path: root/docs/oauth2/oauth2provider-server.dot
blob: bf7df75f10f9b3db9b9647e87682f8ed3fca5327 (plain)
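/*
 * OAuthlib provider call graph: which RequestValidator callbacks each
 * endpoint invokes, and in what order, for every grant/endpoint flow.
 *
 * Reading the diagram:
 *   - hexagon nodes are the web framework's HTTP request and response;
 *   - record nodes are the oauthlib endpoints (top row) and the
 *     RequestValidator methods a provider must implement, drawn with the
 *     method's arguments and its possible return values as ports;
 *   - each grant/endpoint flow has its own edge colour (see the comment
 *     on each subgraph below);
 *   - an edge leaving a validator's "True" port means the flow continues
 *     only when that callback returns True.  A "False" port is drawn only
 *     where the flow legitimately continues on False
 *     (client_authentication_required -> authenticate_client_id,
 *     is_pkce_required -> validate_scopes); the ERROR node is drawn only
 *     for the missing-code_challenge case.
 *
 * Render with, e.g., `dot -Tsvg oauth2provider-server.dot -o graph.svg`.
 */
digraph oauthlib {
    center="1"
    edge [ style=bold ];

    /* Web Framework Entry and Exit points */
    {
        node [ shape=hexagon ];
        edge [ style=normal ];

        /* every endpoint is reached from the framework's HTTP request */
        webapi_request [ label="WebFramework\nHTTP request" ];
        webapi_request:s ->
                endpoint_authorize:top:n,
                endpoint_token:top:n,
                endpoint_introspect:top:n,
                endpoint_revoke:top:n,
                endpoint_resource:top:n;
        webapi_response [ label="WebFramework\nHTTP response" ];
    }

    /* OAuthlib Endpoints: each record lists the endpoint method, its
       arguments, and (for authorize/token) the grant ports the flows
       below start from. */
    {
        rank=same;

        endpoint_authorize [ shape=record; label="{<top>Authorize Endpoint|{create_authorize_response|{uri|method|body|headers|credentials}}|{<token>token|<code>code}}" ];
        endpoint_token [ shape=record; label="{<top>Token Endpoint|{create_token_response|{uri|method|body|headers|credentials}}|{<authorization_code>authorization_code|<password>password|<client_credentials>client_credentials|<refresh_token>refresh_token}}" ];
        endpoint_revoke [ shape=record; label="{<top>Revocation Endpoint|{create_revocation_response|{uri|method|body|headers}}}" ];
        endpoint_introspect [ shape=record; label="{<top>Introspect Endpoint|{create_introspect_response|{uri|method|body|headers}}}" ];
        endpoint_resource [ shape=record; label="{<top>Resource Endpoint|{verify_request|{uri|method|body|headers|scopes_list}}}" ];
    }

    /* OAuthlib RequestValidator Methods: {<top>name|{args}} on the left,
       return values as ports (<true>/<false>, <none>, <scopes>, <claims>)
       on the right so flows can branch on the result. */
    {
        node [ shape=record ];

        f_client_authentication_required [ label="{{<top>client_authentication_required|request}|{<true>True|<false>False}}"; ];
        f_authenticate_client [ label="{{<top>authenticate_client|request}|{<true>True|<false>False}}";];
        f_authenticate_client_id [ label="{{<top>authenticate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_grant_type [ label="{{<top>validate_grant_type|{client_id|grant_type|client|request}}|{<true>True|<false>False}}"; ];
        f_validate_code [ label="{{<top>validate_code|{client_id|code|request}}|{<true>True|<false>False}}"; ];
        f_confirm_redirect_uri [ label="{{<top>confirm_redirect_uri|{client_id|code|redirect_uri|client|request}}|{<true>True|<false>False}}"; ];
        f_get_default_redirect_uri [ label="{{<top>get_default_redirect_uri|{client_id|request}}|{<redirect_uri>redirect_uri|<none>None}}"; ];
        f_invalidate_authorization_code [ label="{{<top>invalidate_authorization_code|{client_id|code|request}}|None}"; ];
        f_validate_scopes [ label="{{<top>validate_scopes|{client_id|scopes|client|request}}|{<true>True|<false>False}}"; ];
        f_save_bearer_token [ label="{{<top>save_bearer_token|{token|request}}|None}"; ];
        f_revoke_token [ label="{{<top>revoke_token|{token|token_type_hint|request}}|None}"; ];
        f_validate_client_id [ label="{{<top>validate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_redirect_uri [ label="{{<top>validate_redirect_uri|{client_id|redirect_uri|request}}|{<true>True|<false>False}}"; ];
        f_is_pkce_required [ label="{{<top>is_pkce_required|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_response_type [ label="{{<top>validate_response_type|{client_id|response_type|client|request}}|{<true>True|<false>False}}"; ];
        f_save_authorization_code [ label="{{<top>save_authorization_code|{client_id|code|request}}|None}"; ];
        f_validate_bearer_token [ label="{{<top>validate_bearer_token|{token|scopes|request}}|{<true>True|<false>False}}"; ];
        f_validate_refresh_token [ label="{{<top>validate_refresh_token|{refresh_token|client|request}}|{<true>True|<false>False}}"; ];
        f_get_default_scopes [ label="{{<top>get_default_scopes|{client_id|request}}|{<scopes>[scopes]}}"; ];
        f_get_original_scopes [ label="{{<top>get_original_scopes|{refresh_token|request}}|{<scopes>[scopes]}}"; ];
        f_is_within_original_scope [ label="{{<top>is_within_original_scope|{refresh_scopes|refresh_token|request}}|{<true>True|<false>False}}"; ];
        f_validate_user [ label="{{<top>validate_user|{username|password|client|request}}|{<true>True|<false>False}}"; ];
        f_introspect_token [ label="{{<top>introspect_token|{token|token_type_hint|request}}|{<claims>\{claims\}|<none>None}}"; ];
    }

    /* OAuthlib Conditions: branch points that are decided by request
       content rather than by a validator callback. */

    if_code_challenge [ label="if code_challenge"; ];
    if_redirect_uri [ label="if redirect_uri"; ];
    if_redirect_uri_present [ shape=none;label="present"; ];
    if_redirect_uri_missing [ shape=none;label="missing"; ];
    if_scopes [ label="if scopes"; ];
    /* refresh grant: True when the requested scopes are not all covered by
       the original grant, in which case is_within_original_scope decides */
    if_all [ label="all(request_scopes not in scopes)"; ];

    /* OAuthlib errors */
    e_normal [ shape=none,label="ERROR" ];

    /* Authorization Code - Access Token Request (green) */
    {
        edge [ color=green ];

        endpoint_token:authorization_code:s -> f_client_authentication_required;
        /* confidential clients are authenticated; public clients only have
           their client_id checked */
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false -> f_authenticate_client_id;
        f_authenticate_client:true:s -> f_validate_grant_type;
        f_authenticate_client_id:true:s -> f_validate_grant_type;
        f_validate_grant_type:true:s -> f_validate_code;

        f_validate_code:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_confirm_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;

        f_confirm_redirect_uri:true:s -> f_save_bearer_token;
        f_get_default_redirect_uri -> f_save_bearer_token;

        /* the code is single-use: it is invalidated once the token is saved */
        f_save_bearer_token -> f_invalidate_authorization_code;
        f_invalidate_authorization_code -> webapi_response;
    }
    /* Authorization Code - Authorization Request (darkgreen) */
    {
        edge [ color=darkgreen ];

        endpoint_authorize:code:s -> f_validate_client_id;
        f_validate_client_id:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_validate_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;

        f_validate_redirect_uri:true:s -> f_validate_response_type;
        f_get_default_redirect_uri -> f_validate_response_type;
        f_validate_response_type:true:s -> f_is_pkce_required;
        /* when PKCE is required, a request without code_challenge is an error */
        f_is_pkce_required:true:s -> if_code_challenge;
        f_is_pkce_required:false -> f_validate_scopes;

        if_code_challenge -> f_validate_scopes [ label="present" ];
        if_code_challenge -> e_normal [ label="missing" ];

        f_validate_scopes:true:s -> f_save_authorization_code;
        /* the flow ends in the redirect response carrying the code */
        f_save_authorization_code -> webapi_response;
    }

    /* Implicit (orange) */
    {
        edge [ color=orange ];

        endpoint_authorize:token:s -> f_validate_client_id;
        f_validate_client_id:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_validate_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;

        f_validate_redirect_uri:true:s -> f_validate_response_type;
        f_get_default_redirect_uri -> f_validate_response_type;
        f_validate_response_type:true:s -> f_validate_scopes;
        f_validate_scopes:true:s -> f_save_bearer_token;
        /* the flow ends in the redirect response carrying the token */
        f_save_bearer_token -> webapi_response;
    }

    /* Resource Owner Password Grant (red) */
    {
        edge [ color=red ];

        endpoint_token:password:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false -> f_authenticate_client_id;
        f_authenticate_client:true:s -> f_validate_user;
        f_authenticate_client_id:true:s -> f_validate_user;
        f_validate_user:true:s -> f_validate_grant_type;

        f_validate_grant_type:true:s -> if_scopes;
        if_scopes -> f_validate_scopes [ label="present" ];
        if_scopes -> f_get_default_scopes [ label="missing" ];

        f_validate_scopes:true:s -> f_save_bearer_token;
        f_get_default_scopes -> f_save_bearer_token;
        f_save_bearer_token -> webapi_response;
    }

    /* Client Credentials Grant (blue) */
    {
        edge [ color=blue ];

        /* the client is always authenticated here (no
           client_authentication_required / authenticate_client_id path);
           as in the other flows, only the True port continues */
        endpoint_token:client_credentials:s -> f_authenticate_client;
        f_authenticate_client:true:s -> f_validate_grant_type;
        f_validate_grant_type:true:s -> f_validate_scopes;
        f_validate_scopes:true:s -> f_save_bearer_token;
        f_save_bearer_token -> webapi_response;
    }

    /* Refresh Grant (brown) */
    {
        edge [ color=brown ];

        endpoint_token:refresh_token:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false -> f_authenticate_client_id;
        f_authenticate_client:true:s -> f_validate_grant_type;
        f_authenticate_client_id:true:s -> f_validate_grant_type;
        f_validate_grant_type:true:s -> f_validate_refresh_token;
        /* requested scopes may not silently exceed the original grant */
        f_validate_refresh_token:true:s -> f_get_original_scopes;
        f_get_original_scopes -> if_all;
        if_all -> f_is_within_original_scope [ label="True" ];
        if_all -> f_save_bearer_token [ label="False" ];
        f_is_within_original_scope:true:s -> f_save_bearer_token;
        f_save_bearer_token -> webapi_response;
    }

    /* Introspect Endpoint (yellow) */
    {
        edge [ color=yellow ];

        endpoint_introspect:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false -> f_authenticate_client_id;
        f_authenticate_client:true:s -> f_introspect_token;
        f_authenticate_client_id:true:s -> f_introspect_token;
        f_introspect_token:claims -> webapi_response;
    }

    /* Revocation Endpoint (purple) */
    {
        edge [ color=purple ];

        endpoint_revoke:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false -> f_authenticate_client_id;
        f_authenticate_client:true:s -> f_revoke_token;
        f_authenticate_client_id:true:s -> f_revoke_token;
        f_revoke_token:s -> webapi_response;
    }

    /* Resource Access - Verify Request (pink) */
    {
        edge [ color=pink ];

        endpoint_resource:s -> f_validate_bearer_token;
        f_validate_bearer_token:true:s -> webapi_response;
    }
}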