Merge branch 'master' into 445_confirm_redirect

23 files changed, 219 insertions, 37 deletions

diff --git a/.gitignore b/.gitignore
index 683f357..6f24649 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,8 @@ htmlcov*
 # Local file cruft/auto-backups
 .DS_Store
 *~
+**/#*#
+**/.#*
 
 # Sphinx
 docs/_build
diff --git a/LICENSE b/LICENSE
index c10d256..84b5c75 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2011 Idan Gazit and contributors
+Copyright (c) 2018 The OAuthlib Community
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -24,4 +24,4 @@ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/README.rst b/README.rst
index 6741a75..394a984 100644
--- a/README.rst
+++ b/README.rst
@@ -104,6 +104,18 @@ License
 OAuthLib is yours to use and abuse according to the terms of the BSD license.
 Check the LICENSE file for full details.
 
+Credits
+-------
+
+OAuthLib has been started and maintained several years by Idan Gazit and other
+amazing `AUTHORS`_. Thanks to their wonderful work, the open-source `community`_
+creation has been possible and the project can stay active and reactive to users
+requests.
+
+
+.. _`AUTHORS`: https://github.com/oauthlib/oauthlib/blob/master/AUTHORS
+.. _`community`: https://github.com/oauthlib/
+
 Changelog
 ---------
 
diff --git a/docs/conf.py b/docs/conf.py
index 017f686..2594e38 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -41,7 +41,7 @@ master_doc = 'index'
 
 # General information about the project.
 project = u'OAuthLib'
-copyright = u'2012, Idan Gazit and the Python Community'
+copyright = u'2018, The OAuthlib Community'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
diff --git a/docs/contributing.rst b/docs/contributing.rst
index 601c567..3a23d70 100644
--- a/docs/contributing.rst
+++ b/docs/contributing.rst
@@ -35,7 +35,7 @@ Setting up topic branches and generating pull requests
 
 While it's handy to provide useful code snippets in an issue, it is better for
 you as a developer to submit pull requests. By submitting pull request your
-contribution to OpenComparison will be recorded by Github.
+contribution to OAuthlib will be recorded by Github.
 
 In git it is best to isolate each topic or feature into a "topic branch". While
 individual commits allow you control over how small individual changes are made
@@ -127,7 +127,7 @@ request that fails this test suite will be **rejected**.
 Testing multiple versions of Python
 -----------------------------------
 
-OAuthLib supports Python 2.6, 2.7, 3.2, 3.3 and experimentally PyPy. Testing
+OAuthLib supports Python 2.7, 3.4, 3.5, 3.6 and PyPy. Testing
 all versions conveniently can be done using `Tox`_.
 
 .. sourcecode:: bash
@@ -150,6 +150,17 @@ version. For Ubuntu you can easily install all after adding one ppa.
 .. _`Tox`: https://tox.readthedocs.io/en/latest/install.html
 .. _`virtualenv`: https://virtualenv.pypa.io/en/latest/installation/
 
+Test upstream applications
+-----------------------------------
+
+Remember, OAuthLib is used by several 3rd party projects. If you think you
+submit a breaking change, confirm that other projects builds are not affected.
+
+.. sourcecode:: bash
+
+   $ make
+
+
 If you add code you need to add tests!
 --------------------------------------
 
@@ -207,7 +218,7 @@ How pull requests are checked, tested, and done
 
 First we pull the code into a local branch::
 
-    git remote add <submitter-github-name> git@github.com:<submitter-github-name>/opencomparison.git
+    git remote add <submitter-github-name> git@github.com:<submitter-github-name>/oauthlib.git
     git fetch <submitter-github-name>
     git checkout -b <branch-name> <submitter-github-name>/<branch-name>
 
diff --git a/docs/faq.rst b/docs/faq.rst
index 38b0e92..d9cd5c6 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -14,19 +14,23 @@ What parts of OAuth 1 & 2 are supported?
 OAuth 1 with RSA-SHA1 signatures says "could not import cryptography". What should I do?
 ----------------------------------------------------------------------------------
 
-    Install cryptography via pip.
+    Install oauthlib with rsa flag or install cryptography manually via pip.
 
 .. code-block:: sh
 
+    $ pip install oauthlib[rsa]
+    ..or..
     $ pip install cryptography
 
 OAuth 2 ServiceApplicationClient and OAuth 1 with RSA-SHA1 signatures say "could not import jwt". What should I do?
 -------------------------------------------------------------------------------------------------------------------
 
-    Install pyjwt and cryptography with pip.
+    Install oauthlib with signedtoken flag or install pyjwt and cryptography manually with pip.
 
 .. code-block:: sh
 
+    $ pip install oauthlib[signedtoken]
+    ..or..
     $ pip install pyjwt cryptography
 
 What does ValueError `Only unicode objects are escapable. Got one of type X.` mean?
@@ -72,8 +76,8 @@ How do I use OAuthlib as a provider with Django, Flask and other web frameworks?
     - Pyramid `pyramid-oauthlib`_
     - Bottle `bottle-oauthlib`_
 
-    For other frameworks, please get in touch by opening a `GitHub issue`_, on `G+`_ or
-    on IRC #oauthlib irc.freenode.net. If you have written an OAuthLib package that
+    For other frameworks, please get in touch by opening a `GitHub issue`_ or
+    on `Gitter OAuthLib community`_. If you have written an OAuthLib package that
     supports your favorite framework, please open a Pull Request to update the docs.
 
 
@@ -101,5 +105,5 @@ Some argue OAuth 2 is worse than 1, is that true?
 .. _`pyramid-oauthlib`: https://github.com/tilgovi/pyramid-oauthlib
 .. _`bottle-oauthlib`: https://github.com/thomsonreuters/bottle-oauthlib
 .. _`GitHub issue`: https://github.com/oauthlib/oauthlib/issues/new
-.. _`G+`: https://plus.google.com/communities/101889017375384052571
+.. _`Gitter OAuthLib community`: https://gitter.im/oauthlib/Lobby
 .. _`difference`: https://www.cyberciti.biz/faq/authentication-vs-authorization/
diff --git a/docs/oauth1/server.rst b/docs/oauth1/server.rst
index 2a91f30..db469d2 100644
--- a/docs/oauth1/server.rst
+++ b/docs/oauth1/server.rst
@@ -433,9 +433,9 @@ shown below as well as run your flask server locally on port `5000`.
 7. Let us know how it went!
 ---------------------------
 
-Drop a line in our `G+ community`_ or open a `GitHub issue`_ =)
+Drop a line in our `Gitter OAuthLib community`_ or open a `GitHub issue`_ =)
 
-.. _`G+ community`: https://plus.google.com/communities/101889017375384052571
+.. _`Gitter OAuthLib community`: https://gitter.im/oauthlib/Lobby
 .. _`GitHub issue`: https://github.com/oauthlib/oauthlib/issues/new
 
 If you run into issues it can be helpful to enable debug logging::
diff --git a/docs/oauth2/grants/jwt.rst b/docs/oauth2/grants/jwt.rst
index db65342..2c1c0e2 100644
--- a/docs/oauth2/grants/jwt.rst
+++ b/docs/oauth2/grants/jwt.rst
@@ -1,7 +1,14 @@
-==========
-JWT Tokens
-==========
+==============================================================
+JWT Profile for Client Authentication and Authorization Grants
+==============================================================
 
-Not yet implemented. Track progress in `GitHub issue 50`_.
+If you're looking at JWT Tokens, please see :doc:`Bearer Tokens </oauth2/tokens/bearer>` instead.
 
-.. _`GitHub issue 50`: https://github.com/oauthlib/oauthlib/issues/50
+The JWT Profile `RFC7523`_ implements the `RFC7521`_ abstract assertion
+protocol. It aims to extend the OAuth2 protocol to use JWT as an
+additional authorization grant.
+
+Currently, this is not implemented but all PRs are welcome. See how to :doc:`Contribute </contributing>`.
+
+.. _`RFC7521`: https://tools.ietf.org/html/rfc7521
+.. _`RFC7523`: https://tools.ietf.org/html/rfc7523
diff --git a/docs/oauth2/preconfigured_servers.rst b/docs/oauth2/preconfigured_servers.rst
index 6184c27..e1f629c 100644
--- a/docs/oauth2/preconfigured_servers.rst
+++ b/docs/oauth2/preconfigured_servers.rst
@@ -12,7 +12,8 @@ Construction is simple, only import your validator and you are good to go::
 
     server = WebApplicationServer(your_validator)
 
-If you prefer to construct tokens yourself you may pass a token generator::
+If you prefer to construct tokens yourself you may pass a token generator (see
+ :doc:`Tokens <tokens/tokens>` for more examples like JWT) ::
 
     def your_token_generator(request, refresh_token=False):
         return 'a_custom_token' + request.client_id
@@ -21,6 +22,9 @@ If you prefer to construct tokens yourself you may pass a token generator::
 
 This function is passed the request object and a boolean indicating whether to generate an access token (False) or a refresh token (True).
 
+.. autoclass:: oauthlib.oauth2.Server
+    :members:
+
 .. autoclass:: oauthlib.oauth2.WebApplicationServer
     :members:
 
diff --git a/docs/oauth2/server.rst b/docs/oauth2/server.rst
index 8f8b77b..35a58aa 100644
--- a/docs/oauth2/server.rst
+++ b/docs/oauth2/server.rst
@@ -493,9 +493,9 @@ at runtime by a function, rather then by a list.
 6. Let us know how it went!
 ---------------------------
 
-Drop a line in our `G+ community`_ or open a `GitHub issue`_ =)
+Drop a line in our `Gitter OAuthLib community`_ or open a `GitHub issue`_ =)
 
-.. _`G+ community`: https://plus.google.com/communities/101889017375384052571
+.. _`Gitter OAuthLib community`: https://gitter.im/oauthlib/Lobby
 .. _`GitHub issue`: https://github.com/oauthlib/oauthlib/issues/new
 
 If you run into issues it can be helpful to enable debug logging.
diff --git a/docs/oauth2/tokens/bearer.rst b/docs/oauth2/tokens/bearer.rst
index 8c6270d..0776db8 100644
--- a/docs/oauth2/tokens/bearer.rst
+++ b/docs/oauth2/tokens/bearer.rst
@@ -2,12 +2,122 @@
 Bearer Tokens
 =============
 
-The most common OAuth 2 token type. It provides very little in terms of security
-and relies heavily upon the ability of the client to keep the token secret.
+The most common OAuth 2 token type.
 
-Bearer tokens are the default setting with all configured endpoints. Generally
+Bearer tokens is the default setting for all configured endpoints. Generally
 you will not need to ever construct a token yourself as the provided servers
 will do so for you.
 
+By default, :doc:`*Server </oauth2/preconfigured_servers>` generate Bearer tokens as
+random strings. However, you can change the default behavior to generate JWT
+instead. All preconfigured servers take as parameters `token_generator` and
+`refresh_token_generator` to fit your needs.
+
+.. contents:: Tutorial Contents
+    :depth: 3
+
+
+1. Generate signed JWT
+----------------------
+
+A function is available to generate signed JWT (with RS256 PEM key) with static
+and dynamic claims.
+
+.. code-block:: python
+
+    from oauthlib.oauth2.rfc6749 import tokens
+    from oauthlib.oauth2 import Server
+
+    private_pem_key = <load_your_key_in_pem_format>
+    validator = <instantiate_your_validator>
+
+    server = Server(
+      your_validator,
+      token_generator=tokens.signed_token_generator(private_pem_key, issuer="foobar")
+    )
+
+
+Note that you can add any custom claims in `RequestValidator` methods by adding them to
+`request.claims` dictionary. Example below:
+
+
+.. code-block:: python
+
+    def validate_client_id(self, client_id, request):
+        (.. your usual checks ..)
+
+        request.claims = {
+            'aud': self.client_id
+        }
+        return True
+
+
+Once completed, the token endpoint will generate access_token in JWT form:
+
+.. code-block:: shell
+
+
+    access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJy(..)&expires_in=120&token_type=Bearer(..)
+
+
+And you will find all claims in its decoded form:
+
+
+.. code-block:: javascript
+
+    {
+      "aud": "<client_id>",
+      "iss": "foobar",
+      "scope": "profile calendar",
+      "exp": 12345,
+    }
+
+
+2. Define your own implementation (text, JWT, JWE, ...)
+----------------------------------------------------------------
+
+Sometime you may want to generate custom `access_token` with a reference from a
+database (as text) or use a HASH signature in JWT or use JWE (encrypted content).
+
+Also, note that you can declare the generate function in your instanciated
+validator to benefit of the `self` variables.
+
+See the example below:
+
+.. code-block:: python
+
+    class YourValidator(RequestValidator):
+        def __init__(self, secret, issuer):
+            self.secret = secret
+            self.issuer = issuer
+
+        def generate_access_token(self, request):
+            token = jwt.encode({
+                "ref": str(libuuid.uuid4()),
+                "aud": request.client_id,
+                "iss": self.issuer,
+                "exp": now + datetime.timedelta(seconds=request.expires_in)
+            }, self.secret, algorithm='HS256').decode()
+            return token
+
+
+Then associate it to your `Server`:
+
+.. code-block:: python
+
+    validator = YourValidator(secret="<your_secret>", issuer="<your_issuer_id>")
+
+    server = Server(
+        your_validator,
+        token_generator=validator.generate_access_token
+    )
+
+
+3. BearerToken API
+------------------
+
+If none of the :doc:`/oauth2/preconfigured_servers` fit your needs, you can
+declare your own Endpoints and use the `BearerToken` API as below.
+
 .. autoclass:: oauthlib.oauth2.BearerToken
     :members:
diff --git a/docs/oauth2/tokens/tokens.rst b/docs/oauth2/tokens/tokens.rst
index f341509..4e19e7e 100644
--- a/docs/oauth2/tokens/tokens.rst
+++ b/docs/oauth2/tokens/tokens.rst
@@ -3,8 +3,7 @@ Tokens
 ======
 
 The main token type of OAuth 2 is Bearer tokens and that is what OAuthLib
-currently supports. Other tokens, such as JWT, SAML and possibly MAC (if the
-spec matures) can easily be added (and will be in due time).
+currently supports. Other tokens, such as SAML and MAC can easily be added.
 
 The purpose of a token is to authorize access to protected resources to a client
 (i.e. your G+ feed).
diff --git a/docs/release_process.rst b/docs/release_process.rst
index aab97c4..9ee987c 100644
--- a/docs/release_process.rst
+++ b/docs/release_process.rst
@@ -2,12 +2,12 @@ Release process
 ===============
 
 OAuthLib has got to a point where quite a few libraries and users depend on it.
-Because of this a more careful release procedure will be introduced to make
+Because of this, a more careful release procedure will be introduced to make
 sure all these lovely projects don't suddenly break.
 
 When approaching a release we will run the unittests for a set of downstream
 libraries using the unreleased version of OAuthLib. If OAuthLib is the cause of
-failing tests we will either
+failing tests we will either:
 
 1. Find a way to introduce the change without breaking downstream. However,
    this is not always the best long term option.
@@ -25,7 +25,7 @@ OAuthLib release issue on Github at least 2 days prior to release detailing the
 changes and pings the primary contacts for each downstream project.  Please
 respond within those 2 days if you have major concerns. 
 
-How to get on the notifcations list
+How to get on the notifications list
 -----------------------------------
 
 Which projects and the instructions for testing each will be defined in
@@ -45,8 +45,8 @@ A note on versioning
 --------------------
 
 Historically OAuthLib has not been very good at semantic versioning but that
-will change after the 1.0.0 release due late 2014. After that poing any major
-digit release (e.g. 2.0.0) may introduce non backwards compatible changes.
+has changed since the 1.0.0 in 2014. Since, any major digit release
+(e.g. 2.0.0) may introduce non backwards compatible changes.
 Minor point (1.1.0) releases will introduce non API breaking new features and
 changes. Bug releases (1.0.1) will include minor fixes that needs to be
 released quickly (e.g. after a bigger release unintentionally introduced a
diff --git a/oauthlib/__init__.py b/oauthlib/__init__.py
index b7586d2..bc5d96b 100644
--- a/oauthlib/__init__.py
+++ b/oauthlib/__init__.py
@@ -5,7 +5,7 @@
     A generic, spec-compliant, thorough implementation of the OAuth
     request-signing logic.
 
-    :copyright: (c) 2011 by Idan Gazit.
+    :copyright: (c) 2018 by The OAuthlib Community
     :license: BSD, see LICENSE for details.
 """
 import logging
diff --git a/oauthlib/common.py b/oauthlib/common.py
index f25656f..c1180e6 100644
--- a/oauthlib/common.py
+++ b/oauthlib/common.py
@@ -114,7 +114,7 @@ def decode_params_utf8(params):
     return decoded
 
 
-urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?')
+urlencoded = set(always_safe) | set('=&;:%+~,*@!()/?\'$')
 
 
 def urldecode(query):
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 1ad6727..43d2efa 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -312,6 +312,8 @@ class AuthorizationCodeGrant(GrantTypeBase):
             log.debug('Using default redirect_uri %s.', request.redirect_uri)
             if not request.redirect_uri:
                 raise errors.MissingRedirectURIError(request=request)
+            if not is_absolute_uri(request.redirect_uri):
+                raise errors.InvalidRedirectURIError(request=request)
 
         # Then check for normal errors.
 
diff --git a/oauthlib/oauth2/rfc6749/parameters.py b/oauthlib/oauth2/rfc6749/parameters.py
index 9ea8c44..c5127e7 100644
--- a/oauthlib/oauth2/rfc6749/parameters.py
+++ b/oauthlib/oauth2/rfc6749/parameters.py
@@ -279,6 +279,10 @@ def parse_implicit_response(uri, state=None, scope=None):
     fragment = urlparse.urlparse(uri).fragment
     params = dict(urlparse.parse_qsl(fragment, keep_blank_values=True))
 
+    for key in ('expires_in',):
+        if key in params:  # cast things to int
+            params[key] = int(params[key])
+
     if 'scope' in params:
         params['scope'] = scope_to_list(params['scope'])
 
diff --git a/setup.py b/setup.py
index 0c4e564..1d69e0d 100755
--- a/setup.py
+++ b/setup.py
@@ -33,7 +33,7 @@ setup(
     version=oauthlib.__version__,
     description='A generic, spec-compliant, thorough implementation of the OAuth request-signing logic',
     long_description=fread('README.rst'),
-    author='Idan Gazit',
+    author='The OAuthlib Community',
     author_email='idan@gazit.me',
     maintainer='Ib Lundgren',
     maintainer_email='ib.lundgren@gmail.com',
diff --git a/tests/oauth2/rfc6749/clients/test_mobile_application.py b/tests/oauth2/rfc6749/clients/test_mobile_application.py
index 51e4dab..622b275 100644
--- a/tests/oauth2/rfc6749/clients/test_mobile_application.py
+++ b/tests/oauth2/rfc6749/clients/test_mobile_application.py
@@ -40,7 +40,7 @@ class MobileApplicationClientTest(TestCase):
     token = {
         "access_token": "2YotnFZFEjr1zCsicMWpAA",
         "token_type": "example",
-        "expires_in": "3600",
+        "expires_in": 3600,
         "expires_at": 4600,
         "scope": scope,
         "example_parameter": "example_value"
diff --git a/tests/oauth2/rfc6749/endpoints/test_error_responses.py b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
index 00f7ba6..ef05c4d 100644
--- a/tests/oauth2/rfc6749/endpoints/test_error_responses.py
+++ b/tests/oauth2/rfc6749/endpoints/test_error_responses.py
@@ -44,6 +44,22 @@ class ErrorResponseTest(TestCase):
         self.assertRaises(errors.InvalidRedirectURIError,
                 self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
 
+    def test_invalid_default_redirect_uri(self):
+        uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
+        self.validator.get_default_redirect_uri.return_value = "wrong"
+
+        # Authorization code grant
+        self.assertRaises(errors.InvalidRedirectURIError,
+                self.web.validate_authorization_request, uri.format('code'))
+        self.assertRaises(errors.InvalidRedirectURIError,
+                self.web.create_authorization_response, uri.format('code'), scopes=['foo'])
+
+        # Implicit grant
+        self.assertRaises(errors.InvalidRedirectURIError,
+                self.mobile.validate_authorization_request, uri.format('token'))
+        self.assertRaises(errors.InvalidRedirectURIError,
+                self.mobile.create_authorization_response, uri.format('token'), scopes=['foo'])
+
     def test_missing_redirect_uri(self):
         uri = 'https://example.com/authorize?response_type={0}&client_id=foo'
 
diff --git a/tests/oauth2/rfc6749/test_parameters.py b/tests/oauth2/rfc6749/test_parameters.py
index 6ba98c0..b211d1e 100644
--- a/tests/oauth2/rfc6749/test_parameters.py
+++ b/tests/oauth2/rfc6749/test_parameters.py
@@ -86,7 +86,7 @@ class ParameterTests(TestCase):
         'access_token': '2YotnFZFEjr1zCsicMWpAA',
         'state': state,
         'token_type': 'example',
-        'expires_in': '3600',
+        'expires_in': 3600,
         'expires_at': 4600,
         'scope': ['abc']
     }
diff --git a/tests/test_common.py b/tests/test_common.py
index b0ea20d..fb4bd5b 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -39,6 +39,8 @@ class EncodingTest(TestCase):
         self.assertItemsEqual(urldecode('foo=bar@spam'), [('foo', 'bar@spam')])
         self.assertItemsEqual(urldecode('foo=bar/baz'), [('foo', 'bar/baz')])
         self.assertItemsEqual(urldecode('foo=bar?baz'), [('foo', 'bar?baz')])
+        self.assertItemsEqual(urldecode('foo=bar\'s'), [('foo', 'bar\'s')])
+        self.assertItemsEqual(urldecode('foo=$'), [('foo', '$')])
         self.assertRaises(ValueError, urldecode, 'foo bar')
         self.assertRaises(ValueError, urldecode, '%R')
         self.assertRaises(ValueError, urldecode, '%RA')
diff --git a/tox.ini b/tox.ini
index 7c4652e..eac7a1e 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = py27,py34,py35,py36,pypy,docs
+envlist = py27,py34,py35,py36,pypy,docs,readme
 
 [testenv]
 deps=
@@ -19,3 +19,12 @@ deps=sphinx
 changedir=docs
 whitelist_externals=make
 commands=make clean html
+
+# tox -e readme to mimick pypi long_description check
+[testenv:readme]
+skipsdist=True
+deps=readme
+whitelist_externals=echo
+commands=
+        python setup.py check -r -s
+        echo setup.py/long description is syntaxly correct