Fix 652: removed "state" from /token response.

Fix OIDC /token flow where &state=None was always returned, and fix OAuth2.0 /token flow where &state=foobar was returned if &state=foobar was present in the token request. Remove "save_token" from create_token() signature cuz it was not used internally. Deprecated the option to let upstream libraries have a chance to remove it, if ever used.
author: Jonathan Huot <jonathan.huot@thomsonreuters.com> 2019-02-20 14:30:03 +0100
committer: Jonathan Huot <jonathan.huot@thomsonreuters.com> 2019-02-20 14:30:03 +0100
commit: 8c9f0a3cee9fab35fdf7269441daab666b931f59 (patch)
tree: 3269712f570666f7ca00521b3f939fa66a167394 /oauthlib
parent: 00c0c3613879396e6511e9fc48d6ba5a6d7d746f (diff)
download: oauthlib-8c9f0a3cee9fab35fdf7269441daab666b931f59.tar.gz
9 files changed, 27 insertions, 19 deletions
diff --git a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
index 6463391..5f03d9c 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py
@@ -305,9 +305,11 @@ class AuthorizationCodeGrant(GrantTypeBase):
             headers.update(e.headers)
             return headers, e.json, e.status_code
 
-        token = token_handler.create_token(request, refresh_token=self.refresh_token, save_token=False)
+        token = token_handler.create_token(request, refresh_token=self.refresh_token)
+
         for modifier in self._token_modifiers:
             token = modifier(token, token_handler, request)
+
         self.request_validator.save_token(token, request)
         self.request_validator.invalidate_authorization_code(
             request.client_id, request.code, request)
diff --git a/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py b/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
index c966795..7e50857 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
@@ -76,10 +76,11 @@ class ClientCredentialsGrant(GrantTypeBase):
             headers.update(e.headers)
             return headers, e.json, e.status_code
 
-        token = token_handler.create_token(request, refresh_token=False, save_token=False)
+        token = token_handler.create_token(request, refresh_token=False)
 
         for modifier in self._token_modifiers:
             token = modifier(token)
+
         self.request_validator.save_token(token, request)
 
         log.debug('Issuing token to client id %r (%r), %r.',
diff --git a/oauthlib/oauth2/rfc6749/grant_types/implicit.py b/oauthlib/oauth2/rfc6749/grant_types/implicit.py
index d6de906..48bae7a 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/implicit.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/implicit.py
@@ -237,10 +237,13 @@ class ImplicitGrant(GrantTypeBase):
         # "id_token token" - return the access token and the id token
         # "id_token" - don't return the access token
         if "token" in request.response_type.split():
-            token = token_handler.create_token(request, refresh_token=False, save_token=False)
+            token = token_handler.create_token(request, refresh_token=False)
         else:
             token = {}
 
+        if request.state is not None:
+            token['state'] = request.state
+
         for modifier in self._token_modifiers:
             token = modifier(token, token_handler, request)
 
diff --git a/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py b/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py
index bd519e8..fc61d65 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/refresh_token.py
@@ -64,10 +64,11 @@ class RefreshTokenGrant(GrantTypeBase):
             return headers, e.json, e.status_code
 
         token = token_handler.create_token(request,
-                                           refresh_token=self.issue_new_refresh_tokens, save_token=False)
+                                           refresh_token=self.issue_new_refresh_tokens)
 
         for modifier in self._token_modifiers:
             token = modifier(token)
+
         self.request_validator.save_token(token, request)
 
         log.debug('Issuing new token to client id %r (%r), %r.',
diff --git a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
index f765d91..5929afb 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
@@ -104,10 +104,11 @@ class ResourceOwnerPasswordCredentialsGrant(GrantTypeBase):
             headers.update(e.headers)
             return headers, e.json, e.status_code
 
-        token = token_handler.create_token(request, self.refresh_token, save_token=False)
+        token = token_handler.create_token(request, self.refresh_token)
 
         for modifier in self._token_modifiers:
             token = modifier(token)
+
         self.request_validator.save_token(token, request)
 
         log.debug('Issuing token %r to client id %r (%r) and username %s.',
diff --git a/oauthlib/oauth2/rfc6749/tokens.py b/oauthlib/oauth2/rfc6749/tokens.py
index d78df09..44a9a97 100644
--- a/oauthlib/oauth2/rfc6749/tokens.py
+++ b/oauthlib/oauth2/rfc6749/tokens.py
@@ -12,6 +12,7 @@ from __future__ import absolute_import, unicode_literals
 import hashlib
 import hmac
 from binascii import b2a_base64
+import warnings
 
 from oauthlib import common
 from oauthlib.common import add_params_to_qs, add_params_to_uri, unicode_type
@@ -296,15 +297,18 @@ class BearerToken(TokenBase):
         )
         self.expires_in = expires_in or 3600
 
-    def create_token(self, request, refresh_token=False, save_token=True):
+    def create_token(self, request, refresh_token=False, **kwargs):
         """
         Create a BearerToken, by default without refresh token.
-        
+
         :param request: OAuthlib request.
         :type request: oauthlib.common.Request
         :param refresh_token:
-        :param save_token:
         """
+        if "save_token" in kwargs:
+            warnings.warn("`save_token` has been deprecated, it was not used internally."
+                          "If you do, use `request_validator.save_token()` instead.",
+                          DeprecationWarning)
 
         if callable(self.expires_in):
             expires_in = self.expires_in(request)
@@ -325,9 +329,6 @@ class BearerToken(TokenBase):
         if request.scopes is not None:
             token['scope'] = ' '.join(request.scopes)
 
-        if request.state is not None:
-            token['state'] = request.state
-
         if refresh_token:
             if (request.refresh_token and
                     not self.request_validator.rotate_refresh_token(request)):
@@ -336,10 +337,7 @@ class BearerToken(TokenBase):
                 token['refresh_token'] = self.refresh_token_generator(request)
 
         token.update(request.extra_credentials or {})
-        token = OAuth2Token(token)
-        if save_token:
-            self.request_validator.save_bearer_token(token, request)
-        return token
+        return OAuth2Token(token)
 
     def validate_request(self, request):
         """
diff --git a/oauthlib/openid/connect/core/grant_types/base.py b/oauthlib/openid/connect/core/grant_types/base.py
index fa578a5..05cdd37 100644
--- a/oauthlib/openid/connect/core/grant_types/base.py
+++ b/oauthlib/openid/connect/core/grant_types/base.py
@@ -58,9 +58,6 @@ class GrantTypeBase(object):
         if request.response_type and 'id_token' not in request.response_type:
             return token
 
-        if 'state' not in token:
-            token['state'] = request.state
-
         if request.max_age:
             d = datetime.datetime.utcnow()
             token['auth_time'] = d.isoformat("T") + "Z"
diff --git a/oauthlib/openid/connect/core/grant_types/implicit.py b/oauthlib/openid/connect/core/grant_types/implicit.py
index 0eaa5b3..0a6fcb7 100644
--- a/oauthlib/openid/connect/core/grant_types/implicit.py
+++ b/oauthlib/openid/connect/core/grant_types/implicit.py
@@ -26,3 +26,8 @@ class ImplicitGrant(GrantTypeBase):
         self.custom_validators.post_auth.append(
             self.openid_implicit_authorization_validator)
         self.register_token_modifier(self.add_id_token)
+
+    def add_id_token(self, token, token_handler, request):
+        if 'state' not in token:
+            token['state'] = request.state
+        return super(ImplicitGrant, self).add_id_token(token, token_handler, request)
diff --git a/oauthlib/openid/connect/core/tokens.py b/oauthlib/openid/connect/core/tokens.py
index 6b68891..b67cdf2 100644
--- a/oauthlib/openid/connect/core/tokens.py
+++ b/oauthlib/openid/connect/core/tokens.py
@@ -25,7 +25,7 @@ class JWTToken(TokenBase):
         )
         self.expires_in = expires_in or 3600
 
-    def create_token(self, request, refresh_token=False, save_token=False):
+    def create_token(self, request, refresh_token=False):
         """Create a JWT Token, using requestvalidator method."""
 
         if callable(self.expires_in):
author	Jonathan Huot <jonathan.huot@thomsonreuters.com>	2019-02-20 14:30:03 +0100
committer	Jonathan Huot <jonathan.huot@thomsonreuters.com>	2019-02-20 14:30:03 +0100
commit	8c9f0a3cee9fab35fdf7269441daab666b931f59 (patch)
tree	3269712f570666f7ca00521b3f939fa66a167394 /oauthlib
parent	00c0c3613879396e6511e9fc48d6ba5a6d7d746f (diff)
download	oauthlib-8c9f0a3cee9fab35fdf7269441daab666b931f59.tar.gz