential::

    from django.views.decorators.http import require_http_methods

    @require_http_methods(["POST"])
    def issue_token(request):
        return server.create_token_response(request)

At last, you need to register these views into url patterns.