1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
|
Authorization Server
====================
The Authorization Server provides several endpoints for temporary credentials,
authorization, and issuing token credentials. When the resource owner (user)
grants the authorization, this server will issue a token credential to the
client.
.. versionchanged:: v1.0.0
We have removed built-in SQLAlchemy integrations.
Resource Owner
--------------
Resource Owner is the user who is using your service. A resource owner can
log in your website with username/email and password, or other methods.
A resource owner MUST implement ``get_user_id()`` method::
class User(db.Model):
id = db.Column(db.Integer, primary_key=True)
def get_user_id(self):
return self.id
Client
------
A client is an application making protected resource requests on behalf of the
resource owner and with its authorization. It contains at least three
information:
- Client Identifier, usually called **client_id**
- Client Password, usually called **client_secret**
- Client RSA Public Key (if RSA-SHA1 signature method supported)
Developers MUST implement the missing methods of ``authlib.oauth1.ClientMixin``, take an
example of Flask-SQAlchemy::
from authlib.oauth1 import ClientMixin
class Client(ClientMixin, db.Model):
id = db.Column(db.Integer, primary_key=True)
client_id = db.Column(db.String(48), index=True)
client_secret = db.Column(db.String(120), nullable=False)
default_redirect_uri = db.Column(db.Text, nullable=False, default='')
user_id = db.Column(
db.Integer, db.ForeignKey('user.id', ondelete='CASCADE')
)
user = db.relationship('User')
def get_default_redirect_uri(self):
return self.default_redirect_uri
def get_client_secret(self):
return self.client_secret
def get_rsa_public_key(self):
return None
A client is registered by a user (developer) on your website. Get a deep
inside with :class:`~authlib.oauth1.rfc5849.ClientMixin` API reference.
Temporary Credentials
---------------------
A temporary credential is used to exchange a token credential. It is also
known as "request token and secret". Since it is temporary, it is better to
save them into cache instead of database. A cache instance should have these
methods:
- ``.get(key)``
- ``.set(key, value, expires=None)``
- ``.delete(key)``
A cache can be a memcache, redis or something else. If cache is not available,
developers can also implement it with database. For example, using SQLAlchemy::
from authlib.oauth1 import TemporaryCredentialMixin
class TemporaryCredential(TemporaryCredentialMixin, db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(
db.Integer, db.ForeignKey('user.id', ondelete='CASCADE')
)
user = db.relationship('User')
client_id = db.Column(db.String(48), index=True)
oauth_token = db.Column(db.String(84), unique=True, index=True)
oauth_token_secret = db.Column(db.String(84))
oauth_verifier = db.Column(db.String(84))
oauth_callback = db.Column(db.Text, default='')
def get_client_id(self):
return self.client_id
def get_redirect_uri(self):
return self.oauth_callback
def check_verifier(self, verifier):
return self.oauth_verifier == verifier
def get_oauth_token(self):
return self.oauth_token
def get_oauth_token_secret(self):
return self.oauth_token_secret
Token Credentials
-----------------
A token credential is used to access resource owners' resources. Unlike
OAuth 2, the token credential will not expire in OAuth 1. This token credentials
are supposed to be saved into a persist database rather than a cache.
Developers MUST implement :class:`~authlib.oauth1.rfc5849.TokenCredentialMixin`
missing methods. Here is an example of SQLAlchemy integration::
from authlib.oauth1 import TokenCredentialMixin
class TokenCredential(TokenCredentialMixin, db.Model):
id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(
db.Integer, db.ForeignKey('user.id', ondelete='CASCADE')
)
user = db.relationship('User')
client_id = db.Column(db.String(48), index=True)
oauth_token = db.Column(db.String(84), unique=True, index=True)
oauth_token_secret = db.Column(db.String(84))
def get_oauth_token(self):
return self.oauth_token
def get_oauth_token_secret(self):
return self.oauth_token_secret
Timestamp and Nonce
-------------------
The nonce value MUST be unique across all requests with the same timestamp,
client credentials, and token combinations. Authlib Flask integration has a
built-in validation with cache.
If cache is not available, developers can use a database, here is an example of
using SQLAlchemy::
class TimestampNonce(db.Model):
__table_args__ = (
db.UniqueConstraint(
'client_id', 'timestamp', 'nonce', 'oauth_token',
name='unique_nonce'
),
)
id = db.Column(db.Integer, primary_key=True)
client_id = db.Column(db.String(48), nullable=False)
timestamp = db.Column(db.Integer, nullable=False)
nonce = db.Column(db.String(48), nullable=False)
oauth_token = db.Column(db.String(84))
Define A Server
---------------
Authlib provides a ready to use
:class:`~authlib.integrations.flask_oauth1.AuthorizationServer`
which has built-in tools to handle requests and responses::
from authlib.integrations.flask_oauth1 import AuthorizationServer
def query_client(client_id):
return Client.query.filter_by(client_id=client_id).first()
server = AuthorizationServer(app, query_client=query_client)
It can also be initialized lazily with init_app::
server = AuthorizationServer()
server.init_app(app, query_client=query_client)
It is strongly suggested that you use a cache. In this way, you
don't have to re-implement a lot of the missing methods.
There are other configurations. It works well without any changes. Here is a
list of them:
================================== ===============================================
OAUTH1_TOKEN_GENERATOR A string of module path for importing a
function to generate ``oauth_token``
OAUTH1_TOKEN_SECRET_GENERATOR A string of module path for importing a
function to generate ``oauth_token_secret``.
OAUTH1_TOKEN_LENGTH If ``OAUTH1_TOKEN_GENERATOR`` is not
configured, a random function will generate
the given length of ``oauth_token``. Default
value is ``42``.
OAUTH1_TOKEN_SECRET_LENGTH A random function will generate the given
length of ``oauth_token_secret``. Default
value is ``48``.
================================== ===============================================
These configurations are used to create the ``token_generator`` function. But
you can pass the ``token_generator`` when initializing the AuthorizationServer::
def token_generator():
return {
'oauth_token': random_string(20),
'oauth_token_secret': random_string(46)
}
server = AuthorizationServer(
app,
query_client=query_client,
token_generator=token_generator
)
Server Hooks
------------
There are missing hooks that should be ``register_hook`` to AuthorizationServer.
There are helper functions for registering hooks. If cache is available, you
can take the advantage with::
from authlib.integrations.flask_oauth1.cache import (
register_nonce_hooks,
register_temporary_credential_hooks
)
register_nonce_hooks(server, cache)
register_temporary_credential_hooks(server, cache)
If cache is not available, developers MUST register the hooks with the database we
defined above::
# check if nonce exists
def exists_nonce(nonce, timestamp, client_id, oauth_token):
q = TimestampNonce.query.filter_by(
nonce=nonce,
timestamp=timestamp,
client_id=client_id,
)
if oauth_token:
q = q.filter_by(oauth_token=oauth_token)
rv = q.first()
if rv:
return True
item = TimestampNonce(
nonce=nonce,
timestamp=timestamp,
client_id=client_id,
oauth_token=oauth_token,
)
db.session.add(item)
db.session.commit()
return False
server.register_hook('exists_nonce', exists_nonce)
# hooks for temporary credential
def create_temporary_credential(token, client_id, redirect_uri):
item = TemporaryCredential(
client_id=client_id,
oauth_token=token['oauth_token'],
oauth_token_secret=token['oauth_token_secret'],
oauth_callback=redirect_uri,
)
db.session.add(item)
db.session.commit()
return item
def get_temporary_credential(oauth_token):
return TemporaryCredential.query.filter_by(oauth_token=oauth_token).first()
def delete_temporary_credential(oauth_token):
q = TemporaryCredential.query.filter_by(oauth_token=oauth_token)
q.delete(synchronize_session=False)
db.session.commit()
def create_authorization_verifier(credential, grant_user, verifier):
credential.user_id = grant_user.id # assuming your end user model has `.id`
credential.oauth_verifier = verifier
db.session.add(credential)
db.session.commit()
return credential
server.register_hook('create_temporary_credential', create_temporary_credential)
server.register_hook('get_temporary_credential', get_temporary_credential)
server.register_hook('delete_temporary_credential', delete_temporary_credential)
server.register_hook('create_authorization_verifier', create_authorization_verifier)
For both cache and database temporary credential, Developers MUST register a
``create_token_credential`` hook::
def create_token_credential(token, temporary_credential):
credential = TokenCredential(
oauth_token=token['oauth_token'],
oauth_token_secret=token['oauth_token_secret'],
client_id=temporary_credential.get_client_id()
)
credential.user_id = temporary_credential.user_id
db.session.add(credential)
db.session.commit()
return credential
server.register_hook('create_token_credential', create_token_credential)
Server Implementation
---------------------
It is ready to create the endpoints for authorization and issuing tokens.
Let's start with the temporary credentials endpoint, which is used for clients
to fetch a temporary credential::
@app.route('/initiate', methods=['POST'])
def initiate_temporary_credential():
return server.create_temporary_credentials_response()
The endpoint for resource owner authorization. OAuth 1 Client will redirect
user to this authorization page, so that resource owner can grant or deny this
request::
@app.route('/authorize', methods=['GET', 'POST'])
def authorize():
# make sure that user is logged in for yourself
if request.method == 'GET':
try:
req = server.check_authorization_request()
return render_template('authorize.html', req=req)
except OAuth1Error as error:
return render_template('error.html', error=error)
granted = request.form.get('granted')
if granted:
grant_user = current_user
else:
grant_user = None
try:
return server.create_authorization_response(grant_user=grant_user)
except OAuth1Error as error:
return render_template('error.html', error=error)
Then the final token endpoint. OAuth 1 Client will use the given temporary
credential and the ``oauth_verifier`` authorized by resource owner to exchange
the token credential::
@app.route('/token', methods=['POST'])
def issue_token():
return server.create_token_response()
|
