File manager

File manager - Edit - /home/newsbmcs.com/public_html/static/img/logo/rfc6749.tar

Back
request_validator.py��0000644��00000070263�15030301546�0010660 0��ustar�00��""" oauthlib.oauth2.rfc6749.request_validator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import logging log = logging.getLogger(__name__) class RequestValidator: def client_authentication_required(self, request, args, kwargs): """Determine if client authentication is required for current request. According to the rfc6749, client authentication is required in the following cases: - Resource Owner Password Credentials Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 4.3.2`_. - Authorization Code Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 4.1.3`_. - Refresh Token Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 6`_ :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant - Refresh Token Grant .. _`Section 4.3.2`: https://tools.ietf.org/html/rfc6749#section-4.3.2 .. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3 .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6 """ return True def authenticate_client(self, request, args, *kwargs): """Authenticate client through means outside the OAuth 2 spec. Means of authentication is negotiated beforehand and may for example be `HTTP Basic Authentication Scheme`_ which utilizes the Authorization header. Headers may be accesses through request.headers and parameters found in both body and query can be obtained by direct attribute access, i.e. request.client_id for client_id in the URL query. The authentication process is required to contain the identification of the client (i.e. search the database based on the client_id). In case the client doesn't exist based on the received client_id, this method has to return False and the HTTP response created by the library will contain 'invalid_client' message. After the client identification succeeds, this method needs to set the client on the request, i.e. request.client = client. A client object's class must contain the 'client_id' attribute and the 'client_id' must have a value. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant (may be disabled) - Client Credentials Grant - Refresh Token Grant .. _`HTTP Basic Authentication Scheme`: https://tools.ietf.org/html/rfc1945#section-11.1 """ raise NotImplementedError('Subclasses must implement this method.') def authenticate_client_id(self, client_id, request, args, *kwargs): """Ensure client_id belong to a non-confidential client. A non-confidential client is one that is not required to authenticate through other means, such as using HTTP Basic. Note, while not strictly necessary it can often be very convenient to set request.client to the client object associated with the given client_id. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant """ raise NotImplementedError('Subclasses must implement this method.') def confirm_redirect_uri(self, client_id, code, redirect_uri, client, request, args, *kwargs): """Ensure that the authorization process represented by this authorization code began with this 'redirect_uri'. If the client specifies a redirect_uri when obtaining code then that redirect URI must be bound to the code and verified equal in this method, according to RFC 6749 section 4.1.3. Do not compare against the client's allowed redirect URIs, but against the URI used when the code was saved. :param client_id: Unicode client identifier. :param code: Unicode authorization_code. :param redirect_uri: Unicode absolute URI. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant (during token request) """ raise NotImplementedError('Subclasses must implement this method.') def get_default_redirect_uri(self, client_id, request, args, *kwargs): """Get the default redirect URI for the client. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: The default redirect URI for the client Method is used by: - Authorization Code Grant - Implicit Grant """ raise NotImplementedError('Subclasses must implement this method.') def get_default_scopes(self, client_id, request, args, *kwargs): """Get the default scopes for the client. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: List of default scopes Method is used by all core grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials grant """ raise NotImplementedError('Subclasses must implement this method.') def get_original_scopes(self, refresh_token, request, args, *kwargs): """Get the list of scopes associated with the refresh token. :param refresh_token: Unicode refresh token. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: List of scopes. Method is used by: - Refresh token grant """ raise NotImplementedError('Subclasses must implement this method.') def is_within_original_scope(self, request_scopes, refresh_token, request, args, *kwargs): """Check if requested scopes are within a scope of the refresh token. When access tokens are refreshed the scope of the new token needs to be within the scope of the original token. This is ensured by checking that all requested scopes strings are on the list returned by the get_original_scopes. If this check fails, is_within_original_scope is called. The method can be used in situations where returning all valid scopes from the get_original_scopes is not practical. :param request_scopes: A list of scopes that were requested by client. :param refresh_token: Unicode refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Refresh token grant """ return False def introspect_token(self, token, token_type_hint, request, args, *kwargs): """Introspect an access or refresh token. Called once the introspect request is validated. This method should verify the token* and either return a dictionary with the list of claims associated, or `None` in case the token is unknown. Below the list of registered claims you should be interested in: - scope : space-separated list of scopes - client_id : client identifier - username : human-readable identifier for the resource owner - token_type : type of the token - exp : integer timestamp indicating when this token will expire - iat : integer timestamp indicating when this token was issued - nbf : integer timestamp indicating when it can be "not-before" used - sub : subject of the token - identifier of the resource owner - aud : list of string identifiers representing the intended audience - iss : string representing issuer of this token - jti : string identifier for the token Note that most of them are coming directly from JWT RFC. More details can be found in `Introspect Claims`_ or `JWT Claims`_. The implementation can use token_type_hint to improve lookup efficiency, but must fallback to other types to be compliant with RFC. The dict of claims is added to request.token after this method. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Introspect Endpoint (all grants are compatible) .. _`Introspect Claims`: https://tools.ietf.org/html/rfc7662#section-2.2 .. _`JWT Claims`: https://tools.ietf.org/html/rfc7519#section-4 """ raise NotImplementedError('Subclasses must implement this method.') def invalidate_authorization_code(self, client_id, code, request, args, kwargs): """Invalidate an authorization code after use. :param client_id: Unicode client identifier. :param code: The authorization code grant (request.code). :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Authorization Code Grant """ raise NotImplementedError('Subclasses must implement this method.') def revoke_token(self, token, token_type_hint, request, args, *kwargs): """Revoke an access or refresh token. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Revocation Endpoint """ raise NotImplementedError('Subclasses must implement this method.') def rotate_refresh_token(self, request): """Determine whether to rotate the refresh token. Default, yes. When access tokens are refreshed the old refresh token can be kept or replaced with a new one (rotated). Return True to rotate and and False for keeping original. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Refresh Token Grant """ return True def save_authorization_code(self, client_id, code, request, args, *kwargs): """Persist the authorization_code. The code should at minimum be stored with: - the client_id (``client_id``) - the redirect URI used (``request.redirect_uri``) - a resource owner / user (``request.user``) - the authorized scopes (``request.scopes``) To support PKCE, you MUST associate the code with: - Code Challenge (``request.code_challenge``) and - Code Challenge Method (``request.code_challenge_method``) To support OIDC, you MUST associate the code with: - nonce, if present (``code["nonce"]``) The ``code`` argument is actually a dictionary, containing at least a ``code`` key with the actual authorization code: ``{'code': 'sdf345jsdf0934f'}`` It may also have a ``claims`` parameter which, when present, will be a dict deserialized from JSON as described at http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter This value should be saved in this method and used again in ``.validate_code``. :param client_id: Unicode client identifier. :param code: A dict of the authorization code grant and, optionally, state. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Authorization Code Grant """ raise NotImplementedError('Subclasses must implement this method.') def save_token(self, token, request, args, *kwargs): """Persist the token with a token type specific method. Currently, only save_bearer_token is supported. :param token: A (Bearer) token dict. :param request: OAuthlib request. :type request: oauthlib.common.Request """ return self.save_bearer_token(token, request, args, *kwargs) def save_bearer_token(self, token, request, args, *kwargs): """Persist the Bearer token. The Bearer token should at minimum be associated with: - a client and it's client_id, if available - a resource owner / user (request.user) - authorized scopes (request.scopes) - an expiration time - a refresh token, if issued - a claims document, if present in request.claims The Bearer token dict may hold a number of items:: { 'token_type': 'Bearer', 'access_token': 'askfjh234as9sd8', 'expires_in': 3600, 'scope': 'string of space separated authorized scopes', 'refresh_token': '23sdf876234', # if issued 'state': 'given_by_client', # if supplied by client (implicit ONLY) } Note that while "scope" is a string-separated list of authorized scopes, the original list is still available in request.scopes. The token dict is passed as a reference so any changes made to the dictionary will go back to the user. If additional information must return to the client user, and it is only possible to get this information after writing the token to storage, it should be added to the token dictionary. If the token dictionary must be modified but the changes should not go back to the user, a copy of the dictionary must be made before making the changes. Also note that if an Authorization Code grant request included a valid claims parameter (for OpenID Connect) then the request.claims property will contain the claims dict, which should be saved for later use when generating the id_token and/or UserInfo response content. :param token: A Bearer token dict. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: The default redirect URI for the client Method is used by all core grant types issuing Bearer tokens: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant (might not associate a client) - Client Credentials grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_bearer_token(self, token, scopes, request): """Ensure the Bearer token is valid and authorized access to scopes. :param token: A string of random characters. :param scopes: A list of scopes associated with the protected resource. :param request: OAuthlib request. :type request: oauthlib.common.Request A key to OAuth 2 security and restricting impact of leaked tokens is the short expiration time of tokens, always ensure the token has not expired!. Two different approaches to scope validation: 1) all(scopes). The token must be authorized access to all scopes associated with the resource. For example, the token has access to ``read-only`` and ``images``, thus the client can view images but not upload new. Allows for fine grained access control through combining various scopes. 2) any(scopes). The token must be authorized access to one of the scopes associated with the resource. For example, token has access to ``read-only-images``. Allows for fine grained, although arguably less convenient, access control. A powerful way to use scopes would mimic UNIX ACLs and see a scope as a group with certain privileges. For a restful API these might map to HTTP verbs instead of read, write and execute. Note, the request.user attribute can be set to the resource owner associated with this token. Similarly the request.client and request.scopes attribute can be set to associated client object and authorized scopes. If you then use a decorator such as the one provided for django these attributes will be made available in all protected views as keyword arguments. :param token: Unicode Bearer token :param scopes: List of scopes (defined by you) :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is indirectly used by all core Bearer token issuing grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_client_id(self, client_id, request, args, *kwargs): """Ensure client_id belong to a valid and active client. Note, while not strictly necessary it can often be very convenient to set request.client to the client object associated with the given client_id. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_code(self, client_id, code, client, request, args, *kwargs): """Verify that the authorization_code is valid and assigned to the given client. Before returning true, set the following based on the information stored with the code in 'save_authorization_code': - request.user - request.scopes - request.claims (if given) OBS! The request.user attribute should be set to the resource owner associated with this authorization code. Similarly request.scopes must also be set. The request.claims property, if it was given, should assigned a dict. If PKCE is enabled (see 'is_pkce_required' and 'save_authorization_code') you MUST set the following based on the information stored: - request.code_challenge - request.code_challenge_method :param client_id: Unicode client identifier. :param code: Unicode authorization code. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_grant_type(self, client_id, grant_type, client, request, args, *kwargs): """Ensure client is authorized to use the grant_type requested. :param client_id: Unicode client identifier. :param grant_type: Unicode grant type, i.e. authorization_code, password. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant - Client Credentials Grant - Refresh Token Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_redirect_uri(self, client_id, redirect_uri, request, args, *kwargs): """Ensure client is authorized to redirect to the redirect_uri requested. All clients should register the absolute URIs of all URIs they intend to redirect to. The registration is outside of the scope of oauthlib. :param client_id: Unicode client identifier. :param redirect_uri: Unicode absolute URI. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_refresh_token(self, refresh_token, client, request, args, *kwargs): """Ensure the Bearer token is valid and authorized access to scopes. OBS! The request.user attribute should be set to the resource owner associated with this refresh token. :param refresh_token: Unicode refresh token. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant (indirectly by issuing refresh tokens) - Resource Owner Password Credentials Grant (also indirectly) - Refresh Token Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_response_type(self, client_id, response_type, client, request, args, *kwargs): """Ensure client is authorized to use the response_type requested. :param client_id: Unicode client identifier. :param response_type: Unicode response type, i.e. code, token. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_scopes(self, client_id, scopes, client, request, args, *kwargs): """Ensure the client is authorized access to requested scopes. :param client_id: Unicode client identifier. :param scopes: List of scopes (defined by you). :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by all core grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials Grant """ raise NotImplementedError('Subclasses must implement this method.') def validate_user(self, username, password, client, request, args, *kwargs): """Ensure the username and password is valid. OBS! The validation should also set the user attribute of the request to a valid resource owner, i.e. request.user = username or similar. If not set you will be unable to associate a token with a user in the persistence method used (commonly, save_bearer_token). :param username: Unicode username. :param password: Unicode password. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Resource Owner Password Credentials Grant """ raise NotImplementedError('Subclasses must implement this method.') def is_pkce_required(self, client_id, request): """Determine if current request requires PKCE. Default, False. This is called for both "authorization" and "token" requests. Override this method by ``return True`` to enable PKCE for everyone. You might want to enable it only for public clients. Note that PKCE can also be used in addition of a client authentication. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy"). See `RFC7636`_. :param client_id: Client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant .. _`RFC7636`: https://tools.ietf.org/html/rfc7636 """ return False def get_code_challenge(self, code, request): """Is called for every "token" requests. When the server issues the authorization code in the authorization response, it MUST associate the ``code_challenge`` and ``code_challenge_method`` values with the authorization code so it can be verified later. Typically, the ``code_challenge`` and ``code_challenge_method`` values are stored in encrypted form in the ``code`` itself but could alternatively be stored on the server associated with the code. The server MUST NOT include the ``code_challenge`` value in client requests in a form that other entities can extract. Return the ``code_challenge`` associated to the code. If ``None`` is returned, code is considered to not be associated to any challenges. :param code: Authorization code. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: code_challenge string Method is used by: - Authorization Code Grant - when PKCE is active """ return None def get_code_challenge_method(self, code, request): """Is called during the "token" request processing, when a ``code_verifier`` and a ``code_challenge`` has been provided. See ``.get_code_challenge``. Must return ``plain`` or ``S256``. You can return a custom value if you have implemented your own ``AuthorizationCodeGrant`` class. :param code: Authorization code. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: code_challenge_method string Method is used by: - Authorization Code Grant - when PKCE is active """ raise NotImplementedError('Subclasses must implement this method.') def is_origin_allowed(self, client_id, origin, request, args, *kwargs): """Indicate if the given origin is allowed to access the token endpoint via Cross-Origin Resource Sharing (CORS). CORS is used by browser-based clients, such as Single-Page Applications, to perform the Authorization Code Grant. (Note: If performing Authorization Code Grant via a public client such as a browser, you should use PKCE as well.) If this method returns true, the appropriate CORS headers will be added to the response. By default this method always returns False, meaning CORS is disabled. :param client_id: Unicode client identifier. :param redirect_uri: Unicode origin. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: bool Method is used by: - Authorization Code Grant - Refresh Token Grant """ return False ��clients/base.py��0000644��00000064034�15030301546�0007475 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming OAuth 2.0 RFC6749. """ import base64 import hashlib import re import secrets import time import warnings from oauthlib.common import generate_token from oauthlib.oauth2.rfc6749 import tokens from oauthlib.oauth2.rfc6749.errors import ( InsecureTransportError, TokenExpiredError, ) from oauthlib.oauth2.rfc6749.parameters import ( parse_token_response, prepare_token_request, prepare_token_revocation_request, ) from oauthlib.oauth2.rfc6749.utils import is_secure_transport AUTH_HEADER = 'auth_header' URI_QUERY = 'query' BODY = 'body' FORM_ENC_HEADERS = { 'Content-Type': 'application/x-www-form-urlencoded' } class Client: """Base OAuth2 client responsible for access token management. This class also acts as a generic interface providing methods common to all client types such as ``prepare_authorization_request`` and ``prepare_token_revocation_request``. The ``prepare_x_request`` methods are the recommended way of interacting with clients (as opposed to the abstract prepare uri/body/etc methods). They are recommended over the older set because they are easier to use (more consistent) and add a few additional security checks, such as HTTPS and state checking. Some of these methods require further implementation only provided by the specific purpose clients such as :py:class:`oauthlib.oauth2.MobileApplicationClient` and thus you should always seek to use the client class matching the OAuth workflow you need. For Python, this is usually :py:class:`oauthlib.oauth2.WebApplicationClient`. """ refresh_token_key = 'refresh_token' def __init__(self, client_id, default_token_placement=AUTH_HEADER, token_type='Bearer', access_token=None, refresh_token=None, mac_key=None, mac_algorithm=None, token=None, scope=None, state=None, redirect_url=None, state_generator=generate_token, code_verifier=None, code_challenge=None, code_challenge_method=None, kwargs): """Initialize a client with commonly used attributes. :param client_id: Client identifier given by the OAuth provider upon registration. :param default_token_placement: Tokens can be supplied in the Authorization header (default), the URL query component (``query``) or the request body (``body``). :param token_type: OAuth 2 token type. Defaults to Bearer. Change this if you specify the ``access_token`` parameter and know it is of a different token type, such as a MAC, JWT or SAML token. Can also be supplied as ``token_type`` inside the ``token`` dict parameter. :param access_token: An access token (string) used to authenticate requests to protected resources. Can also be supplied inside the ``token`` dict parameter. :param refresh_token: A refresh token (string) used to refresh expired tokens. Can also be supplied inside the ``token`` dict parameter. :param mac_key: Encryption key used with MAC tokens. :param mac_algorithm: Hashing algorithm for MAC tokens. :param token: A dict of token attributes such as ``access_token``, ``token_type`` and ``expires_at``. :param scope: A list of default scopes to request authorization for. :param state: A CSRF protection string used during authorization. :param redirect_url: The redirection endpoint on the client side to which the user returns after authorization. :param state_generator: A no argument state generation callable. Defaults to :py:meth:`oauthlib.common.generate_token`. :param code_verifier: PKCE parameter. A cryptographically random string that is used to correlate the authorization request to the token request. :param code_challenge: PKCE parameter. A challenge derived from the code verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: PKCE parameter. A method that was used to derive code challenge. Defaults to "plain" if not present in the request. """ self.client_id = client_id self.default_token_placement = default_token_placement self.token_type = token_type self.access_token = access_token self.refresh_token = refresh_token self.mac_key = mac_key self.mac_algorithm = mac_algorithm self.token = token or {} self.scope = scope self.state_generator = state_generator self.state = state self.redirect_url = redirect_url self.code_verifier = code_verifier self.code_challenge = code_challenge self.code_challenge_method = code_challenge_method self.code = None self.expires_in = None self._expires_at = None self.populate_token_attributes(self.token) @property def token_types(self): """Supported token types and their respective methods Additional tokens can be supported by extending this dictionary. The Bearer token spec is stable and safe to use. The MAC token spec is not yet stable and support for MAC tokens is experimental and currently matching version 00 of the spec. """ return { 'Bearer': self._add_bearer_token, 'MAC': self._add_mac_token } def prepare_request_uri(self, args, *kwargs): """Abstract method used to create request URIs.""" raise NotImplementedError("Must be implemented by inheriting classes.") def prepare_request_body(self, args, *kwargs): """Abstract method used to create request bodies.""" raise NotImplementedError("Must be implemented by inheriting classes.") def parse_request_uri_response(self, args, kwargs): """Abstract method used to parse redirection responses.""" raise NotImplementedError("Must be implemented by inheriting classes.") def add_token(self, uri, http_method='GET', body=None, headers=None, token_placement=None, kwargs): """Add token to the request uri, body or authorization header. The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type. For example, the "bearer" token type defined in [`I-D.ietf-oauth-v2-bearer`_] is utilized by simply including the access token string in the request: .. code-block:: http GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer mF_9.B5f-4.1JqM while the "mac" token type defined in [`I-D.ietf-oauth-v2-http-mac`_] is utilized by issuing a MAC key together with the access token which is used to sign certain components of the HTTP requests: .. code-block:: http GET /resource/1 HTTP/1.1 Host: example.com Authorization: MAC id="h480djs93hd8", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" .. _`I-D.ietf-oauth-v2-bearer`: https://tools.ietf.org/html/rfc6749#section-12.2 .. _`I-D.ietf-oauth-v2-http-mac`: https://tools.ietf.org/html/rfc6749#section-12.2 """ if not is_secure_transport(uri): raise InsecureTransportError() token_placement = token_placement or self.default_token_placement case_insensitive_token_types = { k.lower(): v for k, v in self.token_types.items()} if not self.token_type.lower() in case_insensitive_token_types: raise ValueError("Unsupported token type: %s" % self.token_type) if not (self.access_token or self.token.get('access_token')): raise ValueError("Missing access token.") if self._expires_at and self._expires_at < time.time(): raise TokenExpiredError() return case_insensitive_token_types[self.token_type.lower()](uri, http_method, body, headers, token_placement, kwargs) def prepare_authorization_request(self, authorization_url, state=None, redirect_url=None, scope=None, kwargs): """Prepare the authorization request. This is the first step in many OAuth flows in which the user is redirected to a certain authorization URL. This method adds required parameters to the authorization URL. :param authorization_url: Provider authorization endpoint URL. :param state: CSRF protection string. Will be automatically created if not provided. The generated state is available via the ``state`` attribute. Clients should verify that the state is unchanged and present in the authorization response. This verification is done automatically if using the ``authorization_response`` parameter with ``prepare_token_request``. :param redirect_url: Redirect URL to which the user will be returned after authorization. Must be provided unless previously setup with the provider. If provided then it must also be provided in the token request. :param scope: List of scopes to request. Must be equal to or a subset of the scopes granted when obtaining the refresh token. If none is provided, the ones provided in the constructor are used. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). """ if not is_secure_transport(authorization_url): raise InsecureTransportError() self.state = state or self.state_generator() self.redirect_url = redirect_url or self.redirect_url # do not assign scope to self automatically anymore scope = self.scope if scope is None else scope auth_url = self.prepare_request_uri( authorization_url, redirect_uri=self.redirect_url, scope=scope, state=self.state, kwargs) return auth_url, FORM_ENC_HEADERS, '' def prepare_token_request(self, token_url, authorization_response=None, redirect_url=None, state=None, body='', kwargs): """Prepare a token creation request. Note that these requests usually require client authentication, either by including client_id or a set of provider specific authentication credentials. :param token_url: Provider token creation endpoint URL. :param authorization_response: The full redirection URL string, i.e. the location to which the user was redirected after successful authorization. Used to mine credentials needed to obtain a token in this step, such as authorization code. :param redirect_url: The redirect_url supplied with the authorization request (if there was one). :param state: :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). """ if not is_secure_transport(token_url): raise InsecureTransportError() state = state or self.state if authorization_response: self.parse_request_uri_response( authorization_response, state=state) self.redirect_url = redirect_url or self.redirect_url body = self.prepare_request_body(body=body, redirect_uri=self.redirect_url, kwargs) return token_url, FORM_ENC_HEADERS, body def prepare_refresh_token_request(self, token_url, refresh_token=None, body='', scope=None, kwargs): """Prepare an access token refresh request. Expired access tokens can be replaced by new access tokens without going through the OAuth dance if the client obtained a refresh token. This refresh token and authentication credentials can be used to obtain a new access token, and possibly a new refresh token. :param token_url: Provider token refresh endpoint URL. :param refresh_token: Refresh token string. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: List of scopes to request. Must be equal to or a subset of the scopes granted when obtaining the refresh token. If none is provided, the ones provided in the constructor are used. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). """ if not is_secure_transport(token_url): raise InsecureTransportError() # do not assign scope to self automatically anymore scope = self.scope if scope is None else scope body = self.prepare_refresh_body(body=body, refresh_token=refresh_token, scope=scope, kwargs) return token_url, FORM_ENC_HEADERS, body def prepare_token_revocation_request(self, revocation_url, token, token_type_hint="access_token", body='', callback=None, kwargs): """Prepare a token revocation request. :param revocation_url: Provider token revocation endpoint URL. :param token: The access or refresh token to be revoked (string). :param token_type_hint: ``"access_token"`` (default) or ``"refresh_token"``. This is optional and if you wish to not pass it you must provide ``token_type_hint=None``. :param body: :param callback: A jsonp callback such as ``package.callback`` to be invoked upon receiving the response. Not that it should not include a () suffix. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). Note that JSONP request may use GET requests as the parameters will be added to the request URL query as opposed to the request body. An example of a revocation request .. code-block:: http POST /revoke HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token An example of a jsonp revocation request .. code-block:: http GET /revoke?token=agabcdefddddafdd&callback=package.myCallback HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW and an error response .. code-block:: javascript package.myCallback({"error":"unsupported_token_type"}); Note that these requests usually require client credentials, client_id in the case for public clients and provider specific authentication credentials for confidential clients. """ if not is_secure_transport(revocation_url): raise InsecureTransportError() return prepare_token_revocation_request(revocation_url, token, token_type_hint=token_type_hint, body=body, callback=callback, kwargs) def parse_request_body_response(self, body, scope=None, kwargs): """Parse the JSON response body. If the access token request is valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. :param body: The response body from the token request. :param scope: Scopes originally requested. If none is provided, the ones provided in the constructor are used. :return: Dictionary of token parameters. :raises: Warning if scope has changed. :py:class:`oauthlib.oauth2.errors.OAuth2Error` if response is invalid. These response are json encoded and could easily be parsed without the assistance of OAuthLib. However, there are a few subtle issues to be aware of regarding the response which are helpfully addressed through the raising of various errors. A successful response should always contain access_token The access token issued by the authorization server. Often a random string. token_type The type of the token issued as described in `Section 7.1`_. Commonly ``Bearer``. While it is not mandated it is recommended that the provider include expires_in The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope Providers may supply this in all responses but are required to only if it has changed since the authorization request. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 """ scope = self.scope if scope is None else scope self.token = parse_token_response(body, scope=scope) self.populate_token_attributes(self.token) return self.token def prepare_refresh_body(self, body='', refresh_token=None, scope=None, kwargs): """Prepare an access token request, using a refresh token. If the authorization server issued a refresh token to the client, the client makes a refresh request to the token endpoint by adding the following parameters using the `application/x-www-form-urlencoded` format in the HTTP request entity-body: :param refresh_token: REQUIRED. The refresh token issued to the client. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. Note that if none is provided, the ones provided in the constructor are used if any. """ refresh_token = refresh_token or self.refresh_token scope = self.scope if scope is None else scope return prepare_token_request(self.refresh_token_key, body=body, scope=scope, refresh_token=refresh_token, kwargs) def _add_bearer_token(self, uri, http_method='GET', body=None, headers=None, token_placement=None): """Add a bearer token to the request uri, body or authorization header.""" if token_placement == AUTH_HEADER: headers = tokens.prepare_bearer_headers(self.access_token, headers) elif token_placement == URI_QUERY: uri = tokens.prepare_bearer_uri(self.access_token, uri) elif token_placement == BODY: body = tokens.prepare_bearer_body(self.access_token, body) else: raise ValueError("Invalid token placement.") return uri, headers, body def create_code_verifier(self, length): """Create PKCE code_verifier used in computing code_challenge. See `RFC7636 Section 4.1`_ :param length: REQUIRED. The length of the code_verifier. The client first creates a code verifier, "code_verifier", for each OAuth 2.0 [RFC6749] Authorization Request, in the following manner: .. code-block:: text code_verifier = high-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Section 2.3 of [RFC3986], with a minimum length of 43 characters and a maximum length of 128 characters. .. _`RFC7636 Section 4.1`: https://tools.ietf.org/html/rfc7636#section-4.1 """ code_verifier = None if not length >= 43: raise ValueError("Length must be greater than or equal to 43") if not length <= 128: raise ValueError("Length must be less than or equal to 128") allowed_characters = re.compile('^[A-Zaa-z0-9-._~]') code_verifier = secrets.token_urlsafe(length) if not re.search(allowed_characters, code_verifier): raise ValueError("code_verifier contains invalid characters") self.code_verifier = code_verifier return code_verifier def create_code_challenge(self, code_verifier, code_challenge_method=None): """Create PKCE code_challenge derived from the code_verifier. See `RFC7636 Section 4.2`_ :param code_verifier: REQUIRED. The code_verifier generated from `create_code_verifier()`. :param code_challenge_method: OPTIONAL. The method used to derive the code_challenge. Acceptable values include `S256`. DEFAULT is `plain`. The client then creates a code challenge derived from the code verifier by using one of the following transformations on the code verifier:: plain code_challenge = code_verifier S256 code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) If the client is capable of using `S256`, it MUST use `S256`, as `S256` is Mandatory To Implement (MTI) on the server. Clients are permitted to use `plain` only if they cannot support `S256` for some technical reason and know via out-of-band configuration that the server supports `plain`. The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation. .. _`RFC7636 Section 4.2`: https://tools.ietf.org/html/rfc7636#section-4.2 """ code_challenge = None if code_verifier == None: raise ValueError("Invalid code_verifier") if code_challenge_method == None: code_challenge_method = "plain" self.code_challenge_method = code_challenge_method code_challenge = code_verifier self.code_challenge = code_challenge if code_challenge_method == "S256": h = hashlib.sha256() h.update(code_verifier.encode(encoding='ascii')) sha256_val = h.digest() code_challenge = bytes.decode(base64.urlsafe_b64encode(sha256_val)) # replace '+' with '-', '/' with '_', and remove trailing '=' code_challenge = code_challenge.replace("+", "-").replace("/", "_").replace("=", "") self.code_challenge = code_challenge return code_challenge def _add_mac_token(self, uri, http_method='GET', body=None, headers=None, token_placement=AUTH_HEADER, ext=None, kwargs): """Add a MAC token to the request authorization header. Warning: MAC token support is experimental as the spec is not yet stable. """ if token_placement != AUTH_HEADER: raise ValueError("Invalid token placement.") headers = tokens.prepare_mac_header(self.access_token, uri, self.mac_key, http_method, headers=headers, body=body, ext=ext, hash_algorithm=self.mac_algorithm, kwargs) return uri, headers, body def _populate_attributes(self, response): warnings.warn("Please switch to the public method " "populate_token_attributes.", DeprecationWarning) return self.populate_token_attributes(response) def populate_code_attributes(self, response): """Add attributes from an auth code response to self.""" if 'code' in response: self.code = response.get('code') def populate_token_attributes(self, response): """Add attributes from a token exchange response to self.""" if 'access_token' in response: self.access_token = response.get('access_token') if 'refresh_token' in response: self.refresh_token = response.get('refresh_token') if 'token_type' in response: self.token_type = response.get('token_type') if 'expires_in' in response: self.expires_in = response.get('expires_in') self._expires_at = time.time() + int(self.expires_in) if 'expires_at' in response: try: self._expires_at = int(response.get('expires_at')) except: self._expires_at = None if 'mac_key' in response: self.mac_key = response.get('mac_key') if 'mac_algorithm' in response: self.mac_algorithm = response.get('mac_algorithm') ��clients/__pycache__/__init__.cpython-310.pyc��0000644��00000001371�15030301546�0014654 0��ustar�00��o ��h��@��s\��d�Z�ddlmZ�ddlmZmZmZmZ�ddlm Z �ddl mZ�ddlm Z �ddlmZ�dS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming OAuth 2.0 RFC6749. ��)�BackendApplicationClient)�AUTH_HEADER�BODY� URI_QUERY�Client)�LegacyApplicationClient)�MobileApplicationClient)�ServiceApplicationClient)�WebApplicationClientN)�__doc__�backend_applicationr��baser��r��r��r��legacy_applicationr��mobile_applicationr��service_applicationr ��web_applicationr ��r��r��[/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/__init__.py�<module>��s��clients/__pycache__/service_application.cpython-310.pyc��0000644��00000016121�15030301546�0017137 0��ustar�00��o ��h��@��sD��d�Z�ddlZddlmZ�ddlmZ�ddlmZ�G�dd ��d e�ZdS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N)� to_unicode��)�prepare_token_request��)�Clientc��sH��e�Zd�ZdZdZ d ��fdd� Z ddd �Z��ZS�)�ServiceApplicationClienta��A public client utilizing the JWT bearer grant. JWT bearer tokes can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of (and digital signature or keyed message digest calculated over) the JWT, without a direct user approval step at the authorization server. This grant type does not involve an authorization step. It may be used by both public and confidential clients. z+urn:ietf:params:oauth:grant-type:jwt-bearerNc��s0��t��j\|fi�\|��\|\|�_\|\|�_\|\|�_\|\|�_dS�)ad��Initialize a JWT client with defaults for implicit use later. :param client_id: Client identifier given by the OAuth provider upon registration. :param private_key: Private key used for signing and encrypting. Must be given as a string. :param subject: The principal that is the subject of the JWT, i.e. which user is the token requested on behalf of. For example, ``foo@example.com. :param issuer: The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT. For example, ``your-client@provider.com``. :param audience: A value identifying the authorization server as an intended audience, e.g. ``https://provider.com/oauth2/token``. :param kwargs: Additional arguments to pass to base client, such as state and token. See ``Client.__init__.__doc__`` for details. N)�super�__init__�private_key�subject�issuer�audience)�self� client_idr ��r��r��r ��kwargs�� __class__��f/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/service_application.pyr �� s �� z!ServiceApplicationClient.__init__��Fc��K��s��ddl�}\|p\|�j} \| std��\|p\|�j\|p\|�j\|p\|�jt\|p#t��d��t\|pt��d�}dD�]}\|\|�du�r>td\|��q0d\|v�rJ\|�d�\|d <�d \|v�rU\|�d �\|d<�\|� \|pZi��\|� \|\| d�}t\|�}\|�j\|d <�\| \|d<�\| du�rw\|�j n\| } t\|�jf\|\|\| d�\|��S�)a� ��Create and add a JWT assertion to the request body. :param private_key: Private key used for signing and encrypting. Must be given as a string. :param subject: (sub) The principal that is the subject of the JWT, i.e. which user is the token requested on behalf of. For example, ``foo@example.com. :param issuer: (iss) The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT. For example, ``your-client@provider.com``. :param audience: (aud) A value identifying the authorization server as an intended audience, e.g. ``https://provider.com/oauth2/token``. :param expires_at: A unix expiration timestamp for the JWT. Defaults to an hour from now, i.e. ``time.time() + 3600``. :param issued_at: A unix timestamp of when the JWT was created. Defaults to now, i.e. ``time.time()``. :param extra_claims: A dict of additional claims to include in the JWT. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param not_before: A unix timestamp after which the JWT may be used. Not included unless provided. :param jwt_id: A unique JWT token identifier. Not included unless provided. * :param kwargs: Extra credentials to include in the token request. Parameters marked with a `` above are not explicit arguments in the function signature, but are specially documented arguments for items appearing in the generic `kwargs` keyworded input. The "scope" parameter may be used, as defined in the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [I-D.ietf-oauth-assertions] specification, to indicate the requested scope. Authentication of the client is optional, as described in `Section 3.2.1`_ of OAuth 2.0 [RFC6749] and consequently, the "client_id" is only needed when a form of client authentication that relies on the parameter is used. The following non-normative example demonstrates an Access Token Request with a JWT as an authorization grant (with extra line breaks for display purposes only): .. code-block: http POST /token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiJ9. eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 r��Nz>An encryption key must be supplied to make JWT token requests.i��)�iss�aud�sub�exp�iat)r��r��r��z)Claim must include %s but none was given.� not_before�nbf�jwt_id�jti�RS256r��include_client_id)�body� assertion�scope)�jwtr �� ValueErrorr��r ��r��int�time�pop�update�encoder��r��r#��r�� grant_type)r��r ��r��r��r �� expires_at� issued_at�extra_claimsr!��r#��r ��r��r$��key�claim�attrr"��r��r��r��prepare_request_body@��sB��X �� z-ServiceApplicationClient.prepare_request_body)NNNN) NNNNNNNr��NF)�__name__� __module__�__qualname__�__doc__r+��r ��r2�� __classcell__r��r��r��r��r��s"��!�r��) r6��r'��oauthlib.commonr�� parametersr��baser��r��r��r��r��r��<module>��s��clients/__pycache__/backend_application.cpython-310.pyc��0000644��00000006637�15030301546�0017101 0��ustar�00��o ��h��@��s0��d�Z�ddlmZ�ddlmZ�G�dd��de�ZdS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��)�prepare_token_request��)�Clientc��@��s"��e�Zd�ZdZdZ ddd�ZdS�) �BackendApplicationClienta��A public client utilizing the client credentials grant workflow. The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner which has been previously arranged with the authorization server (the method of which is beyond the scope of this specification). The client credentials grant type MUST only be used by confidential clients. Since the client authentication is used as the authorization grant, no additional authorization request is needed. �client_credentials��NFc��K��s<��\|�j�\|d<�\|\|d<�\|du�r\|�jn\|}t\|�jf\|\|d�\|��S�)a��Add the client credentials to the request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per `Appendix B`_ in the HTTP request entity-body: :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request as described by `Section 3.3`_. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param kwargs: Extra credentials to include in the token request. The client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The prepared body will include all provided credentials as well as the ``grant_type`` parameter set to ``client_credentials``:: >>> from oauthlib.oauth2 import BackendApplicationClient >>> client = BackendApplicationClient('your_id') >>> client.prepare_request_body(scope=['hello', 'world']) 'grant_type=client_credentials&scope=hello+world' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 � client_id�include_client_idN)�body�scope)r��r��r�� grant_type)�selfr ��r��r ��kwargs��r��f/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/backend_application.py�prepare_request_body!��s�� % ��z-BackendApplicationClient.prepare_request_body)r��NF)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��r��r�� s��r��N)r�� parametersr��baser��r��r��r��r��r��<module>��s��clients/__pycache__/mobile_application.cpython-310.pyc��0000644��00000021733�15030301546�0016753 0��ustar�00��o ��h�"��@��s4��d�Z�ddlmZmZ�ddlmZ�G�dd��de�ZdS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��)�parse_implicit_response�prepare_grant_uri��)�Clientc��@��s,��e�Zd�ZdZdZ ddd�Zd dd�ZdS�) �MobileApplicationClientah��A public client utilizing the implicit code grant workflow. A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a user-agent (e.g. web browser) on the device used by the resource owner. Protocol data and credentials are easily accessible (and often visible) to the resource owner. Since such applications reside within the user-agent, they can make seamless use of the user-agent capabilities when requesting authorization. The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript. As a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server. Unlike the authorization code grant type in which the client makes separate requests for authorization and access token, the client receives the access token as the result of the authorization request. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device. �tokenNc��K��s2��\|du�r\|�j�n\|}t\|\|�j\|�jf\|\|\|d�\|��S�)a� ��Prepare the implicit grant request URI. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: :param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI and it should have been registered with the OAuth provider prior to use. As described in `Section 3.1.2`_. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3`_. These may be any string but are commonly URIs or various categories such as ``videos`` or ``documents``. :param state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param kwargs: Extra arguments to include in the request URI. In addition to supplied parameters, OAuthLib will append the ``client_id`` that was provided in the constructor as well as the mandatory ``response_type`` argument, set to ``token``:: >>> from oauthlib.oauth2 import MobileApplicationClient >>> client = MobileApplicationClient('your_id') >>> client.prepare_request_uri('https://example.com') 'https://example.com?client_id=your_id&response_type=token' >>> client.prepare_request_uri('https://example.com', redirect_uri='https://a.b/callback') 'https://example.com?client_id=your_id&response_type=token&redirect_uri=https%3A%2F%2Fa.b%2Fcallback' >>> client.prepare_request_uri('https://example.com', scope=['profile', 'pictures']) 'https://example.com?client_id=your_id&response_type=token&scope=profile+pictures' >>> client.prepare_request_uri('https://example.com', foo='bar') 'https://example.com?client_id=your_id&response_type=token&foo=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 N)�redirect_uri�state�scope)r ��r�� client_id� response_type)�self�urir��r ��r ��kwargs��r��e/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/mobile_application.py�prepare_request_uri1��s��-��z+MobileApplicationClient.prepare_request_uric��C��s4��\|du�r\|�j�n\|}t\|\|\|d�\|�_\|��\|�j��\|�jS�)a� ��Parse the response URI fragment. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the "application/x-www-form-urlencoded" format: :param uri: The callback URI that resulted from the user being redirected back from the provider to you, the client. :param state: The state provided in the authorization request. :param scope: The scopes provided in the authorization request. :return: Dictionary of token parameters. :raises: OAuth2Error if response is invalid. A successful response should always contain access_token* The access token issued by the authorization server. Often a random string. token_type The type of the token issued as described in `Section 7.1`_. Commonly ``Bearer``. state If you provided the state parameter in the authorization phase, then the provider is required to include that exact state value in the response. While it is not mandated it is recommended that the provider include expires_in The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope Providers may supply this in all responses but are required to only if it has changed since the authorization request. A few example responses can be seen below:: >>> response_uri = 'https://example.com/callback#access_token=sdlfkj452&state=ss345asyht&token_type=Bearer&scope=hello+world' >>> from oauthlib.oauth2 import MobileApplicationClient >>> client = MobileApplicationClient('your_id') >>> client.parse_request_uri_response(response_uri) { 'access_token': 'sdlfkj452', 'token_type': 'Bearer', 'state': 'ss345asyht', 'scope': [u'hello', u'world'] } >>> client.parse_request_uri_response(response_uri, state='other') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/__init__.py", line 598, in parse_request_uri_response scope File "oauthlib/oauth2/rfc6749/parameters.py", line 197, in parse_implicit_response raise ValueError("Mismatching or missing state in params.") ValueError: Mismatching or missing state in params. >>> def alert_scope_changed(message, old, new): ... print(message, old, new) ... >>> oauthlib.signals.scope_changed.connect(alert_scope_changed) >>> client.parse_request_body_response(response_body, scope=['other']) ('Scope has changed from "other" to "hello world".', ['other'], ['hello', 'world']) .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 N)r ��r ��)r ��r��r��populate_token_attributes)r ��r��r ��r ��r��r��r��parse_request_uri_responseb��s��Iz2MobileApplicationClient.parse_request_uri_response)NNN)NN)�__name__� __module__�__qualname__�__doc__r��r��r��r��r��r��r��r�� s�� 1r��N)r�� parametersr��r��baser��r��r��r��r��r��<module>��s��clients/__pycache__/base.cpython-310.pyc��0000644��00000056075�15030301546�0014042 0��ustar�00��o ��hh��@��s��d�Z�ddlZddlZddlZddlZddlZddlZddlmZ�ddl m Z �ddlmZm Z �ddlmZmZmZ�ddlmZ�dZd Zd ZddiZG�d d��d�ZdS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming OAuth 2.0 RFC6749. ��N)�generate_token)�tokens)�InsecureTransportError�TokenExpiredError)�parse_token_response�prepare_token_request� prepare_token_revocation_request)�is_secure_transport�auth_header�query�bodyzContent-Typez!application/x-www-form-urlencodedc��@��s��e�Zd�ZdZdZedddddddddedddfdd�Zedd��Z d d ��Z dd��Zd d��Z d.dd�Z d/dd�Z d0dd�Z d1dd�Z d2dd�Zd3dd�Zd4dd�Z d.d d!�Zd"d#��Zd3d$d%�Zdddedfd&d'�Zd(d)��Zdd+��Zd,d-��ZdS�)5�Clienta��Base OAuth2 client responsible for access token management. This class also acts as a generic interface providing methods common to all client types such as ``prepare_authorization_request`` and ``prepare_token_revocation_request``. The ``prepare_x_request`` methods are the recommended way of interacting with clients (as opposed to the abstract prepare uri/body/etc methods). They are recommended over the older set because they are easier to use (more consistent) and add a few additional security checks, such as HTTPS and state checking. Some of these methods require further implementation only provided by the specific purpose clients such as :py:class:`oauthlib.oauth2.MobileApplicationClient` and thus you should always seek to use the client class matching the OAuth workflow you need. For Python, this is usually :py:class:`oauthlib.oauth2.WebApplicationClient`. � refresh_token�BearerNc��K��s��\|\|�_�\|\|�_\|\|�_\|\|�_\|\|�_\|\|�_\|\|�_\|pi�\|�_\| \|�_\|\|�_ \| \|�_ \|\|�_\| \|�_\|\|�_ \|\|�_d\|�_d\|�_d\|�_\|��\|�j��dS�)ae��Initialize a client with commonly used attributes. :param client_id: Client identifier given by the OAuth provider upon registration. :param default_token_placement: Tokens can be supplied in the Authorization header (default), the URL query component (``query``) or the request body (``body``). :param token_type: OAuth 2 token type. Defaults to Bearer. Change this if you specify the ``access_token`` parameter and know it is of a different token type, such as a MAC, JWT or SAML token. Can also be supplied as ``token_type`` inside the ``token`` dict parameter. :param access_token: An access token (string) used to authenticate requests to protected resources. Can also be supplied inside the ``token`` dict parameter. :param refresh_token: A refresh token (string) used to refresh expired tokens. Can also be supplied inside the ``token`` dict parameter. :param mac_key: Encryption key used with MAC tokens. :param mac_algorithm: Hashing algorithm for MAC tokens. :param token: A dict of token attributes such as ``access_token``, ``token_type`` and ``expires_at``. :param scope: A list of default scopes to request authorization for. :param state: A CSRF protection string used during authorization. :param redirect_url: The redirection endpoint on the client side to which the user returns after authorization. :param state_generator: A no argument state generation callable. Defaults to :py:meth:`oauthlib.common.generate_token`. :param code_verifier: PKCE parameter. A cryptographically random string that is used to correlate the authorization request to the token request. :param code_challenge: PKCE parameter. A challenge derived from the code verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: PKCE parameter. A method that was used to derive code challenge. Defaults to "plain" if not present in the request. N)� client_id�default_token_placement� token_type�access_tokenr��mac_key� mac_algorithm�token�scope�state_generator�state�redirect_url� code_verifier�code_challenge�code_challenge_method�code� expires_in�_expires_at�populate_token_attributes)�selfr��r��r��r��r��r��r��r��r��r��r��r��r��r��r��kwargs��r$��W/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/base.py�__init__8��s&��@ zClient.__init__c��C��s��\|�j�\|�jd�S�)aO��Supported token types and their respective methods Additional tokens can be supported by extending this dictionary. The Bearer token spec is stable and safe to use. The MAC token spec is not yet stable and support for MAC tokens is experimental and currently matching version 00 of the spec. )r��MAC)�_add_bearer_token�_add_mac_token)r"��r$��r$��r%��token_types��s��zClient.token_typesc��O��t�d��)z,Abstract method used to create request URIs.�Must be implemented by inheriting classes.��NotImplementedError�r"��argsr#��r$��r$��r%��prepare_request_uri��zClient.prepare_request_uric��O��r+��)z.Abstract method used to create request bodies.r,��r-��r/��r$��r$��r%��prepare_request_body��r2��zClient.prepare_request_bodyc��O��r+��)z4Abstract method used to parse redirection responses.r,��r-��r/��r$��r$��r%��parse_request_uri_response��r2��z!Client.parse_request_uri_response�GETc��K��s��t�\|�st��\|p\|�j}dd��\|�j��D��}\|�j��\|vr$td\|�j��\|�js1\|�j � d�s1td��\|�jr>\|�jt��k�r>t ��\|\|�j��\|\|\|\|\|fi�\|��S�)ac��Add token to the request uri, body or authorization header. The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). The client MUST NOT use an access token if it does not understand the token type. For example, the "bearer" token type defined in [`I-D.ietf-oauth-v2-bearer`_] is utilized by simply including the access token string in the request: .. code-block:: http GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer mF_9.B5f-4.1JqM while the "mac" token type defined in [`I-D.ietf-oauth-v2-http-mac`_] is utilized by issuing a MAC key together with the access token which is used to sign certain components of the HTTP requests: .. code-block:: http GET /resource/1 HTTP/1.1 Host: example.com Authorization: MAC id="h480djs93hd8", nonce="274312:dj83hs9s", mac="kDZvddkndxvhGRXZhvuDjEWhGeE=" .. _`I-D.ietf-oauth-v2-bearer`: https://tools.ietf.org/html/rfc6749#section-12.2 .. _`I-D.ietf-oauth-v2-http-mac`: https://tools.ietf.org/html/rfc6749#section-12.2 c��S��s��i�\|�] \}}\|��\|�qS�r$��)�lower)�.0�k�vr$��r$��r%�� <dictcomp>��s��z$Client.add_token.<locals>.<dictcomp>zUnsupported token type: %sr��zMissing access token.)r ��r��r��r��itemsr��r6�� ValueErrorr��r��getr ��timer��)r"��uri�http_methodr��headers�token_placementr#��case_insensitive_token_typesr$��r$��r%�� add_token��s"��# ��zClient.add_tokenc��K��sb��t�\|�st��\|p\|��\|�_\|p\|�j\|�_\|du�r\|�jn\|}\|�j\|f\|�j\|\|�jd�\|��}\|tdfS�)ae��Prepare the authorization request. This is the first step in many OAuth flows in which the user is redirected to a certain authorization URL. This method adds required parameters to the authorization URL. :param authorization_url: Provider authorization endpoint URL. :param state: CSRF protection string. Will be automatically created if not provided. The generated state is available via the ``state`` attribute. Clients should verify that the state is unchanged and present in the authorization response. This verification is done automatically if using the ``authorization_response`` parameter with ``prepare_token_request``. :param redirect_url: Redirect URL to which the user will be returned after authorization. Must be provided unless previously setup with the provider. If provided then it must also be provided in the token request. :param scope: List of scopes to request. Must be equal to or a subset of the scopes granted when obtaining the refresh token. If none is provided, the ones provided in the constructor are used. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). N)�redirect_urir��r��)r ��r��r��r��r��r��r1��FORM_ENC_HEADERS)r"��authorization_urlr��r��r��r#��auth_urlr$��r$��r%��prepare_authorization_request��s�� z$Client.prepare_authorization_requestrF��c��K��sX��t�\|�st��\|p\|�j}\|r\|�j\|\|d��\|p\|�j\|�_\|�jd\|\|�jd�\|��}\|t\|fS�)a��Prepare a token creation request. Note that these requests usually require client authentication, either by including client_id or a set of provider specific authentication credentials. :param token_url: Provider token creation endpoint URL. :param authorization_response: The full redirection URL string, i.e. the location to which the user was redirected after successful authorization. Used to mine credentials needed to obtain a token in this step, such as authorization code. :param redirect_url: The redirect_url supplied with the authorization request (if there was one). :param state: :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). )r��)r��rE��Nr$��)r ��r��r��r4��r��r3��rG��)r"�� token_url�authorization_responser��r��r��r#��r$��r$��r%��r��s�� zClient.prepare_token_requestc��K��sB��t�\|�st��\|du�r\|�jn\|}\|�jd\|\|\|d�\|��}\|t\|fS�)a��Prepare an access token refresh request. Expired access tokens can be replaced by new access tokens without going through the OAuth dance if the client obtained a refresh token. This refresh token and authentication credentials can be used to obtain a new access token, and possibly a new refresh token. :param token_url: Provider token refresh endpoint URL. :param refresh_token: Refresh token string. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: List of scopes to request. Must be equal to or a subset of the scopes granted when obtaining the refresh token. If none is provided, the ones provided in the constructor are used. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). N)r��r��r��r$��)r ��r��r��prepare_refresh_bodyrG��)r"��rK��r��r��r��r#��r$��r$��r%��prepare_refresh_token_request&��s�� z$Client.prepare_refresh_token_requestr��c��K��s(��t�\|�st��t\|\|f\|\|\|d�\|��S�)aU��Prepare a token revocation request. :param revocation_url: Provider token revocation endpoint URL. :param token: The access or refresh token to be revoked (string). :param token_type_hint: ``"access_token"`` (default) or ``"refresh_token"``. This is optional and if you wish to not pass it you must provide ``token_type_hint=None``. :param body: :param callback: A jsonp callback such as ``package.callback`` to be invoked upon receiving the response. Not that it should not include a () suffix. :param kwargs: Additional parameters to included in the request. :returns: The prepared request tuple with (url, headers, body). Note that JSONP request may use GET requests as the parameters will be added to the request URL query as opposed to the request body. An example of a revocation request .. code-block:: http POST /revoke HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token An example of a jsonp revocation request .. code-block:: http GET /revoke?token=agabcdefddddafdd&callback=package.myCallback HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW and an error response .. code-block:: javascript package.myCallback({"error":"unsupported_token_type"}); Note that these requests usually require client credentials, client_id in the case for public clients and provider specific authentication credentials for confidential clients. )�token_type_hintr��callback)r ��r��r��)r"��revocation_urlr��rO��r��rP��r#��r$��r$��r%��r��C��s��0��z'Client.prepare_token_revocation_requestc��K��s2��\|du�r\|�j�n\|}t\|\|d�\|�_\|��\|�j��\|�jS�)a��Parse the JSON response body. If the access token request is valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. :param body: The response body from the token request. :param scope: Scopes originally requested. If none is provided, the ones provided in the constructor are used. :return: Dictionary of token parameters. :raises: Warning if scope has changed. :py:class:`oauthlib.oauth2.errors.OAuth2Error` if response is invalid. These response are json encoded and could easily be parsed without the assistance of OAuthLib. However, there are a few subtle issues to be aware of regarding the response which are helpfully addressed through the raising of various errors. A successful response should always contain access_token* The access token issued by the authorization server. Often a random string. token_type The type of the token issued as described in `Section 7.1`_. Commonly ``Bearer``. While it is not mandated it is recommended that the provider include expires_in The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope Providers may supply this in all responses but are required to only if it has changed since the authorization request. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 N)r��)r��r��r��r!��)r"��r��r��r#��r$��r$��r%��parse_request_body_responsez��s��0z"Client.parse_request_body_responsec��K��s6��\|p\|�j�}\|du�r\|�jn\|}t\|�jf\|\|\|d�\|��S�)aO��Prepare an access token request, using a refresh token. If the authorization server issued a refresh token to the client, the client makes a refresh request to the token endpoint by adding the following parameters using the `application/x-www-form-urlencoded` format in the HTTP request entity-body: :param refresh_token: REQUIRED. The refresh token issued to the client. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3. The requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner. Note that if none is provided, the ones provided in the constructor are used if any. N)r��r��r��)r��r��r��refresh_token_key)r"��r��r��r��r#��r$��r$��r%��rM��s�� zClient.prepare_refresh_bodyc��C��sZ��\|t�krt�\|�j\|�}n\|tkrt�\|�j\|�}n\|tkr$t�\|�j\|�}ntd��\|\|\|fS�)zDAdd a bearer token to the request uri, body or authorization header.�Invalid token placement.) �AUTH_HEADERr��prepare_bearer_headersr�� URI_QUERY�prepare_bearer_uri�BODY�prepare_bearer_bodyr<��)r"��r?��r@��r��rA��rB��r$��r$��r%��r(��s�� zClient._add_bearer_tokenc��C��sV��d}\|dks t�d��\|dkst�d��t�d�}t�\|�}t�\|\|�s&t�d��\|\|�_\|S�)a��Create PKCE code_verifier used in computing code_challenge. See `RFC7636 Section 4.1`_ :param length: REQUIRED. The length of the code_verifier. The client first creates a code verifier, "code_verifier", for each OAuth 2.0 [RFC6749] Authorization Request, in the following manner: .. code-block:: text code_verifier = high-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" from Section 2.3 of [RFC3986], with a minimum length of 43 characters and a maximum length of 128 characters. .. _`RFC7636 Section 4.1`: https://tools.ietf.org/html/rfc7636#section-4.1 N�+��zLength must be greater than or equal to 43��z(Length must be less than or equal to 128z^[A-Zaa-z0-9-._~]z)code_verifier contains invalid characters)r<��re�compile�secrets� token_urlsafe�searchr��)r"��lengthr��allowed_charactersr$��r$��r%��create_code_verifier��s�� zClient.create_code_verifierc��C��s��d}\|dkr t�d��\|dkrd}\|\|�_\|}\|\|�_\|dkrFt��}\|�\|jdd��\|��}t� t �\|��}\|�dd��d d ��dd�}\|\|�_\|S�) aZ��Create PKCE code_challenge* derived from the code_verifier. See `RFC7636 Section 4.2`_ :param code_verifier: REQUIRED. The code_verifier generated from `create_code_verifier()`. :param code_challenge_method: OPTIONAL. The method used to derive the code_challenge. Acceptable values include `S256`. DEFAULT is `plain`. The client then creates a code challenge derived from the code verifier by using one of the following transformations on the code verifier:: plain code_challenge = code_verifier S256 code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) If the client is capable of using `S256`, it MUST use `S256`, as `S256` is Mandatory To Implement (MTI) on the server. Clients are permitted to use `plain` only if they cannot support `S256` for some technical reason and know via out-of-band configuration that the server supports `plain`. The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation. .. _`RFC7636 Section 4.2`: https://tools.ietf.org/html/rfc7636#section-4.2 NzInvalid code_verifier�plain�S256�ascii)�encoding�+�-�/�_�=rF��) r<��r��r��hashlib�sha256�update�encode�digest�bytes�decode�base64�urlsafe_b64encode�replace)r"��r��r��r��h� sha256_valr$��r$��r%��create_code_challenge��s ��zClient.create_code_challengec��K��sB��\|t�krtd��tj\|�j\|\|�j\|f\|\|\|\|�jd�\|��}\|\|\|fS�)z�Add a MAC token to the request authorization header. Warning: MAC token support is experimental as the spec is not yet stable. rT��)rA��r��ext�hash_algorithm)rU��r<��r��prepare_mac_headerr��r��r��)r"��r?��r@��r��rA��rB��r{��r#��r$��r$��r%��r)��)��s�� zClient._add_mac_tokenc��C��s��t��dt��\|��\|�S�)Nz=Please switch to the public method populate_token_attributes.)�warnings�warn�DeprecationWarningr!��r"��responser$��r$��r%��_populate_attributes7��s�� zClient._populate_attributesc��C��s��d\|v�r\|��d�\|�_dS�dS�)z2Add attributes from an auth code response to self.r��N)r=��r��r��r$��r$��r%��populate_code_attributes<��s��zClient.populate_code_attributesc��C��s��d\|v�r \|��d�\|�_d\|v�r\|��d�\|�_d\|v�r\|��d�\|�_d\|v�r2\|��d�\|�_t��t\|�j��\|�_d\|v�rHz t\|��d��\|�_W�n��d\|�_Y�d\|v�rR\|��d�\|�_d\|v�r^\|��d�\|�_ dS�dS�) z6Add attributes from a token exchange response to self.r��r��r��r�� expires_atNr��r��) r=��r��r��r��r��r>��intr ��r��r��r��r$��r$��r%��r!��B��s&��z Client.populate_token_attributes)r5��NNN)NNN)NNNrF��)NrF��N)r��rF��N)N)rF��NN)�__name__� __module__�__qualname__�__doc__rS��rU��r��r&��propertyr��r1��r3��r4��rD��rJ��r��rN��r��rR��rM��r(��rd��rz��r)��r��r��r!��r$��r$��r$��r%��r ��$��sd�� T �6 �& �" � � 7 5 � $1 �r ��)r��ru��rn��r]��r_��r>��r~��oauthlib.commonr��oauthlib.oauth2.rfc6749r��oauthlib.oauth2.rfc6749.errorsr��r��"oauthlib.oauth2.rfc6749.parametersr��r��r��oauthlib.oauth2.rfc6749.utilsr ��rU��rW��rY��rG��r ��r$��r$��r$��r%��<module>��s$��clients/__pycache__/legacy_application.cpython-310.pyc��0000644��00000010430�15030301546�0016740 0��ustar�00��o ��h��@��s0��d�Z�ddlmZ�ddlmZ�G�dd��de�ZdS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��)�prepare_token_request��)�Clientc��s2��e�Zd�ZdZdZ��fdd�Z d dd �Z��ZS�)�LegacyApplicationClienta��A public client using the resource owner password and username directly. The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable. The grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token. The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained. �passwordc��s��t��j\|fi�\|��d�S�)N)�super�__init__)�self� client_id�kwargs�� __class__��e/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/legacy_application.pyr��&��s��z LegacyApplicationClient.__init__��NFc��K��s@��\|�j�\|d<�\|\|d<�\|du�r\|�jn\|}t\|�jf\|\|\|\|d�\|��S�)a0��Add the resource owner password and username to the request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per `Appendix B`_ in the HTTP request entity-body: :param username: The resource owner username. :param password: The resource owner password. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request as described by `Section 3.3`_. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param kwargs: Extra credentials to include in the token request. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The prepared body will include all provided credentials as well as the ``grant_type`` parameter set to ``password``:: >>> from oauthlib.oauth2 import LegacyApplicationClient >>> client = LegacyApplicationClient('your_id') >>> client.prepare_request_body(username='foo', password='bar', scope=['hello', 'world']) 'grant_type=password&username=foo&scope=hello+world&password=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 r ��include_client_idN)�body�usernamer��scope)r ��r��r�� grant_type)r ��r��r��r��r��r��r��r��r��r��prepare_request_body)��s�� '��z,LegacyApplicationClient.prepare_request_body)r��NF)�__name__� __module__�__qualname__�__doc__r��r��r�� __classcell__r��r��r��r��r�� s��r��N)r�� parametersr��baser��r��r��r��r��r��<module>��s��clients/__pycache__/web_application.cpython-310.pyc��0000644��00000027510�15030301546�0016260 0��ustar�00��o ��h8/��@��s@��d�Z�ddlZddlmZmZmZ�ddlmZ�G�dd��de�ZdS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N��)�!parse_authorization_code_response�prepare_grant_uri�prepare_token_request��)�Clientc��sL��e�Zd�ZdZdZd��fdd� Z ddd�Z ddd�Zdd d�Z��Z S�)�WebApplicationClienta>��A client utilizing the authorization code grant workflow. A web application is a confidential client running on a web server. Resource owners access the client via an HTML user interface rendered in a user-agent on the device used by the resource owner. The client credentials as well as any access token issued to the client are stored on the web server and are not exposed to or accessible by the resource owner. The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server. �authorization_codeNc��s��t��j\|fi�\|��\|\|�_d�S��N)�super�__init__�code)�self� client_idr ��kwargs�� __class__��b/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/clients/web_application.pyr��'��s�� zWebApplicationClient.__init__�plainc��K��s4��\|du�r\|�j�n\|}t\|\|�jdf\|\|\|\|\|d�\|��S�)a� ��Prepare the authorization code request URI The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: :param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI and it should have been registered with the OAuth provider prior to use. As described in `Section 3.1.2`_. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3`_. These may be any string but are commonly URIs or various categories such as ``videos`` or ``documents``. :param state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param code_challenge: OPTIONAL. PKCE parameter. REQUIRED if PKCE is enforced. A challenge derived from the code_verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: OPTIONAL. PKCE parameter. A method that was used to derive code challenge. Defaults to "plain" if not present in the request. :param kwargs: Extra arguments to include in the request URI. In addition to supplied parameters, OAuthLib will append the ``client_id`` that was provided in the constructor as well as the mandatory ``response_type`` argument, set to ``code``:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> client.prepare_request_uri('https://example.com') 'https://example.com?client_id=your_id&response_type=code' >>> client.prepare_request_uri('https://example.com', redirect_uri='https://a.b/callback') 'https://example.com?client_id=your_id&response_type=code&redirect_uri=https%3A%2F%2Fa.b%2Fcallback' >>> client.prepare_request_uri('https://example.com', scope=['profile', 'pictures']) 'https://example.com?client_id=your_id&response_type=code&scope=profile+pictures' >>> client.prepare_request_uri('https://example.com', code_challenge='kjasBS523KdkAILD2k78NdcJSk2k3KHG6') 'https://example.com?client_id=your_id&response_type=code&code_challenge=kjasBS523KdkAILD2k78NdcJSk2k3KHG6' >>> client.prepare_request_uri('https://example.com', code_challenge_method='S256') 'https://example.com?client_id=your_id&response_type=code&code_challenge_method=S256' >>> client.prepare_request_uri('https://example.com', foo='bar') 'https://example.com?client_id=your_id&response_type=code&foo=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 Nr ��)�redirect_uri�scope�state�code_challenge�code_challenge_method)r��r��r��)r��urir��r��r��r��r��r��r��r��r��prepare_request_uri+��s��8��z(WebApplicationClient.prepare_request_uri��Tc��K��sb��\|p\|�j�}d\|v�rt�dt��\|d�\|�jkrtd��\|�j\|d<�\|\|d<�t\|�jf\|\|\|\|d�\|��S�)a��Prepare the access token request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body: :param code: REQUIRED. The authorization code received from the authorization server. :param redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in `Section 4.1.1`_, and their values MUST be identical. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param include_client_id: `True` (default) to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. :type include_client_id: Boolean :param code_verifier: OPTIONAL. A cryptographically random string that is used to correlate the authorization request to the token request. :param kwargs: Extra parameters to include in the token request. In addition OAuthLib will add the ``grant_type`` parameter set to ``authorization_code``. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> client.prepare_request_body(code='sh35ksdf09sf') 'grant_type=authorization_code&code=sh35ksdf09sf' >>> client.prepare_request_body(code_verifier='KB46DCKJ873NCGXK5GD682NHDKK34GR') 'grant_type=authorization_code&code_verifier=KB46DCKJ873NCGXK5GD682NHDKK34GR' >>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar') 'grant_type=authorization_code&code=sh35ksdf09sf&foo=bar' `Section 3.2.1` also states: In the "authorization_code" "grant_type" request to the token endpoint, an unauthenticated client MUST send its "client_id" to prevent itself from inadvertently accepting a code intended for a client with a different "client_id". This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.) .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 r��z�`client_id` has been deprecated in favor of `include_client_id`, a boolean value which will include the already configured `self.client_id`.zO`client_id` was supplied as an argument, but it does not match `self.client_id`�include_client_id)r ��bodyr�� code_verifier)r ��warnings�warn�DeprecationWarningr�� ValueErrorr�� grant_type)r��r ��r��r��r��r ��r��r��r��r��prepare_request_bodyh��s�� 9� ��z)WebApplicationClient.prepare_request_bodyc��C��s��t�\|\|d�}\|��\|��\|S�)aa ��Parse the URI query for code and state. If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format: :param uri: The callback URI that resulted from the user being redirected back from the provider to you, the client. :param state: The state provided in the authorization request. code* The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. state If the "state" parameter was present in the authorization request. This method is mainly intended to enforce strict state checking with the added benefit of easily extracting parameters from the URI:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> uri = 'https://example.com/callback?code=sdfkjh345&state=sfetw45' >>> client.parse_request_uri_response(uri, state='sfetw45') {'state': 'sfetw45', 'code': 'sdfkjh345'} >>> client.parse_request_uri_response(uri, state='other') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/__init__.py", line 357, in parse_request_uri_response back from the provider to you, the client. File "oauthlib/oauth2/rfc6749/parameters.py", line 153, in parse_authorization_code_response raise MismatchingStateError() oauthlib.oauth2.rfc6749.errors.MismatchingStateError )r��)r��populate_code_attributes)r��r��r��responser��r��r��parse_request_uri_response��s��, z/WebApplicationClient.parse_request_uri_responser ��)NNNNr��)NNr��TN) �__name__� __module__�__qualname__�__doc__r%��r��r��r&��r)�� __classcell__r��r��r��r��r��s�� = �Hr��) r-��r!�� parametersr��r��r��baser��r��r��r��r��r��<module>��s ��clients/legacy_application.py��0000644��00000007700�15030301546�0012407 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ from ..parameters import prepare_token_request from .base import Client class LegacyApplicationClient(Client): """A public client using the resource owner password and username directly. The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type, and only allow it when other flows are not viable. The grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token. The method through which the client obtains the resource owner credentials is beyond the scope of this specification. The client MUST discard the credentials once an access token has been obtained. """ grant_type = 'password' def __init__(self, client_id, kwargs): super().__init__(client_id, kwargs) def prepare_request_body(self, username, password, body='', scope=None, include_client_id=False, kwargs): """Add the resource owner password and username to the request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per `Appendix B`_ in the HTTP request entity-body: :param username: The resource owner username. :param password: The resource owner password. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request as described by `Section 3.3`_. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param kwargs: Extra credentials to include in the token request. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The prepared body will include all provided credentials as well as the ``grant_type`` parameter set to ``password``:: >>> from oauthlib.oauth2 import LegacyApplicationClient >>> client = LegacyApplicationClient('your_id') >>> client.prepare_request_body(username='foo', password='bar', scope=['hello', 'world']) 'grant_type=password&username=foo&scope=hello+world&password=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 """ kwargs['client_id'] = self.client_id kwargs['include_client_id'] = include_client_id scope = self.scope if scope is None else scope return prepare_token_request(self.grant_type, body=body, username=username, password=password, scope=scope, kwargs) ��clients/mobile_application.py��0000644��00000021256�15030301546�0012414 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ from ..parameters import parse_implicit_response, prepare_grant_uri from .base import Client class MobileApplicationClient(Client): """A public client utilizing the implicit code grant workflow. A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a user-agent (e.g. web browser) on the device used by the resource owner. Protocol data and credentials are easily accessible (and often visible) to the resource owner. Since such applications reside within the user-agent, they can make seamless use of the user-agent capabilities when requesting authorization. The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript. As a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server. Unlike the authorization code grant type in which the client makes separate requests for authorization and access token, the client receives the access token as the result of the authorization request. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device. """ response_type = 'token' def prepare_request_uri(self, uri, redirect_uri=None, scope=None, state=None, kwargs): """Prepare the implicit grant request URI. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: :param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI and it should have been registered with the OAuth provider prior to use. As described in `Section 3.1.2`_. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3`_. These may be any string but are commonly URIs or various categories such as ``videos`` or ``documents``. :param state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param kwargs: Extra arguments to include in the request URI. In addition to supplied parameters, OAuthLib will append the ``client_id`` that was provided in the constructor as well as the mandatory ``response_type`` argument, set to ``token``:: >>> from oauthlib.oauth2 import MobileApplicationClient >>> client = MobileApplicationClient('your_id') >>> client.prepare_request_uri('https://example.com') 'https://example.com?client_id=your_id&response_type=token' >>> client.prepare_request_uri('https://example.com', redirect_uri='https://a.b/callback') 'https://example.com?client_id=your_id&response_type=token&redirect_uri=https%3A%2F%2Fa.b%2Fcallback' >>> client.prepare_request_uri('https://example.com', scope=['profile', 'pictures']) 'https://example.com?client_id=your_id&response_type=token&scope=profile+pictures' >>> client.prepare_request_uri('https://example.com', foo='bar') 'https://example.com?client_id=your_id&response_type=token&foo=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 """ scope = self.scope if scope is None else scope return prepare_grant_uri(uri, self.client_id, self.response_type, redirect_uri=redirect_uri, state=state, scope=scope, kwargs) def parse_request_uri_response(self, uri, state=None, scope=None): """Parse the response URI fragment. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the "application/x-www-form-urlencoded" format: :param uri: The callback URI that resulted from the user being redirected back from the provider to you, the client. :param state: The state provided in the authorization request. :param scope: The scopes provided in the authorization request. :return: Dictionary of token parameters. :raises: OAuth2Error if response is invalid. A successful response should always contain access_token The access token issued by the authorization server. Often a random string. token_type The type of the token issued as described in `Section 7.1`_. Commonly ``Bearer``. state If you provided the state parameter in the authorization phase, then the provider is required to include that exact state value in the response. While it is not mandated it is recommended that the provider include expires_in The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope Providers may supply this in all responses but are required to only if it has changed since the authorization request. A few example responses can be seen below:: >>> response_uri = 'https://example.com/callback#access_token=sdlfkj452&state=ss345asyht&token_type=Bearer&scope=hello+world' >>> from oauthlib.oauth2 import MobileApplicationClient >>> client = MobileApplicationClient('your_id') >>> client.parse_request_uri_response(response_uri) { 'access_token': 'sdlfkj452', 'token_type': 'Bearer', 'state': 'ss345asyht', 'scope': [u'hello', u'world'] } >>> client.parse_request_uri_response(response_uri, state='other') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/__init__.py", line 598, in parse_request_uri_response scope File "oauthlib/oauth2/rfc6749/parameters.py", line 197, in parse_implicit_response raise ValueError("Mismatching or missing state in params.") ValueError: Mismatching or missing state in params. >>> def alert_scope_changed(message, old, new): ... print(message, old, new) ... >>> oauthlib.signals.scope_changed.connect(alert_scope_changed) >>> client.parse_request_body_response(response_body, scope=['other']) ('Scope has changed from "other" to "hello world".', ['other'], ['hello', 'world']) .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 """ scope = self.scope if scope is None else scope self.token = parse_implicit_response(uri, state=state, scope=scope) self.populate_token_attributes(self.token) return self.token ��clients/backend_application.py��0000644��00000006230�15030301546�0012527 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ from ..parameters import prepare_token_request from .base import Client class BackendApplicationClient(Client): """A public client utilizing the client credentials grant workflow. The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner which has been previously arranged with the authorization server (the method of which is beyond the scope of this specification). The client credentials grant type MUST only be used by confidential clients. Since the client authentication is used as the authorization grant, no additional authorization request is needed. """ grant_type = 'client_credentials' def prepare_request_body(self, body='', scope=None, include_client_id=False, kwargs): """Add the client credentials to the request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per `Appendix B`_ in the HTTP request entity-body: :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request as described by `Section 3.3`_. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param kwargs: Extra credentials to include in the token request. The client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The prepared body will include all provided credentials as well as the ``grant_type`` parameter set to ``client_credentials``:: >>> from oauthlib.oauth2 import BackendApplicationClient >>> client = BackendApplicationClient('your_id') >>> client.prepare_request_body(scope=['hello', 'world']) 'grant_type=client_credentials&scope=hello+world' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 """ kwargs['client_id'] = self.client_id kwargs['include_client_id'] = include_client_id scope = self.scope if scope is None else scope return prepare_token_request(self.grant_type, body=body, scope=scope, kwargs) ��clients/web_application.py��0000644��00000027470�15030301546�0011726 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import warnings from ..parameters import ( parse_authorization_code_response, prepare_grant_uri, prepare_token_request, ) from .base import Client class WebApplicationClient(Client): """A client utilizing the authorization code grant workflow. A web application is a confidential client running on a web server. Resource owners access the client via an HTML user interface rendered in a user-agent on the device used by the resource owner. The client credentials as well as any access token issued to the client are stored on the web server and are not exposed to or accessible by the resource owner. The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server. """ grant_type = 'authorization_code' def __init__(self, client_id, code=None, kwargs): super().__init__(client_id, kwargs) self.code = code def prepare_request_uri(self, uri, redirect_uri=None, scope=None, state=None, code_challenge=None, code_challenge_method='plain', kwargs): """Prepare the authorization code request URI The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: :param redirect_uri: OPTIONAL. The redirect URI must be an absolute URI and it should have been registered with the OAuth provider prior to use. As described in `Section 3.1.2`_. :param scope: OPTIONAL. The scope of the access request as described by Section 3.3`_. These may be any string but are commonly URIs or various categories such as ``videos`` or ``documents``. :param state: RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param code_challenge: OPTIONAL. PKCE parameter. REQUIRED if PKCE is enforced. A challenge derived from the code_verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: OPTIONAL. PKCE parameter. A method that was used to derive code challenge. Defaults to "plain" if not present in the request. :param kwargs: Extra arguments to include in the request URI. In addition to supplied parameters, OAuthLib will append the ``client_id`` that was provided in the constructor as well as the mandatory ``response_type`` argument, set to ``code``:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> client.prepare_request_uri('https://example.com') 'https://example.com?client_id=your_id&response_type=code' >>> client.prepare_request_uri('https://example.com', redirect_uri='https://a.b/callback') 'https://example.com?client_id=your_id&response_type=code&redirect_uri=https%3A%2F%2Fa.b%2Fcallback' >>> client.prepare_request_uri('https://example.com', scope=['profile', 'pictures']) 'https://example.com?client_id=your_id&response_type=code&scope=profile+pictures' >>> client.prepare_request_uri('https://example.com', code_challenge='kjasBS523KdkAILD2k78NdcJSk2k3KHG6') 'https://example.com?client_id=your_id&response_type=code&code_challenge=kjasBS523KdkAILD2k78NdcJSk2k3KHG6' >>> client.prepare_request_uri('https://example.com', code_challenge_method='S256') 'https://example.com?client_id=your_id&response_type=code&code_challenge_method=S256' >>> client.prepare_request_uri('https://example.com', foo='bar') 'https://example.com?client_id=your_id&response_type=code&foo=bar' .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 """ scope = self.scope if scope is None else scope return prepare_grant_uri(uri, self.client_id, 'code', redirect_uri=redirect_uri, scope=scope, state=state, code_challenge=code_challenge, code_challenge_method=code_challenge_method, kwargs) def prepare_request_body(self, code=None, redirect_uri=None, body='', include_client_id=True, code_verifier=None, kwargs): """Prepare the access token request body. The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body: :param code: REQUIRED. The authorization code received from the authorization server. :param redirect_uri: REQUIRED, if the "redirect_uri" parameter was included in the authorization request as described in `Section 4.1.1`_, and their values MUST be identical. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param include_client_id: `True` (default) to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. :type include_client_id: Boolean :param code_verifier: OPTIONAL. A cryptographically random string that is used to correlate the authorization request to the token request. :param kwargs: Extra parameters to include in the token request. In addition OAuthLib will add the ``grant_type`` parameter set to ``authorization_code``. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> client.prepare_request_body(code='sh35ksdf09sf') 'grant_type=authorization_code&code=sh35ksdf09sf' >>> client.prepare_request_body(code_verifier='KB46DCKJ873NCGXK5GD682NHDKK34GR') 'grant_type=authorization_code&code_verifier=KB46DCKJ873NCGXK5GD682NHDKK34GR' >>> client.prepare_request_body(code='sh35ksdf09sf', foo='bar') 'grant_type=authorization_code&code=sh35ksdf09sf&foo=bar' `Section 3.2.1` also states: In the "authorization_code" "grant_type" request to the token endpoint, an unauthenticated client MUST send its "client_id" to prevent itself from inadvertently accepting a code intended for a client with a different "client_id". This protects the client from substitution of the authentication code. (It provides no additional security for the protected resource.) .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 """ code = code or self.code if 'client_id' in kwargs: warnings.warn("`client_id` has been deprecated in favor of " "`include_client_id`, a boolean value which will " "include the already configured `self.client_id`.", DeprecationWarning) if kwargs['client_id'] != self.client_id: raise ValueError("`client_id` was supplied as an argument, but " "it does not match `self.client_id`") kwargs['client_id'] = self.client_id kwargs['include_client_id'] = include_client_id return prepare_token_request(self.grant_type, code=code, body=body, redirect_uri=redirect_uri, code_verifier=code_verifier, kwargs) def parse_request_uri_response(self, uri, state=None): """Parse the URI query for code and state. If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format: :param uri: The callback URI that resulted from the user being redirected back from the provider to you, the client. :param state: The state provided in the authorization request. code The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. state If the "state" parameter was present in the authorization request. This method is mainly intended to enforce strict state checking with the added benefit of easily extracting parameters from the URI:: >>> from oauthlib.oauth2 import WebApplicationClient >>> client = WebApplicationClient('your_id') >>> uri = 'https://example.com/callback?code=sdfkjh345&state=sfetw45' >>> client.parse_request_uri_response(uri, state='sfetw45') {'state': 'sfetw45', 'code': 'sdfkjh345'} >>> client.parse_request_uri_response(uri, state='other') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/__init__.py", line 357, in parse_request_uri_response back from the provider to you, the client. File "oauthlib/oauth2/rfc6749/parameters.py", line 153, in parse_authorization_code_response raise MismatchingStateError() oauthlib.oauth2.rfc6749.errors.MismatchingStateError """ response = parse_authorization_code_response(uri, state=state) self.populate_code_attributes(response) return response ��clients/service_application.py��0000644��00000017204�15030301546�0012603 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import time from oauthlib.common import to_unicode from ..parameters import prepare_token_request from .base import Client class ServiceApplicationClient(Client): """A public client utilizing the JWT bearer grant. JWT bearer tokes can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of (and digital signature or keyed message digest calculated over) the JWT, without a direct user approval step at the authorization server. This grant type does not involve an authorization step. It may be used by both public and confidential clients. """ grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer' def __init__(self, client_id, private_key=None, subject=None, issuer=None, audience=None, kwargs): """Initialize a JWT client with defaults for implicit use later. :param client_id: Client identifier given by the OAuth provider upon registration. :param private_key: Private key used for signing and encrypting. Must be given as a string. :param subject: The principal that is the subject of the JWT, i.e. which user is the token requested on behalf of. For example, ``foo@example.com. :param issuer: The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT. For example, ``your-client@provider.com``. :param audience: A value identifying the authorization server as an intended audience, e.g. ``https://provider.com/oauth2/token``. :param kwargs: Additional arguments to pass to base client, such as state and token. See ``Client.__init__.__doc__`` for details. """ super().__init__(client_id, kwargs) self.private_key = private_key self.subject = subject self.issuer = issuer self.audience = audience def prepare_request_body(self, private_key=None, subject=None, issuer=None, audience=None, expires_at=None, issued_at=None, extra_claims=None, body='', scope=None, include_client_id=False, *kwargs): """Create and add a JWT assertion to the request body. :param private_key: Private key used for signing and encrypting. Must be given as a string. :param subject: (sub) The principal that is the subject of the JWT, i.e. which user is the token requested on behalf of. For example, ``foo@example.com. :param issuer: (iss) The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT. For example, ``your-client@provider.com``. :param audience: (aud) A value identifying the authorization server as an intended audience, e.g. ``https://provider.com/oauth2/token``. :param expires_at: A unix expiration timestamp for the JWT. Defaults to an hour from now, i.e. ``time.time() + 3600``. :param issued_at: A unix timestamp of when the JWT was created. Defaults to now, i.e. ``time.time()``. :param extra_claims: A dict of additional claims to include in the JWT. :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param scope: The scope of the access request. :param include_client_id: `True` to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. False otherwise (default). :type include_client_id: Boolean :param not_before: A unix timestamp after which the JWT may be used. Not included unless provided. :param jwt_id: A unique JWT token identifier. Not included unless provided. * :param kwargs: Extra credentials to include in the token request. Parameters marked with a `` above are not explicit arguments in the function signature, but are specially documented arguments for items appearing in the generic `kwargs` keyworded input. The "scope" parameter may be used, as defined in the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [I-D.ietf-oauth-assertions] specification, to indicate the requested scope. Authentication of the client is optional, as described in `Section 3.2.1`_ of OAuth 2.0 [RFC6749] and consequently, the "client_id" is only needed when a form of client authentication that relies on the parameter is used. The following non-normative example demonstrates an Access Token Request with a JWT as an authorization grant (with extra line breaks for display purposes only): .. code-block: http POST /token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiJ9. eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 """ import jwt key = private_key or self.private_key if not key: raise ValueError('An encryption key must be supplied to make JWT' ' token requests.') claim = { 'iss': issuer or self.issuer, 'aud': audience or self.audience, 'sub': subject or self.subject, 'exp': int(expires_at or time.time() + 3600), 'iat': int(issued_at or time.time()), } for attr in ('iss', 'aud', 'sub'): if claim[attr] is None: raise ValueError( 'Claim must include %s but none was given.' % attr) if 'not_before' in kwargs: claim['nbf'] = kwargs.pop('not_before') if 'jwt_id' in kwargs: claim['jti'] = kwargs.pop('jwt_id') claim.update(extra_claims or {}) assertion = jwt.encode(claim, key, 'RS256') assertion = to_unicode(assertion) kwargs['client_id'] = self.client_id kwargs['include_client_id'] = include_client_id scope = self.scope if scope is None else scope return prepare_token_request(self.grant_type, body=body, assertion=assertion, scope=scope, kwargs) ��clients/__init__.py��0000644��00000000770�15030301546�0010317 0��ustar�00��# -- coding: utf-8 -- """ oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming OAuth 2.0 RFC6749. """ from .backend_application import BackendApplicationClient from .base import AUTH_HEADER, BODY, URI_QUERY, Client from .legacy_application import LegacyApplicationClient from .mobile_application import MobileApplicationClient from .service_application import ServiceApplicationClient from .web_application import WebApplicationClient ��__pycache__/request_validator.cpython-310.pyc��0000644��00000072020�15030301546�0015210 0��ustar�00��o ��h�p��@��s(��d�Z�ddlZe�e�ZG�dd��d�ZdS�)zU oauthlib.oauth2.rfc6749.request_validator ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��Nc��@��s��e�Zd�Zdd��Zdd��Zdd��Zdd��Zd d ��Zdd��Zd d��Z dd��Z dd��Zdd��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd ��Zd!d"��Zd#d$��Zd%d&��Zd'd(��Zd)d��Zd+d,��Zd-d.��Zd/d0��Zd1d2��Zd3d4��Zd5d6��Zd7d8��Zd9S�):�RequestValidatorc��O��dS�)a<��Determine if client authentication is required for current request. According to the rfc6749, client authentication is required in the following cases: - Resource Owner Password Credentials Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 4.3.2`_. - Authorization Code Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 4.1.3`_. - Refresh Token Grant, when Client type is Confidential or when Client was issued client credentials or whenever Client provided client authentication, see `Section 6`_ :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant - Refresh Token Grant .. _`Section 4.3.2`: https://tools.ietf.org/html/rfc6749#section-4.3.2 .. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3 .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6 T��self�request�args�kwargsr��r��\/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/request_validator.py�client_authentication_required��z/RequestValidator.client_authentication_requiredc��O��t�d��)a��Authenticate client through means outside the OAuth 2 spec. Means of authentication is negotiated beforehand and may for example be `HTTP Basic Authentication Scheme`_ which utilizes the Authorization header. Headers may be accesses through request.headers and parameters found in both body and query can be obtained by direct attribute access, i.e. request.client_id for client_id in the URL query. The authentication process is required to contain the identification of the client (i.e. search the database based on the client_id). In case the client doesn't exist based on the received client_id, this method has to return False and the HTTP response created by the library will contain 'invalid_client' message. After the client identification succeeds, this method needs to set the client on the request, i.e. request.client = client. A client object's class must contain the 'client_id' attribute and the 'client_id' must have a value. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant (may be disabled) - Client Credentials Grant - Refresh Token Grant .. _`HTTP Basic Authentication Scheme`: https://tools.ietf.org/html/rfc1945#section-11.1 �&Subclasses must implement this method.��NotImplementedErrorr��r��r��r ��authenticate_client)��"z$RequestValidator.authenticate_clientc��O��r ��)a`��Ensure client_id belong to a non-confidential client. A non-confidential client is one that is not required to authenticate through other means, such as using HTTP Basic. Note, while not strictly necessary it can often be very convenient to set request.client to the client object associated with the given client_id. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant r��r��r�� client_idr��r��r ��r��r��r ��authenticate_client_idM��z'RequestValidator.authenticate_client_idc��O��r ��)a��Ensure that the authorization process represented by this authorization code began with this 'redirect_uri'. If the client specifies a redirect_uri when obtaining code then that redirect URI must be bound to the code and verified equal in this method, according to RFC 6749 section 4.1.3. Do not compare against the client's allowed redirect URIs, but against the URI used when the code was saved. :param client_id: Unicode client identifier. :param code: Unicode authorization_code. :param redirect_uri: Unicode absolute URI. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant (during token request) r��r��)r��r��code�redirect_uri�clientr��r��r ��r��r��r ��confirm_redirect_uria��s��z%RequestValidator.confirm_redirect_uric��O��r ��)a\��Get the default redirect URI for the client. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: The default redirect URI for the client Method is used by: - Authorization Code Grant - Implicit Grant r��r��r��r��r��r ��get_default_redirect_uriy��s��z)RequestValidator.get_default_redirect_uric��O��r ��)a��Get the default scopes for the client. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: List of default scopes Method is used by all core grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials grant r��r��r��r��r��r ��get_default_scopes��z#RequestValidator.get_default_scopesc��O��r ��)a/��Get the list of scopes associated with the refresh token. :param refresh_token: Unicode refresh token. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: List of scopes. Method is used by: - Refresh token grant r��r��)r�� refresh_tokenr��r��r ��r��r��r ��get_original_scopes��z$RequestValidator.get_original_scopesc��O��r��)aO��Check if requested scopes are within a scope of the refresh token. When access tokens are refreshed the scope of the new token needs to be within the scope of the original token. This is ensured by checking that all requested scopes strings are on the list returned by the get_original_scopes. If this check fails, is_within_original_scope is called. The method can be used in situations where returning all valid scopes from the get_original_scopes is not practical. :param request_scopes: A list of scopes that were requested by client. :param refresh_token: Unicode refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Refresh token grant Fr��)r��request_scopesr��r��r��r ��r��r��r ��is_within_original_scope��s��z)RequestValidator.is_within_original_scopec��O��r ��)a��Introspect an access or refresh token. Called once the introspect request is validated. This method should verify the token and either return a dictionary with the list of claims associated, or `None` in case the token is unknown. Below the list of registered claims you should be interested in: - scope : space-separated list of scopes - client_id : client identifier - username : human-readable identifier for the resource owner - token_type : type of the token - exp : integer timestamp indicating when this token will expire - iat : integer timestamp indicating when this token was issued - nbf : integer timestamp indicating when it can be "not-before" used - sub : subject of the token - identifier of the resource owner - aud : list of string identifiers representing the intended audience - iss : string representing issuer of this token - jti : string identifier for the token Note that most of them are coming directly from JWT RFC. More details can be found in `Introspect Claims`_ or `JWT Claims`_. The implementation can use token_type_hint to improve lookup efficiency, but must fallback to other types to be compliant with RFC. The dict of claims is added to request.token after this method. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Introspect Endpoint (all grants are compatible) .. _`Introspect Claims`: https://tools.ietf.org/html/rfc7662#section-2.2 .. _`JWT Claims`: https://tools.ietf.org/html/rfc7519#section-4 r��r��r��token�token_type_hintr��r��r ��r��r��r ��introspect_token��s��(z!RequestValidator.introspect_tokenc��O��r ��)aH��Invalidate an authorization code after use. :param client_id: Unicode client identifier. :param code: The authorization code grant (request.code). :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Authorization Code Grant r��r��r��r��r��r��r��r ��r��r��r ��invalidate_authorization_code��r ��z.RequestValidator.invalidate_authorization_codec��O��r ��)a��Revoke an access or refresh token. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Revocation Endpoint r��r��r#��r��r��r ��revoke_token��r ��zRequestValidator.revoke_tokenc��C��r��)a��Determine whether to rotate the refresh token. Default, yes. When access tokens are refreshed the old refresh token can be kept or replaced with a new one (rotated). Return True to rotate and and False for keeping original. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Refresh Token Grant Tr��)r��r��r��r��r ��rotate_refresh_token��s��z%RequestValidator.rotate_refresh_tokenc��O��r ��)ao��Persist the authorization_code. The code should at minimum be stored with: - the client_id (``client_id``) - the redirect URI used (``request.redirect_uri``) - a resource owner / user (``request.user``) - the authorized scopes (``request.scopes``) To support PKCE, you MUST associate the code with: - Code Challenge (``request.code_challenge``) and - Code Challenge Method (``request.code_challenge_method``) To support OIDC, you MUST associate the code with: - nonce, if present (``code["nonce"]``) The ``code`` argument is actually a dictionary, containing at least a ``code`` key with the actual authorization code: ``{'code': 'sdf345jsdf0934f'}`` It may also have a ``claims`` parameter which, when present, will be a dict deserialized from JSON as described at http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter This value should be saved in this method and used again in ``.validate_code``. :param client_id: Unicode client identifier. :param code: A dict of the authorization code grant and, optionally, state. :param request: OAuthlib request. :type request: oauthlib.common.Request Method is used by: - Authorization Code Grant r��r��r'��r��r��r ��save_authorization_code��r��z(RequestValidator.save_authorization_codec��O��s��\|�j�\|\|g\|�R�i�\|��S�)z�Persist the token with a token type specific method. Currently, only save_bearer_token is supported. :param token: A (Bearer) token dict. :param request: OAuthlib request. :type request: oauthlib.common.Request )�save_bearer_token�r��r$��r��r��r ��r��r��r �� save_token2��s�� zRequestValidator.save_tokenc��O��r ��)a��Persist the Bearer token. The Bearer token should at minimum be associated with: - a client and it's client_id, if available - a resource owner / user (request.user) - authorized scopes (request.scopes) - an expiration time - a refresh token, if issued - a claims document, if present in request.claims The Bearer token dict may hold a number of items:: { 'token_type': 'Bearer', 'access_token': 'askfjh234as9sd8', 'expires_in': 3600, 'scope': 'string of space separated authorized scopes', 'refresh_token': '23sdf876234', # if issued 'state': 'given_by_client', # if supplied by client (implicit ONLY) } Note that while "scope" is a string-separated list of authorized scopes, the original list is still available in request.scopes. The token dict is passed as a reference so any changes made to the dictionary will go back to the user. If additional information must return to the client user, and it is only possible to get this information after writing the token to storage, it should be added to the token dictionary. If the token dictionary must be modified but the changes should not go back to the user, a copy of the dictionary must be made before making the changes. Also note that if an Authorization Code grant request included a valid claims parameter (for OpenID Connect) then the request.claims property will contain the claims dict, which should be saved for later use when generating the id_token and/or UserInfo response content. :param token: A Bearer token dict. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: The default redirect URI for the client Method is used by all core grant types issuing Bearer tokens: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant (might not associate a client) - Client Credentials grant r��r��r-��r��r��r ��r,��=��s��0z"RequestValidator.save_bearer_tokenc��C��r ��)am ��Ensure the Bearer token is valid and authorized access to scopes. :param token: A string of random characters. :param scopes: A list of scopes associated with the protected resource. :param request: OAuthlib request. :type request: oauthlib.common.Request A key to OAuth 2 security and restricting impact of leaked tokens is the short expiration time of tokens, always ensure the token has not expired!. Two different approaches to scope validation: 1) all(scopes). The token must be authorized access to all scopes associated with the resource. For example, the token has access to ``read-only`` and ``images``, thus the client can view images but not upload new. Allows for fine grained access control through combining various scopes. 2) any(scopes). The token must be authorized access to one of the scopes associated with the resource. For example, token has access to ``read-only-images``. Allows for fine grained, although arguably less convenient, access control. A powerful way to use scopes would mimic UNIX ACLs and see a scope as a group with certain privileges. For a restful API these might map to HTTP verbs instead of read, write and execute. Note, the request.user attribute can be set to the resource owner associated with this token. Similarly the request.client and request.scopes attribute can be set to associated client object and authorized scopes. If you then use a decorator such as the one provided for django these attributes will be made available in all protected views as keyword arguments. :param token: Unicode Bearer token :param scopes: List of scopes (defined by you) :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is indirectly used by all core Bearer token issuing grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials Grant r��r��)r��r$��scopesr��r��r��r ��validate_bearer_tokeno��s��2z&RequestValidator.validate_bearer_tokenc��O��r ��)a��Ensure client_id belong to a valid and active client. Note, while not strictly necessary it can often be very convenient to set request.client to the client object associated with the given client_id. :param client_id: Unicode client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant r��r��r��r��r��r ��validate_client_id��z#RequestValidator.validate_client_idc��O��r ��)a��Verify that the authorization_code is valid and assigned to the given client. Before returning true, set the following based on the information stored with the code in 'save_authorization_code': - request.user - request.scopes - request.claims (if given) OBS! The request.user attribute should be set to the resource owner associated with this authorization code. Similarly request.scopes must also be set. The request.claims property, if it was given, should assigned a dict. If PKCE is enabled (see 'is_pkce_required' and 'save_authorization_code') you MUST set the following based on the information stored: - request.code_challenge - request.code_challenge_method :param client_id: Unicode client identifier. :param code: Unicode authorization code. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant r��r��)r��r��r��r��r��r��r ��r��r��r �� validate_code��s��!zRequestValidator.validate_codec��O��r ��)aW��Ensure client is authorized to use the grant_type requested. :param client_id: Unicode client identifier. :param grant_type: Unicode grant type, i.e. authorization_code, password. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Resource Owner Password Credentials Grant - Client Credentials Grant - Refresh Token Grant r��r��)r��r�� grant_typer��r��r��r ��r��r��r ��validate_grant_type��r2��z$RequestValidator.validate_grant_typec��O��r ��)a,��Ensure client is authorized to redirect to the redirect_uri requested. All clients should register the absolute URIs of all URIs they intend to redirect to. The registration is outside of the scope of oauthlib. :param client_id: Unicode client identifier. :param redirect_uri: Unicode absolute URI. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant r��r��)r��r��r��r��r��r ��r��r��r ��validate_redirect_uri��r2��z&RequestValidator.validate_redirect_uric��O��r ��)a��Ensure the Bearer token is valid and authorized access to scopes. OBS! The request.user attribute should be set to the resource owner associated with this refresh token. :param refresh_token: Unicode refresh token. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant (indirectly by issuing refresh tokens) - Resource Owner Password Credentials Grant (also indirectly) - Refresh Token Grant r��r��)r��r��r��r��r��r ��r��r��r ��validate_refresh_token��s��z'RequestValidator.validate_refresh_tokenc��O��r ��)a��Ensure client is authorized to use the response_type requested. :param client_id: Unicode client identifier. :param response_type: Unicode response type, i.e. code, token. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant - Implicit Grant r��r��)r��r�� response_typer��r��r��r ��r��r��r ��validate_response_type��r��z'RequestValidator.validate_response_typec��O��r ��)aL��Ensure the client is authorized access to requested scopes. :param client_id: Unicode client identifier. :param scopes: List of scopes (defined by you). :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by all core grant types: - Authorization Code Grant - Implicit Grant - Resource Owner Password Credentials Grant - Client Credentials Grant r��r��)r��r��r/��r��r��r��r ��r��r��r ��validate_scopes��r2��z RequestValidator.validate_scopesc��O��r ��)a��Ensure the username and password is valid. OBS! The validation should also set the user attribute of the request to a valid resource owner, i.e. request.user = username or similar. If not set you will be unable to associate a token with a user in the persistence method used (commonly, save_bearer_token). :param username: Unicode username. :param password: Unicode password. :param client: Client object set by you, see ``.authenticate_client``. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Resource Owner Password Credentials Grant r��r��)r��username�passwordr��r��r��r ��r��r��r �� validate_user1��r��zRequestValidator.validate_userc��C��r��)a��Determine if current request requires PKCE. Default, False. This is called for both "authorization" and "token" requests. Override this method by ``return True`` to enable PKCE for everyone. You might want to enable it only for public clients. Note that PKCE can also be used in addition of a client authentication. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy"). See `RFC7636`_. :param client_id: Client identifier. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: True or False Method is used by: - Authorization Code Grant .. _`RFC7636`: https://tools.ietf.org/html/rfc7636 Fr��)r��r��r��r��r��r ��is_pkce_requiredE��z!RequestValidator.is_pkce_requiredc��C��r��)a/��Is called for every "token" requests. When the server issues the authorization code in the authorization response, it MUST associate the ``code_challenge`` and ``code_challenge_method`` values with the authorization code so it can be verified later. Typically, the ``code_challenge`` and ``code_challenge_method`` values are stored in encrypted form in the ``code`` itself but could alternatively be stored on the server associated with the code. The server MUST NOT include the ``code_challenge`` value in client requests in a form that other entities can extract. Return the ``code_challenge`` associated to the code. If ``None`` is returned, code is considered to not be associated to any challenges. :param code: Authorization code. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: code_challenge string Method is used by: - Authorization Code Grant - when PKCE is active Nr��r��r��r��r��r��r ��get_code_challenge_��r��z#RequestValidator.get_code_challengec��C��r ��)aK��Is called during the "token" request processing, when a ``code_verifier`` and a ``code_challenge`` has been provided. See ``.get_code_challenge``. Must return ``plain`` or ``S256``. You can return a custom value if you have implemented your own ``AuthorizationCodeGrant`` class. :param code: Authorization code. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: code_challenge_method string Method is used by: - Authorization Code Grant - when PKCE is active r��r��r@��r��r��r ��get_code_challenge_method\|��r��zRequestValidator.get_code_challenge_methodc��O��r��)ax��Indicate if the given origin is allowed to access the token endpoint via Cross-Origin Resource Sharing (CORS). CORS is used by browser-based clients, such as Single-Page Applications, to perform the Authorization Code Grant. (Note: If performing Authorization Code Grant via a public client such as a browser, you should use PKCE as well.) If this method returns true, the appropriate CORS headers will be added to the response. By default this method always returns False, meaning CORS is disabled. :param client_id: Unicode client identifier. :param redirect_uri: Unicode origin. :param request: OAuthlib request. :type request: oauthlib.common.Request :rtype: bool Method is used by: - Authorization Code Grant - Refresh Token Grant Fr��)r��r��originr��r��r ��r��r��r ��is_origin_allowed��r?��z"RequestValidator.is_origin_allowedN)�__name__� __module__�__qualname__r��r��r��r��r��r��r��r"��r&��r(��r)��r��r+��r.��r,��r0��r1��r3��r5��r6��r7��r9��r:��r=��r>��rA��rB��rD��r��r��r��r ��r�� s:��$ $24#r��)�__doc__�logging� getLoggerrE��logr��r��r��r��r ��<module>��s�� __pycache__/__init__.cpython-310.pyc��0000644��00000001214�15030301546�0013207 0��ustar�00��o ��h��@��sJ��d�Z�ddlZddlZddlmZmZ�ddlmZmZm Z m Z �e�e�Z dS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N��)�BaseEndpoint�catch_errors_and_unavailability)�FatalClientError�OAuth2Error�ServerError�TemporarilyUnavailableError)�__doc__� functools�logging�endpoints.baser��r��errorsr��r��r��r�� getLogger�__name__�log��r��r��S/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/__init__.py�<module>��s��__pycache__/parameters.cpython-310.pyc��0000644��00000040674�15030301546�0013630 0��ustar�00��o ��hHJ��@��s��d�Z�ddlZddlZddlZddlmZ�ddlmZm Z �ddl mZ�ddlm Z mZmZmZmZmZ�ddlmZ�ddlmZmZmZ� dd d�Zddd�Z ddd�Zddd�Zddd�Zddd�Zdd��ZdS�) z� oauthlib.oauth2.rfc6749.parameters ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module contains methods related to `Section 4`_ of the OAuth 2 RFC. .. _`Section 4`: https://tools.ietf.org/html/rfc6749#section-4 ��N)�add_params_to_qs�add_params_to_uri)� scope_changed��)�InsecureTransportError�MismatchingStateError�MissingCodeError�MissingTokenError�MissingTokenTypeError�raise_from_error)�OAuth2Token)�is_secure_transport� list_to_scope� scope_to_list�plainc��K��s��t�\|��st��d\|fd\|fg} \|r\| �d\|f��\|r#\| �dt\|�f��\|r,\| �d\|f��\|dur>\| �d\|f��\| �d\|f��\|D�]} \|\| �rQ\| �t\| �\|\| �f��q@t\|�\| �S�) a] ��Prepare the authorization grant request URI. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the ``application/x-www-form-urlencoded`` format as defined by [`W3C.REC-html401-19991224`_]: :param uri: :param client_id: The client identifier as described in `Section 2.2`_. :param response_type: To indicate which OAuth 2 grant/flow is required, "code" and "token". :param redirect_uri: The client provided URI to redirect back to after authorization as described in `Section 3.1.2`_. :param scope: The scope of the access request as described by `Section 3.3`_. :param state: An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param code_challenge: PKCE parameter. A challenge derived from the code_verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: PKCE parameter. A method that was used to derive the code_challenge. Defaults to "plain" if not present in the request. :param kwargs: Extra arguments to embed in the grant/authorization URL. An example of an authorization code grant authorization URL: .. code-block:: http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &code_challenge=kjasBS523KdkAILD2k78NdcJSk2k3KHG6&code_challenge_method=S256 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com .. _`W3C.REC-html401-19991224`: https://tools.ietf.org/html/rfc6749#ref-W3C.REC-html401-19991224 .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 � response_type� client_id�redirect_uri�scope�stateN�code_challenge�code_challenge_method)r ��r��appendr��strr��)�urir��r��r��r��r��r��r��kwargs�params�k��r��U/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/parameters.py�prepare_grant_uri��s&��-�� r ��Tc�� K��s��d\|�fg}d\|v�rt�\|d��\|d<�\|�dd�}\|r$\|dur$\|�d\|f��\|dur/\|�d\|f��\|�dd�}\|dur@\|�d\|f��\|D�]}\|\|�rS\|�t\|�\|\|�f��qBt\|\|�S�)as ��Prepare the access token request. The client makes a request to the token endpoint by adding the following parameters using the ``application/x-www-form-urlencoded`` format in the HTTP request entity-body: :param grant_type: To indicate grant type being used, i.e. "password", "authorization_code" or "client_credentials". :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param include_client_id: `True` (default) to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. :type include_client_id: Boolean :param client_id: Unicode client identifier. Will only appear if `include_client_id` is True. * :param client_secret: Unicode client secret. Will only appear if set to a value that is not `None`. Invoking this function with an empty string will send an empty `client_secret` value to the server. * :param code: If using authorization_code grant, pass the previously obtained authorization code as the ``code`` argument. * :param redirect_uri: If the "redirect_uri" parameter was included in the authorization request as described in `Section 4.1.1`_, and their values MUST be identical. * :param code_verifier: PKCE parameter. A cryptographically random string that is used to correlate the authorization request to the token request. :param kwargs: Extra arguments to embed in the request body. Parameters marked with a `` above are not explicit arguments in the function signature, but are specially documented arguments for items appearing in the generic `kwargs` keyworded input. An example of an authorization code token request body: .. code-block:: http grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1 � grant_typer��r��N� code_verifier� client_secret)r��popr��r��r��) r"��body�include_client_idr#��r��r��r��r$��r��r��r��r��prepare_token_request]��s"�� 5� r(��access_tokenc�� K��s��t�\|��st��d\|fg}\|r\|�d\|f��\|D�]}\|\|�r(\|�t\|�\|\|�f��qddi}\|r>\|�d\|f��t\|�\|�\|\|fS�\|�\|t\|\|�fS�)ad��Prepare a token revocation request. The client constructs the request by including the following parameters using the ``application/x-www-form-urlencoded`` format in the HTTP request entity-body: :param token: REQUIRED. The token that the client wants to get revoked. :param token_type_hint: OPTIONAL. A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two values for `token_type_hint`: access_token: An access token as defined in [RFC6749], `Section 1.4`_ * refresh_token: A refresh token as defined in [RFC6749], `Section 1.5`_ Specific implementations, profiles, and extensions of this specification MAY define other values for this parameter using the registry defined in `Section 4.1.2`_. .. _`Section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4 .. _`Section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5 .. _`Section 4.1.2`: https://tools.ietf.org/html/rfc7009#section-4.1.2 �token�token_type_hintzContent-Typez!application/x-www-form-urlencoded�callback)r ��r��r��r��r��r��) �urlr��r+��r,��r&��r��r��r��headersr��r��r�� prepare_token_revocation_request��s��% �r/��c��C��sn��t�\|��st��t�\|��j}tt�\|��}\|r!\|�dd�\|kr!t��d\|v�r-t\|�d�\|��d\|vr5t d��\|S�)aZ��Parse authorization grant response URI into a dict. If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the ``application/x-www-form-urlencoded`` format: code* REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. :param uri: The full redirect URL back to the client. :param state: The state parameter from the authorization request. For example, the authorization server redirects the user-agent by sending the following HTTP response: .. code-block:: http HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz r��N�error�codez#Missing code parameter in response.) r ��r��urlparse�query�dict� parse_qsl�getr��r��r��)r��r��r3��r��r��r��r��!parse_authorization_code_response��s��&r7��c��C��s��t�\|��st��t�\|��j}ttj\|dd��}dD�]}\|\|v�r&t\|\|��\|\|<�qd\|v�r3t\|d��\|d<�d\|v�rCt��t\|d��\|d<�\|rQ\|� dd�\|krQt d ��t\|\|d �}t\|��\|S�)a��Parse the implicit token response URI into a dict. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the ``application/x-www-form-urlencoded`` format: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in Section 7.1. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. The scope of the access token as described by Section 3.3. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. :param uri: :param state: :param scope: Similar to the authorization code response, but with a full token provided in the URL fragment: .. code-block:: http HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz&token_type=example&expires_in=3600 T)�keep_blank_values�� expires_inr��r:�� expires_atr��Nz'Mismatching or missing state in params.�� old_scope) r ��r��r2��fragmentr4��r5��intr��timer6�� ValueErrorr��validate_token_parameters)r��r��r��r>��r��keyr��r��r��parse_implicit_response!��s"��-�rD��c��C��s��zt��\|��}W�n!�ty(��tt�\|��}dD�]}\|\|v�r%t\|\|��\|\|<�qY�nw�d\|v�r5t\|d��\|d<�d\|v�rQ\|d�du�rE\|�d��nt � ��t\|d��\|d<�t \|\|d�}t\|��\|S�)a� ��Parse the JSON token response body into a dict. The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity body of the HTTP response with a 200 (OK) status code: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in `Section 7.1`_. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. refresh_token OPTIONAL. The refresh token which can be used to obtain new access tokens using the same authorization grant as described in `Section 6`_. scope OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. The scope of the access token as described by `Section 3.3`_. The parameters are included in the entity body of the HTTP response using the "application/json" media type as defined by [`RFC4627`_]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers. The order of parameters does not matter and can vary. :param body: The full json encoded response body. :param scope: The scope requested during authorization. For example: .. code-block:: http HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`RFC4627`: https://tools.ietf.org/html/rfc4627 r9��r��r:��Nr;��r<��)�json�loadsrA��r4��r2��r5��r?��r��r%��r@��r��rB��)r&��r��r��rC��r��r��r��parse_token_responsef��s&��<��rG��c��C��s��d\|�v�rt�\|��d�\|��d\|�vrtdd��d\|�vr"tj�d�r"t��\|�jrPdj\|�j\|�j d�}tj \|\|�j\|�jd ��tj�d d�sRt \|�}\|�\|_\|�j\|_\|�j\|_\|�dS�dS�)zCEnsures token presence, token type, expiration and scope in params.r0��r)��zMissing access token parameter.)�description� token_type�OAUTHLIB_STRICT_TOKEN_TYPEzScope has changed from "{old}" to "{new}".)�old�new)�messagerK��rL��OAUTHLIB_RELAX_TOKEN_SCOPEN)r��r6��r ��os�environr ��r��formatr=��r��send� old_scopes�scopes�Warningr�� new_scope)r��rM��wr��r��r��rB��s(�� rB��)NNNNr��)r!��TN)r)��Nr!��)N)NN) �__doc__rE��rO��r@��urllib.parse�parser2��oauthlib.commonr��r��oauthlib.signalsr��errorsr��r��r��r ��r ��r��tokensr��utilsr ��r��r��r ��r(��r/��r7��rD��rG��rB��r��r��r��r��<module>��s�� DR � : 8 EW��__pycache__/errors.cpython-310.pyc��0000644��00000034473�15030301546�0013001 0��ustar�00��o ��h�2��@��sJ��d�Z�ddlZddlmZmZ�G�dd��de�ZG�dd��de�ZG�dd ��d e�ZG�d d��de�Z G�dd ��d e�Z G�dd��de�ZG�dd��de�ZG�dd��de�Z G�dd��de �ZG�dd��de�ZG�dd��de�ZG�dd��de�ZG�dd��de�ZG�dd��de�ZG�d d!��d!e�ZG�d"d#��d#e�ZG�d$d%��d%e�ZG�d&d'��d'e�ZG�d(d)��d)e�ZG�dd+��d+e�ZG�d,d-��d-e�ZG�d.d/��d/e�ZG�d0d1��d1e�ZG�d2d3��d3e�ZG�d4d5��d5e �ZG�d6d7��d7e�ZG�d8d9��d9e�Z G�d:d;��d;e�Z!G�d<d=��d=e�Z"G�d>d?��d?e�Z#G�d@dA��dAe�Z$G�dBdC��dCe�Z%G�dDdE��dEe�Z&G�dFdG��dGe�Z'dJdHdI�Z(dS�)Kz� oauthlib.oauth2.rfc6749.errors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Error used both by OAuth 2 clients and providers to represent the spec defined error responses for all four core grant types. ��N)�add_params_to_uri� urlencodec��sf��e�Zd�ZdZdZdZ d��fdd� Zdd��Zedd ��Z ed d��Z edd ��Zedd��Z��Z S�)�OAuth2ErrorN��c��s��\|dur\|\|�_�d�\|�j\|�j��}\|r\|dt\|��7�}t��\|��\|\|�_\|\|�_\|r\|\|�_\|rN\|j \|�_ \|j \|�_ \|j\|�_\|j\|�_\|j \|�_ \|j\|�_\|sL\|j\|�_dS�dS�d\|�_ d\|�_ d\|�_d\|�_d\|�_ d\|�_dS�)a0�� :param description: A human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred. Values for the "error_description" parameter MUST NOT include characters outside the set x20-21 / x23-5B / x5D-7E. :param uri: A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error. Values for the "error_uri" parameter MUST conform to the URI- Reference syntax, and thus MUST NOT include characters outside the set x21 / x23-5B / x5D-7E. :param state: A CSRF protection value received from the client. :param status_code: :param request: OAuthlib request. :type request: oauthlib.common.Request Nz({}) {}� )�description�format�error�repr�super�__init__�uri�state�status_code�redirect_uri� client_id�scopes� response_type� response_mode� grant_type)�selfr��r��r��r��request�message�� __class__��Q/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/errors.pyr ��s4�� zOAuth2Error.__init__c��C��s��\|�j�dk}t\|\|�j\|�S�)N�fragment)r��r�� twotuples)r��r��r��r��r��r��in_uriI��s�� zOAuth2Error.in_uric��C��sR��d\|�j�fg}\|�jr\|�d\|�jf��\|�jr\|�d\|�jf��\|�jr'\|�d\|�jf��\|S�)Nr ��error_description� error_urir��)r ��r��appendr��r��)r��r ��r��r��r��r��M��s��zOAuth2Error.twotuplesc��C��s ��t�\|�j�S��N)r��r��r��r��r��r�� urlencodedX��s�� zOAuth2Error.urlencodedc��C��s��t��t\|�j��S�r$��)�json�dumps�dictr��r%��r��r��r��r'��\��s��zOAuth2Error.jsonc��C��s`��\|�j�dkr. �d�\|�j�g}\|�jr\|�d�\|�j��\|�jr%\|�d�\|�j��ddd�\|��iS�i�S�)N��z error="{}"zerror_description="{}"zerror_uri="{}"zWWW-AuthenticatezBearer z, )r��r ��r ��r��r#��r��join)r�� authvaluesr��r��r��headers`��s�� zOAuth2Error.headers)NNNNN)�__name__� __module__�__qualname__r ��r��r��r ��r ��propertyr��r&��r'��r-�� __classcell__r��r��r��r��r�� s ��7 r��c��@��e�Zd�ZdZdS�)�TokenExpiredError� token_expiredN�r.��r/��r0��r ��r��r��r��r��r4��s��r4��c��@��e�Zd�ZdZdZdS�)�InsecureTransportError�insecure_transportzOAuth 2 MUST utilize https.N�r.��r/��r0��r ��r��r��r��r��r��r9��w��r9��c��@��r8��)�MismatchingStateError�mismatching_statez6CSRF Warning! State not equal in request and response.Nr;��r��r��r��r��r=��\|��r<��r=��c��@��r3��)�MissingCodeError�missing_codeNr6��r��r��r��r��r?��r7��r?��c��@��r3��)�MissingTokenError� missing_tokenNr6��r��r��r��r��rA��r7��rA��c��@��r3��)�MissingTokenTypeError�missing_token_typeNr6��r��r��r��r��rC��r7��rC��c��@��r3��)�FatalClientErrora�� Errors during authorization where user should not be redirected back. If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI. Instead the user should be informed of the error by the provider itself. N)r.��r/��r0��__doc__r��r��r��r��rE��s��rE��c��@��r8��)�InvalidRequestFatalErrorz� For fatal errors, the request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. �invalid_requestN�r.��r/��r0��rF��r ��r��r��r��r��rG��rG��c��@��r3��)�InvalidRedirectURIErrorzInvalid redirect URI.N�r.��r/��r0��r��r��r��r��r��rK��r7��rK��c��@��r3��)�MissingRedirectURIErrorzMissing redirect URI.NrL��r��r��r��r��rM��r7��rM��c��@��r3��)�MismatchingRedirectURIErrorzMismatching redirect URI.NrL��r��r��r��r��rN��r7��rN��c��@��r3��)�InvalidClientIdErrorz"Invalid client_id parameter value.NrL��r��r��r��r��rO��r7��rO��c��@��r3��)�MissingClientIdErrorzMissing client_id parameter.NrL��r��r��r��r��rP��r7��rP��c��@��r8��)�InvalidRequestErrorz� The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. rH��NrI��r��r��r��r��rQ��rJ��rQ��c��@��r3��)�MissingResponseTypeErrorz Missing response_type parameter.NrL��r��r��r��r��rR��r7��rR��c��@��r8��)�MissingCodeChallengeErrora�� If the server requires Proof Key for Code Exchange (PKCE) by OAuth public clients and the client does not send the "code_challenge" in the request, the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., code challenge required. zCode challenge required.N�r.��r/��r0��rF��r��r��r��r��r��rS��rS��c��@��r8��)�MissingCodeVerifierErrorzr The request to the token endpoint, when PKCE is enabled, has the parameter `code_verifier` REQUIRED. zCode verifier required.NrT��r��r��r��r��rV��rV��c��@��r8��)�AccessDeniedErrorzH The resource owner or authorization server denied the request. � access_deniedNrI��r��r��r��r��rX��s��rX��c��@��r8��)�UnsupportedResponseTypeErrorzj The authorization server does not support obtaining an authorization code using this method. �unsupported_response_typeNrI��r��r��r��r��rZ��rW��rZ��c��@��r8��)�#UnsupportedCodeChallengeMethodErrorad�� If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., transform algorithm not supported. z"Transform algorithm not supported.NrT��r��r��r��r��r\��rU��r\��c��@��r8��)�InvalidScopeErrorz� The requested scope is invalid, unknown, or malformed, or exceeds the scope granted by the resource owner. https://tools.ietf.org/html/rfc6749#section-5.2 � invalid_scopeNrI��r��r��r��r��r]��r]��c��@��r8��)�ServerErrora �� The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via a HTTP redirect.) �server_errorNrI��r��r��r��r��r`��r_��r`��c��@��r8��)�TemporarilyUnavailableErrora�� The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via a HTTP redirect.) �temporarily_unavailableNrI��r��r��r��r��rb�� r_��rb��c��@��e�Zd�ZdZdZdZdS�)�InvalidClientErroraG�� Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. �invalid_clientr��N�r.��r/��r0��rF��r ��r��r��r��r��r��re��s��re��c��@��rd��)�InvalidGrantErrora7�� The provided authorization grant (e.g. authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. https://tools.ietf.org/html/rfc6749#section-5.2 � invalid_grantr��Nrg��r��r��r��r��rh��#��s��rh��c��@��r8��)�UnauthorizedClientErrorz^ The authenticated client is not authorized to use this authorization grant type. �unauthorized_clientNrI��r��r��r��r��rj��0��rW��rj��c��@��r8��)�UnsupportedGrantTypeErrorzX The authorization grant type is not supported by the authorization server. �unsupported_grant_typeNrI��r��r��r��r��rl��8��rW��rl��c��@��r8��)�UnsupportedTokenTypeErrorz� The authorization server does not support the hint of the presented token type. I.e. the client tried to revoke an access token on a server not supporting this feature. �unsupported_token_typeNrI��r��r��r��r��rn��@��rJ��rn��c��@��e�Zd�ZdZdZdZdZdS�)�InvalidTokenErrora�� The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request. � invalid_tokenr��zWThe access token provided is expired, revoked, malformed, or invalid for other reasons.N�r.��r/��r0��rF��r ��r��r��r��r��r��r��rq��I�� rq��c��@��rp��)�InsufficientScopeErrora�� The request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the "scope" attribute with the scope necessary to access the protected resource. �insufficient_scopei��zIThe request requires higher privileges than provided by the access token.Nrs��r��r��r��r��ru��W��rt��ru��c��@��r8��)�ConsentRequireda�� The Authorization Server requires End-User consent. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent. �consent_requiredNrI��r��r��r��r��rw��e��rw��c��@��r8��)� LoginRequireda'�� The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication. �login_requiredNrI��r��r��r��r��rz��p��ry��rz��c��s ��e�Zd�ZdZ��fdd�Z��ZS�)�CustomOAuth2Errorz� This error is a placeholder for all custom errors not described by the RFC. Some of the popular OAuth2 providers are using custom errors. c��s��\|\|�_�t��j\|i�\|��d�S�r$��)r ��r��r ��)r��r ��args�kwargsr��r��r��r ��s��zCustomOAuth2Error.__init__)r.��r/��r0��rF��r ��r2��r��r��r��r��r\|��{��s��r\|��c��C��sv��dd�l�}dd�l}\|�d�\|�d�\|�d�d�}\|�\|jt�\|j�D�]\}}\|j\|�kr1\|di�\|��q!tdd\|�i\|��)Nr��r!��r"��r��)r��r��r��r ��r��) �inspect�sys�get� getmembers�modulesr.��isclassr ��r\|��)r ��paramsr��r��r~��_�clsr��r��r��raise_from_error��s�� r��r$��))rF��r'��oauthlib.commonr��r�� Exceptionr��r4��r9��r=��r?��rA��rC��rE��rG��rK��rM��rN��rO��rP��rQ��rR��rS��rV��rX��rZ��r\��r]��r`��rb��re��rh��rj��rl��rn��rq��ru��rw��rz��r\|��r��r��r��r��r��<module>��sL��f ��__pycache__/utils.cpython-310.pyc��0000644��00000005415�15030301546�0012617 0��ustar�00��o ��h��@��sl��d�Z�ddlZddlZddlmZmZ�ddlmZ�dd��Zdd��Z d d ��Z dd��Zd d��Zdd��Z dd��ZdS�)zp oauthlib.utils ~~~~~~~~~~~~~~ This module contains utility methods used by various parts of the OAuth 2 spec. ��N)�quote�urlparse)� urldecodec��C��sF��t�\|�t�s \|�du�r\|�S�t�\|�tttf�rd�dd��\|�D��S�td\|��)z5Convert a list of scopes to a space separated string.N� c��S��g�\|�]}t�\|��qS��str��.0�sr��r��P/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/utils.py� <listcomp>��z!list_to_scope.<locals>.<listcomp>z8Invalid scope (%s), must be string, tuple, set, or list.)� isinstancer ��set�tuple�list�join� ValueError��scoper��r��r �� list_to_scope��s ��r��c��C��s8��t�\|�tttf�rdd��\|�D��S�\|�du�rdS�\|��d�S�)z5Convert a space separated string to a list of scopes.c��S��r��r��r��r ��r��r��r ��r��r��z!scope_to_list.<locals>.<listcomp>Nr��)r��r��r��r��strip�splitr��r��r��r �� scope_to_list��s ��r��c��C��s.��t�tt\|��j��}d\|v�rt\|d��\|d<�\|S�)Nr��)�dictr��r��queryr��)�uri�paramsr��r��r ��params_from_uri"��s��r ��c�� C��sT��ddd�}t�\|��\}}}}}}d\|v�r\|�dd�\}}\|\|fS�\|�\|��}\|\|fS�)zuExtract hostname and port from URI. Will use default port for HTTP and HTTPS if none is present in the URI. �80�443)�HTTP�HTTPS�:��)r��r��get�upper) r�� default_ports�sch�netloc�path�parr��fra�portr��r��r �� host_from_uri)��s��r0��c��C��s$��t�\|�t�s td��t\|��d�dd�S�)ztEscape a string in an OAuth-compatible fashion. TODO: verify whether this can in fact be used for OAuth 2 z#Only unicode objects are escapable.zutf-8��~)�safe)r��r ��r��r��encode)�ur��r��r ��escape<��s�� r5��c��C��s8��t�j��\|��}\|j\|j\|jd�d��d��d�}t\|�S�)z9Generate a age parameter for MAC authentication draft 00.��i��i@B�)�datetime�now�microseconds�seconds�daysr ��)� issue_time�td�ager��r��r ��generate_ageG��s��r?��c��C��s��t�j�d�rdS�\|��d�S�)zCheck if the uri is over ssl.�OAUTHLIB_INSECURE_TRANSPORTTzhttps://)�os�environr'��lower� startswith)r��r��r��r ��is_secure_transportO��s��rE��)�__doc__r7��rA��urllib.parser��r��oauthlib.commonr��r��r��r ��r0��r5��r?��rE��r��r��r��r ��<module>��s�� __pycache__/tokens.cpython-310.pyc��0000644��00000023264�15030301546�0012764 0��ustar�00��o ��hl+��@��s��d�Z�ddlZddlZddlZddlmZ�ddlmZ�ddlm Z �ddl mZmZ�ddl mZ�G�d d ��d e�Z d d d�Zdd��Zd!dd�Zd"dd�Zd#dd�Zdd��Zdd��ZG�dd��d�ZG�dd��de�ZdS�)$z� oauthlib.oauth2.rfc6749.tokens ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module contains methods for adding two types of access tokens to requests. - Bearer https://tools.ietf.org/html/rfc6750 - MAC https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 ��N)� b2a_base64)�urlparse)�common)�add_params_to_qs�add_params_to_uri��)�utilsc��sr��e�Zd�Zd��fdd� Zedd��Zedd��Zedd ��Zed d��Zedd ��Z edd��Z edd��Z��ZS�)�OAuth2TokenNc��st��t��\|��d�\|�_d\|v�r\|d�rtt�\|d��\|�_\|d�ur4tt�\|��\|�_\|�jd�u�r2\|�j\|�_d�S�d�S�\|�j\|�_d�S�)N�scope)�super�__init__� _new_scope�setr�� scope_to_list� _old_scope)�self�params� old_scope�� __class__��Q/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/tokens.pyr��s�� zOAuth2Token.__init__c��C��s��\|�j�\|�jkS��N)r ��r��r��r��r��r�� scope_changed&��zOAuth2Token.scope_changedc��C��t��\|�j�S�r��)r�� list_to_scoper��r��r��r��r��r����r��zOAuth2Token.old_scopec��C�� t�\|�j�S�r��)�listr��r��r��r��r�� old_scopes.�� zOAuth2Token.old_scopesc��C��r��r��)r��r��r ��r��r��r��r��r ��2��r��zOAuth2Token.scopec��C��r��r��)r��r ��r��r��r��r��scopes6��r!��zOAuth2Token.scopesc��C��t�\|�j\|�j��S�r��)r��r��r ��r��r��r��r��missing_scopes:��zOAuth2Token.missing_scopesc��C��r#��r��)r��r ��r��r��r��r��r��additional_scopes>��r%��zOAuth2Token.additional_scopesr��) �__name__� __module__�__qualname__r��propertyr��r��r ��r ��r"��r$��r&�� __classcell__r��r��r��r��r ��s �� r �� hmac-sha-1c��C��s0��\|��}t�\|�\}}\|��dkrtj} n\|��dkrtj} ntd��\| dkr5\|p3d�t� \| �t ��}nt ��}t ��}t \|�\}}}}}}\|rP\|d�\|�}n\|}\|duro\| dkro\|�d�}t\| \|��dd ��d�}nd }g�}\| dkr}\|�\|��n \|�\|��\|�\|��\|�\|��\|�\|��\|�\|��\|�\|��\| dkr�\|�\|��\|�\|p�d ��d�\|�d�}t\|t�r�\|�d�}t�\|\|�d�\| �}t\|��dd ��d�}g�}\|�d\|��\| dkr�\|�d \|��\|�d\|��\|r�\|�d\|��\|�r\|�d\|��\|�d\|��\|�pi�}d�\|�\|d<�\|S�)a_��Add an `MAC Access Authentication`_ signature to headers. Unlike OAuth 1, this HMAC signature does not require inclusion of the request payload/body, neither does it use a combination of client_secret and token_secret but rather a mac_key provided together with the access token. Currently two algorithms are supported, "hmac-sha-1" and "hmac-sha-256", `extension algorithms`_ are not supported. Example MAC Authorization header, linebreaks added for clarity Authorization: MAC id="h480djs93hd8", nonce="1336363200:dj83hs9s", mac="bhCQXTVyfj5cmA9uKkPFx1zeOXM=" .. _`MAC Access Authentication`: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 .. _`extension algorithms`: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01#section-7.1 :param token: :param uri: Request URI. :param key: MAC given provided by token endpoint. :param http_method: HTTP Request method. :param nonce: :param headers: Request headers as a dictionary. :param body: :param ext: :param hash_algorithm: HMAC algorithm provided by token endpoint. :param issue_time: Time when the MAC credentials were issued (datetime). :param draft: MAC authentication specification version. :return: headers dictionary with the authorization field added. r-��zhmac-sha-256zunknown hash algorithmr��z{}:{}�?Nzutf-8��r,�� zMAC id="%s"zts="%s"z nonce="%s"z bodyhash="%s"zext="%s"zmac="%s"z, � Authorization)�upperr�� host_from_uri�lower�hashlib�sha1�sha256� ValueError�format�generate_ager��generate_nonce�generate_timestampr��encoder��digest�decode�append�join� isinstance�str�hmac�new)�token�uri�key�http_method�nonce�headers�body�ext�hash_algorithm� issue_time�draft�host�port�h�ts�sch�net�path�par�query�fra�request_uri�bodyhash�base�base_string�sign�headerr��r��r��prepare_mac_headerC��sf��(� ra��c��C��t�\|d\|�fg�S�)a��Add a `Bearer Token`_ to the request URI. Not recommended, use only if client can't use authorization header or body. http://www.example.com/path?access_token=h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param uri: �access_token)r��)rF��rG��r��r��r��prepare_bearer_uri��s��rd��c��C��s��\|pi�}d\|��\|d<�\|S�)z�Add a `Bearer Token`_ to the request URI. Recommended method of passing bearer tokens. Authorization: Bearer h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param headers: z Bearer %sr1��r��)rF��rK��r��r��r��prepare_bearer_headers��s��re��c��C��rb��)z�Add a `Bearer Token`_ to the request body. access_token=h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param body: rc��)r��)rF��rL��r��r��r��prepare_bearer_body��s�� rf��Fc��C��s��t��S�)zp :param request: OAuthlib request. :type request: oauthlib.common.Request :param refresh_token: )r��generate_token)�request� refresh_tokenr��r��r��random_token_generator��s��rj��c��s��fdd�}\|S�)z :param private_pem: c��s��\|�_�t��\|��S�r��)�claimsr��generate_signed_token)rh��kwargs�private_pemr��r��signed_token_generator��s��z6signed_token_generator.<locals>.signed_token_generatorr��)ro��rn��rp��r��rm��r��rp��s��rp��c��C��sP��d}d\|�j�v�r#\|�j��d��}t\|�dkr!\|d��dkr!\|d�}\|S�\|�j}\|S�)z� Helper function to extract a token from the request header. :param request: OAuthlib request. :type request: oauthlib.common.Request :return: Return the token or None if the Authorization header is malformed. Nr1��r��bearerr��)rK��get�split�lenr4��rc��)rh��rF��split_headerr��r��r��get_token_from_header��s�� rw��c��@��s��e�Zd�ZdZd dd�Zdd��Zdd��Zd S�)� TokenBaser��Fc��C��t�d��)N�&Subclasses must implement this method.��NotImplementedError)r��rh��ri��r��r��r��__call__��s��zTokenBase.__call__c��C��ry��b :param request: OAuthlib request. :type request: oauthlib.common.Request rz��r{��r��rh��r��r��r��validate_request ��zTokenBase.validate_requestc��C��ry��r~��r{��r��r��r��r�� estimate_type��r��zTokenBase.estimate_typeN�F)r'��r(��r)�� __slots__r}��r��r��r��r��r��r��rx��s �� rx��c��@��s8��e�Zd�ZdZ ddd�Zd dd�Zdd ��Zd d��ZdS�)�BearerToken)�request_validator�token_generator�refresh_token_generator� expires_inNc��C��s��\|\|�_�\|pt\|�_\|p\|�j\|�_\|pd\|�_d�S�)Ni��)r��rj��r��r��r��)r��r��r��r��r��r��r��r��r��s �� zBearerToken.__init__Fc��K��s��d\|v�r t��dt��t\|�j�r\|��\|�}n\|�j}\|\|_\|��\|�\|dd�}\|jdur1d�\|j�\|d<�\|rI\|jrB\|�j � \|�sB\|j\|d<�n\|��\|�\|d<�\|�\|j pOi��t\|�S�) z� Create a BearerToken, by default without refresh token. :param request: OAuthlib request. :type request: oauthlib.common.Request :param refresh_token: � save_tokenzx`save_token` has been deprecated, it was not called internally.If you do, call `request_validator.save_token()` instead.�Bearer)rc��r�� token_typeN� r ��ri��)�warnings�warn�DeprecationWarning�callabler��r��r"��rA��ri��r��rotate_refresh_tokenr��update�extra_credentialsr ��)r��rh��ri��rn��r��rF��r��r��r��create_token'��s,�� zBearerToken.create_tokenc��C��s��t�\|�}\|�j�\|\|j\|�S�)r��)rw��r��validate_bearer_tokenr"��)r��rh��rF��r��r��r��r��Q��s��zBearerToken.validate_requestc��C��s6��\|j��dd��d�d��dkrdS�\|jdurdS�dS�) r��r1��r,��r��r��rr�� N��)rK��rs��rt��r4��rc��r��r��r��r��r��Z��s �� zBearerToken.estimate_type)NNNNr��)r'��r(��r)��r��r��r��r��r��r��r��r��r��r��s�� * r��)NNNr,��r-��Nr��r��)r,��r��)�__doc__r5��rD��r��binasciir��urllib.parser��oauthlibr��oauthlib.commonr��r��r,��r��dictr ��ra��rd��re��rf��rj��rp��rw��rx��r��r��r��r��r��<module>��s4�� . �m ��parameters.py��0000644��00000045110�15030301546�0007257 0��ustar�00��""" oauthlib.oauth2.rfc6749.parameters ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module contains methods related to `Section 4`_ of the OAuth 2 RFC. .. _`Section 4`: https://tools.ietf.org/html/rfc6749#section-4 """ import json import os import time import urllib.parse as urlparse from oauthlib.common import add_params_to_qs, add_params_to_uri from oauthlib.signals import scope_changed from .errors import ( InsecureTransportError, MismatchingStateError, MissingCodeError, MissingTokenError, MissingTokenTypeError, raise_from_error, ) from .tokens import OAuth2Token from .utils import is_secure_transport, list_to_scope, scope_to_list def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None, scope=None, state=None, code_challenge=None, code_challenge_method='plain', kwargs): """Prepare the authorization grant request URI. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the ``application/x-www-form-urlencoded`` format as defined by [`W3C.REC-html401-19991224`_]: :param uri: :param client_id: The client identifier as described in `Section 2.2`_. :param response_type: To indicate which OAuth 2 grant/flow is required, "code" and "token". :param redirect_uri: The client provided URI to redirect back to after authorization as described in `Section 3.1.2`_. :param scope: The scope of the access request as described by `Section 3.3`_. :param state: An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. :param code_challenge: PKCE parameter. A challenge derived from the code_verifier that is sent in the authorization request, to be verified against later. :param code_challenge_method: PKCE parameter. A method that was used to derive the code_challenge. Defaults to "plain" if not present in the request. :param kwargs: Extra arguments to embed in the grant/authorization URL. An example of an authorization code grant authorization URL: .. code-block:: http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &code_challenge=kjasBS523KdkAILD2k78NdcJSk2k3KHG6&code_challenge_method=S256 &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com .. _`W3C.REC-html401-19991224`: https://tools.ietf.org/html/rfc6749#ref-W3C.REC-html401-19991224 .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 """ if not is_secure_transport(uri): raise InsecureTransportError() params = [(('response_type', response_type)), (('client_id', client_id))] if redirect_uri: params.append(('redirect_uri', redirect_uri)) if scope: params.append(('scope', list_to_scope(scope))) if state: params.append(('state', state)) if code_challenge is not None: params.append(('code_challenge', code_challenge)) params.append(('code_challenge_method', code_challenge_method)) for k in kwargs: if kwargs[k]: params.append((str(k), kwargs[k])) return add_params_to_uri(uri, params) def prepare_token_request(grant_type, body='', include_client_id=True, code_verifier=None, kwargs): """Prepare the access token request. The client makes a request to the token endpoint by adding the following parameters using the ``application/x-www-form-urlencoded`` format in the HTTP request entity-body: :param grant_type: To indicate grant type being used, i.e. "password", "authorization_code" or "client_credentials". :param body: Existing request body (URL encoded string) to embed parameters into. This may contain extra parameters. Default ''. :param include_client_id: `True` (default) to send the `client_id` in the body of the upstream request. This is required if the client is not authenticating with the authorization server as described in `Section 3.2.1`_. :type include_client_id: Boolean :param client_id: Unicode client identifier. Will only appear if `include_client_id` is True. * :param client_secret: Unicode client secret. Will only appear if set to a value that is not `None`. Invoking this function with an empty string will send an empty `client_secret` value to the server. * :param code: If using authorization_code grant, pass the previously obtained authorization code as the ``code`` argument. * :param redirect_uri: If the "redirect_uri" parameter was included in the authorization request as described in `Section 4.1.1`_, and their values MUST be identical. * :param code_verifier: PKCE parameter. A cryptographically random string that is used to correlate the authorization request to the token request. :param kwargs: Extra arguments to embed in the request body. Parameters marked with a `` above are not explicit arguments in the function signature, but are specially documented arguments for items appearing in the generic `kwargs` keyworded input. An example of an authorization code token request body: .. code-block:: http grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb .. _`Section 4.1.1`: https://tools.ietf.org/html/rfc6749#section-4.1.1 """ params = [('grant_type', grant_type)] if 'scope' in kwargs: kwargs['scope'] = list_to_scope(kwargs['scope']) # pull the `client_id` out of the kwargs. client_id = kwargs.pop('client_id', None) if include_client_id: if client_id is not None: params.append(('client_id', client_id)) # use code_verifier if code_challenge was passed in the authorization request if code_verifier is not None: params.append(('code_verifier', code_verifier)) # the kwargs iteration below only supports including boolean truth (truthy) # values, but some servers may require an empty string for `client_secret` client_secret = kwargs.pop('client_secret', None) if client_secret is not None: params.append(('client_secret', client_secret)) # this handles: `code`, `redirect_uri`, and other undocumented params for k in kwargs: if kwargs[k]: params.append((str(k), kwargs[k])) return add_params_to_qs(body, params) def prepare_token_revocation_request(url, token, token_type_hint="access_token", callback=None, body='', kwargs): """Prepare a token revocation request. The client constructs the request by including the following parameters using the ``application/x-www-form-urlencoded`` format in the HTTP request entity-body: :param token: REQUIRED. The token that the client wants to get revoked. :param token_type_hint: OPTIONAL. A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two values for `token_type_hint`: access_token: An access token as defined in [RFC6749], `Section 1.4`_ * refresh_token: A refresh token as defined in [RFC6749], `Section 1.5`_ Specific implementations, profiles, and extensions of this specification MAY define other values for this parameter using the registry defined in `Section 4.1.2`_. .. _`Section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4 .. _`Section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5 .. _`Section 4.1.2`: https://tools.ietf.org/html/rfc7009#section-4.1.2 """ if not is_secure_transport(url): raise InsecureTransportError() params = [('token', token)] if token_type_hint: params.append(('token_type_hint', token_type_hint)) for k in kwargs: if kwargs[k]: params.append((str(k), kwargs[k])) headers = {'Content-Type': 'application/x-www-form-urlencoded'} if callback: params.append(('callback', callback)) return add_params_to_uri(url, params), headers, body else: return url, headers, add_params_to_qs(body, params) def parse_authorization_code_response(uri, state=None): """Parse authorization grant response URI into a dict. If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the ``application/x-www-form-urlencoded`` format: code REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. :param uri: The full redirect URL back to the client. :param state: The state parameter from the authorization request. For example, the authorization server redirects the user-agent by sending the following HTTP response: .. code-block:: http HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz """ if not is_secure_transport(uri): raise InsecureTransportError() query = urlparse.urlparse(uri).query params = dict(urlparse.parse_qsl(query)) if state and params.get('state', None) != state: raise MismatchingStateError() if 'error' in params: raise_from_error(params.get('error'), params) if not 'code' in params: raise MissingCodeError("Missing code parameter in response.") return params def parse_implicit_response(uri, state=None, scope=None): """Parse the implicit token response URI into a dict. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the ``application/x-www-form-urlencoded`` format: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in Section 7.1. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. The scope of the access token as described by Section 3.3. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. :param uri: :param state: :param scope: Similar to the authorization code response, but with a full token provided in the URL fragment: .. code-block:: http HTTP/1.1 302 Found Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA &state=xyz&token_type=example&expires_in=3600 """ if not is_secure_transport(uri): raise InsecureTransportError() fragment = urlparse.urlparse(uri).fragment params = dict(urlparse.parse_qsl(fragment, keep_blank_values=True)) for key in ('expires_in',): if key in params: # cast things to int params[key] = int(params[key]) if 'scope' in params: params['scope'] = scope_to_list(params['scope']) if 'expires_in' in params: params['expires_at'] = time.time() + int(params['expires_in']) if state and params.get('state', None) != state: raise ValueError("Mismatching or missing state in params.") params = OAuth2Token(params, old_scope=scope) validate_token_parameters(params) return params def parse_token_response(body, scope=None): """Parse the JSON token response body into a dict. The authorization server issues an access token and optional refresh token, and constructs the response by adding the following parameters to the entity body of the HTTP response with a 200 (OK) status code: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in `Section 7.1`_. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. refresh_token OPTIONAL. The refresh token which can be used to obtain new access tokens using the same authorization grant as described in `Section 6`_. scope OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED. The scope of the access token as described by `Section 3.3`_. The parameters are included in the entity body of the HTTP response using the "application/json" media type as defined by [`RFC4627`_]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers. The order of parameters does not matter and can vary. :param body: The full json encoded response body. :param scope: The scope requested during authorization. For example: .. code-block:: http HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`RFC4627`: https://tools.ietf.org/html/rfc4627 """ try: params = json.loads(body) except ValueError: # Fall back to URL-encoded string, to support old implementations, # including (at time of writing) Facebook. See: # https://github.com/oauthlib/oauthlib/issues/267 params = dict(urlparse.parse_qsl(body)) for key in ('expires_in',): if key in params: # cast things to int params[key] = int(params[key]) if 'scope' in params: params['scope'] = scope_to_list(params['scope']) if 'expires_in' in params: if params['expires_in'] is None: params.pop('expires_in') else: params['expires_at'] = time.time() + int(params['expires_in']) params = OAuth2Token(params, old_scope=scope) validate_token_parameters(params) return params def validate_token_parameters(params): """Ensures token presence, token type, expiration and scope in params.""" if 'error' in params: raise_from_error(params.get('error'), params) if not 'access_token' in params: raise MissingTokenError(description="Missing access token parameter.") if not 'token_type' in params: if os.environ.get('OAUTHLIB_STRICT_TOKEN_TYPE'): raise MissingTokenTypeError() # If the issued access token scope is different from the one requested by # the client, the authorization server MUST include the "scope" response # parameter to inform the client of the actual scope granted. # https://tools.ietf.org/html/rfc6749#section-3.3 if params.scope_changed: message = 'Scope has changed from "{old}" to "{new}".'.format( old=params.old_scope, new=params.scope, ) scope_changed.send(message=message, old=params.old_scopes, new=params.scopes) if not os.environ.get('OAUTHLIB_RELAX_TOKEN_SCOPE', None): w = Warning(message) w.token = params w.old_scope = params.old_scopes w.new_scope = params.scopes raise w ��grant_types/base.py��0000644��00000025331�15030301546�0010370 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import logging from itertools import chain from oauthlib.common import add_params_to_uri from oauthlib.oauth2.rfc6749 import errors, utils from oauthlib.uri_validate import is_absolute_uri from ..request_validator import RequestValidator from ..utils import is_secure_transport log = logging.getLogger(__name__) class ValidatorsContainer: """ Container object for holding custom validator callables to be invoked as part of the grant type `validate_authorization_request()` or `validate_authorization_request()` methods on the various grant types. Authorization validators must be callables that take a request object and return a dict, which may contain items to be added to the `request_info` returned from the grant_type after validation. Token validators must be callables that take a request object and return None. Both authorization validators and token validators may raise OAuth2 exceptions if validation conditions fail. Authorization validators added to `pre_auth` will be run BEFORE the standard validations (but after the critical ones that raise fatal errors) as part of `validate_authorization_request()` Authorization validators added to `post_auth` will be run AFTER the standard validations as part of `validate_authorization_request()` Token validators added to `pre_token` will be run BEFORE the standard validations as part of `validate_token_request()` Token validators added to `post_token` will be run AFTER the standard validations as part of `validate_token_request()` For example: >>> def my_auth_validator(request): ... return {'myval': True} >>> auth_code_grant = AuthorizationCodeGrant(request_validator) >>> auth_code_grant.custom_validators.pre_auth.append(my_auth_validator) >>> def my_token_validator(request): ... if not request.everything_okay: ... raise errors.OAuth2Error("uh-oh") >>> auth_code_grant.custom_validators.post_token.append(my_token_validator) """ def __init__(self, post_auth, post_token, pre_auth, pre_token): self.pre_auth = pre_auth self.post_auth = post_auth self.pre_token = pre_token self.post_token = post_token @property def all_pre(self): return chain(self.pre_auth, self.pre_token) @property def all_post(self): return chain(self.post_auth, self.post_token) class GrantTypeBase: error_uri = None request_validator = None default_response_mode = 'fragment' refresh_token = True response_types = ['code'] def __init__(self, request_validator=None, *kwargs): self.request_validator = request_validator or RequestValidator() # Transforms class variables into instance variables: self.response_types = self.response_types self.refresh_token = self.refresh_token self._setup_custom_validators(kwargs) self._code_modifiers = [] self._token_modifiers = [] for kw, val in kwargs.items(): setattr(self, kw, val) def _setup_custom_validators(self, kwargs): post_auth = kwargs.get('post_auth', []) post_token = kwargs.get('post_token', []) pre_auth = kwargs.get('pre_auth', []) pre_token = kwargs.get('pre_token', []) if not hasattr(self, 'validate_authorization_request'): if post_auth or pre_auth: msg = ("{} does not support authorization validators. Use " "token validators instead.").format(self.__class__.__name__) raise ValueError(msg) # Using tuples here because they can't be appended to: post_auth, pre_auth = (), () self.custom_validators = ValidatorsContainer(post_auth, post_token, pre_auth, pre_token) def register_response_type(self, response_type): self.response_types.append(response_type) def register_code_modifier(self, modifier): self._code_modifiers.append(modifier) def register_token_modifier(self, modifier): self._token_modifiers.append(modifier) def create_authorization_response(self, request, token_handler): """ :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. """ raise NotImplementedError('Subclasses must implement this method.') def create_token_response(self, request, token_handler): """ :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. """ raise NotImplementedError('Subclasses must implement this method.') def add_token(self, token, token_handler, request): """ :param token: :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. :param request: OAuthlib request. :type request: oauthlib.common.Request """ # Only add a hybrid access token on auth step if asked for if not request.response_type in ["token", "code token", "id_token token", "code id_token token"]: return token token.update(token_handler.create_token(request, refresh_token=False)) return token def validate_grant_type(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ client_id = getattr(request, 'client_id', None) if not self.request_validator.validate_grant_type(client_id, request.grant_type, request.client, request): log.debug('Unauthorized from %r (%r) access to grant type %s.', request.client_id, request.client, request.grant_type) raise errors.UnauthorizedClientError(request=request) def validate_scopes(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ if not request.scopes: request.scopes = utils.scope_to_list(request.scope) or utils.scope_to_list( self.request_validator.get_default_scopes(request.client_id, request)) log.debug('Validating access to scopes %r for client %r (%r).', request.scopes, request.client_id, request.client) if not self.request_validator.validate_scopes(request.client_id, request.scopes, request.client, request): raise errors.InvalidScopeError(request=request) def prepare_authorization_response(self, request, token, headers, body, status): """Place token according to response mode. Base classes can define a default response mode for their authorization response by overriding the static `default_response_mode` member. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token: :param headers: :param body: :param status: """ request.response_mode = request.response_mode or self.default_response_mode if request.response_mode not in ('query', 'fragment'): log.debug('Overriding invalid response mode %s with %s', request.response_mode, self.default_response_mode) request.response_mode = self.default_response_mode token_items = token.items() if request.response_type == 'none': state = token.get('state', None) if state: token_items = [('state', state)] else: token_items = [] if request.response_mode == 'query': headers['Location'] = add_params_to_uri( request.redirect_uri, token_items, fragment=False) return headers, body, status if request.response_mode == 'fragment': headers['Location'] = add_params_to_uri( request.redirect_uri, token_items, fragment=True) return headers, body, status raise NotImplementedError( 'Subclasses must set a valid default_response_mode') def _get_default_headers(self): """Create default headers for grant responses.""" return { 'Content-Type': 'application/json', 'Cache-Control': 'no-store', 'Pragma': 'no-cache', } def _handle_redirects(self, request): if request.redirect_uri is not None: request.using_default_redirect_uri = False log.debug('Using provided redirect_uri %s', request.redirect_uri) if not is_absolute_uri(request.redirect_uri): raise errors.InvalidRedirectURIError(request=request) # The authorization server MUST verify that the redirection URI # to which it will redirect the access token matches a # redirection URI registered by the client as described in # Section 3.1.2. # https://tools.ietf.org/html/rfc6749#section-3.1.2 if not self.request_validator.validate_redirect_uri( request.client_id, request.redirect_uri, request): raise errors.MismatchingRedirectURIError(request=request) else: request.redirect_uri = self.request_validator.get_default_redirect_uri( request.client_id, request) request.using_default_redirect_uri = True log.debug('Using default redirect_uri %s.', request.redirect_uri) if not request.redirect_uri: raise errors.MissingRedirectURIError(request=request) if not is_absolute_uri(request.redirect_uri): raise errors.InvalidRedirectURIError(request=request) def _create_cors_headers(self, request): """If CORS is allowed, create the appropriate headers.""" if 'origin' not in request.headers: return {} origin = request.headers['origin'] if not is_secure_transport(origin): log.debug('Origin "%s" is not HTTPS, CORS not allowed.', origin) return {} elif not self.request_validator.is_origin_allowed( request.client_id, origin, request): log.debug('Invalid origin "%s", CORS not allowed.', origin) return {} else: log.debug('Valid origin "%s", injecting CORS headers.', origin) return {'Access-Control-Allow-Origin': origin} ��grant_types/__pycache__/client_credentials.cpython-310.pyc��0000644��00000011244�15030301546�0017646 0��ustar�00��o ��h��@��sJ��d�Z�ddlZddlZddlmZ�ddlmZ�e�e�Z G�dd��de�Z dS�) zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N��)�errors��)� GrantTypeBasec��@��s ��e�Zd�ZdZdd��Zdd��ZdS�)�ClientCredentialsGranta��`Client Credentials Grant`_ The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification). The client credentials grant type MUST only be used by confidential clients:: +---------+ +---------------+ : : : : : :>-- A - Client Authentication --->: Authorization : : Client : : Server : : :<-- B ---- Access Token ---------<: : : : : : +---------+ +---------------+ Figure 6: Client Credentials Flow The flow illustrated in Figure 6 includes the following steps: (A) The client authenticates with the authorization server and requests an access token from the token endpoint. (B) The authorization server authenticates the client, and if valid, issues an access token. .. _`Client Credentials Grant`: https://tools.ietf.org/html/rfc6749#section-4.4 c�� C��s��\|��}z t�d\|��\|��\|��W�n&�tjy7�}�zt�d\|��\|�\|j��\|\|j\|j fW��Y�d}~S�d}~ww�\|j \|dd�}\|�jD�]}\|\|�}qB\|�j� \|\|��t�d\|j\|j\|��\|t�\|�dfS�)a��Return token or error in JSON format. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the access token request is valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 z$Validating access token request, %r.z"Client error in token request. %s.NF)� refresh_tokenz'Issuing token to client id %r (%r), %r.��)�_get_default_headers�log�debug�validate_token_requestr��OAuth2Error�update�headers�json�status_code�create_token�_token_modifiers�request_validator� save_token� client_id�client�dumps)�self�request� token_handlerr��e�token�modifier��r��i/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py�create_token_response1��s$�� z,ClientCredentialsGrant.create_token_responsec��C��s��\|�j�jD�]}\|\|��qt\|dd�stjd\|d��\|jdks#tj\|d��dD�]}\|\|jv�r5tjd\|�\|d��q%t� d \|��\|�j �\|�sNt� d \|��tj\|d��t \|jd�sXtd��\|��\|��\|jpc\|jj\|_t� d \|j��\|��\|��\|�j�jD�]}\|\|��qudS�)zb :param request: OAuthlib request. :type request: oauthlib.common.Request � grant_typeNzRequest is missing grant type.)r��client_credentials)r"��scopezDuplicate %s parameter.)�descriptionr��zAuthenticating client, %r.z!Client authentication failed, %r.r��z[Authenticate client must set the request.client.client_id attribute in authenticate_client.z Authorizing access to client %r.)�custom_validators� pre_token�getattrr��InvalidRequestErrorr"��UnsupportedGrantTypeError�duplicate_paramsr ��r��r��authenticate_client�InvalidClientError�hasattrr��NotImplementedError�validate_grant_typer��validate_scopes� post_token)r��r�� validator�paramr��r��r ��r��V��s6�� z-ClientCredentialsGrant.validate_token_requestN)�__name__� __module__�__qualname__�__doc__r!��r��r��r��r��r ��r��s��!%r��)r8��r��logging��r��baser�� getLoggerr5��r ��r��r��r��r��r ��<module>��s�� grant_types/__pycache__/__init__.cpython-310.pyc��0000644��00000001137�15030301546�0015552 0��ustar�00��o ��hp��@��sD��d�Z�ddlmZ�ddlmZ�ddlmZ�ddlmZ�ddl m Z �dS�)zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��)�AuthorizationCodeGrant)�ClientCredentialsGrant)� ImplicitGrant)�RefreshTokenGrant)�%ResourceOwnerPasswordCredentialsGrantN)�__doc__�authorization_coder��client_credentialsr��implicitr�� refresh_tokenr��#resource_owner_password_credentialsr��r ��r ��_/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/__init__.py�<module>��s��grant_types/__pycache__/refresh_token.cpython-310.pyc��0000644��00000011023�15030301546�0016644 0��ustar�00��o ��h��@��sN��d�Z�ddlZddlZddlmZmZ�ddlmZ�e�e �Z G�dd��de�ZdS�) zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N��)�errors�utils��)� GrantTypeBasec��s6��e�Zd�ZdZ d ��fdd� Zdd��Zdd ��Z��ZS�)�RefreshTokenGrantzi`Refresh token grant`_ .. _`Refresh token grant`: https://tools.ietf.org/html/rfc6749#section-6 NTc��s��t��j\|fd\|i\|��d�S�)N�issue_new_refresh_tokens)�super�__init__)�self�request_validatorr��kwargs�� __class__��d/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/refresh_token.pyr ��s�� zRefreshTokenGrant.__init__c�� C��s��\|��}z t�d\|��\|��\|��W�n&�tjy7�}�zt�d\|��\|�\|j��\|\|j\|j fW��Y�d}~S�d}~ww�\|j \|\|�jd�}\|�jD�]}\|\|\|\|�}qC\|�j �\|\|��t�d\|j\|j\|��\|�\|��\|��\|t�\|�dfS�)a��Create a new access token from a refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. If the request failed verification or is invalid, the authorization server returns an error response as described in `Section 5.2`_. The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 z%Validating refresh token request, %r.z"Client error in token request, %s.N)� refresh_tokenz+Issuing new token to client id %r (%r), %r.��)�_get_default_headers�log�debug�validate_token_requestr��OAuth2Error�update�headers�json�status_code�create_tokenr��_token_modifiersr�� save_token� client_id�client�_create_cors_headers�dumps)r��request� token_handlerr��e�token�modifierr��r��r��create_token_response��s�� z'RefreshTokenGrant.create_token_responsec��s��\|j�dkrtj\|d��\|�jjD�]}\|\|��q\|jdu�r"tjd\|d��\|�j�\|�rAt � d\|��\|�j�\|�s@t � d\|��tj\|d��n\|�j� \|j\|�sUt � d\|��tj\|d��\|��\|��t � d \|j\|j��\|�j�\|j\|j\|�s\|t � d \|j\|j��tj\|d��t�\|�j�\|j\|��\|jr�t�\|j�\|_t��fdd�\|jD��s�\|�j�\|j\|j\|�s�t � d \|j\|j��tj\|d��n��\|_\|�jjD�]}\|\|��q�dS�)zb :param request: OAuthlib request. :type request: oauthlib.common.Request r��)r$��Nz Missing refresh token parameter.)�descriptionr$��zAuthenticating client, %r.z$Invalid client (%r), denying access.z!Client authentication failed, %r.zValidating refresh token %s for client %r.z)Invalid refresh token, %s, for client %r.c��3��s��\|�]}\|��v�V��qd�S�)Nr��)�.0�s��original_scopesr��r�� <genexpr>~��s��z;RefreshTokenGrant.validate_token_request.<locals>.<genexpr>z+Refresh token %s lack requested scopes, %r.)� grant_typer��UnsupportedGrantTypeError�custom_validators� pre_tokenr��InvalidRequestErrorr��client_authentication_requiredr��r��authenticate_client�InvalidClientError�authenticate_client_idr ��validate_grant_typer!��validate_refresh_token�InvalidGrantErrorr�� scope_to_list�get_original_scopes�scope�scopes�all�is_within_original_scope�InvalidScopeError� post_token)r��r$�� validatorr��r-��r��r��K��sd�� z(RefreshTokenGrant.validate_token_request)NT)�__name__� __module__�__qualname__�__doc__r ��r)��r�� __classcell__r��r��r��r��r��s��.r��)rH��r��logging��r��r��baser�� getLoggerrE��r��r��r��r��r��r��<module>��s�� grant_types/__pycache__/authorization_code.cpython-310.pyc��0000644��00000043551�15030301546�0017713 0��ustar�00��o ��h�e��@��sv��d�Z�ddlZddlZddlZddlZddlmZ�ddlmZ�ddl m Z �e�e�Z dd ��Zd d��ZG�dd ��d e �ZdS�)zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N)�common��)�errors��)� GrantTypeBasec��C��s&��t��t�\|��d�\|kS�)a0�� If the "code_challenge_method" from `Section 4.3`_ was "S256", the received "code_verifier" is hashed by SHA-256, base64url-encoded, and then compared to the "code_challenge", i.e.: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge How to implement a base64url-encoding function without padding, based upon the standard base64-encoding function that uses padding. To be concrete, example C# code implementing these functions is shown below. Similar code could be used in other languages. static string base64urlencode(byte [] arg) { string s = Convert.ToBase64String(arg); // Regular base64 encoder s = s.Split('=')[0]; // Remove any trailing '='s s = s.Replace('+', '-'); // 62nd char of encoding s = s.Replace('/', '_'); // 63rd char of encoding return s; } In python urlsafe_b64encode is already replacing '+' and '/', but preserve the trailing '='. So we have to remove it. .. _`Section 4.3`: https://tools.ietf.org/html/rfc7636#section-4.3 �=)�base64�urlsafe_b64encode�hashlib�sha256�encode�digest�decode�rstrip��verifier� challenge��r��i/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/authorization_code.py�code_challenge_method_s256��s ��r��c��C��s��\|�\|kS�)z� If the "code_challenge_method" from `Section 4.3`_ was "plain", they are compared directly, i.e.: code_verifier == code_challenge. .. _`Section 4.3`: https://tools.ietf.org/html/rfc7636#section-4.3 r��r��r��r��r��code_challenge_method_plain4��s�� r��c��@��sT��e�Zd�ZdZdZdgZeed�Zdd��Z dd��Z d d ��Zdd��Zd d��Z dd��ZdS�)�AuthorizationCodeGranta��`Authorization Code Grant`_ The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ ^ \| (B) +----\|-----+ Client Identifier +---------------+ \| -+----(A)-- & Redirection URI ---->\| \| \| User- \| \| Authorization \| \| Agent -+----(B)-- User authenticates --->\| Server \| \| \| \| \| \| -+----(C)-- Authorization Code ---<\| \| +-\|----\|---+ +---------------+ \| \| ^ v (A) (C) \| \| \| \| \| \| ^ v \| \| +---------+ \| \| \| \|>---(D)-- Authorization Code ---------' \| \| Client \| & Redirection URI \| \| \| \| \| \|<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token) Note: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent. Figure 3: Authorization Code Flow The flow illustrated in Figure 3 includes the following steps: (A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). (B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. (C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. (D) The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. (E) The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. A technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy") is implemented in the current oauthlib implementation. .. _`Authorization Code Grant`: https://tools.ietf.org/html/rfc6749#section-4.1 .. _`PKCE`: https://tools.ietf.org/html/rfc7636 �query�code)�plain�S256c��C��s8��dt��i}t\|d�r\|jr\|j\|d<�t�d\|\|��\|S�)z� Generates an authorization grant represented as a dictionary. :param request: OAuthlib request. :type request: oauthlib.common.Request r��statez3Created authorization code grant %r for request %r.)r��generate_token�hasattrr��log�debug)�self�request�grantr��r��r��create_authorization_code��s�� z0AuthorizationCodeGrant.create_authorization_codec�� C��s��z \|��\|��t�d\|��W�nI�tjy"�}�zt�d\|\|��d}~w�tjyV�}�z(t�d\|\|��\|jp6\|�j\|_tj \|j\|j \|jdkd�}d\|iddfW��Y�d}~S�d}~ww�\|��\|�}\|�j D�]}\|\|\|\|�}q_d \|v�rs\|�j�\|\|��t�d \|\|��\|�j�\|j\|\|��\|��\|\|i�dd�S�)ag�� The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: response_type REQUIRED. Value MUST be set to "code" for standard OAuth2 authorization flow. For OpenID Connect it must be one of "code token", "code id_token", or "code token id_token" - we essentially test that "code" appears in the response_type. client_id REQUIRED. The client identifier as described in `Section 2.2`_. redirect_uri OPTIONAL. As described in `Section 3.1.2`_. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. The client directs the resource owner to the constructed URI using an HTTP redirection response, or by other means available to it via the user-agent. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. :returns: headers, body, status :raises: FatalClientError on invalid redirect URI or client id. A few examples:: >>> from your_validator import your_validator >>> request = Request('https://example.com/authorize?client_id=valid' ... '&redirect_uri=http%3A%2F%2Fclient.com%2F') >>> from oauthlib.common import Request >>> from oauthlib.oauth2 import AuthorizationCodeGrant, BearerToken >>> token = BearerToken(your_validator) >>> grant = AuthorizationCodeGrant(your_validator) >>> request.scopes = ['authorized', 'in', 'some', 'form'] >>> grant.create_authorization_response(request, token) (u'http://client.com/?error=invalid_request&error_description=Missing+response_type+parameter.', None, None, 400) >>> request = Request('https://example.com/authorize?client_id=valid' ... '&redirect_uri=http%3A%2F%2Fclient.com%2F' ... '&response_type=code') >>> request.scopes = ['authorized', 'in', 'some', 'form'] >>> grant.create_authorization_response(request, token) (u'http://client.com/?code=u3F05aEObJuP2k7DordviIgW5wl52N', None, None, 200) >>> # If the client id or redirect uri fails validation >>> grant.create_authorization_response(request, token) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/grant_types.py", line 515, in create_authorization_response >>> grant.create_authorization_response(request, token) File "oauthlib/oauth2/rfc6749/grant_types.py", line 591, in validate_authorization_request oauthlib.oauth2.rfc6749.errors.InvalidClientIdError .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 z6Pre resource owner authorization validation ok for %r.z/Fatal client error during validation of %r. %r.N�)Client error during validation of %r. %r.�fragment)r&��Locationi.��access_tokenzSaving grant %r for %r.)�validate_authorization_requestr��r ��r��FatalClientError�OAuth2Error�redirect_uri� error_urir��add_params_to_uri� twotuples� response_moder$��_code_modifiers�request_validator� save_token�save_authorization_code� client_id�prepare_authorization_response)r!��r"�� token_handler�er,��r#��modifierr��r��r��create_authorization_response��sB��E �� z4AuthorizationCodeGrant.create_authorization_responsec�� C��s��\|��}z \|��\|��t�d\|��W�n'�tjy8�}�zt�d\|\|��\|�\|j��\|\|j\|j fW��Y�d}~S�d}~ww�\|j \|\|�jd�}\|�jD�]}\|\|\|\|�}qD\|�j �\|\|��\|�j �\|j\|j\|��\|�\|��\|��\|t�\|�dfS�)a��Validate the authorization code. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. z#Token request validation ok for %r.r%��N)� refresh_token��)�_get_default_headers�validate_token_requestr��r ��r��r+��update�headers�json�status_code�create_tokenr;��_token_modifiersr2��r3��invalidate_authorization_coder5��r��_create_cors_headers�dumps)r!��r"��r7��r@��r8��tokenr9��r��r��r��create_token_response��s&�� z,AuthorizationCodeGrant.create_token_responsec�� C��s��dD�]#}z\|j�}W�n�ty��tjd\|d��w�\|\|v�r%tjd\|�\|d��q\|js/tj\|d��\|�j�\|j\|�s=tj\|d��t � d\|j\|j��\|��\|��i�}\|�j jD�] }\|�\|\|��qQ\|jdu�rftj\|d��d\|jvrv\|jd krvtj\|d��\|�j�\|j\|j\|j\|�s�t � d \|j\|j��tj\|d��\|�j�\|j\|�du�r�\|jdu�r�tj\|d��\|jdur�\|j\|d<�\|jdu�r�d \|_\|j\|�jvr�tj\|d��\|j\|d<�\|��\|��\|�\|j\|j\|j\|j\|d��\|�j jD�] }\|�\|\|��q�\|j\|fS�)a��Check the authorization request for normal and fatal errors. A normal error could be a missing response_type parameter or the client attempting to access scope it is not allowed to ask authorization for. Normal errors can safely be included in the redirection URI and sent back to the client. Fatal errors occur when the client_id or redirect_uri is invalid or missing. These must be caught by the provider and handled, how this is done is outside of the scope of OAuthLib but showing an error page describing the issue is a good idea. :param request: OAuthlib request. :type request: oauthlib.common.Request )r5�� response_typer,��scoper��zUnable to parse query string��descriptionr"��Duplicate %s parameter.�r"��z,Validating redirection uri %s for client %s.Nr��nonez4Client %s is not authorized to use response_type %s.T�code_challenger��code_challenge_method)r5��r,��rJ��r��r"��) �duplicate_params� ValueErrorr��InvalidRequestFatalErrorr5��MissingClientIdErrorr2��validate_client_id�InvalidClientIdErrorr��r ��r,��_handle_redirects�custom_validators�pre_authr?��rJ��MissingResponseTypeError�UnsupportedResponseTypeError�validate_response_type�client�UnauthorizedClientError�is_pkce_requiredrQ��MissingCodeChallengeErrorrR��_code_challenge_methods�#UnsupportedCodeChallengeMethodError�validate_scopesr�� post_auth�scopes)r!��r"��paramrS��request_info� validatorr��r��r��r)��>��sj�� z5AuthorizationCodeGrant.validate_authorization_requestc��C��s��\|j�dvrtj\|d��\|�jjD�]}\|\|��q\|jdu�r"tjd\|d��dD�]}\|\|jv�r4tjd\|�\|d��q$\|�j� \|�rN\|�j� \|�sMt�d\|��tj \|d��n\|�j�\|j\|�sbt�d\|��tj \|d��t\|jd �sltd ��\|jpr\|jj\|_\|��\|��\|�j�\|j\|j\|j\|�s�t�d\|j\|j\|j��tj\|d��\|�j�\|j\|�}\|dur�\|jdu�r�tj\|d��\|�j�\|j\|�}\|du�r�tj\|dd ��\|\|�jvr�tjd�\|�\|d��\|��\|\|\|j�s�t�d��tj\|d��n\|�j�\|j\|�du�r�\|jdu�r�tj\|d��tj\|dd ��dD�]}t \|\|d�du��rt�d\|��q\|j!du��r8d\|_"\|�j�#\|j\|�\|_!t�d\|j!��\|j!�s7tj$\|d��n d\|_"t�d\|j!��\|�j�%\|j\|j\|j!\|j\|��sbt�d\|j!\|j\|j��tj&\|d��\|�jj'D�]}\|\|��qfdS�)zb :param request: OAuthlib request. :type request: oauthlib.common.Request )�authorization_code�openidrO��NzMissing code parameter.rL��)r5�� grant_typer,��rN��z!Client authentication failed, %r.r5��z[Authenticate client must set the request.client.client_id attribute in authenticate_client.z4Client, %r (%r), is not allowed access to scopes %r.zChallenge method not found)r"��rM��zcode_challenge_method {} is not supported.z)request provided a invalid code_verifier.TzChallenge not found)�userrg��zrequest.%s was not set on code validation.zUsing default redirect_uri %s.FzUsing provided redirect_uri %sz-Redirect_uri (%r) invalid for client %r (%r).)(rm��r��UnsupportedGrantTypeErrorrZ�� pre_tokenr��InvalidRequestErrorrS��r2��client_authentication_required�authenticate_clientr��r ��InvalidClientError�authenticate_client_idr5��r��r_��NotImplementedError�validate_grant_type� validate_coderg��InvalidGrantError�get_code_challenge� code_verifier�MissingCodeVerifierError�get_code_challenge_methodrc��ServerError�format�validate_code_challengera��getattrr,��using_default_redirect_uri�get_default_redirect_uri�MissingRedirectURIError�confirm_redirect_uri�MismatchingRedirectURIError� post_token)r!��r"��rj��rh��r��challenge_method�attrr��r��r��r>��s�� z-AuthorizationCodeGrant.validate_token_requestc��C��s&��\|\|�j�v�r \|�j�\|�\|\|�S�td\|��)NzUnknown challenge_method %s)rc��rv��)r!��r��r��r��r��r��r��r��!��s�� z.AuthorizationCodeGrant.validate_code_challengeN)�__name__� __module__�__qualname__�__doc__�default_response_mode�response_typesr��r��rc��r$��r:��rI��r)��r>��r��r��r��r��r��r��@��s��S�m#unr��)r��r��r ��rA��logging�oauthlibr��r��baser�� getLoggerr��r��r��r��r��r��r��r��r��<module>��s�� "��grant_types/__pycache__/base.cpython-310.pyc��0000644��00000022052�15030301546�0014724 0��ustar�00��o ��h���@��s��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZ�ddl m Z �ddlmZ�dd lm Z �e�e�ZG�d d��d�ZG�dd ��d �ZdS�)zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N)�chain)�add_params_to_uri)�errors�utils)�is_absolute_uri��)�RequestValidator)�is_secure_transportc��@��s0��e�Zd�ZdZdd��Zedd��Zedd��ZdS�) �ValidatorsContainera�� Container object for holding custom validator callables to be invoked as part of the grant type `validate_authorization_request()` or `validate_authorization_request()` methods on the various grant types. Authorization validators must be callables that take a request object and return a dict, which may contain items to be added to the `request_info` returned from the grant_type after validation. Token validators must be callables that take a request object and return None. Both authorization validators and token validators may raise OAuth2 exceptions if validation conditions fail. Authorization validators added to `pre_auth` will be run BEFORE the standard validations (but after the critical ones that raise fatal errors) as part of `validate_authorization_request()` Authorization validators added to `post_auth` will be run AFTER the standard validations as part of `validate_authorization_request()` Token validators added to `pre_token` will be run BEFORE the standard validations as part of `validate_token_request()` Token validators added to `post_token` will be run AFTER the standard validations as part of `validate_token_request()` For example: >>> def my_auth_validator(request): ... return {'myval': True} >>> auth_code_grant = AuthorizationCodeGrant(request_validator) >>> auth_code_grant.custom_validators.pre_auth.append(my_auth_validator) >>> def my_token_validator(request): ... if not request.everything_okay: ... raise errors.OAuth2Error("uh-oh") >>> auth_code_grant.custom_validators.post_token.append(my_token_validator) c��C��s��\|\|�_�\|\|�_\|\|�_\|\|�_d�S��N)�pre_auth� post_auth� pre_token� post_token)�selfr ��r��r��r��r��[/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/base.py�__init__;��s�� zValidatorsContainer.__init__c��C��t�\|�j\|�j�S�r��)r��r��r��r��r��r��r��all_preB��zValidatorsContainer.all_prec��C��r��r��)r��r ��r��r��r��r��r��all_postF��r��zValidatorsContainer.all_postN)�__name__� __module__�__qualname__�__doc__r��propertyr��r��r��r��r��r��r ��s��( r ��c��@��s��e�Zd�ZdZdZdZdZdgZd!dd�Zdd��Z d d ��Z dd��Zd d��Zdd��Z dd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd��Zdd ��ZdS�)"� GrantTypeBaseN�fragmentT�codec��K��sT��\|pt��\|�_\|�j\|�_\|�j\|�_\|��\|��g�\|�_g�\|�_\|��D�] \}}t\|�\|\|��qd�S�r��) r��request_validator�response_types� refresh_token�_setup_custom_validators�_code_modifiers�_token_modifiers�items�setattr)r��r!��kwargs�kw�valr��r��r��r��R��s�� zGrantTypeBase.__init__c��C��st��\|��dg��}\|��dg��}\|��dg��}\|��dg��}t\|�d�s0\|s!\|r,d�\|�jj�}t\|��d\}}t\|\|\|\|�\|�_d�S�)Nr ��r��r��r��validate_authorization_requestzK{} does not support authorization validators. Use token validators instead.)r��r��)�get�hasattr�format� __class__r�� ValueErrorr ��custom_validators)r��r)��r ��r��r��r��msgr��r��r��r$��_��s�� z&GrantTypeBase._setup_custom_validatorsc��C��\|�j��\|��d�S�r��)r"��append)r�� response_typer��r��r��register_response_typen��z$GrantTypeBase.register_response_typec��C��r4��r��)r%��r5��r��modifierr��r��r��register_code_modifierq��r8��z$GrantTypeBase.register_code_modifierc��C��r4��r��)r&��r5��r9��r��r��r��register_token_modifiert��r8��z%GrantTypeBase.register_token_modifierc��C��t�d��z� :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. z&Subclasses must implement this method.��NotImplementedError�r��request� token_handlerr��r��r��create_authorization_responsew��z+GrantTypeBase.create_authorization_responsec��C��r=��r>��r?��rA��r��r��r��create_token_response��rE��z#GrantTypeBase.create_token_responsec��C��s&��\|j�dvr\|S�\|�\|j\|dd��\|S�)z� :param token: :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. :param request: OAuthlib request. :type request: oauthlib.common.Request )�tokenz code tokenzid_token tokenzcode id_token tokenF)r#��)r6��update�create_token)r��rG��rC��rB��r��r��r�� add_token��s�� zGrantTypeBase.add_tokenc��C��sH��t�\|dd�}\|�j�\|\|j\|j\|�s"t�d\|j\|j\|j��tj \|d��dS�)�b :param request: OAuthlib request. :type request: oauthlib.common.Request � client_idNz2Unauthorized from %r (%r) access to grant type %s.�rB��) �getattrr!��validate_grant_type� grant_type�client�log�debugrL��r��UnauthorizedClientError)r��rB��rL��r��r��r��rO��s�� z!GrantTypeBase.validate_grant_typec��C��sh��\|j�st�\|j�pt�\|�j�\|j\|��\|_�t�d\|j�\|j\|j ��\|�j� \|j\|j�\|j \|�s2tj\|d��dS�)rK��z2Validating access to scopes %r for client %r (%r).rM��N) �scopesr�� scope_to_list�scoper!��get_default_scopesrL��rR��rS��rQ��validate_scopesr��InvalidScopeError�r��rB��r��r��r��rY��s�� zGrantTypeBase.validate_scopesc��C��s��\|j�p\|�j\|_�\|j�dvrt�d\|j�\|�j��\|�j\|_�\|��}\|jdkr2\|�dd�}\|r0d\|fg}ng�}\|j�dkrFt\|j\|dd�\|d <�\|\|\|fS�\|j�d krZt\|j\|dd�\|d <�\|\|\|fS�t d��) a��Place token according to response mode. Base classes can define a default response mode for their authorization response by overriding the static `default_response_mode` member. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token: :param headers: :param body: :param status: )�queryr��z+Overriding invalid response mode %s with %s�none�stateNr\��F)r��Locationr��Tz1Subclasses must set a valid default_response_mode) � response_mode�default_response_moderR��rS��r'��r6��r-��r��redirect_urir@��)r��rB��rG��headers�body�status�token_itemsr^��r��r��r��prepare_authorization_response��s2�� z,GrantTypeBase.prepare_authorization_responsec��C��s��dddd�S�)z+Create default headers for grant responses.zapplication/jsonzno-storezno-cache)zContent-Typez Cache-Control�Pragmar��r��r��r��r��_get_default_headers��s��z"GrantTypeBase._get_default_headersc��C��s��\|j�d�ur,d\|_t�d\|j��t\|j��stj\|d��\|�j�\|j \|j�\|�stj \|d��d�S�\|�j�\|j \|�\|_�d\|_t�d\|j��\|j�sHtj\|d��t\|j��sStj\|d��d�S�)NFzUsing provided redirect_uri %srM��TzUsing default redirect_uri %s.) rb��using_default_redirect_urirR��rS��r��r��InvalidRedirectURIErrorr!��validate_redirect_urirL��MismatchingRedirectURIError�get_default_redirect_uri�MissingRedirectURIErrorr[��r��r��r��_handle_redirects��s(�� zGrantTypeBase._handle_redirectsc��C��sf��d\|j�vri�S�\|j�d�}t\|�st�d\|��i�S�\|�j�\|j\|\|�s)t�d\|��i�S�t�d\|��d\|iS�)z3If CORS is allowed, create the appropriate headers.�originz+Origin "%s" is not HTTPS, CORS not allowed.z&Invalid origin "%s", CORS not allowed.zValid origin "%s", injecting CORS headers.zAccess-Control-Allow-Origin)rc��r ��rR��rS��r!��is_origin_allowedrL��)r��rB��rq��r��r��r��_create_cors_headers��s�� z"GrantTypeBase._create_cors_headersr��)r��r��r�� error_urir!��ra��r#��r"��r��r$��r7��r;��r<��rD��rF��rJ��rO��rY��rg��ri��rp��rs��r��r��r��r��r��K��s(�� r��)r��logging� itertoolsr��oauthlib.commonr��oauthlib.oauth2.rfc6749r��r��oauthlib.uri_validater��r!��r��r �� getLoggerr��rR��r ��r��r��r��r��r��<module>��s�� 9��grant_types/__pycache__/resource_owner_password_credentials.cpython-310.pyc��0000644��00000017104�15030301546�0023354 0��ustar�00��o ��hD!��@��sJ��d�Z�ddlZddlZddlmZ�ddlmZ�e�e�Z G�dd��de�Z dS�) zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N��)�errors��)� GrantTypeBasec��@��s ��e�Zd�ZdZdd��Zdd��ZdS�)�%ResourceOwnerPasswordCredentialsGranta! ��`Resource Owner Password Credentials Grant`_ The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ v \| Resource Owner (A) Password Credentials \| v +---------+ +---------------+ \| \|>--(B)---- Resource Owner ------->\| \| \| \| Password Credentials \| Authorization \| \| Client \| \| Server \| \| \|<--(C)---- Access Token ---------<\| \| \| \| (w/ Optional Refresh Token) \| \| +---------+ +---------------+ Figure 5: Resource Owner Password Credentials Flow The flow illustrated in Figure 5 includes the following steps: (A) The resource owner provides the client with its username and password. (B) The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server. (C) The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token. .. _`Resource Owner Password Credentials Grant`: https://tools.ietf.org/html/rfc6749#section-4.3 c�� C��s.��\|��}z@\|�j�\|�r$t�d\|��\|�j�\|�s#t�d\|��tj\|d��n\|�j�\|j \|�s8t�d\|��tj\|d��t�d\|��\|�� \|��W�n&�tjyj�}�zt�d\|��\|�\|j ��\|\|j\|jfW��Y�d}~S�d}~ww�\|�\|\|�j�}\|�jD�]}\|\|�}qu\|�j�\|\|��t�d\|\|j \|j\|j��\|t�\|�dfS�) a��Return token or error in json format. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in `Section 5.1`_. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 zAuthenticating client, %r.z!Client authentication failed, %r.��requestz$Validating access token request, %r.z"Client error in token request, %s.Nz6Issuing token %r to client id %r (%r) and username %s.��)�_get_default_headers�request_validator�client_authentication_required�log�debug�authenticate_clientr��InvalidClientError�authenticate_client_id� client_id�validate_token_request�OAuth2Error�update�headers�json�status_code�create_token� refresh_token�_token_modifiers� save_token�client�username�dumps)�selfr�� token_handlerr��e�token�modifier��r%��z/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py�create_token_responseE��s6�� z;ResourceOwnerPasswordCredentialsGrant.create_token_responsec��C��s��\|�j�jD�]}\|\|��qdD�]}t\|\|d�stjd\|�\|d��q dD�]}\|\|jv�r1tjd\|�\|d��q!\|jdks=tj\|d��t� d \|j ��\|�j�\|j \|j \|j\|�sWtjd \|d��t\|jd�satd��t� d \|j��\|��\|��\|jrx\|jpv\|jj\|_\|��\|��\|�j�jD�]}\|\|��q�dS�)a�� :param request: OAuthlib request. :type request: oauthlib.common.Request The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body: grant_type REQUIRED. Value MUST be set to "password". username REQUIRED. The resource owner username. password REQUIRED. The resource owner password. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The authorization server MUST: o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements), o authenticate the client if client authentication is included, and o validate the resource owner password credentials using its existing password validation algorithm. Since this access token request utilizes the resource owner's password, the authorization server MUST protect the endpoint against brute force attacks (e.g., using rate-limitation or generating alerts). .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 )� grant_typer��passwordNz Request is missing %s parameter.r��)r(��r��r)��scopezDuplicate %s parameter.)�descriptionr��r)��zValidating username %s.zInvalid credentials given.r��zUValidate user must set the request.client.client_id attribute in authenticate_client.zAuthorizing access to user %r.)�custom_validators� pre_token�getattrr��InvalidRequestError�duplicate_paramsr(��UnsupportedGrantTypeErrorr ��r��r��r�� validate_userr)��r��InvalidGrantError�hasattr�NotImplementedError�user�validate_grant_typer��validate_scopes� post_token)r ��r�� validator�paramr%��r%��r&��r��r��sB��/ �� z<ResourceOwnerPasswordCredentialsGrant.validate_token_requestN)�__name__� __module__�__qualname__�__doc__r'��r��r%��r%��r%��r&��r��s��5-r��)r?��r��logging��r��baser�� getLoggerr<��r ��r��r%��r%��r%��r&��<module>��s�� grant_types/__pycache__/implicit.cpython-310.pyc��0000644��00000031055�15030301546�0015627 0��ustar�00��o ��h�A��@��sN��d�Z�ddlZddlmZ�ddlmZ�ddlmZ�e�e �Z G�dd ��d e�ZdS�) zJ oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ��N)�common��)�errors��)� GrantTypeBasec��@��sF��e�Zd�ZdZdgZdZdd��Zdd��Zdd ��Zd d��Z dd d�Z dS�)� ImplicitGranta��`Implicit Grant`_ The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript. Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token as the result of the authorization request. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ ^ \| (B) +----\|-----+ Client Identifier +---------------+ \| -+----(A)-- & Redirection URI --->\| \| \| User- \| \| Authorization \| \| Agent -\|----(B)-- User authenticates -->\| Server \| \| \| \| \| \| \|<---(C)--- Redirection URI ----<\| \| \| \| with Access Token +---------------+ \| \| in Fragment \| \| +---------------+ \| \|----(D)--- Redirection URI ---->\| Web-Hosted \| \| \| without Fragment \| Client \| \| \| \| Resource \| \| (F) \|<---(E)------- Script ---------<\| \| \| \| +---------------+ +-\|--------+ \| \| (A) (G) Access Token \| \| ^ v +---------+ \| \| \| Client \| \| \| +---------+ Note: The lines illustrating steps (A) and (B) are broken into two parts as they pass through the user-agent. Figure 4: Implicit Grant Flow The flow illustrated in Figure 4 includes the following steps: (A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). (B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. (C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment. (D) The user-agent follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]). The user-agent retains the fragment information locally. (E) The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment. (F) The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token. (G) The user-agent passes the access token to the client. See `Section 10.3`_ and `Section 10.16`_ for important security considerations when using the implicit grant. .. _`Implicit Grant`: https://tools.ietf.org/html/rfc6749#section-4.2 .. _`Section 10.3`: https://tools.ietf.org/html/rfc6749#section-10.3 .. _`Section 10.16`: https://tools.ietf.org/html/rfc6749#section-10.16 �tokenFc��C��s��\|��\|\|�S�)aM��Create an authorization response. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: response_type REQUIRED. Value MUST be set to "token" for standard OAuth2 implicit flow or "id_token token" or just "id_token" for OIDC implicit flow client_id REQUIRED. The client identifier as described in `Section 2.2`_. redirect_uri OPTIONAL. As described in `Section 3.1.2`_. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. The authorization server validates the request to ensure that all required parameters are present and valid. The authorization server MUST verify that the redirection URI to which it will redirect the access token matches a redirection URI registered by the client as described in `Section 3.1.2`_. .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B )�create_token_response)�self�request� token_handler��r ��_/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/grant_types/implicit.py�create_authorization_responsev��s��-z+ImplicitGrant.create_authorization_responsec�� C��s��z\|��\|��W�n=�tjy�}�zt�d\|\|��d}~w�tjyD�}�zt�d\|\|��dtj\|j\|j dd�iddfW��Y�d}~S�d}~ww�d\|j ��v�rT\|j\|d d �}ni�}\|j dur`\|j \|d<�\|�jD�]}\|\|\|\|�}qcd\|j ��v�rz\|�j�\|\|��\|��\|\|i�dd�S�)a��Return token or error embedded in the URI fragment. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in `Section 7.1`_. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by `Section 3.3`_. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. The authorization server MUST NOT issue a refresh token. .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 z/Fatal client error during validation of %r. %r.Nz)Client error during validation of %r. %r.�LocationT)�fragmenti.��r��F)� refresh_token�state)�validate_token_requestr��FatalClientError�log�debug�OAuth2Errorr��add_params_to_uri�redirect_uri� twotuples� response_type�split�create_tokenr��_token_modifiers�request_validator� save_token�prepare_authorization_response)r ��r��r��er��modifierr ��r ��r��r ��s:��,�� z#ImplicitGrant.create_token_responsec��C��s ��\|��\|�S�)zb :param request: OAuthlib request. :type request: oauthlib.common.Request )r��)r ��r��r ��r ��r��validate_authorization_request��s�� z,ImplicitGrant.validate_authorization_requestc�� C��sX��dD�]#}z\|j�}W�n�ty��tjd\|d��w�\|\|v�r%tjd\|�\|d��q\|js/tj\|d��\|�j�\|j\|�s=tj\|d��\|�� \|��\|�� \|\|�jj�}\|j du�rUtj\|d��t\|j ��\|�j�sftj\|d��t�d\|j\|j��\|�j�\|j\|j \|j\|�s�t�d\|j\|j ��tj\|d��\|��\|��\|�\|j\|j\|j \|j\|d ��\|�� \|\|�jj\|�}\|j\|fS�) aC��Check the token request for normal and fatal errors. :param request: OAuthlib request. :type request: oauthlib.common.Request This method is very similar to validate_authorization_request in the AuthorizationCodeGrant but differ in a few subtle areas. A normal error could be a missing response_type parameter or the client attempting to access scope it is not allowed to ask authorization for. Normal errors can safely be included in the redirection URI and sent back to the client. Fatal errors occur when the client_id or redirect_uri is invalid or missing. These must be caught by the provider and handled, how this is done is outside of the scope of OAuthLib but showing an error page describing the issue is a good idea. )� client_idr��r��scoper��zUnable to parse query string)�descriptionr��zDuplicate %s parameter.)r��Nz9Validating use of response_type token for client %r (%r).z4Client %s is not authorized to use response_type %s.)r&��r��r��r��r��)�duplicate_params� ValueErrorr��InvalidRequestFatalErrorr&��MissingClientIdErrorr ��validate_client_id�InvalidClientIdError�_handle_redirects�_run_custom_validators�custom_validators�all_prer��MissingResponseTypeError�setr��issubset�response_types�UnsupportedResponseTypeErrorr��r��client�validate_response_type�UnauthorizedClientError�validate_scopes�updater��r��all_post�scopes)r ��r��paramr)��request_infor ��r ��r��r��s\�� z$ImplicitGrant.validate_token_requestNc��C��s<��\|d�u�ri�n\|��}\|D�]}\|\|�}\|d�ur\|�\|��q\|S��N)�copyr<��)r ��r��validationsr@�� validator�resultr ��r ��r��r0��k��s�� z$ImplicitGrant._run_custom_validatorsrA��)�__name__� __module__�__qualname__�__doc__r6��grant_allows_refresh_tokenr��r ��r%��r��r0��r ��r ��r ��r��r��s��b/Zh�r��)rI��logging�oauthlibr��r��baser�� getLoggerrF��r��r��r ��r ��r ��r��<module>��s�� grant_types/resource_owner_password_credentials.py��0000644��00000020504�15030301546�0017013 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import json import logging from .. import errors from .base import GrantTypeBase log = logging.getLogger(__name__) class ResourceOwnerPasswordCredentialsGrant(GrantTypeBase): """`Resource Owner Password Credentials Grant`_ The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable. This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ v \| Resource Owner (A) Password Credentials \| v +---------+ +---------------+ \| \|>--(B)---- Resource Owner ------->\| \| \| \| Password Credentials \| Authorization \| \| Client \| \| Server \| \| \|<--(C)---- Access Token ---------<\| \| \| \| (w/ Optional Refresh Token) \| \| +---------+ +---------------+ Figure 5: Resource Owner Password Credentials Flow The flow illustrated in Figure 5 includes the following steps: (A) The resource owner provides the client with its username and password. (B) The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server. (C) The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token. .. _`Resource Owner Password Credentials Grant`: https://tools.ietf.org/html/rfc6749#section-4.3 """ def create_token_response(self, request, token_handler): """Return token or error in json format. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in `Section 5.1`_. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 """ headers = self._get_default_headers() try: if self.request_validator.client_authentication_required(request): log.debug('Authenticating client, %r.', request) if not self.request_validator.authenticate_client(request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) elif not self.request_validator.authenticate_client_id(request.client_id, request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) log.debug('Validating access token request, %r.', request) self.validate_token_request(request) except errors.OAuth2Error as e: log.debug('Client error in token request, %s.', e) headers.update(e.headers) return headers, e.json, e.status_code token = token_handler.create_token(request, self.refresh_token) for modifier in self._token_modifiers: token = modifier(token) self.request_validator.save_token(token, request) log.debug('Issuing token %r to client id %r (%r) and username %s.', token, request.client_id, request.client, request.username) return headers, json.dumps(token), 200 def validate_token_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body: grant_type REQUIRED. Value MUST be set to "password". username REQUIRED. The resource owner username. password REQUIRED. The resource owner password. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in `Section 3.2.1`_. The authorization server MUST: o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements), o authenticate the client if client authentication is included, and o validate the resource owner password credentials using its existing password validation algorithm. Since this access token request utilizes the resource owner's password, the authorization server MUST protect the endpoint against brute force attacks (e.g., using rate-limitation or generating alerts). .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 3.2.1`: https://tools.ietf.org/html/rfc6749#section-3.2.1 """ for validator in self.custom_validators.pre_token: validator(request) for param in ('grant_type', 'username', 'password'): if not getattr(request, param, None): raise errors.InvalidRequestError( 'Request is missing %s parameter.' % param, request=request) for param in ('grant_type', 'username', 'password', 'scope'): if param in request.duplicate_params: raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, request=request) # This error should rarely (if ever) occur if requests are routed to # grant type handlers based on the grant_type parameter. if not request.grant_type == 'password': raise errors.UnsupportedGrantTypeError(request=request) log.debug('Validating username %s.', request.username) if not self.request_validator.validate_user(request.username, request.password, request.client, request): raise errors.InvalidGrantError( 'Invalid credentials given.', request=request) else: if not hasattr(request.client, 'client_id'): raise NotImplementedError( 'Validate user must set the ' 'request.client.client_id attribute ' 'in authenticate_client.') log.debug('Authorizing access to user %r.', request.user) # Ensure client is authorized use of this grant type self.validate_grant_type(request) if request.client: request.client_id = request.client_id or request.client.client_id self.validate_scopes(request) for validator in self.custom_validators.post_token: validator(request) ��grant_types/client_credentials.py��0000644��00000011727�15030301546�0013315 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import json import logging from .. import errors from .base import GrantTypeBase log = logging.getLogger(__name__) class ClientCredentialsGrant(GrantTypeBase): """`Client Credentials Grant`_ The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification). The client credentials grant type MUST only be used by confidential clients:: +---------+ +---------------+ : : : : : :>-- A - Client Authentication --->: Authorization : : Client : : Server : : :<-- B ---- Access Token ---------<: : : : : : +---------+ +---------------+ Figure 6: Client Credentials Flow The flow illustrated in Figure 6 includes the following steps: (A) The client authenticates with the authorization server and requests an access token from the token endpoint. (B) The authorization server authenticates the client, and if valid, issues an access token. .. _`Client Credentials Grant`: https://tools.ietf.org/html/rfc6749#section-4.4 """ def create_token_response(self, request, token_handler): """Return token or error in JSON format. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the access token request is valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in `Section 5.2`_. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 """ headers = self._get_default_headers() try: log.debug('Validating access token request, %r.', request) self.validate_token_request(request) except errors.OAuth2Error as e: log.debug('Client error in token request. %s.', e) headers.update(e.headers) return headers, e.json, e.status_code token = token_handler.create_token(request, refresh_token=False) for modifier in self._token_modifiers: token = modifier(token) self.request_validator.save_token(token, request) log.debug('Issuing token to client id %r (%r), %r.', request.client_id, request.client, token) return headers, json.dumps(token), 200 def validate_token_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ for validator in self.custom_validators.pre_token: validator(request) if not getattr(request, 'grant_type', None): raise errors.InvalidRequestError('Request is missing grant type.', request=request) if not request.grant_type == 'client_credentials': raise errors.UnsupportedGrantTypeError(request=request) for param in ('grant_type', 'scope'): if param in request.duplicate_params: raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, request=request) log.debug('Authenticating client, %r.', request) if not self.request_validator.authenticate_client(request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) else: if not hasattr(request.client, 'client_id'): raise NotImplementedError('Authenticate client must set the ' 'request.client.client_id attribute ' 'in authenticate_client.') # Ensure client is authorized use of this grant type self.validate_grant_type(request) request.client_id = request.client_id or request.client.client_id log.debug('Authorizing access to client %r.', request.client_id) self.validate_scopes(request) for validator in self.custom_validators.post_token: validator(request) ��grant_types/refresh_token.py��0000644��00000013403�15030301546�0012311 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import json import logging from .. import errors, utils from .base import GrantTypeBase log = logging.getLogger(__name__) class RefreshTokenGrant(GrantTypeBase): """`Refresh token grant`_ .. _`Refresh token grant`: https://tools.ietf.org/html/rfc6749#section-6 """ def __init__(self, request_validator=None, issue_new_refresh_tokens=True, kwargs): super().__init__( request_validator, issue_new_refresh_tokens=issue_new_refresh_tokens, kwargs) def create_token_response(self, request, token_handler): """Create a new access token from a refresh_token. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If valid and authorized, the authorization server issues an access token as described in `Section 5.1`_. If the request failed verification or is invalid, the authorization server returns an error response as described in `Section 5.2`_. The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client. If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request. .. _`Section 5.1`: https://tools.ietf.org/html/rfc6749#section-5.1 .. _`Section 5.2`: https://tools.ietf.org/html/rfc6749#section-5.2 """ headers = self._get_default_headers() try: log.debug('Validating refresh token request, %r.', request) self.validate_token_request(request) except errors.OAuth2Error as e: log.debug('Client error in token request, %s.', e) headers.update(e.headers) return headers, e.json, e.status_code token = token_handler.create_token(request, refresh_token=self.issue_new_refresh_tokens) for modifier in self._token_modifiers: token = modifier(token, token_handler, request) self.request_validator.save_token(token, request) log.debug('Issuing new token to client id %r (%r), %r.', request.client_id, request.client, token) headers.update(self._create_cors_headers(request)) return headers, json.dumps(token), 200 def validate_token_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ # REQUIRED. Value MUST be set to "refresh_token". if request.grant_type != 'refresh_token': raise errors.UnsupportedGrantTypeError(request=request) for validator in self.custom_validators.pre_token: validator(request) if request.refresh_token is None: raise errors.InvalidRequestError( description='Missing refresh token parameter.', request=request) # Because refresh tokens are typically long-lasting credentials used to # request additional access tokens, the refresh token is bound to the # client to which it was issued. If the client type is confidential or # the client was issued client credentials (or assigned other # authentication requirements), the client MUST authenticate with the # authorization server as described in Section 3.2.1. # https://tools.ietf.org/html/rfc6749#section-3.2.1 if self.request_validator.client_authentication_required(request): log.debug('Authenticating client, %r.', request) if not self.request_validator.authenticate_client(request): log.debug('Invalid client (%r), denying access.', request) raise errors.InvalidClientError(request=request) elif not self.request_validator.authenticate_client_id(request.client_id, request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) # Ensure client is authorized use of this grant type self.validate_grant_type(request) # REQUIRED. The refresh token issued to the client. log.debug('Validating refresh token %s for client %r.', request.refresh_token, request.client) if not self.request_validator.validate_refresh_token( request.refresh_token, request.client, request): log.debug('Invalid refresh token, %s, for client %r.', request.refresh_token, request.client) raise errors.InvalidGrantError(request=request) original_scopes = utils.scope_to_list( self.request_validator.get_original_scopes( request.refresh_token, request)) if request.scope: request.scopes = utils.scope_to_list(request.scope) if (not all(s in original_scopes for s in request.scopes) and not self.request_validator.is_within_original_scope( request.scopes, request.refresh_token, request)): log.debug('Refresh token %s lack requested scopes, %r.', request.refresh_token, request.scopes) raise errors.InvalidScopeError(request=request) else: request.scopes = original_scopes for validator in self.custom_validators.post_token: validator(request) ��grant_types/authorization_code.py��0000644��00000062766�15030301546�0013365 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import base64 import hashlib import json import logging from oauthlib import common from .. import errors from .base import GrantTypeBase log = logging.getLogger(__name__) def code_challenge_method_s256(verifier, challenge): """ If the "code_challenge_method" from `Section 4.3`_ was "S256", the received "code_verifier" is hashed by SHA-256, base64url-encoded, and then compared to the "code_challenge", i.e.: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge How to implement a base64url-encoding function without padding, based upon the standard base64-encoding function that uses padding. To be concrete, example C# code implementing these functions is shown below. Similar code could be used in other languages. static string base64urlencode(byte [] arg) { string s = Convert.ToBase64String(arg); // Regular base64 encoder s = s.Split('=')[0]; // Remove any trailing '='s s = s.Replace('+', '-'); // 62nd char of encoding s = s.Replace('/', '_'); // 63rd char of encoding return s; } In python urlsafe_b64encode is already replacing '+' and '/', but preserve the trailing '='. So we have to remove it. .. _`Section 4.3`: https://tools.ietf.org/html/rfc7636#section-4.3 """ return base64.urlsafe_b64encode( hashlib.sha256(verifier.encode()).digest() ).decode().rstrip('=') == challenge def code_challenge_method_plain(verifier, challenge): """ If the "code_challenge_method" from `Section 4.3`_ was "plain", they are compared directly, i.e.: code_verifier == code_challenge. .. _`Section 4.3`: https://tools.ietf.org/html/rfc7636#section-4.3 """ return verifier == challenge class AuthorizationCodeGrant(GrantTypeBase): """`Authorization Code Grant`_ The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ ^ \| (B) +----\|-----+ Client Identifier +---------------+ \| -+----(A)-- & Redirection URI ---->\| \| \| User- \| \| Authorization \| \| Agent -+----(B)-- User authenticates --->\| Server \| \| \| \| \| \| -+----(C)-- Authorization Code ---<\| \| +-\|----\|---+ +---------------+ \| \| ^ v (A) (C) \| \| \| \| \| \| ^ v \| \| +---------+ \| \| \| \|>---(D)-- Authorization Code ---------' \| \| Client \| & Redirection URI \| \| \| \| \| \|<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token) Note: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent. Figure 3: Authorization Code Flow The flow illustrated in Figure 3 includes the following steps: (A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). (B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. (C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. (D) The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification. (E) The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token. OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. A technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy") is implemented in the current oauthlib implementation. .. _`Authorization Code Grant`: https://tools.ietf.org/html/rfc6749#section-4.1 .. _`PKCE`: https://tools.ietf.org/html/rfc7636 """ default_response_mode = 'query' response_types = ['code'] # This dict below is private because as RFC mention it: # "S256" is Mandatory To Implement (MTI) on the server. # _code_challenge_methods = { 'plain': code_challenge_method_plain, 'S256': code_challenge_method_s256 } def create_authorization_code(self, request): """ Generates an authorization grant represented as a dictionary. :param request: OAuthlib request. :type request: oauthlib.common.Request """ grant = {'code': common.generate_token()} if hasattr(request, 'state') and request.state: grant['state'] = request.state log.debug('Created authorization code grant %r for request %r.', grant, request) return grant def create_authorization_response(self, request, token_handler): """ The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: response_type REQUIRED. Value MUST be set to "code" for standard OAuth2 authorization flow. For OpenID Connect it must be one of "code token", "code id_token", or "code token id_token" - we essentially test that "code" appears in the response_type. client_id REQUIRED. The client identifier as described in `Section 2.2`_. redirect_uri OPTIONAL. As described in `Section 3.1.2`_. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. The client directs the resource owner to the constructed URI using an HTTP redirection response, or by other means available to it via the user-agent. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. :returns: headers, body, status :raises: FatalClientError on invalid redirect URI or client id. A few examples:: >>> from your_validator import your_validator >>> request = Request('https://example.com/authorize?client_id=valid' ... '&redirect_uri=http%3A%2F%2Fclient.com%2F') >>> from oauthlib.common import Request >>> from oauthlib.oauth2 import AuthorizationCodeGrant, BearerToken >>> token = BearerToken(your_validator) >>> grant = AuthorizationCodeGrant(your_validator) >>> request.scopes = ['authorized', 'in', 'some', 'form'] >>> grant.create_authorization_response(request, token) (u'http://client.com/?error=invalid_request&error_description=Missing+response_type+parameter.', None, None, 400) >>> request = Request('https://example.com/authorize?client_id=valid' ... '&redirect_uri=http%3A%2F%2Fclient.com%2F' ... '&response_type=code') >>> request.scopes = ['authorized', 'in', 'some', 'form'] >>> grant.create_authorization_response(request, token) (u'http://client.com/?code=u3F05aEObJuP2k7DordviIgW5wl52N', None, None, 200) >>> # If the client id or redirect uri fails validation >>> grant.create_authorization_response(request, token) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "oauthlib/oauth2/rfc6749/grant_types.py", line 515, in create_authorization_response >>> grant.create_authorization_response(request, token) File "oauthlib/oauth2/rfc6749/grant_types.py", line 591, in validate_authorization_request oauthlib.oauth2.rfc6749.errors.InvalidClientIdError .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 """ try: self.validate_authorization_request(request) log.debug('Pre resource owner authorization validation ok for %r.', request) # If the request fails due to a missing, invalid, or mismatching # redirection URI, or if the client identifier is missing or invalid, # the authorization server SHOULD inform the resource owner of the # error and MUST NOT automatically redirect the user-agent to the # invalid redirection URI. except errors.FatalClientError as e: log.debug('Fatal client error during validation of %r. %r.', request, e) raise # If the resource owner denies the access request or if the request # fails for reasons other than a missing or invalid redirection URI, # the authorization server informs the client by adding the following # parameters to the query component of the redirection URI using the # "application/x-www-form-urlencoded" format, per Appendix B: # https://tools.ietf.org/html/rfc6749#appendix-B except errors.OAuth2Error as e: log.debug('Client error during validation of %r. %r.', request, e) request.redirect_uri = request.redirect_uri or self.error_uri redirect_uri = common.add_params_to_uri( request.redirect_uri, e.twotuples, fragment=request.response_mode == "fragment") return {'Location': redirect_uri}, None, 302 grant = self.create_authorization_code(request) for modifier in self._code_modifiers: grant = modifier(grant, token_handler, request) if 'access_token' in grant: self.request_validator.save_token(grant, request) log.debug('Saving grant %r for %r.', grant, request) self.request_validator.save_authorization_code( request.client_id, grant, request) return self.prepare_authorization_response( request, grant, {}, None, 302) def create_token_response(self, request, token_handler): """Validate the authorization code. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. """ headers = self._get_default_headers() try: self.validate_token_request(request) log.debug('Token request validation ok for %r.', request) except errors.OAuth2Error as e: log.debug('Client error during validation of %r. %r.', request, e) headers.update(e.headers) return headers, e.json, e.status_code token = token_handler.create_token(request, refresh_token=self.refresh_token) for modifier in self._token_modifiers: token = modifier(token, token_handler, request) self.request_validator.save_token(token, request) self.request_validator.invalidate_authorization_code( request.client_id, request.code, request) headers.update(self._create_cors_headers(request)) return headers, json.dumps(token), 200 def validate_authorization_request(self, request): """Check the authorization request for normal and fatal errors. A normal error could be a missing response_type parameter or the client attempting to access scope it is not allowed to ask authorization for. Normal errors can safely be included in the redirection URI and sent back to the client. Fatal errors occur when the client_id or redirect_uri is invalid or missing. These must be caught by the provider and handled, how this is done is outside of the scope of OAuthLib but showing an error page describing the issue is a good idea. :param request: OAuthlib request. :type request: oauthlib.common.Request """ # First check for fatal errors # If the request fails due to a missing, invalid, or mismatching # redirection URI, or if the client identifier is missing or invalid, # the authorization server SHOULD inform the resource owner of the # error and MUST NOT automatically redirect the user-agent to the # invalid redirection URI. # First check duplicate parameters for param in ('client_id', 'response_type', 'redirect_uri', 'scope', 'state'): try: duplicate_params = request.duplicate_params except ValueError: raise errors.InvalidRequestFatalError(description='Unable to parse query string', request=request) if param in duplicate_params: raise errors.InvalidRequestFatalError(description='Duplicate %s parameter.' % param, request=request) # REQUIRED. The client identifier as described in Section 2.2. # https://tools.ietf.org/html/rfc6749#section-2.2 if not request.client_id: raise errors.MissingClientIdError(request=request) if not self.request_validator.validate_client_id(request.client_id, request): raise errors.InvalidClientIdError(request=request) # OPTIONAL. As described in Section 3.1.2. # https://tools.ietf.org/html/rfc6749#section-3.1.2 log.debug('Validating redirection uri %s for client %s.', request.redirect_uri, request.client_id) # OPTIONAL. As described in Section 3.1.2. # https://tools.ietf.org/html/rfc6749#section-3.1.2 self._handle_redirects(request) # Then check for normal errors. # If the resource owner denies the access request or if the request # fails for reasons other than a missing or invalid redirection URI, # the authorization server informs the client by adding the following # parameters to the query component of the redirection URI using the # "application/x-www-form-urlencoded" format, per Appendix B. # https://tools.ietf.org/html/rfc6749#appendix-B # Note that the correct parameters to be added are automatically # populated through the use of specific exceptions. request_info = {} for validator in self.custom_validators.pre_auth: request_info.update(validator(request)) # REQUIRED. if request.response_type is None: raise errors.MissingResponseTypeError(request=request) # Value MUST be set to "code" or one of the OpenID authorization code including # response_types "code token", "code id_token", "code token id_token" elif not 'code' in request.response_type and request.response_type != 'none': raise errors.UnsupportedResponseTypeError(request=request) if not self.request_validator.validate_response_type(request.client_id, request.response_type, request.client, request): log.debug('Client %s is not authorized to use response_type %s.', request.client_id, request.response_type) raise errors.UnauthorizedClientError(request=request) # OPTIONAL. Validate PKCE request or reply with "error"/"invalid_request" # https://tools.ietf.org/html/rfc6749#section-4.4.1 if self.request_validator.is_pkce_required(request.client_id, request) is True: if request.code_challenge is None: raise errors.MissingCodeChallengeError(request=request) if request.code_challenge is not None: request_info["code_challenge"] = request.code_challenge # OPTIONAL, defaults to "plain" if not present in the request. if request.code_challenge_method is None: request.code_challenge_method = "plain" if request.code_challenge_method not in self._code_challenge_methods: raise errors.UnsupportedCodeChallengeMethodError(request=request) request_info["code_challenge_method"] = request.code_challenge_method # OPTIONAL. The scope of the access request as described by Section 3.3 # https://tools.ietf.org/html/rfc6749#section-3.3 self.validate_scopes(request) request_info.update({ 'client_id': request.client_id, 'redirect_uri': request.redirect_uri, 'response_type': request.response_type, 'state': request.state, 'request': request }) for validator in self.custom_validators.post_auth: request_info.update(validator(request)) return request.scopes, request_info def validate_token_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ # REQUIRED. Value MUST be set to "authorization_code". if request.grant_type not in ('authorization_code', 'openid'): raise errors.UnsupportedGrantTypeError(request=request) for validator in self.custom_validators.pre_token: validator(request) if request.code is None: raise errors.InvalidRequestError( description='Missing code parameter.', request=request) for param in ('client_id', 'grant_type', 'redirect_uri'): if param in request.duplicate_params: raise errors.InvalidRequestError(description='Duplicate %s parameter.' % param, request=request) if self.request_validator.client_authentication_required(request): # If the client type is confidential or the client was issued client # credentials (or assigned other authentication requirements), the # client MUST authenticate with the authorization server as described # in Section 3.2.1. # https://tools.ietf.org/html/rfc6749#section-3.2.1 if not self.request_validator.authenticate_client(request): log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) elif not self.request_validator.authenticate_client_id(request.client_id, request): # REQUIRED, if the client is not authenticating with the # authorization server as described in Section 3.2.1. # https://tools.ietf.org/html/rfc6749#section-3.2.1 log.debug('Client authentication failed, %r.', request) raise errors.InvalidClientError(request=request) if not hasattr(request.client, 'client_id'): raise NotImplementedError('Authenticate client must set the ' 'request.client.client_id attribute ' 'in authenticate_client.') request.client_id = request.client_id or request.client.client_id # Ensure client is authorized use of this grant type self.validate_grant_type(request) # REQUIRED. The authorization code received from the # authorization server. if not self.request_validator.validate_code(request.client_id, request.code, request.client, request): log.debug('Client, %r (%r), is not allowed access to scopes %r.', request.client_id, request.client, request.scopes) raise errors.InvalidGrantError(request=request) # OPTIONAL. Validate PKCE code_verifier challenge = self.request_validator.get_code_challenge(request.code, request) if challenge is not None: if request.code_verifier is None: raise errors.MissingCodeVerifierError(request=request) challenge_method = self.request_validator.get_code_challenge_method(request.code, request) if challenge_method is None: raise errors.InvalidGrantError(request=request, description="Challenge method not found") if challenge_method not in self._code_challenge_methods: raise errors.ServerError( description="code_challenge_method {} is not supported.".format(challenge_method), request=request ) if not self.validate_code_challenge(challenge, challenge_method, request.code_verifier): log.debug('request provided a invalid code_verifier.') raise errors.InvalidGrantError(request=request) elif self.request_validator.is_pkce_required(request.client_id, request) is True: if request.code_verifier is None: raise errors.MissingCodeVerifierError(request=request) raise errors.InvalidGrantError(request=request, description="Challenge not found") for attr in ('user', 'scopes'): if getattr(request, attr, None) is None: log.debug('request.%s was not set on code validation.', attr) # REQUIRED, if the "redirect_uri" parameter was included in the # authorization request as described in Section 4.1.1, and their # values MUST be identical. if request.redirect_uri is None: request.using_default_redirect_uri = True request.redirect_uri = self.request_validator.get_default_redirect_uri( request.client_id, request) log.debug('Using default redirect_uri %s.', request.redirect_uri) if not request.redirect_uri: raise errors.MissingRedirectURIError(request=request) else: request.using_default_redirect_uri = False log.debug('Using provided redirect_uri %s', request.redirect_uri) if not self.request_validator.confirm_redirect_uri(request.client_id, request.code, request.redirect_uri, request.client, request): log.debug('Redirect_uri (%r) invalid for client %r (%r).', request.redirect_uri, request.client_id, request.client) raise errors.MismatchingRedirectURIError(request=request) for validator in self.custom_validators.post_token: validator(request) def validate_code_challenge(self, challenge, challenge_method, verifier): if challenge_method in self._code_challenge_methods: return self._code_challenge_methods[challenge_method](verifier, challenge) raise NotImplementedError('Unknown challenge_method %s' % challenge_method) ��grant_types/implicit.py��0000644��00000040724�15030301546�0011273 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ import logging from oauthlib import common from .. import errors from .base import GrantTypeBase log = logging.getLogger(__name__) class ImplicitGrant(GrantTypeBase): """`Implicit Grant`_ The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript. Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token as the result of the authorization request. The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device:: +----------+ \| Resource \| \| Owner \| \| \| +----------+ ^ \| (B) +----\|-----+ Client Identifier +---------------+ \| -+----(A)-- & Redirection URI --->\| \| \| User- \| \| Authorization \| \| Agent -\|----(B)-- User authenticates -->\| Server \| \| \| \| \| \| \|<---(C)--- Redirection URI ----<\| \| \| \| with Access Token +---------------+ \| \| in Fragment \| \| +---------------+ \| \|----(D)--- Redirection URI ---->\| Web-Hosted \| \| \| without Fragment \| Client \| \| \| \| Resource \| \| (F) \|<---(E)------- Script ---------<\| \| \| \| +---------------+ +-\|--------+ \| \| (A) (G) Access Token \| \| ^ v +---------+ \| \| \| Client \| \| \| +---------+ Note: The lines illustrating steps (A) and (B) are broken into two parts as they pass through the user-agent. Figure 4: Implicit Grant Flow The flow illustrated in Figure 4 includes the following steps: (A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied). (B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request. (C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment. (D) The user-agent follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]). The user-agent retains the fragment information locally. (E) The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment. (F) The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token. (G) The user-agent passes the access token to the client. See `Section 10.3`_ and `Section 10.16`_ for important security considerations when using the implicit grant. .. _`Implicit Grant`: https://tools.ietf.org/html/rfc6749#section-4.2 .. _`Section 10.3`: https://tools.ietf.org/html/rfc6749#section-10.3 .. _`Section 10.16`: https://tools.ietf.org/html/rfc6749#section-10.16 """ response_types = ['token'] grant_allows_refresh_token = False def create_authorization_response(self, request, token_handler): """Create an authorization response. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: response_type REQUIRED. Value MUST be set to "token" for standard OAuth2 implicit flow or "id_token token" or just "id_token" for OIDC implicit flow client_id REQUIRED. The client identifier as described in `Section 2.2`_. redirect_uri OPTIONAL. As described in `Section 3.1.2`_. scope OPTIONAL. The scope of the access request as described by `Section 3.3`_. state RECOMMENDED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in `Section 10.12`_. The authorization server validates the request to ensure that all required parameters are present and valid. The authorization server MUST verify that the redirection URI to which it will redirect the access token matches a redirection URI registered by the client as described in `Section 3.1.2`_. .. _`Section 2.2`: https://tools.ietf.org/html/rfc6749#section-2.2 .. _`Section 3.1.2`: https://tools.ietf.org/html/rfc6749#section-3.1.2 .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 10.12`: https://tools.ietf.org/html/rfc6749#section-10.12 .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B """ return self.create_token_response(request, token_handler) def create_token_response(self, request, token_handler): """Return token or error embedded in the URI fragment. :param request: OAuthlib request. :type request: oauthlib.common.Request :param token_handler: A token handler instance, for example of type oauthlib.oauth2.BearerToken. If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the "application/x-www-form-urlencoded" format, per `Appendix B`_: access_token REQUIRED. The access token issued by the authorization server. token_type REQUIRED. The type of the token issued as described in `Section 7.1`_. Value is case insensitive. expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value. scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token as described by `Section 3.3`_. state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client. The authorization server MUST NOT issue a refresh token. .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B .. _`Section 3.3`: https://tools.ietf.org/html/rfc6749#section-3.3 .. _`Section 7.1`: https://tools.ietf.org/html/rfc6749#section-7.1 """ try: self.validate_token_request(request) # If the request fails due to a missing, invalid, or mismatching # redirection URI, or if the client identifier is missing or invalid, # the authorization server SHOULD inform the resource owner of the # error and MUST NOT automatically redirect the user-agent to the # invalid redirection URI. except errors.FatalClientError as e: log.debug('Fatal client error during validation of %r. %r.', request, e) raise # If the resource owner denies the access request or if the request # fails for reasons other than a missing or invalid redirection URI, # the authorization server informs the client by adding the following # parameters to the fragment component of the redirection URI using the # "application/x-www-form-urlencoded" format, per Appendix B: # https://tools.ietf.org/html/rfc6749#appendix-B except errors.OAuth2Error as e: log.debug('Client error during validation of %r. %r.', request, e) return {'Location': common.add_params_to_uri(request.redirect_uri, e.twotuples, fragment=True)}, None, 302 # In OIDC implicit flow it is possible to have a request_type that does not include the access_token! # "id_token token" - return the access token and the id token # "id_token" - don't return the access token if "token" in request.response_type.split(): token = token_handler.create_token(request, refresh_token=False) else: token = {} if request.state is not None: token['state'] = request.state for modifier in self._token_modifiers: token = modifier(token, token_handler, request) # In OIDC implicit flow it is possible to have a request_type that does # not include the access_token! In this case there is no need to save a token. if "token" in request.response_type.split(): self.request_validator.save_token(token, request) return self.prepare_authorization_response( request, token, {}, None, 302) def validate_authorization_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ return self.validate_token_request(request) def validate_token_request(self, request): """Check the token request for normal and fatal errors. :param request: OAuthlib request. :type request: oauthlib.common.Request This method is very similar to validate_authorization_request in the AuthorizationCodeGrant but differ in a few subtle areas. A normal error could be a missing response_type parameter or the client attempting to access scope it is not allowed to ask authorization for. Normal errors can safely be included in the redirection URI and sent back to the client. Fatal errors occur when the client_id or redirect_uri is invalid or missing. These must be caught by the provider and handled, how this is done is outside of the scope of OAuthLib but showing an error page describing the issue is a good idea. """ # First check for fatal errors # If the request fails due to a missing, invalid, or mismatching # redirection URI, or if the client identifier is missing or invalid, # the authorization server SHOULD inform the resource owner of the # error and MUST NOT automatically redirect the user-agent to the # invalid redirection URI. # First check duplicate parameters for param in ('client_id', 'response_type', 'redirect_uri', 'scope', 'state'): try: duplicate_params = request.duplicate_params except ValueError: raise errors.InvalidRequestFatalError(description='Unable to parse query string', request=request) if param in duplicate_params: raise errors.InvalidRequestFatalError(description='Duplicate %s parameter.' % param, request=request) # REQUIRED. The client identifier as described in Section 2.2. # https://tools.ietf.org/html/rfc6749#section-2.2 if not request.client_id: raise errors.MissingClientIdError(request=request) if not self.request_validator.validate_client_id(request.client_id, request): raise errors.InvalidClientIdError(request=request) # OPTIONAL. As described in Section 3.1.2. # https://tools.ietf.org/html/rfc6749#section-3.1.2 self._handle_redirects(request) # Then check for normal errors. request_info = self._run_custom_validators(request, self.custom_validators.all_pre) # If the resource owner denies the access request or if the request # fails for reasons other than a missing or invalid redirection URI, # the authorization server informs the client by adding the following # parameters to the fragment component of the redirection URI using the # "application/x-www-form-urlencoded" format, per Appendix B. # https://tools.ietf.org/html/rfc6749#appendix-B # Note that the correct parameters to be added are automatically # populated through the use of specific exceptions # REQUIRED. if request.response_type is None: raise errors.MissingResponseTypeError(request=request) # Value MUST be one of our registered types: "token" by default or if using OIDC "id_token" or "id_token token" elif not set(request.response_type.split()).issubset(self.response_types): raise errors.UnsupportedResponseTypeError(request=request) log.debug('Validating use of response_type token for client %r (%r).', request.client_id, request.client) if not self.request_validator.validate_response_type(request.client_id, request.response_type, request.client, request): log.debug('Client %s is not authorized to use response_type %s.', request.client_id, request.response_type) raise errors.UnauthorizedClientError(request=request) # OPTIONAL. The scope of the access request as described by Section 3.3 # https://tools.ietf.org/html/rfc6749#section-3.3 self.validate_scopes(request) request_info.update({ 'client_id': request.client_id, 'redirect_uri': request.redirect_uri, 'response_type': request.response_type, 'state': request.state, 'request': request, }) request_info = self._run_custom_validators( request, self.custom_validators.all_post, request_info ) return request.scopes, request_info def _run_custom_validators(self, request, validations, request_info=None): # Make a copy so we don't modify the existing request_info dict request_info = {} if request_info is None else request_info.copy() # For implicit grant, auth_validators and token_validators are # basically equivalent since the token is returned from the # authorization endpoint. for validator in validations: result = validator(request) if result is not None: request_info.update(result) return request_info ��grant_types/__init__.py��0000644��00000000560�15030301546�0011212 0��ustar�00��""" oauthlib.oauth2.rfc6749.grant_types ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ """ from .authorization_code import AuthorizationCodeGrant from .client_credentials import ClientCredentialsGrant from .implicit import ImplicitGrant from .refresh_token import RefreshTokenGrant from .resource_owner_password_credentials import ( ResourceOwnerPasswordCredentialsGrant, ) ��endpoints/base.py��0000644��00000010042�15030301546�0010025 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import functools import logging from ..errors import ( FatalClientError, InvalidClientError, InvalidRequestError, OAuth2Error, ServerError, TemporarilyUnavailableError, UnsupportedTokenTypeError, ) log = logging.getLogger(__name__) class BaseEndpoint: def __init__(self): self._available = True self._catch_errors = False self._valid_request_methods = None @property def valid_request_methods(self): return self._valid_request_methods @valid_request_methods.setter def valid_request_methods(self, valid_request_methods): if valid_request_methods is not None: valid_request_methods = [x.upper() for x in valid_request_methods] self._valid_request_methods = valid_request_methods @property def available(self): return self._available @available.setter def available(self, available): self._available = available @property def catch_errors(self): return self._catch_errors @catch_errors.setter def catch_errors(self, catch_errors): self._catch_errors = catch_errors def _raise_on_missing_token(self, request): """Raise error on missing token.""" if not request.token: raise InvalidRequestError(request=request, description='Missing token parameter.') def _raise_on_invalid_client(self, request): """Raise on failed client authentication.""" if self.request_validator.client_authentication_required(request): if not self.request_validator.authenticate_client(request): log.debug('Client authentication failed, %r.', request) raise InvalidClientError(request=request) elif not self.request_validator.authenticate_client_id(request.client_id, request): log.debug('Client authentication failed, %r.', request) raise InvalidClientError(request=request) def _raise_on_unsupported_token(self, request): """Raise on unsupported tokens.""" if (request.token_type_hint and request.token_type_hint in self.valid_token_types and request.token_type_hint not in self.supported_token_types): raise UnsupportedTokenTypeError(request=request) def _raise_on_bad_method(self, request): if self.valid_request_methods is None: raise ValueError('Configure "valid_request_methods" property first') if request.http_method.upper() not in self.valid_request_methods: raise InvalidRequestError(request=request, description=('Unsupported request method %s' % request.http_method.upper())) def _raise_on_bad_post_request(self, request): """Raise if invalid POST request received """ if request.http_method.upper() == 'POST': query_params = request.uri_query or "" if query_params: raise InvalidRequestError(request=request, description=('URL query parameters are not allowed')) def catch_errors_and_unavailability(f): @functools.wraps(f) def wrapper(endpoint, uri, args, *kwargs): if not endpoint.available: e = TemporarilyUnavailableError() log.info('Endpoint unavailable, ignoring request %s.' % uri) return {}, e.json, 503 if endpoint.catch_errors: try: return f(endpoint, uri, args, *kwargs) except OAuth2Error: raise except FatalClientError: raise except Exception as e: error = ServerError() log.warning( 'Exception caught while processing request, %s.' % e) return {}, error.json, 500 else: return f(endpoint, uri, args, *kwargs) return wrapper ��endpoints/__pycache__/pre_configured.cpython-310.pyc��0000644��00000017500�15030301546�0016453 0��ustar�00��o ��h�.��@��s��d�Z�ddlmZmZmZmZmZ�ddlmZ�ddl m Z �ddlmZ�ddl mZ�ddlmZ�dd lmZ�G�d d��de eeee�ZG�dd ��d e eeee�ZG�dd��de eee�ZG�dd��deeee�ZG�dd��deeee�ZdS�)z� oauthlib.oauth2.rfc6749.endpoints.pre_configured ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various endpoints needed for providing OAuth 2.0 RFC6749 servers. ��)�AuthorizationCodeGrant�ClientCredentialsGrant� ImplicitGrant�RefreshTokenGrant�%ResourceOwnerPasswordCredentialsGrant)�BearerToken��)�AuthorizationEndpoint)�IntrospectEndpoint)�ResourceEndpoint)�RevocationEndpoint)� TokenEndpointc��@��e�Zd�ZdZ ddd�ZdS�)�Serverz<An all-in-one endpoint featuring all four major grant types.Nc��O��s��t�\|�\|�_t\|�\|�_t\|�\|�_t\|�\|�_t\|�\|�_ t \|\|\|\|�\|�_tj \|�d\|�j\|�j\|�jd�\|�jd��tj \|�d\|�j\|�j\|�j\|�j d�\|�jd��tj \|�dd\|�jid��t� \|�\|��t� \|�\|��d S�) a��Construct a new all-grants-in-one server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. �code)r��token�none��default_response_type�response_types�default_token_type�authorization_code)r��password�client_credentials� refresh_token��default_grant_type�grant_typesr��Bearer�� default_token�token_typesN)r�� auth_grantr��implicit_grantr��password_grantr��credentials_grantr�� refresh_grantr��bearerr ��__init__r ��r��r��r ��)�self�request_validator�token_expires_in�token_generator�refresh_token_generator�args�kwargs��r0��c/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/pre_configured.pyr(��s<�� zServer.__init__�NNN��__name__� __module__�__qualname__�__doc__r(��r0��r0��r0��r1��r�� r��c��@��r��)�WebApplicationServerzLAn all-in-one endpoint featuring Authorization code grant and Bearer tokens.Nc��K��s��t�\|�\|�_t\|�\|�_t\|\|\|\|�\|�_tj\|�dd\|�ji\|�jd��tj\|�d\|�j\|�jd�\|�jd��t j\|�dd\|�jid��t �\|�\|��t�\|�\|��dS�) a��Construct a new web application server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. r��r��r��)r��r��r��r��r��N)r��r"��r��r&��r��r'��r ��r(��r ��r��r��r ��r)��r��r,��r+��r-��r/��r0��r0��r1��r(��N��s(�� zWebApplicationServer.__init__r2��r3��r0��r0��r0��r1��r9��I��r8��r9��c��@��r��)�MobileApplicationServerzGAn all-in-one endpoint featuring Implicit code grant and Bearer tokens.Nc��K��r��t�\|�\|�_t\|\|\|\|�\|�_tj\|�dd\|�ji\|�jd��tj\|�dd\|�jid��tj\|�\|dgd��tj\|�\|dgd��dS�)a��Construct a new implicit grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. r��r��r��r��access_token��supported_token_typesN) r��r#��r��r'��r ��r(��r��r��r ��r:��r0��r0��r1��r(��u��$�� z MobileApplicationServer.__init__r2��r3��r0��r0��r0��r1��r;��p��r8��r;��c��@��r��)�LegacyApplicationServerz]An all-in-one endpoint featuring Resource Owner Password Credentials grant and Bearer tokens.Nc��K��st��t�\|�\|�_t\|�\|�_t\|\|\|\|�\|�_tj\|�d\|�j\|�jd�\|�jd��tj\|�dd\|�jid��t �\|�\|��t �\|�\|��dS�)a��Construct a resource owner password credentials grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. r��)r��r��r��r��r��N)r��r$��r��r&��r��r'��r ��r(��r��r��r ��r:��r0��r0��r1��r(��s$�� z LegacyApplicationServer.__init__r2��r3��r0��r0��r0��r1��rA��r8��rA��c��@��r��)�BackendApplicationServerzLAn all-in-one endpoint featuring Client Credentials grant and Bearer tokens.Nc��K��r<��)a��Construct a client credentials grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. r��r��r��r��r=��r>��N) r��r%��r��r'��r ��r(��r��r��r ��r:��r0��r0��r1��r(��r@��z!BackendApplicationServer.__init__r2��r3��r0��r0��r0��r1��rB��r8��rB��N)r7��r��r��r��r��r��r��tokensr�� authorizationr �� introspectr ��resourcer�� revocationr��r��r ��r��r9��r;��rA��rB��r0��r0��r0��r1��<module>��s.��5�'�#�%��endpoints/__pycache__/__init__.cpython-310.pyc��0000644��00000001512�15030301546�0015213 0��ustar�00��o ��h)��@��sl��d�Z�ddlmZ�ddlmZ�ddlmZ�ddlmZm Z m Z mZmZ�ddl mZ�ddlmZ�ddlmZ�d S�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��)�AuthorizationEndpoint)�IntrospectEndpoint)�MetadataEndpoint)�BackendApplicationServer�LegacyApplicationServer�MobileApplicationServer�Server�WebApplicationServer)�ResourceEndpoint)�RevocationEndpoint)� TokenEndpointN)�__doc__� authorizationr�� introspectr��metadatar��pre_configuredr��r��r��r��r ��resourcer �� revocationr��tokenr��r��r��]/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/__init__.py�<module>��s��endpoints/__pycache__/metadata.cpython-310.pyc��0000644��00000021173�15030301546�0015241 0��ustar�00��o ��h")��@��s��d�Z�ddlZddlZddlZddlmZmZ�ddlmZ�ddl m Z mZ�ddlm Z �dd lmZ�dd lmZ�e�e�ZG�dd��de �ZdS�) z� oauthlib.oauth2.rfc6749.endpoint.metadata ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the `OAuth 2.0 Authorization Server Metadata`. .. _`OAuth 2.0 Authorization Server Metadata`: https://tools.ietf.org/html/rfc8414 ��N��)�grant_types�utils��)�AuthorizationEndpoint)�BaseEndpoint�catch_errors_and_unavailability)�IntrospectEndpoint)�RevocationEndpoint)� TokenEndpointc��@��sb��e�Zd�ZdZi�dfdd�Ze ddd��Zdd d�Zdd ��Zdd��Z dd��Z dd��Zdd��ZdS�)�MetadataEndpointa��OAuth2.0 Authorization Server Metadata endpoint. This specification generalizes the metadata format defined by `OpenID Connect Discovery 1.0` in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases. This is intentionally parallel to the way that OAuth 2.0 Dynamic Client Registration Protocol [`RFC7591`_] generalized the dynamic client registration mechanisms defined by OpenID Connect Dynamic Client Registration 1.0 in a way that is compatible with it. .. _`OpenID Connect Discovery 1.0`: https://openid.net/specs/openid-connect-discovery-1_0.html .. _`RFC7591`: https://tools.ietf.org/html/rfc7591 Tc��C��sP��t�\|t�sJ��\|D�] }t�\|t�sJ��q t�\|��\|\|�_\|\|�_\|\|�_\|��\|�_d�S�)N) � isinstance�dictr��__init__�raise_errors� endpoints�initial_claims�validate_metadata_server�claims)�selfr��r��r��endpoint��r��]/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/metadata.pyr��(��s�� zMetadataEndpoint.__init__�GETNc��C��s��ddd�}\|t��\|�j�dfS�)z!Create metadata response zapplication/json�)zContent-TypezAccess-Control-Allow-Origin��)�json�dumpsr��)r��uri�http_method�body�headersr��r��r��create_metadata_response3��s��z)MetadataEndpoint.create_metadata_responseFc��C��s��\|�j�sd�S�\|\|vr\|rtd�\|��d�S�\|rEt�\|\|��s'td�\|\|\|��d\|\|�v�s9d\|\|�v�s9d\|\|�v�rCtd�\|\|\|��d�S�\|rZ\|\|��d�sXtd�\|\|\|��d�S�\|r�t\|\|�t�smtd �\|\|\|��\|\|�D�]}t\|t�s�td �\|\|\|�\|��qqd�S�d�S�)Nzkey {} is a mandatory metadata.zkey {}: {} must be an HTTPS URL�?�&�#z8key {}: {} must not contain query or fragment components�httpzkey {}: {} must be an URLzkey {}: {} must be an Arrayz/array {}: {} must contains only string (not {})) r�� ValueError�formatr��is_secure_transport� startswithr ��list�str)r��array�key�is_required�is_list�is_url� is_issuer�elemr��r��r��validate_metadata>��s2��$�� z"MetadataEndpoint.validate_metadatac��C��sX��\|�j��\|j��\|�dddg��\|�j\|ddd��\|�j\|ddd��\|�j\|dddd��d S�) z� If the token endpoint is used in the grant type, the value of this parameter MUST be the same as the value of the "grant_type" parameter passed to the token endpoint defined in the grant type definition. �%token_endpoint_auth_methods_supported�client_secret_post�client_secret_basicT�r0��0token_endpoint_auth_signing_alg_values_supported�token_endpoint�r/��r1��N)�_grant_types�extend�keys� setdefaultr4��r��r��r��r��r��r��validate_metadata_tokenW��s ��z(MetadataEndpoint.validate_metadata_tokenc��C��s��\|��dttdd��\|j��\|��dddg��d\|d�v�r$\|�j�d��\|�j\|dd d d ��\|�j\|dd d��d\|d�v�ra\|jd�}t\|t j �sNt\|d �rN\|j}\|��dt\|j ��\|�j\|dd d��\|�j\|dd d d��d�S�)N�response_types_supportedc��S��s��\|�dkS�)N�noner��)�xr��r��r��<lambda>g��s��zBMetadataEndpoint.validate_metadata_authorization.<locals>.<lambda>�response_modes_supported�query�fragment�token�implicitT)r/��r0��r8��code� default_grant� code_challenge_methods_supported�authorization_endpointr;��)r?��r+��filter�_response_typesr>��r<��appendr4��r ��r��AuthorizationCodeGrant�hasattrrL��_code_challenge_methods)r��r��r�� code_grantr��r��r��validate_metadata_authorizatione��s"�� z0MetadataEndpoint.validate_metadata_authorizationc��C��F��\|��dddg��\|�j\|ddd��\|�j\|ddd��\|�j\|dddd��d�S�) N�revocation_endpoint_auth_methods_supportedr6��r7��Tr8��5revocation_endpoint_auth_signing_alg_values_supported�revocation_endpointr;��r?��r4��r@��r��r��r��validate_metadata_revocation\|��z-MetadataEndpoint.validate_metadata_revocationc��C��rW��) N�-introspection_endpoint_auth_methods_supportedr6��r7��Tr8��8introspection_endpoint_auth_signing_alg_values_supported�introspection_endpointr;��r[��r@��r��r��r��validate_metadata_introspection��r]��z0MetadataEndpoint.validate_metadata_introspectionc��C��s ��t��\|�j�}\|�j\|dddd��\|�j\|ddd��\|�j\|ddd��\|�j\|ddd��\|�j\|d dd��\|�j\|d dd��\|�j\|ddd��g�\|�_\|�jD�].}t\|t�rR\|��\|\|��t\|t �r]\|�� \|\|��t\|t�rh\|��\|\|��t\|t �rs\|��\|\|��qE\|�d\|�j��\|�j\|ddd��\|S�) a� �� Authorization servers can have metadata describing their configuration. The following authorization server metadata values are used by this specification. More details can be found in `RFC8414 section 2`_ : issuer REQUIRED authorization_endpoint URL of the authorization server's authorization endpoint [`RFC6749#Authorization`_]. This is REQUIRED unless no grant types are supported that use the authorization endpoint. token_endpoint URL of the authorization server's token endpoint [`RFC6749#Token`_]. This is REQUIRED unless only the implicit grant type is supported. scopes_supported RECOMMENDED. response_types_supported REQUIRED. Other OPTIONAL fields: jwks_uri, registration_endpoint, response_modes_supported grant_types_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [`RFC7591`_]. If omitted, the default value is "["authorization_code", "implicit"]". token_endpoint_auth_methods_supported token_endpoint_auth_signing_alg_values_supported service_documentation ui_locales_supported op_policy_uri op_tos_uri revocation_endpoint revocation_endpoint_auth_methods_supported revocation_endpoint_auth_signing_alg_values_supported introspection_endpoint introspection_endpoint_auth_methods_supported introspection_endpoint_auth_signing_alg_values_supported code_challenge_methods_supported Additional authorization server metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Discovery 1.0 [`OpenID.Discovery`_]. .. _`RFC8414 section 2`: https://tools.ietf.org/html/rfc8414#section-2 .. _`RFC6749#Authorization`: https://tools.ietf.org/html/rfc6749#section-3.1 .. _`RFC6749#Token`: https://tools.ietf.org/html/rfc6749#section-3.2 .. _`RFC7591`: https://tools.ietf.org/html/rfc7591 .. _`OpenID.Discovery`: https://openid.net/specs/openid-connect-discovery-1_0.html �issuerT)r/��r2��jwks_uri)r1��scopes_supportedr8��service_documentation�ui_locales_supported� op_policy_uri� op_tos_uri�grant_types_supported)�copy�deepcopyr��r4��r<��r��r ��r��rA��r��rV��r ��r\��r ��ra��r?��r@��r��r��r��r��s,��J �z)MetadataEndpoint.validate_metadata_server)r��NN)FFFF) �__name__� __module__�__qualname__�__doc__r��r��r"��r4��rA��rV��r\��ra��r��r��r��r��r��r��s�� r��)ro��rj��r��logging��r��r�� authorizationr��baser��r�� introspectr �� revocationr ��rI��r�� getLoggerrl��logr��r��r��r��r��<module>��s�� endpoints/__pycache__/introspect.cpython-310.pyc��0000644��00000011721�15030301546�0015651 0��ustar�00��o ��hS��@��sZ��d�Z�ddlZddlZddlmZ�ddlmZ�ddlmZm Z �e� e�ZG�dd ��d e�Z dS�) z� oauthlib.oauth2.rfc6749.endpoint.introspect ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the OAuth 2.0 `Token Introspection`. .. _`Token Introspection`: https://tools.ietf.org/html/rfc7662 ��N)�Request��)�OAuth2Error��)�BaseEndpoint�catch_errors_and_unavailabilityc��@��s<��e�Zd�ZdZdZdZddd�Ze d dd ��Zd d��Z dS�)�IntrospectEndpointa��Introspect token endpoint. This endpoint defines a method to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource. To prevent the values of access tokens from leaking into server-side logs via query parameters, an authorization server offering token introspection MAY disallow the use of HTTP GET on the introspection endpoint and instead require the HTTP POST method to be used at the introspection endpoint. )�access_token� refresh_token)�POSTNc��C��s ��t��\|��\|\|�_\|p\|�j\|�_d�S��N)r��__init__�request_validator�valid_token_types�supported_token_types)�selfr��r��r��_/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/introspect.pyr ��)��s�� zIntrospectEndpoint.__init__r��c�� C��s��dddd�}t�\|\|\|\|�}z \|��\|��t�d\|��W�n&�ty@�}�zt�d\|\|��\|�\|j��\|\|j\|jfW��Y�d}~S�d}~ww�\|�j � \|j\|j\|�}\|du�rZ\|t� tdd ��d fS�d\|v�rc\|�d��\|t� td ddi\|��d fS�)a��Create introspect valid or invalid response If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2. zapplication/jsonzno-storezno-cache)zContent-Typez Cache-Control�PragmazToken introspect valid for %r.z)Client error during validation of %r. %r.NF)�active��r��Tr��)r��validate_introspect_request�log�debugr��update�headers�json�status_coder��introspect_token�token�token_type_hint�dumps�dict�pop) r��uri�http_method�bodyr��resp_headers�request�e�claimsr��r��r��create_introspect_response/��s0�� z-IntrospectEndpoint.create_introspect_responsec��C��s6��\|��\|��\|��\|��\|��\|��\|��\|��\|��\|��dS�)a��Ensure the request is valid. The protected resource calls the introspection endpoint using an HTTP POST request with parameters sent as "application/x-www-form-urlencoded". token REQUIRED. The string value of the token. * token_type_hint OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. * access_token: An Access Token as defined in [`RFC6749`], `section 1.4`_ * refresh_token: A Refresh Token as defined in [`RFC6749`], `section 1.5`_ The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. .. _`section 1.4`: http://tools.ietf.org/html/rfc6749#section-1.4 .. _`section 1.5`: http://tools.ietf.org/html/rfc6749#section-1.5 .. _`RFC6749`: http://tools.ietf.org/html/rfc6749 N)�_raise_on_bad_method�_raise_on_bad_post_request�_raise_on_missing_token�_raise_on_invalid_client�_raise_on_unsupported_token)r��r(��r��r��r��r��R��s �� " z.IntrospectEndpoint.validate_introspect_requestr��)r��NN) �__name__� __module__�__qualname__�__doc__r��valid_request_methodsr ��r��r+��r��r��r��r��r��r��s�� "r��)r4��r��logging�oauthlib.commonr��errorsr��baser��r�� getLoggerr1��r��r��r��r��r��r��<module>��s�� endpoints/__pycache__/authorization.cpython-310.pyc��0000644��00000011013�15030301546�0016351 0��ustar�00��o ��h��@��sR��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZ�e� e �ZG�dd��de�ZdS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N)�Request)�utils��)�BaseEndpoint�catch_errors_and_unavailabilityc��@��sl��e�Zd�ZdZdd��Zedd��Zedd��Zedd ��Zed d��Z e ddd��Ze ddd��Zd S�)�AuthorizationEndpointaa��Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection. The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g. username and password login, session cookies) is beyond the scope of this specification. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per `Appendix B`_) query component, which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component:: https://example.com/path?query=component # OK https://example.com/path?query=component#fragment # Not OK Since requests to the authorization endpoint result in user authentication and the transmission of clear-text credentials (in the HTTP response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint:: # We will deny any request which URI schema is not with https The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint, and MAY support the use of the "POST" method as well:: # HTTP method is currently not enforced Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once:: # Enforced through the design of oauthlib.common.Request .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B c��C��s ��t��\|��\|\|�_\|\|�_\|\|�_d�S��N)r��__init__�_response_types�_default_response_type�_default_token_type)�self�default_response_type�default_token_type�response_types��r��b/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/authorization.pyr ��>��s�� zAuthorizationEndpoint.__init__c��C��\|�j�S�r��)r ��r ��r��r��r��r��E��z$AuthorizationEndpoint.response_typesc��C��r��r��)r��r��r��r��r��r��I��r��z+AuthorizationEndpoint.default_response_typec��C��s��\|�j��\|�j�S�r��)r��getr��r��r��r��r��default_response_type_handlerM��s��z3AuthorizationEndpoint.default_response_type_handlerc��C��r��r��)r��r��r��r��r��r��Q��r��z(AuthorizationEndpoint.default_token_type�GETNc��C��sn��t�\|\|\|\|d�}\|\|_d\|_\|pi��D�] \}} t\|\|\| ��q\|�j�\|j\|�j�} t � d\|j\| ��\| �\|\|�j�S�)�:Extract response_type and route to the designated handler.��http_method�body�headersNz+Dispatching response_type %s request to %r.) r��scopes�user�items�setattrr��r�� response_typer��log�debug�create_authorization_responser��)r ��urir��r��r��r��credentials�request�k�v�response_type_handlerr��r��r��r%��U��s ��z3AuthorizationEndpoint.create_authorization_responsec��C��s:��t�\|\|\|\|d�}t�\|j�\|_\|�j�\|j\|�j�}\|� \|�S�)r��r��) r��r�� scope_to_list�scoper��r��r��r"��r��validate_authorization_request)r ��r&��r��r��r��r(��r+��r��r��r��r.��g��s�� z4AuthorizationEndpoint.validate_authorization_request)r��NNNN)r��NN) �__name__� __module__�__qualname__�__doc__r ��propertyr��r��r��r��r��r%��r.��r��r��r��r��r��s&��* ��r��) r2��logging�oauthlib.commonr��oauthlib.oauth2.rfc6749r��baser��r�� getLoggerr/��r#��r��r��r��r��r��<module>��s�� endpoints/__pycache__/base.cpython-310.pyc��0000644��00000010515�15030301546�0014371 0��ustar�00��o ��h"��@��s\��d�Z�ddlZddlZddlmZmZmZmZmZm Z m Z �e�e�Z G�dd��d�Zdd��ZdS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N��)�FatalClientError�InvalidClientError�InvalidRequestError�OAuth2Error�ServerError�TemporarilyUnavailableError�UnsupportedTokenTypeErrorc��@��s��e�Zd�Zdd��Zedd��Zejdd��Zedd��Zejdd��Zed d ��Zejdd ��Zdd ��Z dd��Z dd��Zdd��Zdd��Z dS�)�BaseEndpointc��C��s��d\|�_�d\|�_d�\|�_d�S�)NTF)� _available� _catch_errors�_valid_request_methods��self��r��Y/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py�__init__��s�� zBaseEndpoint.__init__c��C��\|�j�S��N�r ��r��r��r��r��valid_request_methods��z"BaseEndpoint.valid_request_methodsc��C��s ��\|d�urdd��\|D��}\|\|�_�d�S�)Nc��S��s��g�\|�]}\|��qS�r��)�upper)�.0�xr��r��r�� <listcomp>!��s��z6BaseEndpoint.valid_request_methods.<locals>.<listcomp>r��)r��r��r��r��r��r��s�� c��C��r��r��r��r��r��r��r�� available%��r��zBaseEndpoint.availablec��C�� \|\|�_�d�S�r��r��)r��r��r��r��r��r��)�� c��C��r��r��r��r��r��r��r��catch_errors-��r��zBaseEndpoint.catch_errorsc��C��r��r��r ��)r��r!��r��r��r��r!��1��r��c��C��s��\|j�s t\|dd��dS�)zRaise error on missing token.zMissing token parameter.��request�descriptionN)�tokenr��r��r#��r��r��r��_raise_on_missing_token5��s ��z$BaseEndpoint._raise_on_missing_tokenc��C��s\��\|�j��\|�r\|�j��\|�st�d\|��t\|d��dS�\|�j��\|j\|�s,t�d\|��t\|d��dS�)z&Raise on failed client authentication.z!Client authentication failed, %r.�r#��N)�request_validator�client_authentication_required�authenticate_client�log�debugr��authenticate_client_id� client_idr&��r��r��r��_raise_on_invalid_client:��s�� z%BaseEndpoint._raise_on_invalid_clientc��C��s4��\|j�r\|j�\|�jv�r\|j�\|�jvrt\|d��dS�dS�dS�)zRaise on unsupported tokens.r(��N)�token_type_hint�valid_token_types�supported_token_typesr ��r&��r��r��r��_raise_on_unsupported_tokenD��s�� z(BaseEndpoint._raise_on_unsupported_tokenc��C��s<��\|�j�d�u�r td��\|j��\|�j�vrt\|d\|j��d��d�S�)Nz0Configure "valid_request_methods" property firstzUnsupported request method %sr"��)r�� ValueError�http_methodr��r��r&��r��r��r��_raise_on_bad_methodK��s�� z!BaseEndpoint._raise_on_bad_methodc��C��s0��\|j��dkr\|jpd}\|rt\|dd��dS�dS�)z/Raise if invalid POST request received �POST��z$URL query parameters are not allowedr"��N)r6��r�� uri_queryr��)r��r#��query_paramsr��r��r��_raise_on_bad_post_requestR��s�� z'BaseEndpoint._raise_on_bad_post_requestN)�__name__� __module__�__qualname__r��propertyr��setterr��r!��r'��r0��r4��r7��r<��r��r��r��r��r ��s&�� r ��c��s��t��fdd��}\|S�)Nc�� s��\|�j�st��}t�d\|��i�\|jdfS�\|�jrTz ��\|�\|g\|�R�i�\|��W�S��ty+��ty2��tyS�}�zt ��}t� d\|��i�\|jdfW��Y�d�}~S�d�}~ww��\|�\|g\|�R�i�\|��S�)NzEndpoint unavailable, ignoring request %s.i��z.Exception caught while processing request, %s.i��)r��r��r,��info�jsonr!��r��r�� Exceptionr��warning)�endpoint�uri�args�kwargs�e�error��fr��r��wrapper\��s(��z0catch_errors_and_unavailability.<locals>.wrapper)� functools�wraps)rM��rN��r��rL��r��catch_errors_and_unavailability[��s��rQ��)�__doc__rO��logging�errorsr��r��r��r��r��r��r �� getLoggerr=��r,��r ��rQ��r��r��r��r��<module>��s��$ H��endpoints/__pycache__/resource.cpython-310.pyc��0000644��00000007453�15030301546�0015315 0��ustar�00��o ��h��@��sF��d�Z�ddlZddlmZ�ddlmZmZ�e�e�Z G�dd��de�Z dS�)z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N)�Request��)�BaseEndpoint�catch_errors_and_unavailabilityc��@��sV��e�Zd�ZdZdd��Zedd��Zedd��Zedd ��Ze ddd ��Z dd��ZdS�)�ResourceEndpointa��Authorizes access to protected resources. The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server:: # For most cases, returning a 403 should suffice. The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field [RFC2617] with an authentication scheme defined by the specification of the access token type used, such as [RFC6750]:: # Access tokens may also be provided in query and body https://example.com/protected?access_token=kjfch2345sdf # Query access_token=sdf23409df # Body c��C��s��t��\|��\|\|�_\|\|�_d�S��N)r��__init__�_tokens�_default_token)�self� default_token�token_types��r��]/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/resource.pyr��,��s�� zResourceEndpoint.__init__c��C��\|�j�S�r��)r ��r��r��r��r��r��1��zResourceEndpoint.default_tokenc��C��s��\|�j��\|�j�S�r��)�tokens�getr��r��r��r��r��default_token_type_handler5��s��z+ResourceEndpoint.default_token_type_handlerc��C��r��r��)r ��r��r��r��r��r��9��r��zResourceEndpoint.tokens�GETNc��C��sP��t�\|\|\|\|�}\|��\|�\|_\|\|_\|�j�\|j\|�j�}t�d\|j\|��\|� \|�\|fS�)z0Validate client, code etc, return body + headersz(Dispatching token_type %s request to %r.) r��find_token_type� token_type�scopesr��r��r��log�debug�validate_request)r��uri�http_method�body�headersr��request�token_type_handlerr��r��r��verify_request=��s�� zResourceEndpoint.verify_requestc��s8��t��fdd�\|�j��D��dd�}t\|�r\|d�d�S�dS�)a>��Token type identification. RFC 6749 does not provide a method for easily differentiating between different token types during protected resource access. We estimate the most likely token type (if any) by asking each known token type to give an estimation based on the request. c��3��s"��\|�]\}}\|��\|fV��qd�S�r��)� estimate_type)�.0�n�t�r!��r��r�� <genexpr>R��s��z3ResourceEndpoint.find_token_type.<locals>.<genexpr>T)�reverser��r��N)�sortedr��items�len)r��r!�� estimatesr��r(��r��r��J��s��z ResourceEndpoint.find_token_type)r��NNN)�__name__� __module__�__qualname__�__doc__r��propertyr��r��r��r��r#��r��r��r��r��r��r��s�� r��)r2��logging�oauthlib.commonr��baser��r�� getLoggerr/��r��r��r��r��r��r��<module>��s�� endpoints/__pycache__/revocation.cpython-310.pyc��0000644��00000012061�15030301546�0015626 0��ustar�00��o ��h\��@��sR��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZ�e� e �ZG�dd ��d e�ZdS�) z� oauthlib.oauth2.rfc6749.endpoint.revocation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the OAuth 2 `Token Revocation`_ spec (draft 11). .. _`Token Revocation`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11 ��N)�Request��)�OAuth2Error��)�BaseEndpoint�catch_errors_and_unavailabilityc��@��s@��e�Zd�ZdZdZdZ d dd�Ze dd d ��Zdd��Z dS�)�RevocationEndpointz�Token revocation endpoint. Endpoint used by authenticated clients to revoke access and refresh tokens. Commonly this will be part of the Authorization Endpoint. )�access_token� refresh_token)�POSTNFc��C��s&��t��\|��\|\|�_\|p\|�j\|�_\|\|�_d�S�)N)r��__init__�request_validator�valid_token_types�supported_token_types�enable_jsonp)�selfr ��r��r��r��_/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/revocation.pyr��s �� zRevocationEndpoint.__init__r��c�� C��s��dddd�}t�\|\|\|\|d�}z \|��\|��t�d\|��W�n5�tyP�}�z)t�d\|\|��\|j}\|�jr:\|jr:d�\|j\|�}\|� \|j ��\|\|\|jfW��Y�d }~S�d }~ww�\|�j� \|j\|j\|��d }\|�jrh\|jrh\|jd�}i�\|dfS�) a��Revoke supplied access or refresh token. The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token. Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved. The content of the response body is ignored by the client as all necessary information is conveyed in the response code. An invalid token type hint value is ignored by the authorization server and does not influence the revocation response. zapplication/jsonzno-storezno-cache)zContent-Typez Cache-Control�Pragma)�http_method�body�headerszToken revocation valid for %r.z)Client error during validation of %r. %r.z{}({});N��z();��)r��validate_revocation_request�log�debugr��jsonr��callback�format�updater��status_coder ��revoke_token�token�token_type_hint) r��urir��r��r��resp_headers�request�e� response_bodyr��r��r��create_revocation_response&��s4�� z-RevocationEndpoint.create_revocation_responsec��C��s6��\|��\|��\|��\|��\|��\|��\|��\|��\|��\|��dS�)a��Ensure the request is valid. The client constructs the request by including the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body: token (REQUIRED). The token that the client wants to get revoked. token_type_hint (OPTIONAL). A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values: access_token: An Access Token as defined in [RFC6749], `section 1.4`_ * refresh_token: A Refresh Token as defined in [RFC6749], `section 1.5`_ Specific implementations, profiles, and extensions of this specification MAY define other values for this parameter using the registry defined in `Section 4.1.2`_. The client also includes its authentication credentials as described in `Section 2.3`_. of [`RFC6749`_]. .. _`section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4 .. _`section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5 .. _`section 2.3`: https://tools.ietf.org/html/rfc6749#section-2.3 .. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2 .. _`RFC6749`: https://tools.ietf.org/html/rfc6749 N)�_raise_on_bad_method�_raise_on_bad_post_request�_raise_on_missing_token�_raise_on_invalid_client�_raise_on_unsupported_token)r��r'��r��r��r��r��U��s �� % z.RevocationEndpoint.validate_revocation_request)NF)r��NN) �__name__� __module__�__qualname__�__doc__r��valid_request_methodsr��r��r��r��r��r��r��r��r��s�� .r��) r3��logging�oauthlib.commonr��errorsr��baser��r�� getLoggerr0��r��r��r��r��r��r��<module>��s�� endpoints/__pycache__/token.cpython-310.pyc��0000644��00000010336�15030301546�0014600 0��ustar�00��o ��h��@��sR��d�Z�ddlZddlmZ�ddlmZ�ddlmZmZ�e� e �ZG�dd��de�ZdS�) z� oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. ��N)�Request)�utils��)�BaseEndpoint�catch_errors_and_unavailabilityc��@��sh��e�Zd�ZdZdZdd��Zedd��Zedd��Zed d ��Z edd��Z e ddd��Zdd��Z dS�)� TokenEndpointa��Token issuing endpoint. The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). The means through which the client obtains the location of the token endpoint are beyond the scope of this specification, but the location is typically provided in the service documentation. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per `Appendix B`_) query component, which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component:: https://example.com/path?query=component # OK https://example.com/path?query=component#fragment # Not OK Since requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint:: # We will deny any request which URI schema is not with https The client MUST use the HTTP "POST" method when making access token requests:: # HTTP method is currently not enforced Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once:: # Delegated to each grant type. .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B )�POSTc��C��s ��t��\|��\|\|�_\|\|�_\|\|�_d�S��N)r��__init__�_grant_types�_default_token_type�_default_grant_type)�self�default_grant_type�default_token_type�grant_types��r��Z/usr/local/CyberCP/lib/python3.10/site-packages/oauthlib/oauth2/rfc6749/endpoints/token.pyr ��?��s�� zTokenEndpoint.__init__c��C��\|�j�S�r ��)r��r��r��r��r��r��E��zTokenEndpoint.grant_typesc��C��r��r ��)r ��r��r��r��r��r��I��r��z TokenEndpoint.default_grant_typec��C��s��\|�j��\|�j�S�r ��)r��getr��r��r��r��r��default_grant_type_handlerM��s��z(TokenEndpoint.default_grant_type_handlerc��C��r��r ��)r��r��r��r��r��r��Q��r��z TokenEndpoint.default_token_typer��Nc�� C��sr��t�\|\|\|\|d�}\|��\|��t�\|j�\|_\|\|_\|r\|\|_\|r!\|\|_\|�j � \|j\|�j�} t� d\|j\| ��\| �\|\|�j�S�)z7Extract grant_type and route to the designated handler.)�http_method�body�headersz(Dispatching grant_type %s request to %r.)r��validate_token_requestr�� scope_to_list�scope�scopes�extra_credentials� grant_type�claimsr��r��r��log�debug�create_token_responser��) r��urir��r��r��credentials�grant_type_for_scoper"��request�grant_type_handlerr��r��r��r%��U��s&�� z#TokenEndpoint.create_token_responsec��C��s��\|��\|��\|��\|��d�S�r ��)�_raise_on_bad_method�_raise_on_bad_post_request)r��r)��r��r��r��r��u��s�� z$TokenEndpoint.validate_token_request)r��NNNNN)�__name__� __module__�__qualname__�__doc__�valid_request_methodsr ��propertyr��r��r��r��r��r%��r��r��r��r��r��r��s$��) �r��) r0��logging�oauthlib.commonr��oauthlib.oauth2.rfc6749r��baser��r�� getLoggerr-��r#��r��r��r��r��r��<module>��s�� endpoints/token.py��0000644��00000010763�15030301546�0010245 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import logging from oauthlib.common import Request from oauthlib.oauth2.rfc6749 import utils from .base import BaseEndpoint, catch_errors_and_unavailability log = logging.getLogger(__name__) class TokenEndpoint(BaseEndpoint): """Token issuing endpoint. The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). The means through which the client obtains the location of the token endpoint are beyond the scope of this specification, but the location is typically provided in the service documentation. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per `Appendix B`_) query component, which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component:: https://example.com/path?query=component # OK https://example.com/path?query=component#fragment # Not OK Since requests to the token endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint:: # We will deny any request which URI schema is not with https The client MUST use the HTTP "POST" method when making access token requests:: # HTTP method is currently not enforced Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once:: # Delegated to each grant type. .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B """ valid_request_methods = ('POST',) def __init__(self, default_grant_type, default_token_type, grant_types): BaseEndpoint.__init__(self) self._grant_types = grant_types self._default_token_type = default_token_type self._default_grant_type = default_grant_type @property def grant_types(self): return self._grant_types @property def default_grant_type(self): return self._default_grant_type @property def default_grant_type_handler(self): return self.grant_types.get(self.default_grant_type) @property def default_token_type(self): return self._default_token_type @catch_errors_and_unavailability def create_token_response(self, uri, http_method='POST', body=None, headers=None, credentials=None, grant_type_for_scope=None, claims=None): """Extract grant_type and route to the designated handler.""" request = Request( uri, http_method=http_method, body=body, headers=headers) self.validate_token_request(request) # 'scope' is an allowed Token Request param in both the "Resource Owner Password Credentials Grant" # and "Client Credentials Grant" flows # https://tools.ietf.org/html/rfc6749#section-4.3.2 # https://tools.ietf.org/html/rfc6749#section-4.4.2 request.scopes = utils.scope_to_list(request.scope) request.extra_credentials = credentials if grant_type_for_scope: request.grant_type = grant_type_for_scope # OpenID Connect claims, if provided. The server using oauthlib might choose # to implement the claims parameter of the Authorization Request. In this case # it should retrieve those claims and pass them via the claims argument here, # as a dict. if claims: request.claims = claims grant_type_handler = self.grant_types.get(request.grant_type, self.default_grant_type_handler) log.debug('Dispatching grant_type %s request to %r.', request.grant_type, grant_type_handler) return grant_type_handler.create_token_response( request, self.default_token_type) def validate_token_request(self, request): self._raise_on_bad_method(request) self._raise_on_bad_post_request(request) ��endpoints/revocation.py��0000644��00000012134�15030301546�0011270 0��ustar�00��""" oauthlib.oauth2.rfc6749.endpoint.revocation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the OAuth 2 `Token Revocation`_ spec (draft 11). .. _`Token Revocation`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11 """ import logging from oauthlib.common import Request from ..errors import OAuth2Error from .base import BaseEndpoint, catch_errors_and_unavailability log = logging.getLogger(__name__) class RevocationEndpoint(BaseEndpoint): """Token revocation endpoint. Endpoint used by authenticated clients to revoke access and refresh tokens. Commonly this will be part of the Authorization Endpoint. """ valid_token_types = ('access_token', 'refresh_token') valid_request_methods = ('POST',) def __init__(self, request_validator, supported_token_types=None, enable_jsonp=False): BaseEndpoint.__init__(self) self.request_validator = request_validator self.supported_token_types = ( supported_token_types or self.valid_token_types) self.enable_jsonp = enable_jsonp @catch_errors_and_unavailability def create_revocation_response(self, uri, http_method='POST', body=None, headers=None): """Revoke supplied access or refresh token. The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token. Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved. The content of the response body is ignored by the client as all necessary information is conveyed in the response code. An invalid token type hint value is ignored by the authorization server and does not influence the revocation response. """ resp_headers = { 'Content-Type': 'application/json', 'Cache-Control': 'no-store', 'Pragma': 'no-cache', } request = Request( uri, http_method=http_method, body=body, headers=headers) try: self.validate_revocation_request(request) log.debug('Token revocation valid for %r.', request) except OAuth2Error as e: log.debug('Client error during validation of %r. %r.', request, e) response_body = e.json if self.enable_jsonp and request.callback: response_body = '{}({});'.format(request.callback, response_body) resp_headers.update(e.headers) return resp_headers, response_body, e.status_code self.request_validator.revoke_token(request.token, request.token_type_hint, request) response_body = '' if self.enable_jsonp and request.callback: response_body = request.callback + '();' return {}, response_body, 200 def validate_revocation_request(self, request): """Ensure the request is valid. The client constructs the request by including the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body: token (REQUIRED). The token that the client wants to get revoked. token_type_hint (OPTIONAL). A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values: access_token: An Access Token as defined in [RFC6749], `section 1.4`_ * refresh_token: A Refresh Token as defined in [RFC6749], `section 1.5`_ Specific implementations, profiles, and extensions of this specification MAY define other values for this parameter using the registry defined in `Section 4.1.2`_. The client also includes its authentication credentials as described in `Section 2.3`_. of [`RFC6749`_]. .. _`section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4 .. _`section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5 .. _`section 2.3`: https://tools.ietf.org/html/rfc6749#section-2.3 .. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2 .. _`RFC6749`: https://tools.ietf.org/html/rfc6749 """ self._raise_on_bad_method(request) self._raise_on_bad_post_request(request) self._raise_on_missing_token(request) self._raise_on_invalid_client(request) self._raise_on_unsupported_token(request) ��endpoints/resource.py��0000644��00000006260�15030301546�0010751 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import logging from oauthlib.common import Request from .base import BaseEndpoint, catch_errors_and_unavailability log = logging.getLogger(__name__) class ResourceEndpoint(BaseEndpoint): """Authorizes access to protected resources. The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server:: # For most cases, returning a 403 should suffice. The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP "Authorization" request header field [RFC2617] with an authentication scheme defined by the specification of the access token type used, such as [RFC6750]:: # Access tokens may also be provided in query and body https://example.com/protected?access_token=kjfch2345sdf # Query access_token=sdf23409df # Body """ def __init__(self, default_token, token_types): BaseEndpoint.__init__(self) self._tokens = token_types self._default_token = default_token @property def default_token(self): return self._default_token @property def default_token_type_handler(self): return self.tokens.get(self.default_token) @property def tokens(self): return self._tokens @catch_errors_and_unavailability def verify_request(self, uri, http_method='GET', body=None, headers=None, scopes=None): """Validate client, code etc, return body + headers""" request = Request(uri, http_method, body, headers) request.token_type = self.find_token_type(request) request.scopes = scopes token_type_handler = self.tokens.get(request.token_type, self.default_token_type_handler) log.debug('Dispatching token_type %s request to %r.', request.token_type, token_type_handler) return token_type_handler.validate_request(request), request def find_token_type(self, request): """Token type identification. RFC 6749 does not provide a method for easily differentiating between different token types during protected resource access. We estimate the most likely token type (if any) by asking each known token type to give an estimation based on the request. """ estimates = sorted(((t.estimate_type(request), n) for n, t in self.tokens.items()), reverse=True) return estimates[0][1] if len(estimates) else None ��endpoints/metadata.py��0000644��00000024442�15030301546�0010704 0��ustar�00��""" oauthlib.oauth2.rfc6749.endpoint.metadata ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the `OAuth 2.0 Authorization Server Metadata`. .. _`OAuth 2.0 Authorization Server Metadata`: https://tools.ietf.org/html/rfc8414 """ import copy import json import logging from .. import grant_types, utils from .authorization import AuthorizationEndpoint from .base import BaseEndpoint, catch_errors_and_unavailability from .introspect import IntrospectEndpoint from .revocation import RevocationEndpoint from .token import TokenEndpoint log = logging.getLogger(__name__) class MetadataEndpoint(BaseEndpoint): """OAuth2.0 Authorization Server Metadata endpoint. This specification generalizes the metadata format defined by `OpenID Connect Discovery 1.0` in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases. This is intentionally parallel to the way that OAuth 2.0 Dynamic Client Registration Protocol [`RFC7591`_] generalized the dynamic client registration mechanisms defined by OpenID Connect Dynamic Client Registration 1.0 in a way that is compatible with it. .. _`OpenID Connect Discovery 1.0`: https://openid.net/specs/openid-connect-discovery-1_0.html .. _`RFC7591`: https://tools.ietf.org/html/rfc7591 """ def __init__(self, endpoints, claims={}, raise_errors=True): assert isinstance(claims, dict) for endpoint in endpoints: assert isinstance(endpoint, BaseEndpoint) BaseEndpoint.__init__(self) self.raise_errors = raise_errors self.endpoints = endpoints self.initial_claims = claims self.claims = self.validate_metadata_server() @catch_errors_and_unavailability def create_metadata_response(self, uri, http_method='GET', body=None, headers=None): """Create metadata response """ headers = { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '', } return headers, json.dumps(self.claims), 200 def validate_metadata(self, array, key, is_required=False, is_list=False, is_url=False, is_issuer=False): if not self.raise_errors: return if key not in array: if is_required: raise ValueError("key {} is a mandatory metadata.".format(key)) elif is_issuer: if not utils.is_secure_transport(array[key]): raise ValueError("key {}: {} must be an HTTPS URL".format(key, array[key])) if "?" in array[key] or "&" in array[key] or "#" in array[key]: raise ValueError("key {}: {} must not contain query or fragment components".format(key, array[key])) elif is_url: if not array[key].startswith("http"): raise ValueError("key {}: {} must be an URL".format(key, array[key])) elif is_list: if not isinstance(array[key], list): raise ValueError("key {}: {} must be an Array".format(key, array[key])) for elem in array[key]: if not isinstance(elem, str): raise ValueError("array {}: {} must contains only string (not {})".format(key, array[key], elem)) def validate_metadata_token(self, claims, endpoint): """ If the token endpoint is used in the grant type, the value of this parameter MUST be the same as the value of the "grant_type" parameter passed to the token endpoint defined in the grant type definition. """ self._grant_types.extend(endpoint._grant_types.keys()) claims.setdefault("token_endpoint_auth_methods_supported", ["client_secret_post", "client_secret_basic"]) self.validate_metadata(claims, "token_endpoint_auth_methods_supported", is_list=True) self.validate_metadata(claims, "token_endpoint_auth_signing_alg_values_supported", is_list=True) self.validate_metadata(claims, "token_endpoint", is_required=True, is_url=True) def validate_metadata_authorization(self, claims, endpoint): claims.setdefault("response_types_supported", list(filter(lambda x: x != "none", endpoint._response_types.keys()))) claims.setdefault("response_modes_supported", ["query", "fragment"]) # The OAuth2.0 Implicit flow is defined as a "grant type" but it is not # using the "token" endpoint, as such, we have to add it explicitly to # the list of "grant_types_supported" when enabled. if "token" in claims["response_types_supported"]: self._grant_types.append("implicit") self.validate_metadata(claims, "response_types_supported", is_required=True, is_list=True) self.validate_metadata(claims, "response_modes_supported", is_list=True) if "code" in claims["response_types_supported"]: code_grant = endpoint._response_types["code"] if not isinstance(code_grant, grant_types.AuthorizationCodeGrant) and hasattr(code_grant, "default_grant"): code_grant = code_grant.default_grant claims.setdefault("code_challenge_methods_supported", list(code_grant._code_challenge_methods.keys())) self.validate_metadata(claims, "code_challenge_methods_supported", is_list=True) self.validate_metadata(claims, "authorization_endpoint", is_required=True, is_url=True) def validate_metadata_revocation(self, claims, endpoint): claims.setdefault("revocation_endpoint_auth_methods_supported", ["client_secret_post", "client_secret_basic"]) self.validate_metadata(claims, "revocation_endpoint_auth_methods_supported", is_list=True) self.validate_metadata(claims, "revocation_endpoint_auth_signing_alg_values_supported", is_list=True) self.validate_metadata(claims, "revocation_endpoint", is_required=True, is_url=True) def validate_metadata_introspection(self, claims, endpoint): claims.setdefault("introspection_endpoint_auth_methods_supported", ["client_secret_post", "client_secret_basic"]) self.validate_metadata(claims, "introspection_endpoint_auth_methods_supported", is_list=True) self.validate_metadata(claims, "introspection_endpoint_auth_signing_alg_values_supported", is_list=True) self.validate_metadata(claims, "introspection_endpoint", is_required=True, is_url=True) def validate_metadata_server(self): """ Authorization servers can have metadata describing their configuration. The following authorization server metadata values are used by this specification. More details can be found in `RFC8414 section 2`_ : issuer REQUIRED authorization_endpoint URL of the authorization server's authorization endpoint [`RFC6749#Authorization`_]. This is REQUIRED unless no grant types are supported that use the authorization endpoint. token_endpoint URL of the authorization server's token endpoint [`RFC6749#Token`_]. This is REQUIRED unless only the implicit grant type is supported. scopes_supported RECOMMENDED. response_types_supported REQUIRED. Other OPTIONAL fields: jwks_uri, registration_endpoint, response_modes_supported grant_types_supported OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [`RFC7591`_]. If omitted, the default value is "["authorization_code", "implicit"]". token_endpoint_auth_methods_supported token_endpoint_auth_signing_alg_values_supported service_documentation ui_locales_supported op_policy_uri op_tos_uri revocation_endpoint revocation_endpoint_auth_methods_supported revocation_endpoint_auth_signing_alg_values_supported introspection_endpoint introspection_endpoint_auth_methods_supported introspection_endpoint_auth_signing_alg_values_supported code_challenge_methods_supported Additional authorization server metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Discovery 1.0 [`OpenID.Discovery`_]. .. _`RFC8414 section 2`: https://tools.ietf.org/html/rfc8414#section-2 .. _`RFC6749#Authorization`: https://tools.ietf.org/html/rfc6749#section-3.1 .. _`RFC6749#Token`: https://tools.ietf.org/html/rfc6749#section-3.2 .. _`RFC7591`: https://tools.ietf.org/html/rfc7591 .. _`OpenID.Discovery`: https://openid.net/specs/openid-connect-discovery-1_0.html """ claims = copy.deepcopy(self.initial_claims) self.validate_metadata(claims, "issuer", is_required=True, is_issuer=True) self.validate_metadata(claims, "jwks_uri", is_url=True) self.validate_metadata(claims, "scopes_supported", is_list=True) self.validate_metadata(claims, "service_documentation", is_url=True) self.validate_metadata(claims, "ui_locales_supported", is_list=True) self.validate_metadata(claims, "op_policy_uri", is_url=True) self.validate_metadata(claims, "op_tos_uri", is_url=True) self._grant_types = [] for endpoint in self.endpoints: if isinstance(endpoint, TokenEndpoint): self.validate_metadata_token(claims, endpoint) if isinstance(endpoint, AuthorizationEndpoint): self.validate_metadata_authorization(claims, endpoint) if isinstance(endpoint, RevocationEndpoint): self.validate_metadata_revocation(claims, endpoint) if isinstance(endpoint, IntrospectEndpoint): self.validate_metadata_introspection(claims, endpoint) # "grant_types_supported" is a combination of all OAuth2 grant types # allowed in the current provider implementation. claims.setdefault("grant_types_supported", self._grant_types) self.validate_metadata(claims, "grant_types_supported", is_list=True) return claims ��endpoints/authorization.py��0000644��00000010750�15030301546�0012021 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import logging from oauthlib.common import Request from oauthlib.oauth2.rfc6749 import utils from .base import BaseEndpoint, catch_errors_and_unavailability log = logging.getLogger(__name__) class AuthorizationEndpoint(BaseEndpoint): """Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection. The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g. username and password login, session cookies) is beyond the scope of this specification. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per `Appendix B`_) query component, which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component:: https://example.com/path?query=component # OK https://example.com/path?query=component#fragment # Not OK Since requests to the authorization endpoint result in user authentication and the transmission of clear-text credentials (in the HTTP response), the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint:: # We will deny any request which URI schema is not with https The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint, and MAY support the use of the "POST" method as well:: # HTTP method is currently not enforced Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once:: # Enforced through the design of oauthlib.common.Request .. _`Appendix B`: https://tools.ietf.org/html/rfc6749#appendix-B """ def __init__(self, default_response_type, default_token_type, response_types): BaseEndpoint.__init__(self) self._response_types = response_types self._default_response_type = default_response_type self._default_token_type = default_token_type @property def response_types(self): return self._response_types @property def default_response_type(self): return self._default_response_type @property def default_response_type_handler(self): return self.response_types.get(self.default_response_type) @property def default_token_type(self): return self._default_token_type @catch_errors_and_unavailability def create_authorization_response(self, uri, http_method='GET', body=None, headers=None, scopes=None, credentials=None): """Extract response_type and route to the designated handler.""" request = Request( uri, http_method=http_method, body=body, headers=headers) request.scopes = scopes # TODO: decide whether this should be a required argument request.user = None # TODO: explain this in docs for k, v in (credentials or {}).items(): setattr(request, k, v) response_type_handler = self.response_types.get( request.response_type, self.default_response_type_handler) log.debug('Dispatching response_type %s request to %r.', request.response_type, response_type_handler) return response_type_handler.create_authorization_response( request, self.default_token_type) @catch_errors_and_unavailability def validate_authorization_request(self, uri, http_method='GET', body=None, headers=None): """Extract response_type and route to the designated handler.""" request = Request( uri, http_method=http_method, body=body, headers=headers) request.scopes = utils.scope_to_list(request.scope) response_type_handler = self.response_types.get( request.response_type, self.default_response_type_handler) return response_type_handler.validate_authorization_request(request) ��endpoints/introspect.py��0000644��00000011523�15030301546�0011312 0��ustar�00��""" oauthlib.oauth2.rfc6749.endpoint.introspect ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An implementation of the OAuth 2.0 `Token Introspection`. .. _`Token Introspection`: https://tools.ietf.org/html/rfc7662 """ import json import logging from oauthlib.common import Request from ..errors import OAuth2Error from .base import BaseEndpoint, catch_errors_and_unavailability log = logging.getLogger(__name__) class IntrospectEndpoint(BaseEndpoint): """Introspect token endpoint. This endpoint defines a method to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource. To prevent the values of access tokens from leaking into server-side logs via query parameters, an authorization server offering token introspection MAY disallow the use of HTTP GET on the introspection endpoint and instead require the HTTP POST method to be used at the introspection endpoint. """ valid_token_types = ('access_token', 'refresh_token') valid_request_methods = ('POST',) def __init__(self, request_validator, supported_token_types=None): BaseEndpoint.__init__(self) self.request_validator = request_validator self.supported_token_types = ( supported_token_types or self.valid_token_types) @catch_errors_and_unavailability def create_introspect_response(self, uri, http_method='POST', body=None, headers=None): """Create introspect valid or invalid response If the authorization server is unable to determine the state of the token without additional information, it SHOULD return an introspection response indicating the token is not active as described in Section 2.2. """ resp_headers = { 'Content-Type': 'application/json', 'Cache-Control': 'no-store', 'Pragma': 'no-cache', } request = Request(uri, http_method, body, headers) try: self.validate_introspect_request(request) log.debug('Token introspect valid for %r.', request) except OAuth2Error as e: log.debug('Client error during validation of %r. %r.', request, e) resp_headers.update(e.headers) return resp_headers, e.json, e.status_code claims = self.request_validator.introspect_token( request.token, request.token_type_hint, request ) if claims is None: return resp_headers, json.dumps(dict(active=False)), 200 if "active" in claims: claims.pop("active") return resp_headers, json.dumps(dict(active=True, claims)), 200 def validate_introspect_request(self, request): """Ensure the request is valid. The protected resource calls the introspection endpoint using an HTTP POST request with parameters sent as "application/x-www-form-urlencoded". token REQUIRED. The string value of the token. * token_type_hint OPTIONAL. A hint about the type of the token submitted for introspection. The protected resource MAY pass this parameter to help the authorization server optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. * access_token: An Access Token as defined in [`RFC6749`], `section 1.4`_ * refresh_token: A Refresh Token as defined in [`RFC6749`], `section 1.5`_ The introspection endpoint MAY accept other OPTIONAL parameters to provide further context to the query. For instance, an authorization server may desire to know the IP address of the client accessing the protected resource to determine if the correct client is likely to be presenting the token. The definition of this or any other parameters are outside the scope of this specification, to be defined by service documentation or extensions to this specification. .. _`section 1.4`: http://tools.ietf.org/html/rfc6749#section-1.4 .. _`section 1.5`: http://tools.ietf.org/html/rfc6749#section-1.5 .. _`RFC6749`: http://tools.ietf.org/html/rfc6749 """ self._raise_on_bad_method(request) self._raise_on_bad_post_request(request) self._raise_on_missing_token(request) self._raise_on_invalid_client(request) self._raise_on_unsupported_token(request) ��endpoints/pre_configured.py��0000644��00000027262�15030301546�0012122 0��ustar�00��""" oauthlib.oauth2.rfc6749.endpoints.pre_configured ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various endpoints needed for providing OAuth 2.0 RFC6749 servers. """ from ..grant_types import ( AuthorizationCodeGrant, ClientCredentialsGrant, ImplicitGrant, RefreshTokenGrant, ResourceOwnerPasswordCredentialsGrant, ) from ..tokens import BearerToken from .authorization import AuthorizationEndpoint from .introspect import IntrospectEndpoint from .resource import ResourceEndpoint from .revocation import RevocationEndpoint from .token import TokenEndpoint class Server(AuthorizationEndpoint, IntrospectEndpoint, TokenEndpoint, ResourceEndpoint, RevocationEndpoint): """An all-in-one endpoint featuring all four major grant types.""" def __init__(self, request_validator, token_expires_in=None, token_generator=None, refresh_token_generator=None, args, kwargs): """Construct a new all-grants-in-one server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. """ self.auth_grant = AuthorizationCodeGrant(request_validator) self.implicit_grant = ImplicitGrant(request_validator) self.password_grant = ResourceOwnerPasswordCredentialsGrant( request_validator) self.credentials_grant = ClientCredentialsGrant(request_validator) self.refresh_grant = RefreshTokenGrant(request_validator) self.bearer = BearerToken(request_validator, token_generator, token_expires_in, refresh_token_generator) AuthorizationEndpoint.__init__(self, default_response_type='code', response_types={ 'code': self.auth_grant, 'token': self.implicit_grant, 'none': self.auth_grant }, default_token_type=self.bearer) TokenEndpoint.__init__(self, default_grant_type='authorization_code', grant_types={ 'authorization_code': self.auth_grant, 'password': self.password_grant, 'client_credentials': self.credentials_grant, 'refresh_token': self.refresh_grant, }, default_token_type=self.bearer) ResourceEndpoint.__init__(self, default_token='Bearer', token_types={'Bearer': self.bearer}) RevocationEndpoint.__init__(self, request_validator) IntrospectEndpoint.__init__(self, request_validator) class WebApplicationServer(AuthorizationEndpoint, IntrospectEndpoint, TokenEndpoint, ResourceEndpoint, RevocationEndpoint): """An all-in-one endpoint featuring Authorization code grant and Bearer tokens.""" def __init__(self, request_validator, token_generator=None, token_expires_in=None, refresh_token_generator=None, kwargs): """Construct a new web application server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. """ self.auth_grant = AuthorizationCodeGrant(request_validator) self.refresh_grant = RefreshTokenGrant(request_validator) self.bearer = BearerToken(request_validator, token_generator, token_expires_in, refresh_token_generator) AuthorizationEndpoint.__init__(self, default_response_type='code', response_types={'code': self.auth_grant}, default_token_type=self.bearer) TokenEndpoint.__init__(self, default_grant_type='authorization_code', grant_types={ 'authorization_code': self.auth_grant, 'refresh_token': self.refresh_grant, }, default_token_type=self.bearer) ResourceEndpoint.__init__(self, default_token='Bearer', token_types={'Bearer': self.bearer}) RevocationEndpoint.__init__(self, request_validator) IntrospectEndpoint.__init__(self, request_validator) class MobileApplicationServer(AuthorizationEndpoint, IntrospectEndpoint, ResourceEndpoint, RevocationEndpoint): """An all-in-one endpoint featuring Implicit code grant and Bearer tokens.""" def __init__(self, request_validator, token_generator=None, token_expires_in=None, refresh_token_generator=None, kwargs): """Construct a new implicit grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. """ self.implicit_grant = ImplicitGrant(request_validator) self.bearer = BearerToken(request_validator, token_generator, token_expires_in, refresh_token_generator) AuthorizationEndpoint.__init__(self, default_response_type='token', response_types={ 'token': self.implicit_grant}, default_token_type=self.bearer) ResourceEndpoint.__init__(self, default_token='Bearer', token_types={'Bearer': self.bearer}) RevocationEndpoint.__init__(self, request_validator, supported_token_types=['access_token']) IntrospectEndpoint.__init__(self, request_validator, supported_token_types=['access_token']) class LegacyApplicationServer(TokenEndpoint, IntrospectEndpoint, ResourceEndpoint, RevocationEndpoint): """An all-in-one endpoint featuring Resource Owner Password Credentials grant and Bearer tokens.""" def __init__(self, request_validator, token_generator=None, token_expires_in=None, refresh_token_generator=None, kwargs): """Construct a resource owner password credentials grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. """ self.password_grant = ResourceOwnerPasswordCredentialsGrant( request_validator) self.refresh_grant = RefreshTokenGrant(request_validator) self.bearer = BearerToken(request_validator, token_generator, token_expires_in, refresh_token_generator) TokenEndpoint.__init__(self, default_grant_type='password', grant_types={ 'password': self.password_grant, 'refresh_token': self.refresh_grant, }, default_token_type=self.bearer) ResourceEndpoint.__init__(self, default_token='Bearer', token_types={'Bearer': self.bearer}) RevocationEndpoint.__init__(self, request_validator) IntrospectEndpoint.__init__(self, request_validator) class BackendApplicationServer(TokenEndpoint, IntrospectEndpoint, ResourceEndpoint, RevocationEndpoint): """An all-in-one endpoint featuring Client Credentials grant and Bearer tokens.""" def __init__(self, request_validator, token_generator=None, token_expires_in=None, refresh_token_generator=None, kwargs): """Construct a client credentials grant server. :param request_validator: An implementation of oauthlib.oauth2.RequestValidator. :param token_expires_in: An int or a function to generate a token expiration offset (in seconds) given a oauthlib.common.Request object. :param token_generator: A function to generate a token from a request. :param refresh_token_generator: A function to generate a token from a request for the refresh token. :param kwargs: Extra parameters to pass to authorization-, token-, resource-, and revocation-endpoint constructors. """ self.credentials_grant = ClientCredentialsGrant(request_validator) self.bearer = BearerToken(request_validator, token_generator, token_expires_in, refresh_token_generator) TokenEndpoint.__init__(self, default_grant_type='client_credentials', grant_types={ 'client_credentials': self.credentials_grant}, default_token_type=self.bearer) ResourceEndpoint.__init__(self, default_token='Bearer', token_types={'Bearer': self.bearer}) RevocationEndpoint.__init__(self, request_validator, supported_token_types=['access_token']) IntrospectEndpoint.__init__(self, request_validator, supported_token_types=['access_token']) ��endpoints/__init__.py��0000644��00000001051�15030301546�0010652 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ from .authorization import AuthorizationEndpoint from .introspect import IntrospectEndpoint from .metadata import MetadataEndpoint from .pre_configured import ( BackendApplicationServer, LegacyApplicationServer, MobileApplicationServer, Server, WebApplicationServer, ) from .resource import ResourceEndpoint from .revocation import RevocationEndpoint from .token import TokenEndpoint ��tokens.py��0000644��00000025554�15030301546�0006431 0��ustar�00��""" oauthlib.oauth2.rfc6749.tokens ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module contains methods for adding two types of access tokens to requests. - Bearer https://tools.ietf.org/html/rfc6750 - MAC https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 """ import hashlib import hmac import warnings from binascii import b2a_base64 from urllib.parse import urlparse from oauthlib import common from oauthlib.common import add_params_to_qs, add_params_to_uri from . import utils class OAuth2Token(dict): def __init__(self, params, old_scope=None): super().__init__(params) self._new_scope = None if 'scope' in params and params['scope']: self._new_scope = set(utils.scope_to_list(params['scope'])) if old_scope is not None: self._old_scope = set(utils.scope_to_list(old_scope)) if self._new_scope is None: # the rfc says that if the scope hasn't changed, it's optional # in params so set the new scope to the old scope self._new_scope = self._old_scope else: self._old_scope = self._new_scope @property def scope_changed(self): return self._new_scope != self._old_scope @property def old_scope(self): return utils.list_to_scope(self._old_scope) @property def old_scopes(self): return list(self._old_scope) @property def scope(self): return utils.list_to_scope(self._new_scope) @property def scopes(self): return list(self._new_scope) @property def missing_scopes(self): return list(self._old_scope - self._new_scope) @property def additional_scopes(self): return list(self._new_scope - self._old_scope) def prepare_mac_header(token, uri, key, http_method, nonce=None, headers=None, body=None, ext='', hash_algorithm='hmac-sha-1', issue_time=None, draft=0): """Add an `MAC Access Authentication`_ signature to headers. Unlike OAuth 1, this HMAC signature does not require inclusion of the request payload/body, neither does it use a combination of client_secret and token_secret but rather a mac_key provided together with the access token. Currently two algorithms are supported, "hmac-sha-1" and "hmac-sha-256", `extension algorithms`_ are not supported. Example MAC Authorization header, linebreaks added for clarity Authorization: MAC id="h480djs93hd8", nonce="1336363200:dj83hs9s", mac="bhCQXTVyfj5cmA9uKkPFx1zeOXM=" .. _`MAC Access Authentication`: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 .. _`extension algorithms`: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01#section-7.1 :param token: :param uri: Request URI. :param key: MAC given provided by token endpoint. :param http_method: HTTP Request method. :param nonce: :param headers: Request headers as a dictionary. :param body: :param ext: :param hash_algorithm: HMAC algorithm provided by token endpoint. :param issue_time: Time when the MAC credentials were issued (datetime). :param draft: MAC authentication specification version. :return: headers dictionary with the authorization field added. """ http_method = http_method.upper() host, port = utils.host_from_uri(uri) if hash_algorithm.lower() == 'hmac-sha-1': h = hashlib.sha1 elif hash_algorithm.lower() == 'hmac-sha-256': h = hashlib.sha256 else: raise ValueError('unknown hash algorithm') if draft == 0: nonce = nonce or '{}:{}'.format(utils.generate_age(issue_time), common.generate_nonce()) else: ts = common.generate_timestamp() nonce = common.generate_nonce() sch, net, path, par, query, fra = urlparse(uri) if query: request_uri = path + '?' + query else: request_uri = path # Hash the body/payload if body is not None and draft == 0: body = body.encode('utf-8') bodyhash = b2a_base64(h(body).digest())[:-1].decode('utf-8') else: bodyhash = '' # Create the normalized base string base = [] if draft == 0: base.append(nonce) else: base.append(ts) base.append(nonce) base.append(http_method.upper()) base.append(request_uri) base.append(host) base.append(port) if draft == 0: base.append(bodyhash) base.append(ext or '') base_string = '\n'.join(base) + '\n' # hmac struggles with unicode strings - http://bugs.python.org/issue5285 if isinstance(key, str): key = key.encode('utf-8') sign = hmac.new(key, base_string.encode('utf-8'), h) sign = b2a_base64(sign.digest())[:-1].decode('utf-8') header = [] header.append('MAC id="%s"' % token) if draft != 0: header.append('ts="%s"' % ts) header.append('nonce="%s"' % nonce) if bodyhash: header.append('bodyhash="%s"' % bodyhash) if ext: header.append('ext="%s"' % ext) header.append('mac="%s"' % sign) headers = headers or {} headers['Authorization'] = ', '.join(header) return headers def prepare_bearer_uri(token, uri): """Add a `Bearer Token`_ to the request URI. Not recommended, use only if client can't use authorization header or body. http://www.example.com/path?access_token=h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param uri: """ return add_params_to_uri(uri, [(('access_token', token))]) def prepare_bearer_headers(token, headers=None): """Add a `Bearer Token`_ to the request URI. Recommended method of passing bearer tokens. Authorization: Bearer h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param headers: """ headers = headers or {} headers['Authorization'] = 'Bearer %s' % token return headers def prepare_bearer_body(token, body=''): """Add a `Bearer Token`_ to the request body. access_token=h480djs93hd8 .. _`Bearer Token`: https://tools.ietf.org/html/rfc6750 :param token: :param body: """ return add_params_to_qs(body, [(('access_token', token))]) def random_token_generator(request, refresh_token=False): """ :param request: OAuthlib request. :type request: oauthlib.common.Request :param refresh_token: """ return common.generate_token() def signed_token_generator(private_pem, kwargs): """ :param private_pem: """ def signed_token_generator(request): request.claims = kwargs return common.generate_signed_token(private_pem, request) return signed_token_generator def get_token_from_header(request): """ Helper function to extract a token from the request header. :param request: OAuthlib request. :type request: oauthlib.common.Request :return: Return the token or None if the Authorization header is malformed. """ token = None if 'Authorization' in request.headers: split_header = request.headers.get('Authorization').split() if len(split_header) == 2 and split_header[0].lower() == 'bearer': token = split_header[1] else: token = request.access_token return token class TokenBase: __slots__ = () def __call__(self, request, refresh_token=False): raise NotImplementedError('Subclasses must implement this method.') def validate_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ raise NotImplementedError('Subclasses must implement this method.') def estimate_type(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ raise NotImplementedError('Subclasses must implement this method.') class BearerToken(TokenBase): __slots__ = ( 'request_validator', 'token_generator', 'refresh_token_generator', 'expires_in' ) def __init__(self, request_validator=None, token_generator=None, expires_in=None, refresh_token_generator=None): self.request_validator = request_validator self.token_generator = token_generator or random_token_generator self.refresh_token_generator = ( refresh_token_generator or self.token_generator ) self.expires_in = expires_in or 3600 def create_token(self, request, refresh_token=False, kwargs): """ Create a BearerToken, by default without refresh token. :param request: OAuthlib request. :type request: oauthlib.common.Request :param refresh_token: """ if "save_token" in kwargs: warnings.warn("`save_token` has been deprecated, it was not called internally." "If you do, call `request_validator.save_token()` instead.", DeprecationWarning) if callable(self.expires_in): expires_in = self.expires_in(request) else: expires_in = self.expires_in request.expires_in = expires_in token = { 'access_token': self.token_generator(request), 'expires_in': expires_in, 'token_type': 'Bearer', } # If provided, include - this is optional in some cases https://tools.ietf.org/html/rfc6749#section-3.3 but # there is currently no mechanism to coordinate issuing a token for only a subset of the requested scopes so # all tokens issued are for the entire set of requested scopes. if request.scopes is not None: token['scope'] = ' '.join(request.scopes) if refresh_token: if (request.refresh_token and not self.request_validator.rotate_refresh_token(request)): token['refresh_token'] = request.refresh_token else: token['refresh_token'] = self.refresh_token_generator(request) token.update(request.extra_credentials or {}) return OAuth2Token(token) def validate_request(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ token = get_token_from_header(request) return self.request_validator.validate_bearer_token( token, request.scopes, request) def estimate_type(self, request): """ :param request: OAuthlib request. :type request: oauthlib.common.Request """ if request.headers.get('Authorization', '').split(' ')[0].lower() == 'bearer': return 9 elif request.access_token is not None: return 5 else: return 0 ��__init__.py��0000644��00000000624�15030301546�0006654 0��ustar�00��""" oauthlib.oauth2.rfc6749 ~~~~~~~~~~~~~~~~~~~~~~~ This module is an implementation of various logic needed for consuming and providing OAuth 2.0 RFC6749. """ import functools import logging from .endpoints.base import BaseEndpoint, catch_errors_and_unavailability from .errors import ( FatalClientError, OAuth2Error, ServerError, TemporarilyUnavailableError, ) log = logging.getLogger(__name__) ��utils.py��0000644��00000004237�15030301546�0006261 0��ustar�00��""" oauthlib.utils ~~~~~~~~~~~~~~ This module contains utility methods used by various parts of the OAuth 2 spec. """ import datetime import os from urllib.parse import quote, urlparse from oauthlib.common import urldecode def list_to_scope(scope): """Convert a list of scopes to a space separated string.""" if isinstance(scope, str) or scope is None: return scope elif isinstance(scope, (set, tuple, list)): return " ".join([str(s) for s in scope]) else: raise ValueError("Invalid scope (%s), must be string, tuple, set, or list." % scope) def scope_to_list(scope): """Convert a space separated string to a list of scopes.""" if isinstance(scope, (tuple, list, set)): return [str(s) for s in scope] elif scope is None: return None else: return scope.strip().split(" ") def params_from_uri(uri): params = dict(urldecode(urlparse(uri).query)) if 'scope' in params: params['scope'] = scope_to_list(params['scope']) return params def host_from_uri(uri): """Extract hostname and port from URI. Will use default port for HTTP and HTTPS if none is present in the URI. """ default_ports = { 'HTTP': '80', 'HTTPS': '443', } sch, netloc, path, par, query, fra = urlparse(uri) if ':' in netloc: netloc, port = netloc.split(':', 1) else: port = default_ports.get(sch.upper()) return netloc, port def escape(u): """Escape a string in an OAuth-compatible fashion. TODO: verify whether this can in fact be used for OAuth 2 """ if not isinstance(u, str): raise ValueError('Only unicode objects are escapable.') return quote(u.encode('utf-8'), safe=b'~') def generate_age(issue_time): """Generate a age parameter for MAC authentication draft 00.""" td = datetime.datetime.now() - issue_time age = (td.microseconds + (td.seconds + td.days 24 * 3600) * 10 6) / 10 6 return str(age) def is_secure_transport(uri): """Check if the uri is over ssl.""" if os.environ.get('OAUTHLIB_INSECURE_TRANSPORT'): return True return uri.lower().startswith('https://') ��errors.py��0000644��00000031223�15030301546�0006430 0��ustar�00��""" oauthlib.oauth2.rfc6749.errors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Error used both by OAuth 2 clients and providers to represent the spec defined error responses for all four core grant types. """ import json from oauthlib.common import add_params_to_uri, urlencode class OAuth2Error(Exception): error = None status_code = 400 description = '' def __init__(self, description=None, uri=None, state=None, status_code=None, request=None): """ :param description: A human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred. Values for the "error_description" parameter MUST NOT include characters outside the set x20-21 / x23-5B / x5D-7E. :param uri: A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error. Values for the "error_uri" parameter MUST conform to the URI- Reference syntax, and thus MUST NOT include characters outside the set x21 / x23-5B / x5D-7E. :param state: A CSRF protection value received from the client. :param status_code: :param request: OAuthlib request. :type request: oauthlib.common.Request """ if description is not None: self.description = description message = '({}) {}'.format(self.error, self.description) if request: message += ' ' + repr(request) super().__init__(message) self.uri = uri self.state = state if status_code: self.status_code = status_code if request: self.redirect_uri = request.redirect_uri self.client_id = request.client_id self.scopes = request.scopes self.response_type = request.response_type self.response_mode = request.response_mode self.grant_type = request.grant_type if not state: self.state = request.state else: self.redirect_uri = None self.client_id = None self.scopes = None self.response_type = None self.response_mode = None self.grant_type = None def in_uri(self, uri): fragment = self.response_mode == "fragment" return add_params_to_uri(uri, self.twotuples, fragment) @property def twotuples(self): error = [('error', self.error)] if self.description: error.append(('error_description', self.description)) if self.uri: error.append(('error_uri', self.uri)) if self.state: error.append(('state', self.state)) return error @property def urlencoded(self): return urlencode(self.twotuples) @property def json(self): return json.dumps(dict(self.twotuples)) @property def headers(self): if self.status_code == 401: """ https://tools.ietf.org/html/rfc6750#section-3 All challenges defined by this specification MUST use the auth-scheme value "Bearer". This scheme MUST be followed by one or more auth-param values. """ authvalues = ['error="{}"'.format(self.error)] if self.description: authvalues.append('error_description="{}"'.format(self.description)) if self.uri: authvalues.append('error_uri="{}"'.format(self.uri)) return {"WWW-Authenticate": "Bearer " + ", ".join(authvalues)} return {} class TokenExpiredError(OAuth2Error): error = 'token_expired' class InsecureTransportError(OAuth2Error): error = 'insecure_transport' description = 'OAuth 2 MUST utilize https.' class MismatchingStateError(OAuth2Error): error = 'mismatching_state' description = 'CSRF Warning! State not equal in request and response.' class MissingCodeError(OAuth2Error): error = 'missing_code' class MissingTokenError(OAuth2Error): error = 'missing_token' class MissingTokenTypeError(OAuth2Error): error = 'missing_token_type' class FatalClientError(OAuth2Error): """ Errors during authorization where user should not be redirected back. If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI. Instead the user should be informed of the error by the provider itself. """ pass class InvalidRequestFatalError(FatalClientError): """ For fatal errors, the request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. """ error = 'invalid_request' class InvalidRedirectURIError(InvalidRequestFatalError): description = 'Invalid redirect URI.' class MissingRedirectURIError(InvalidRequestFatalError): description = 'Missing redirect URI.' class MismatchingRedirectURIError(InvalidRequestFatalError): description = 'Mismatching redirect URI.' class InvalidClientIdError(InvalidRequestFatalError): description = 'Invalid client_id parameter value.' class MissingClientIdError(InvalidRequestFatalError): description = 'Missing client_id parameter.' class InvalidRequestError(OAuth2Error): """ The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. """ error = 'invalid_request' class MissingResponseTypeError(InvalidRequestError): description = 'Missing response_type parameter.' class MissingCodeChallengeError(InvalidRequestError): """ If the server requires Proof Key for Code Exchange (PKCE) by OAuth public clients and the client does not send the "code_challenge" in the request, the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., code challenge required. """ description = 'Code challenge required.' class MissingCodeVerifierError(InvalidRequestError): """ The request to the token endpoint, when PKCE is enabled, has the parameter `code_verifier` REQUIRED. """ description = 'Code verifier required.' class AccessDeniedError(OAuth2Error): """ The resource owner or authorization server denied the request. """ error = 'access_denied' class UnsupportedResponseTypeError(OAuth2Error): """ The authorization server does not support obtaining an authorization code using this method. """ error = 'unsupported_response_type' class UnsupportedCodeChallengeMethodError(InvalidRequestError): """ If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request". The "error_description" or the response of "error_uri" SHOULD explain the nature of error, e.g., transform algorithm not supported. """ description = 'Transform algorithm not supported.' class InvalidScopeError(OAuth2Error): """ The requested scope is invalid, unknown, or malformed, or exceeds the scope granted by the resource owner. https://tools.ietf.org/html/rfc6749#section-5.2 """ error = 'invalid_scope' class ServerError(OAuth2Error): """ The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via a HTTP redirect.) """ error = 'server_error' class TemporarilyUnavailableError(OAuth2Error): """ The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via a HTTP redirect.) """ error = 'temporarily_unavailable' class InvalidClientError(FatalClientError): """ Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client. """ error = 'invalid_client' status_code = 401 class InvalidGrantError(OAuth2Error): """ The provided authorization grant (e.g. authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. https://tools.ietf.org/html/rfc6749#section-5.2 """ error = 'invalid_grant' status_code = 400 class UnauthorizedClientError(OAuth2Error): """ The authenticated client is not authorized to use this authorization grant type. """ error = 'unauthorized_client' class UnsupportedGrantTypeError(OAuth2Error): """ The authorization grant type is not supported by the authorization server. """ error = 'unsupported_grant_type' class UnsupportedTokenTypeError(OAuth2Error): """ The authorization server does not support the hint of the presented token type. I.e. the client tried to revoke an access token on a server not supporting this feature. """ error = 'unsupported_token_type' class InvalidTokenError(OAuth2Error): """ The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request. """ error = 'invalid_token' status_code = 401 description = ("The access token provided is expired, revoked, malformed, " "or invalid for other reasons.") class InsufficientScopeError(OAuth2Error): """ The request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the "scope" attribute with the scope necessary to access the protected resource. """ error = 'insufficient_scope' status_code = 403 description = ("The request requires higher privileges than provided by " "the access token.") class ConsentRequired(OAuth2Error): """ The Authorization Server requires End-User consent. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User consent. """ error = 'consent_required' class LoginRequired(OAuth2Error): """ The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication. """ error = 'login_required' class CustomOAuth2Error(OAuth2Error): """ This error is a placeholder for all custom errors not described by the RFC. Some of the popular OAuth2 providers are using custom errors. """ def __init__(self, error, args, kwargs): self.error = error super().__init__(args, kwargs) def raise_from_error(error, params=None): import inspect import sys kwargs = { 'description': params.get('error_description'), 'uri': params.get('error_uri'), 'state': params.get('state') } for _, cls in inspect.getmembers(sys.modules[__name__], inspect.isclass): if cls.error == error: raise cls(kwargs) raise CustomOAuth2Error(error=error, **kwargs) ��

| ver. 1.4 | Github | . | PHP 8.2.28 | Generation time: 0.03 | proxy | phpinfo | Settings