authorJonathan Huot <jonathan.huot@thomsonreuters.com>2019-01-08 15:59:01 +0100
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2019-01-08 15:59:01 +0100
commite5c1d8e9a3624f910a268d9918f10998f5387b26 (patch)
treef0cd9b07d8f67cac58ff2c17f6ec6fc8313943cf
parent332c2a40e65ee13c14f82aafd78d8b314688135c (diff)
Fix #643 by changing order of validate_user/grant_type for ROPGimprove-reqval-order
-rw-r--r--docs/oauth2/oauth2provider-server.dot24
-rw-r--r--oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py6
2 files changed, 13 insertions, 17 deletions
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index ec24078..2c4921c 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -83,12 +83,7 @@ digraph oauthlib {
{
rank = same;
f_validate_client_id;
- f_validate_code;
- /* f_validate_user; */
- f_validate_bearer_token;
- f_validate_refresh_token;
- f_introspect_token;
- f_revoke_token;
+ f_authenticate_client;
}
{
rank = same;
@@ -102,7 +97,12 @@ digraph oauthlib {
}
{
rank = same;
- f_invalidate_authorization_code;
+ f_validate_code;
+ f_validate_user;
+ f_validate_bearer_token;
+ f_validate_refresh_token;
+ f_introspect_token;
+ f_revoke_token;
}
{
rank = same;
@@ -110,10 +110,6 @@ digraph oauthlib {
f_get_original_scopes;
f_get_default_scopes;
}
- {
- rank = same;
- f_is_within_original_scope;
- }
/* Authorization Code - Access Token Request */
{
@@ -189,10 +185,10 @@ digraph oauthlib {
f_client_authentication_required:false:s -> f_authenticate_client_id;
f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
- r_client_authenticated -> f_validate_user;
- f_validate_user:true:s -> f_validate_grant_type;
+ r_client_authenticated -> f_validate_grant_type;
+ f_validate_grant_type:true:s -> f_validate_user;
- f_validate_grant_type:true:s -> if_scopes;
+ f_validate_user:true:s -> if_scopes;
if_scopes -> f_validate_scopes [ label="present" ];
if_scopes -> f_get_default_scopes [ label="missing" ];
diff --git a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
index f765d91..12c74f1 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
@@ -178,6 +178,9 @@ class ResourceOwnerPasswordCredentialsGrant(GrantTypeBase):
if not request.grant_type == 'password':
raise errors.UnsupportedGrantTypeError(request=request)
+ # Ensure client is authorized use of this grant type
+ self.validate_grant_type(request)
+
log.debug('Validating username %s.', request.username)
if not self.request_validator.validate_user(request.username,
request.password, request.client, request):
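Review bot: The added `self.validate_grant_type(request)` call runs before `request.client_id` is normalized from the authenticated client (the `request.client_id = request.client_id or request.client.client_id` line sits further down, after `validate_user`), so if the base-class `validate_grant_type` forwards `request.client_id` to the request validator, a client that authenticated via `authenticate_client` without sending `client_id` in the body may have its grant-type permission checked against `None`. Consider hoisting that normalization above the new call, i.e. `if request.client: request.client_id = request.client_id or request.client.client_id` immediately before `self.validate_grant_type(request)`. Checking the grant type before `validate_user` is the right direction, since it stops clients that are not permitted the password grant from driving password checks against arbitrary usernames, and the comment would read better as `# Ensure the client is authorized to use this grant type`. The enclosing method begins above this hunk and continues below it.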
@@ -191,9 +194,6 @@ class ResourceOwnerPasswordCredentialsGrant(GrantTypeBase):
'in authenticate_client.')
log.debug('Authorizing access to user %r.', request.user)
- # Ensure client is authorized use of this grant type
- self.validate_grant_type(request)
-
if request.client:
request.client_id = request.client_id or request.client.client_id
self.validate_scopes(request)