From 75cc688ed923724e1bfe20a2a030ee92a151095e Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 30 Apr 2019 16:18:12 +0200
Subject: Add hooks to highlight the possibilities of the framework
The grey color has been used to show that's optional, and a loop arrow to represent that multiple hooks can be stacked. We can distinctly see three kind of hooks: 1) pre/post+token/auth 2) generate access/refresh tokens 3) code/token modifiers. Also, I have added the optional RequestValidator.rotate_refresh_token callback.
---
 docs/oauth2/oauth2provider-server.dot | 87 +++++++++++++++++++++++++++--------
 1 file changed, 69 insertions(+), 18 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index ec24078..934bd20 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -5,6 +5,7 @@ digraph oauthlib {
 webapi_ : oauthlib entry/exit points in shape=hexagon
 if_ : internal conditions
 r_ : used when returning from two functions into one for improving clarity
+ h_ : callbacks/hooks available but not required
 */
 center="1"
 edge [ style=bold ];
@@ -62,6 +63,7 @@ digraph oauthlib {
 f_is_within_original_scope [ label="{{is_within_original_scope|{refresh_scopes|refresh_token|request}}|{True|False}}"; ];
 f_validate_user [ label="{{validate_user|{username|password|client|request}}|{True|False}}"; ];
 f_introspect_token [ label="{{introspect_token|{token|token_type_hint|request}}|{\{claims\}|None}}"; ];
+ f_rotate_refresh_token [ label="{{rotate_refresh_token|{request}}|{True|False}}"; ];
 }
 /* OAuthlib Conditions */
@@ -115,11 +117,41 @@ digraph oauthlib {
 f_is_within_original_scope;
 }
+ {
+ node [ shape=record,color=grey ];
+ edge [ color=grey ];
+
+ h_pre_auth [ label="{{pre_auth|request}|\{credentials\}}}"; ];
+ h_post_auth [ label="{{post_auth|request}|\{credentials\}}}"; ];
+ h_pre_token [ label="{{pre_token|request}|}}"; ];
+ h_pre_token_password [ label="{{pre_token|request}|}}"; ];
+ h_pre_token_implicit [ label="{{pre_token|request}|}}"; ];
+ h_post_token [ label="{{post_token|request}|}}"; ];
+ h_token_modifiers [ label="{{token_modifiers|{token|token_handler|request}}|\{token\}}}"; ];
+ h_code_modifiers [ label="{{code_modifiers|{grant|token_handler|request}}|\{grant\}}}"; ];
+ h_generate_access_token [ label="{{generate_access_token|request}|\{access token\}}}"; ];
+ h_generate_refresh_token [ label="{{generate_refresh_token|request}|\{refresh token\}}}"; ];
+
+ h_pre_auth:resp:se -> h_pre_auth:arg:ne;
+ h_post_auth:resp:se -> h_post_auth:arg:ne;
+ h_pre_token:resp:se -> h_pre_token:arg:ne;
+ h_pre_token_password:resp:se -> h_pre_token_password:arg:ne;
+ h_pre_token_implicit:resp:se -> h_pre_token_implicit:arg:ne;
+ h_post_token:resp:se -> h_post_token:arg:ne;
+ h_token_modifiers:resp:se -> h_token_modifiers:arg:ne;
+ h_code_modifiers:resp:se -> h_code_modifiers:arg:ne;
+ }
+ {
+ rank = same;
+ h_token_modifiers;
+ h_code_modifiers;
+ }
+
 /* Authorization Code - Access Token Request */
 {
 edge [ color=darkgreen ];
- endpoint_token:authorization_code:s -> f_client_authentication_required;
+ endpoint_token:authorization_code:s -> h_pre_token -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
 f_client_authentication_required:false:s -> f_authenticate_client_id;
 f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
@@ -134,8 +166,12 @@ digraph oauthlib {
 if_redirect_uri_missing -> f_get_default_redirect_uri;
 f_get_default_redirect_uri:redirect_uri:s -> f_confirm_redirect_uri;
- f_confirm_redirect_uri:true:s -> f_save_bearer_token;
- f_save_bearer_token -> f_invalidate_authorization_code;
+ f_confirm_redirect_uri:true:s -> h_post_token;
+
+ h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
+ f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
+ f_rotate_refresh_token:false:s -> h_token_modifiers;
+ h_token_modifiers -> f_save_bearer_token -> f_invalidate_authorization_code -> webapi_response;
 }
 /* Authorization Code - Authorization Request */
@@ -149,8 +185,9 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> f_validate_response_type;
- f_get_default_redirect_uri:redirect_uri:s -> f_validate_response_type;
+ f_validate_redirect_uri:true:s -> h_pre_auth;
+ f_get_default_redirect_uri:redirect_uri:s -> h_pre_auth;
+ h_pre_auth -> f_validate_response_type;
 f_validate_response_type:true:s -> f_is_pkce_required;
 f_is_pkce_required:true:s -> if_code_challenge;
 f_is_pkce_required:false:s -> f_validate_scopes;
@@ -158,7 +195,8 @@ digraph oauthlib {
 if_code_challenge -> f_validate_scopes [ label="present" ];
 if_code_challenge -> e_normal [ label="missing",style=dashed ];
- f_validate_scopes:true:s -> f_save_authorization_code;
+ f_validate_scopes:true:s -> h_post_auth;
+ h_post_auth -> h_code_modifiers -> f_save_authorization_code;
 f_save_authorization_code -> webapi_response;
 }
@@ -173,10 +211,13 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> f_validate_response_type;
- f_get_default_redirect_uri:redirect_uri:s -> f_validate_response_type;
+ f_validate_redirect_uri:true:s -> h_pre_auth;
+ f_get_default_redirect_uri:redirect_uri:s -> h_pre_auth;
+ h_pre_auth -> h_pre_token_implicit -> f_validate_response_type;
+ f_validate_response_type:true:s -> f_validate_scopes;
- f_validate_scopes:true:s -> f_save_bearer_token;
+ f_validate_scopes:true:s -> h_post_auth -> h_post_token ->
+ h_generate_access_token -> h_token_modifiers -> f_save_bearer_token -> webapi_response;
 }
@@ -189,15 +230,19 @@ digraph oauthlib {
 f_client_authentication_required:false:s -> f_authenticate_client_id;
 f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
 f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
- r_client_authenticated -> f_validate_user;
+ r_client_authenticated -> h_pre_token_password -> f_validate_user;
 f_validate_user:true:s -> f_validate_grant_type;
 f_validate_grant_type:true:s -> if_scopes;
 if_scopes -> f_validate_scopes [ label="present" ];
 if_scopes -> f_get_default_scopes [ label="missing" ];
- f_validate_scopes:true:s -> f_save_bearer_token;
- f_get_default_scopes -> f_save_bearer_token;
+ f_validate_scopes:true:s -> h_post_token;
+ f_get_default_scopes -> h_post_token;
+
+ h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
+ f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
+ f_rotate_refresh_token:false:s -> h_token_modifiers -> f_save_bearer_token -> webapi_response;
 }
@@ -205,10 +250,13 @@ digraph oauthlib {
 {
 edge [ color=blue ];
- endpoint_token:client_credentials:s -> f_authenticate_client;
+ endpoint_token:client_credentials:s -> h_pre_token -> f_authenticate_client;
+ f_authenticate_client:true:s -> f_validate_grant_type;
 f_validate_grant_type:true:s -> f_validate_scopes;
- f_validate_scopes:true:s -> f_save_bearer_token;
+ f_validate_scopes:true:s -> h_post_token;
+
+ h_post_token -> h_generate_access_token -> h_token_modifiers -> f_save_bearer_token -> webapi_response;
 }
@@ -216,7 +264,7 @@ digraph oauthlib {
 {
 edge [ color=brown ];
- endpoint_token:refresh_token:s -> f_client_authentication_required;
+ endpoint_token:refresh_token:s -> h_pre_token -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
 f_client_authentication_required:false:s -> f_authenticate_client_id;
 f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
@@ -227,9 +275,12 @@ digraph oauthlib {
 f_validate_refresh_token:true:s -> f_get_original_scopes;
 f_get_original_scopes -> if_all;
 if_all -> f_is_within_original_scope [ label="True" ];
- if_all -> f_save_bearer_token [ label="False" ];
- f_is_within_original_scope:true:s -> f_save_bearer_token;
- f_save_bearer_token -> webapi_response;
+ if_all -> h_post_token [ label="False" ];
+ f_is_within_original_scope:true:s -> h_post_token;
+ h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
+ f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
+ f_rotate_refresh_token:false:s -> h_token_modifiers;
+ h_token_modifiers -> f_save_bearer_token -> webapi_response;
 }
 /* Introspect Endpoint */
--
cgit v1.2.1