diff options
author | Jonathan Huot <jonathan.huot@thomsonreuters.com> | 2019-02-28 10:06:37 +0100 |
---|---|---|
committer | Jonathan Huot <jonathan.huot@thomsonreuters.com> | 2019-02-28 10:06:37 +0100 |
commit | 73032fe688a899f80d2a65479c72fec450ec51a1 (patch) | |
tree | 8d202b555100364b16d961d47c49e501a7ea43da | |
parent | 932b6844c986604e1aa9603f76e83a2229f3d9e8 (diff) | |
download | oauthlib-73032fe688a899f80d2a65479c72fec450ec51a1.tar.gz |
Removed duplicated OIDC members in OAuth2.RequestValidator
-rw-r--r-- | docs/oauth2/oidc/validator.rst | 6 | ||||
-rw-r--r-- | oauthlib/oauth2/rfc6749/request_validator.py | 182 | ||||
-rw-r--r-- | oauthlib/openid/__init__.py | 1 |
3 files changed, 5 insertions, 184 deletions
diff --git a/docs/oauth2/oidc/validator.rst b/docs/oauth2/oidc/validator.rst index a03adfe..7a6f574 100644 --- a/docs/oauth2/oidc/validator.rst +++ b/docs/oauth2/oidc/validator.rst @@ -10,12 +10,14 @@ upgrade it by replacing one line of code: .. code-block:: python from oauthlib.oauth2 import Server + from oauthlib.oauth2 import RequestValidator Into .. code-block:: python from oauthlib.openid import Server + from oauthlib.openid import RequestValidator Then, you have to implement the new RequestValidator methods as shown below. @@ -24,5 +26,5 @@ RequestValidator Extension A couple of methods must be implemented in your validator subclass if you wish to support OpenID Connect: -.. autoclass:: oauthlib.oauth2.RequestValidator - :members: validate_silent_authorization, validate_silent_login, validate_user_match, get_id_token, get_authorization_code_scopes, validate_jwt_bearer_token +.. autoclass:: oauthlib.openid.RequestValidator + :members: diff --git a/oauthlib/oauth2/rfc6749/request_validator.py b/oauthlib/oauth2/rfc6749/request_validator.py index 5ff30d8..d6ec2ab 100644 --- a/oauthlib/oauth2/rfc6749/request_validator.py +++ b/oauthlib/oauth2/rfc6749/request_validator.py @@ -291,32 +291,6 @@ class RequestValidator(object): """ raise NotImplementedError('Subclasses must implement this method.') - def get_authorization_code_scopes(self, client_id, code, redirect_uri, request): - """ Extracts scopes from saved authorization code. - - The scopes returned by this method is used to route token requests - based on scopes passed to Authorization Code requests. - - With that the token endpoint knows when to include OpenIDConnect - id_token in token response only based on authorization code scopes. - - Only code param should be sufficient to retrieve grant code from - any storage you are using, `client_id` and `redirect_uri` can gave a - blank value `""` don't forget to check it before using those values - in a select query if a database is used. - - :param client_id: Unicode client identifier. - :param code: Unicode authorization code grant. - :param redirect_uri: Unicode absolute URI. - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :return: A list of scopes - - Method is used by: - - Authorization Token Grant Dispatcher - """ - raise NotImplementedError('Subclasses must implement this method.') - def save_token(self, token, request, *args, **kwargs): """Persist the token with a token type specific method. @@ -378,104 +352,6 @@ class RequestValidator(object): """ raise NotImplementedError('Subclasses must implement this method.') - def get_jwt_bearer_token(self, token, token_handler, request): - """Get JWT Bearer token or OpenID Connect ID token - - If using OpenID Connect this SHOULD call `oauthlib.oauth2.RequestValidator.get_id_token` - - :param token: A Bearer token dict. - :param token_handler: The token handler (BearerToken class). - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :return: The JWT Bearer token or OpenID Connect ID token (a JWS signed JWT) - - Method is used by JWT Bearer and OpenID Connect tokens: - - JWTToken.create_token - """ - raise NotImplementedError('Subclasses must implement this method.') - - def get_id_token(self, token, token_handler, request): - """Get OpenID Connect ID token - - In the OpenID Connect workflows when an ID Token is requested this method is called. - Subclasses should implement the construction, signing and optional encryption of the - ID Token as described in the OpenID Connect spec. - - In addition to the standard OAuth2 request properties, the request may also contain - these OIDC specific properties which are useful to this method: - - - nonce, if workflow is implicit or hybrid and it was provided - - claims, if provided to the original Authorization Code request - - The token parameter is a dict which may contain an ``access_token`` entry, in which - case the resulting ID Token *should* include a calculated ``at_hash`` claim. - - Similarly, when the request parameter has a ``code`` property defined, the ID Token - *should* include a calculated ``c_hash`` claim. - - http://openid.net/specs/openid-connect-core-1_0.html (sections `3.1.3.6`_, `3.2.2.10`_, `3.3.2.11`_) - - .. _`3.1.3.6`: http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken - .. _`3.2.2.10`: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken - .. _`3.3.2.11`: http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken - - :param token: A Bearer token dict. - :param token_handler: The token handler (BearerToken class) - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :return: The ID Token (a JWS signed JWT) - """ - # the request.scope should be used by the get_id_token() method to determine which claims to include in the resulting id_token - raise NotImplementedError('Subclasses must implement this method.') - - def validate_jwt_bearer_token(self, token, scopes, request): - """Ensure the JWT Bearer token or OpenID Connect ID token are valids and authorized access to scopes. - - If using OpenID Connect this SHOULD call `oauthlib.oauth2.RequestValidator.get_id_token` - - If not using OpenID Connect this can `return None` to avoid 5xx rather 401/3 response. - - OpenID connect core 1.0 describe how to validate an id_token: - - http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation - - http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation - - http://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation - - http://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation2 - - :param token: Unicode Bearer token. - :param scopes: List of scopes (defined by you). - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :rtype: True or False - - Method is indirectly used by all core OpenID connect JWT token issuing grant types: - - Authorization Code Grant - - Implicit Grant - - Hybrid Grant - """ - raise NotImplementedError('Subclasses must implement this method.') - - def validate_id_token(self, token, scopes, request): - """Ensure the id token is valid and authorized access to scopes. - - OpenID connect core 1.0 describe how to validate an id_token: - - http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation - - http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation - - http://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation - - http://openid.net/specs/openid-connect-core-1_0.html#HybridIDTValidation2 - - :param token: Unicode Bearer token. - :param scopes: List of scopes (defined by you). - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :rtype: True or False - - Method is indirectly used by all core OpenID connect JWT token issuing grant types: - - Authorization Code Grant - - Implicit Grant - - Hybrid Grant - """ - raise NotImplementedError('Subclasses must implement this method.') - def validate_bearer_token(self, token, scopes, request): """Ensure the Bearer token is valid and authorized access to scopes. @@ -668,44 +544,6 @@ class RequestValidator(object): """ raise NotImplementedError('Subclasses must implement this method.') - def validate_silent_authorization(self, request): - """Ensure the logged in user has authorized silent OpenID authorization. - - Silent OpenID authorization allows access tokens and id tokens to be - granted to clients without any user prompt or interaction. - - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :rtype: True or False - - Method is used by: - - OpenIDConnectAuthCode - - OpenIDConnectImplicit - - OpenIDConnectHybrid - """ - raise NotImplementedError('Subclasses must implement this method.') - - def validate_silent_login(self, request): - """Ensure session user has authorized silent OpenID login. - - If no user is logged in or has not authorized silent login, this - method should return False. - - If the user is logged in but associated with multiple accounts and - not selected which one to link to the token then this method should - raise an oauthlib.oauth2.AccountSelectionRequired error. - - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :rtype: True or False - - Method is used by: - - OpenIDConnectAuthCode - - OpenIDConnectImplicit - - OpenIDConnectHybrid - """ - raise NotImplementedError('Subclasses must implement this method.') - def validate_user(self, username, password, client, request, *args, **kwargs): """Ensure the username and password is valid. @@ -726,26 +564,6 @@ class RequestValidator(object): """ raise NotImplementedError('Subclasses must implement this method.') - def validate_user_match(self, id_token_hint, scopes, claims, request): - """Ensure client supplied user id hint matches session user. - - If the sub claim or id_token_hint is supplied then the session - user must match the given ID. - - :param id_token_hint: User identifier string. - :param scopes: List of OAuth 2 scopes and OpenID claims (strings). - :param claims: OpenID Connect claims dict. - :param request: OAuthlib request. - :type request: oauthlib.common.Request - :rtype: True or False - - Method is used by: - - OpenIDConnectAuthCode - - OpenIDConnectImplicit - - OpenIDConnectHybrid - """ - raise NotImplementedError('Subclasses must implement this method.') - def is_pkce_required(self, client_id, request): """Determine if current request requires PKCE. Default, False. This is called for both "authorization" and "token" requests. diff --git a/oauthlib/openid/__init__.py b/oauthlib/openid/__init__.py index 03f0fa2..7f1a876 100644 --- a/oauthlib/openid/__init__.py +++ b/oauthlib/openid/__init__.py @@ -7,3 +7,4 @@ oauthlib.openid from __future__ import absolute_import, unicode_literals from .connect.core.endpoints import Server +from .connect.core.request_validator import RequestValidator |