API Docs¶

Invenio module that implements OAuth 2 server.

class invenio_oauth2server.ext.InvenioOAuth2Server(app=None, **kwargs)[source]¶

Invenio-OAuth2Server extension.

Extension initialization.

Parameters:	app – An instance of `flask.Flask`.

init_app(app, entry_point_group='invenio_oauth2server.scopes', **kwargs)[source]¶

Flask application initialization.

Parameters:	app – An instance of `flask.Flask`. entry_point_group – The entrypoint group name to load plugins. (Default: `'invenio_oauth2server.scopes'`)

init_config(app)[source]¶

Initialize configuration.

Parameters:	app – An instance of `flask.Flask`.

class invenio_oauth2server.ext.InvenioOAuth2ServerREST(app=None, **kwargs)[source]¶

Invenio-OAuth2Server REST extension.

Extension initialization.

Parameters:	app – An instance of `flask.Flask`.

init_app(app, **kwargs)[source]¶

Flask application initialization.

Parameters:	app – An instance of `flask.Flask`.

init_config(app)[source]¶: Initialize configuration.

static monkeypatch_oauthlib_urlencode_chars(chars)[source]¶: Monkeypatch OAuthlib set of “URL encoded”-safe characters.

Note

OAuthlib keeps a set of characters that it considers as valid inside an URL-encoded query-string during parsing of requests. The issue is that this set of characters wasn’t designed to be configurable since it should technically follow various RFC specifications about URIs, like for example RFC3986. Many online services and frameworks though have designed their APIs in ways that aim at keeping things practical and readable to the API consumer, making use of special characters to mark or seperate query-string arguments. Such an example is the usage of embedded JSON strings inside query-string arguments, which of course have to contain the “colon” character (:) for key/value pair definitions.

Users of the OAuthlib library, in order to integrate with these services and frameworks, end up either circumventing these “static” restrictions of OAuthlib by pre-processing query-strings, or -in search of a more permanent solution- directly make Pull Requests to OAuthlib to include additional characters in the set, and explain the logic behind their decision (one can witness these efforts inside the git history of the source file that includes this set of characters here). This kind of tactic leads easily to misconceptions about the ability one has over the usage of specific features of services and frameworks. In order to tackle this issue in Invenio-OAuth2Server, we are monkey-patching this set of characters using a configuration variable, so that usage of any special characters is a conscious decision of the package user.

invenio_oauth2server.ext.verify_oauth_token_and_set_current_user()[source]¶

Verify OAuth token and set current user on request stack.

This function should be used only on REST application.

app.before_request(verify_oauth_token_and_set_current_user)

Decorators¶

Useful decorators for checking authentication and scopes.

invenio_oauth2server.decorators.require_api_auth(allow_anonymous=False)[source]¶

Decorator to require API authentication using OAuth token.

Parameters:	allow_anonymous – Allow access without OAuth token (default: `False`).

invenio_oauth2server.decorators.require_oauth_scopes(*scopes)[source]¶

Decorator to require a list of OAuth scopes.

Decorator must be preceded by a require_api_auth() decorator. Note, API key authentication is bypassing this check.

Parameters:	*scopes – List of scopes required.

Models¶

OAuth2Server models.

class invenio_oauth2server.models.Client(**kwargs)[source]¶

A client is the app which want to use the resource of a user.

It is suggested that the client is registered by a user on your site, but it is not required.

The client should contain at least these information:

client_id: A random string client_secret: A random string client_type: A string represents if it is confidential redirect_uris: A list of redirect uris default_redirect_uri: One of the redirect uris default_scopes: Default scopes of the client

But it could be better, if you implemented:

allowed_grant_types: A list of grant types allowed_response_types: A list of response types validate_scopes: A function to validate scopes

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

allowed_grant_types¶: Return allowed grant types.

allowed_response_types¶: Return allowed response types.

client_id¶: Client application ID.

client_secret¶: Client application secret.

client_type¶: Return client type.

default_redirect_uri¶: Return default redirect uri.

default_scopes¶: List of default scopes for client.

description¶: Human readable description.

gen_salt()[source]¶: Generate salt.

get_users¶: Get number of users.

is_confidential¶: Determine if client application is public or not.

is_internal¶: Determins if client application is an internal application.

name¶: Human readable name of the application.

redirect_uris¶: Return redirect uris.

reset_client_id()[source]¶: Reset client id.

reset_client_secret()[source]¶: Reset client secret.

user¶: Relationship to user.

user_id¶: Creator of the client application.

validate_scopes(scopes)[source]¶: Validate if client is allowed to access scopes.

class invenio_oauth2server.models.NoneAesEngine[source]¶

Filter None values from encrypting.

decrypt(value)[source]¶: Decrypt value on the way out.

encrypt(value)[source]¶: Encrypt a value on the way in.

class invenio_oauth2server.models.OAuthUserProxy(user)[source]¶

Proxy object to an Invenio User.

Initialize proxy object with user instance.

check_password(password)[source]¶: Check user password.

classmethod get_current_user()[source]¶: Return an instance of current user object.

id¶: Return user identifier.

class invenio_oauth2server.models.Scope(id_, help_text='', group='', internal=False)[source]¶

OAuth scope definition.

Initialize scope values.

class invenio_oauth2server.models.Token(**kwargs)[source]¶

A bearer token is the final token that can be used by the client.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

client¶: SQLAlchemy relationship to client application.

client_id¶: Foreign key to client application.

classmethod create_personal(name, user_id, scopes=None, is_internal=False)[source]¶

Create a personal access token.

A token that is bound to a specific user and which doesn’t expire, i.e. similar to the concept of an API key.

Parameters:	name – Client name. user_id – User ID. scopes – The list of permitted scopes. (Default: `None`) is_internal – If `True` it’s a internal access token. (Default: `False`)
Returns:	A new access token.

get_visible_scopes()[source]¶

Get list of non-internal scopes for token.

Returns:	A list of scopes.

id¶: Object ID.

is_internal¶: Determines if token is an internally generated token.

is_personal¶: Personal accesss token.

scopes¶

Return all scopes.

Returns:	A list of scopes.

token_type¶: Token type - only bearer is supported at the moment.

user¶: SQLAlchemy relationship to user.

user_id¶: Foreign key to user.

invenio_oauth2server.models.secret_key()[source]¶: Return secret key as bytearray.

Provider¶

Configuration of Flask-OAuthlib provider.

invenio_oauth2server.provider.get_client(client_id)[source]¶

Load the client.

Needed for grant_type client_credentials.

Add support for OAuth client_credentials access type, with user inactivation support.

Parameters:	client_id – The client ID.
Returns:	The client instance or `None`.

invenio_oauth2server.provider.get_token(access_token=None, refresh_token=None)[source]¶

Load an access token.

Add support for personal access tokens compared to flask-oauthlib. If the access token is None, it looks for the refresh token.

Parameters:	access_token – The access token. (Default: `None`) refresh_token – The refresh token. (Default: `None`)
Returns:	The token instance or `None`.

invenio_oauth2server.provider.get_user(email, password, *args, **kwargs)[source]¶

Get user for grant type password.

Needed for grant type ‘password’. Note, grant type password is by default disabled.

Parameters:	email – User email. password – Password.
Returns:	The user instance or `None`.

invenio_oauth2server.provider.save_token(token, request, *args, **kwargs)[source]¶

Token persistence.

Parameters:	token – A dictionary with the token data. request – The request instance.
Returns:	A `invenio_oauth2server.models.Token` instance.

Validators¶

Validators for OAuth 2.0 redirect URIs and scopes.

class invenio_oauth2server.validators.URLValidator(require_tld=True, message=None)[source]¶: URL validator.

invenio_oauth2server.validators.validate_redirect_uri(value)[source]¶

Validate a redirect URI.

Redirect URIs must be a valid URL and use https unless the host is localhost for which http is accepted.

Parameters:	value – The redirect URI.

invenio_oauth2server.validators.validate_scopes(value_list)[source]¶

Validate if each element in a list is a registered scope.

Parameters:	value_list – The list of scopes.
Raises:	invenio_oauth2server.errors.ScopeDoesNotExists – The exception is raised if a scope is not registered.
Returns:	`True` if it’s successfully validated.

Proxies¶

Helper proxy to the state object.

invenio_oauth2server.proxies.current_oauth2server = <LocalProxy unbound>¶: Return current state of the OAuth2 server extension.

Errors¶

Errors raised by Invenio-OAuth2Server.

exception invenio_oauth2server.errors.JWTDecodeError(errors=None, **kwargs)[source]¶

Exception raised when decoding is failed.

Initialize JWTExtendedException.

exception invenio_oauth2server.errors.JWTExpiredToken(errors=None, **kwargs)[source]¶

Exception raised when JWT is expired.

Initialize JWTExtendedException.

exception invenio_oauth2server.errors.JWTExtendedException(errors=None, **kwargs)[source]¶

Base exception for all JWT errors.

Initialize JWTExtendedException.

get_body(environ=None)[source]¶: Get the request body.

get_errors()[source]¶

Get errors.

Returns:	A list containing a dictionary representing the errors.

get_headers(environ=None)[source]¶: Get a list of headers.

exception invenio_oauth2server.errors.JWTInvalidHeaderError(errors=None, **kwargs)[source]¶

Exception raised when header argument is missing.

Initialize JWTExtendedException.

exception invenio_oauth2server.errors.JWTInvalidIssuer(errors=None, **kwargs)[source]¶

Exception raised when the user is not valid.

Initialize JWTExtendedException.

exception invenio_oauth2server.errors.JWTNoAuthorizationError(errors=None, **kwargs)[source]¶

Exception raised when permission denied.

Initialize JWTExtendedException.

exception invenio_oauth2server.errors.OAuth2ServerError[source]¶: Base class for errors in oauth2server module.

exception invenio_oauth2server.errors.ScopeDoesNotExists(scope, *args, **kwargs)[source]¶

Scope is not registered it scopes registry.

Initialize exception by storing invalid scope.

API Docs¶

Decorators¶

Models¶

Provider¶

Validators¶

Proxies¶

Errors¶

Invenio-OAuth2Server

Navigation

Related Topics