From 1e25facd4f07a5ffba31db24e1aa4ef92c5e5ad2 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 10:00:22 +0100
Subject: [PATCH 01/10] Inverted color for AuthCode AuthZ and Token.
Light then Dark is more logical because the two flows must have similar color, but lighter then darker has clearly a better understanding.
---
 docs/oauth2/oauth2provider-legend.dot | 4 ++--
 docs/oauth2/oauth2provider-server.dot | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/oauth2/oauth2provider-legend.dot b/docs/oauth2/oauth2provider-legend.dot
index 746ac2b2..ad87d80b 100644
--- a/docs/oauth2/oauth2provider-legend.dot
+++ b/docs/oauth2/oauth2provider-legend.dot
@@ -18,8 +18,8 @@ digraph oauthlib_legend {
 flow_introspect [shape=none,label="Token Introspection"];
 flow_revoke [shape=none,label="Token Revoke"];
 flow_resource [shape=none,label="Resource Access"];
- flow_code_token -> a [style=bold,color=green];
- flow_code_auth -> b [style=bold,color=darkgreen];
+ flow_code_token -> a [style=bold,color=darkgreen];
+ flow_code_auth -> b [style=bold,color=green];
 flow_implicit -> c [style=bold,color=orange];
 flow_password -> d [style=bold,color=red];
 flow_clicreds -> e [style=bold,color=blue];
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index bf7df75f..5ed7f3ac 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -71,7 +71,7 @@ digraph oauthlib {
 /* Authorization Code - Access Token Request */
 {
- edge [ color=green ];
+ edge [ color=darkgreen ];
 endpoint_token:authorization_code:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
@@ -94,7 +94,7 @@ digraph oauthlib {
 }
 /* Authorization Code - Authorization Request */
 {
- edge [ color=darkgreen ];
+ edge [ color=green ];
 endpoint_authorize:code:s -> f_validate_client_id;
 f_validate_client_id:true:s -> if_redirect_uri;
From f543f289d5f7628d8f8e1395a48cd04493f7b8de Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 10:00:36 +0100
Subject: [PATCH 02/10] Added two missing webapi_response links
---
 docs/oauth2/oauth2provider-server.dot | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 5ed7f3ac..0eeea788 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -113,6 +113,7 @@ digraph oauthlib {
 if_code_challenge -> e_normal [ label="missing" ];
 f_validate_scopes:true:s -> f_save_authorization_code;
+ f_save_authorization_code -> webapi_response;
 }
 /* Implicit */
@@ -130,6 +131,7 @@ digraph oauthlib {
 f_get_default_redirect_uri -> f_validate_response_type;
 f_validate_response_type:true:s -> f_validate_scopes;
 f_validate_scopes:true:s -> f_save_bearer_token;
+ f_save_bearer_token -> webapi_response;
 }
 /* Resource Owner Password Grant */
From 340067080f0ac47c1ad830eebd7738cca22df008 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 10:00:43 +0100
Subject: [PATCH 03/10] Removed empty label
---
 docs/oauth2/oauth2provider-server.dot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 0eeea788..cc4fcfdc 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -187,7 +187,7 @@ digraph oauthlib {
 {
 edge [ color=yellow ];
- endpoint_introspect:s -> f_client_authentication_required [ label="" ];
+ endpoint_introspect:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
 f_client_authentication_required:false -> f_authenticate_client_id;
 f_authenticate_client:true:s -> f_introspect_token;
From a060c1900f22990df2adb1933fc38453cf4614ce Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 12:21:01 +0100
Subject: [PATCH 04/10] Add comment to help newcomers
---
 docs/oauth2/oauth2provider-server.dot | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index cc4fcfdc..6877c0ac 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -1,4 +1,11 @@
 digraph oauthlib {
+ /* Naming conventions:
+ f_ : functions in shape=record
+ endpoint_ : endpoints in shape=record
+ webapi_ : oauthlib entry/exit points in shape=hexagon
+ if_ : internal conditions
+ r_ : used when returning from two functions into one for improving clarity
+ */
 center="1"
 edge [ style=bold ];
From 75cd44eba8e7efca6480868afe737b41136da641 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 12:23:22 +0100
Subject: [PATCH 05/10] Group a couple of functions exits points to minimize number of edges
---
 docs/oauth2/oauth2provider-server.dot | 51 +++++++++++++++++----------
 1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 6877c0ac..1c0a7e9f 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -73,6 +73,11 @@ digraph oauthlib {
 if_scopes [ label="if scopes"; ];
 if_all [ label="all(request_scopes not in scopes)"; ];
+ /* OAuthlib functions returns helpers */
+ r_client_authenticated [ shape=none,label="True"; ];
+ r_redirect_uri_code [ shape=none,label="",width=0,height=0 ];
+ r_redirect_uri_token [ shape=none,label="",width=0,height=0 ];
+
 /* OAuthlib errors */
 e_normal [ shape=none,label="ERROR" ];
@@ -82,9 +87,10 @@ digraph oauthlib {
 endpoint_token:authorization_code:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
- f_client_authentication_required:false -> f_authenticate_client_id;
- f_authenticate_client:true:s -> f_validate_grant_type;
- f_authenticate_client_id:true:s -> f_validate_grant_type;
+ f_client_authentication_required:false:s -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
+ f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
+ r_client_authenticated -> f_validate_grant_type;
 f_validate_grant_type:true:s -> f_validate_code;
 f_validate_code:true:s -> if_redirect_uri;
@@ -110,8 +116,9 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> f_validate_response_type;
- f_get_default_redirect_uri -> f_validate_response_type;
+ f_validate_redirect_uri:true:s -> r_redirect_uri_code [ arrowhead=none ];
+ f_get_default_redirect_uri:redirect_uri:s -> r_redirect_uri_code [ arrowhead=none ];
+ r_redirect_uri_code -> f_validate_response_type;v
 f_validate_response_type:true:s -> f_is_pkce_required;
 f_is_pkce_required:true:s -> if_code_challenge;
 f_is_pkce_required:false -> f_validate_scopes;
@@ -134,8 +141,9 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> f_validate_response_type;
- f_get_default_redirect_uri -> f_validate_response_type;
+ f_validate_redirect_uri:true:s -> r_redirect_uri_token [ arrowhead=none ];
+ f_get_default_redirect_uri:redirect_uri:s -> r_redirect_uri_token [ arrowhead=none ];
+ r_redirect_uri_token -> f_validate_response_type;
 f_validate_response_type:true:s -> f_validate_scopes;
 f_validate_scopes:true:s -> f_save_bearer_token;
 f_save_bearer_token -> webapi_response;
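Review bot: The added line `r_redirect_uri_code -> f_validate_response_type;v` in the `@@ -110,8 +116,9 @@` hunk carries a stray `v` after the semicolon; since DOT treats the statement separator as optional, this most likely parses as an extra node named `v` rather than failing, so the rendered diagram would gain a spurious unconnected node. The line should read `r_redirect_uri_code -> f_validate_response_type;`. Patch 07/10 of this series happens to delete the line again, so folding the correction into this commit would keep every intermediate revision rendering cleanly.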
@@ -147,9 +155,10 @@ digraph oauthlib {
 endpoint_token:password:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
- f_client_authentication_required:false -> f_authenticate_client_id;
- f_authenticate_client:true:s -> f_validate_user;
- f_authenticate_client_id:true:s -> f_validate_user;
+ f_client_authentication_required:false:s -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
+ f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
+ r_client_authenticated -> f_validate_user;
 f_validate_user:true:s -> f_validate_grant_type;
 f_validate_grant_type:true:s -> if_scopes;
@@ -178,9 +187,11 @@ digraph oauthlib {
 endpoint_token:refresh_token:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
- f_client_authentication_required:false -> f_authenticate_client_id;
- f_authenticate_client:true:s -> f_validate_grant_type;
- f_authenticate_client_id:true:s -> f_validate_grant_type;
+ f_client_authentication_required:false:s -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
+ f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
+ r_client_authenticated -> f_validate_grant_type;
+
 f_validate_grant_type:true:s -> f_validate_refresh_token;
 f_validate_refresh_token:true:s -> f_get_original_scopes;
 f_get_original_scopes -> if_all;
@@ -196,9 +207,10 @@ digraph oauthlib {
 endpoint_introspect:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
- f_client_authentication_required:false -> f_authenticate_client_id;
- f_authenticate_client:true:s -> f_introspect_token;
- f_authenticate_client_id:true:s -> f_introspect_token;
+ f_client_authentication_required:false:s -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
+ f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
+ r_client_authenticated -> f_introspect_token;
 f_introspect_token:claims -> webapi_response;
 }
@@ -208,9 +220,10 @@ digraph oauthlib {
 endpoint_revoke:s -> f_client_authentication_required;
 f_client_authentication_required:true:s -> f_authenticate_client;
- f_client_authentication_required:false -> f_authenticate_client_id;
- f_authenticate_client:true:s -> f_revoke_token;
- f_authenticate_client_id:true:s -> f_revoke_token;
+ f_client_authentication_required:false:s -> f_authenticate_client_id;
+ f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
+ f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
+ r_client_authenticated -> f_revoke_token;
 f_revoke_token:s -> webapi_response;
 }
From ef6fb4a71541c074de864df2805ed8188d28453a Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 12:23:37 +0100
Subject: [PATCH 06/10] Increase accuracy of functions exits
---
 docs/oauth2/oauth2provider-server.dot | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 1c0a7e9f..f90153a0 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -100,7 +100,7 @@ digraph oauthlib {
 if_redirect_uri_missing -> f_get_default_redirect_uri;
 f_confirm_redirect_uri:true:s -> f_save_bearer_token;
- f_get_default_redirect_uri -> f_save_bearer_token;
+ f_get_default_redirect_uri:redirect_uri:s -> f_save_bearer_token;
 f_save_bearer_token -> f_invalidate_authorization_code;
 f_invalidate_authorization_code -> webapi_response;
@@ -121,7 +121,7 @@ digraph oauthlib {
 r_redirect_uri_code -> f_validate_response_type;v
 f_validate_response_type:true:s -> f_is_pkce_required;
 f_is_pkce_required:true:s -> if_code_challenge;
- f_is_pkce_required:false -> f_validate_scopes;
+ f_is_pkce_required:false:s -> f_validate_scopes;
 if_code_challenge -> f_validate_scopes [ label="present" ];
 if_code_challenge -> e_normal [ label="missing" ];
@@ -175,7 +175,7 @@ digraph oauthlib {
 edge [ color=blue ];
 endpoint_token:client_credentials:s -> f_authenticate_client;
- f_authenticate_client -> f_validate_grant_type;
+ f_authenticate_client:true:s -> f_validate_grant_type;
 f_validate_grant_type:true:s -> f_validate_scopes;
 f_validate_scopes:true:s -> f_save_bearer_token;
 f_save_bearer_token -> webapi_response;
From 9e438eb9eb48c9de4dcbe9d50954a1f26e8184c0 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 12:56:46 +0100
Subject: [PATCH 07/10] Added functional rank=same to add clarity
---
 docs/oauth2/oauth2provider-server.dot | 49 +++++++++++++++++++++++----
 1 file changed, 42 insertions(+), 7 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index f90153a0..636875c7 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -81,6 +81,43 @@ digraph oauthlib {
 /* OAuthlib errors */
 e_normal [ shape=none,label="ERROR" ];
+ /* Ranking by functional roles */
+ {
+ rank = same;
+ f_validate_client_id;
+ f_validate_code;
+ /* f_validate_user; */
+ f_validate_bearer_token;
+ f_validate_refresh_token;
+ f_introspect_token;
+ f_revoke_token;
+ }
+ {
+ rank = same;
+ f_validate_redirect_uri;
+ f_get_default_redirect_uri;
+ f_confirm_redirect_uri;
+ }
+ {
+ rank = same;
+ f_save_bearer_token;
+ f_save_authorization_code;
+ }
+ {
+ rank = same;
+ f_invalidate_authorization_code;
+ }
+ {
+ rank = same;
+ f_get_original_scopes;
+ f_get_default_scopes;
+ }
+ {
+ rank = same;
+ f_is_within_original_scope;
+ f_validate_scopes;
+ }
+
 /* Authorization Code - Access Token Request */
 {
 edge [ color=darkgreen ];
@@ -116,15 +153,14 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> r_redirect_uri_code [ arrowhead=none ];
- f_get_default_redirect_uri:redirect_uri:s -> r_redirect_uri_code [ arrowhead=none ];
- r_redirect_uri_code -> f_validate_response_type;v
+ f_validate_redirect_uri:true:s -> f_validate_response_type;
+ f_get_default_redirect_uri:redirect_uri:s -> f_validate_response_type;
 f_validate_response_type:true:s -> f_is_pkce_required;
 f_is_pkce_required:true:s -> if_code_challenge;
 f_is_pkce_required:false:s -> f_validate_scopes;
 if_code_challenge -> f_validate_scopes [ label="present" ];
- if_code_challenge -> e_normal [ label="missing" ];
+ if_code_challenge -> e_normal [ label="missing",style=dashed ];
 f_validate_scopes:true:s -> f_save_authorization_code;
 f_save_authorization_code -> webapi_response;
@@ -141,9 +177,8 @@ digraph oauthlib {
 if_redirect_uri_present -> f_validate_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
- f_validate_redirect_uri:true:s -> r_redirect_uri_token [ arrowhead=none ];
- f_get_default_redirect_uri:redirect_uri:s -> r_redirect_uri_token [ arrowhead=none ];
- r_redirect_uri_token -> f_validate_response_type;
+ f_validate_redirect_uri:true:s -> f_validate_response_type;
+ f_get_default_redirect_uri:redirect_uri:s -> f_validate_response_type;
 f_validate_response_type:true:s -> f_validate_scopes;
 f_validate_scopes:true:s -> f_save_bearer_token;
 f_save_bearer_token -> webapi_response;
From 0ee9e7bad8f0c61e3b4b7761170c3e7b8547fb68 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 13:01:54 +0100
Subject: [PATCH 08/10] Removed unnecessary joins
---
 docs/oauth2/oauth2provider-server.dot | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 636875c7..5f915494 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -74,9 +74,7 @@ digraph oauthlib {
 if_all [ label="all(request_scopes not in scopes)"; ];
 /* OAuthlib functions returns helpers */
- r_client_authenticated [ shape=none,label="True"; ];
- r_redirect_uri_code [ shape=none,label="",width=0,height=0 ];
- r_redirect_uri_token [ shape=none,label="",width=0,height=0 ];
+ r_client_authenticated [ shape=none,label="client authenticated"; ];
 /* OAuthlib errors */
 e_normal [ shape=none,label="ERROR" ];
From 332c2a40e65ee13c14f82aafd78d8b314688135c Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 13:17:36 +0100
Subject: [PATCH 09/10] Fix flow of authcode/redirect_uri since #445 is merged.
---
 docs/oauth2/oauth2provider-server.dot | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index 5f915494..ec240787 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -93,7 +93,6 @@ digraph oauthlib {
 {
 rank = same;
 f_validate_redirect_uri;
- f_get_default_redirect_uri;
 f_confirm_redirect_uri;
 }
 {
@@ -107,13 +106,13 @@ digraph oauthlib {
 }
 {
 rank = same;
+ f_validate_scopes;
 f_get_original_scopes;
 f_get_default_scopes;
 }
 {
 rank = same;
 f_is_within_original_scope;
- f_validate_scopes;
 }
 /* Authorization Code - Access Token Request */
@@ -133,10 +132,9 @@ digraph oauthlib {
 if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
 if_redirect_uri_present -> f_confirm_redirect_uri;
 if_redirect_uri_missing -> f_get_default_redirect_uri;
+ f_get_default_redirect_uri:redirect_uri:s -> f_confirm_redirect_uri;
 f_confirm_redirect_uri:true:s -> f_save_bearer_token;
- f_get_default_redirect_uri:redirect_uri:s -> f_save_bearer_token;
-
 f_save_bearer_token -> f_invalidate_authorization_code;
 f_invalidate_authorization_code -> webapi_response;
 }
From e5c1d8e9a3624f910a268d9918f10998f5387b26 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 8 Jan 2019 15:59:01 +0100
Subject: [PATCH 10/10] Fix #643 by changing orer of validate_user/grant_type for ROPG
---
 docs/oauth2/oauth2provider-server.dot | 24 ++++++++-----------
 .../resource_owner_password_credentials.py | 6 ++---
 2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/docs/oauth2/oauth2provider-server.dot b/docs/oauth2/oauth2provider-server.dot
index ec240787..2c4921cb 100644
--- a/docs/oauth2/oauth2provider-server.dot
+++ b/docs/oauth2/oauth2provider-server.dot
@@ -83,12 +83,7 @@ digraph oauthlib {
 {
 rank = same;
 f_validate_client_id;
- f_validate_code;
- /* f_validate_user; */
- f_validate_bearer_token;
- f_validate_refresh_token;
- f_introspect_token;
- f_revoke_token;
+ f_authenticate_client;
 }
 {
 rank = same;
@@ -102,7 +97,12 @@ digraph oauthlib {
 }
 {
 rank = same;
- f_invalidate_authorization_code;
+ f_validate_code;
+ f_validate_user;
+ f_validate_bearer_token;
+ f_validate_refresh_token;
+ f_introspect_token;
+ f_revoke_token;
 }
 {
 rank = same;
@@ -110,10 +110,6 @@ digraph oauthlib {
 f_get_original_scopes;
 f_get_default_scopes;
 }
- {
- rank = same;
- f_is_within_original_scope;
- }
 /* Authorization Code - Access Token Request */
 {
@@ -189,10 +185,10 @@ digraph oauthlib {
 f_client_authentication_required:false:s -> f_authenticate_client_id;
 f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
 f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
- r_client_authenticated -> f_validate_user;
- f_validate_user:true:s -> f_validate_grant_type;
+ r_client_authenticated -> f_validate_grant_type;
+ f_validate_grant_type:true:s -> f_validate_user;
- f_validate_grant_type:true:s -> if_scopes;
+ f_validate_user:true:s -> if_scopes;
 if_scopes -> f_validate_scopes [ label="present" ];
 if_scopes -> f_get_default_scopes [ label="missing" ];
diff --git a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
index f765d91b..12c74f19 100644
--- a/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
+++ b/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
@@ -178,6 +178,9 @@ def validate_token_request(self, request):
 if not request.grant_type == 'password':
 raise errors.UnsupportedGrantTypeError(request=request)
+ # Ensure client is authorized use of this grant type
+ self.validate_grant_type(request)
+
 log.debug('Validating username %s.', request.username)
 if not self.request_validator.validate_user(request.username,
 request.password, request.client, request):
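Review bot: The relocated `self.validate_grant_type(request)` in the `@@ -178,6 +178,9 @@` hunk now runs before `validate_user`, but the moved comment only restates the call; the reason for the ordering is the substance of this fix and belongs in the comment, e.g. `# Check the client may use this grant type before touching user credentials, so a client that is not allowed the password grant never triggers a password check` (which also repairs the missing "to" in "authorized use"). A consequence worth stating in the commit message is that a grant-type rejection is now raised before the username is logged at debug level or passed to `request_validator.validate_user`, which matches the reordered `.dot` flow in this patch. validate_token_request begins outside the hunk, and I cannot see a regression test in this series asserting that validate_grant_type is called before validate_user, which is the order #643 is about.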
@@ -191,9 +194,6 @@ def validate_token_request(self, request):
 'in authenticate_client.')
 log.debug('Authorizing access to user %r.', request.user)
- # Ensure client is authorized use of this grant type
- self.validate_grant_type(request)
-
 if request.client:
 request.client_id = request.client_id or request.client.client_id
 self.validate_scopes(request)