
oauth2app's Introduction

Other projects have been able to devote the time and energy necessary to maintain oauth apps that we cannot, so while this library is not exactly unmaintained, you should probably be using something else. We highly recommend djoauth2 and Django OAuth Toolkit

Installation

If easy_install is available, you can use:

easy_install https://github.com/hiidef/oauth2app/tarball/master

Introduction

The oauth2app module helps Django site operators provide an OAuth 2.0 interface. The module is registered as an application.

In settings.py, add 'oauth2app' to INSTALLED_APPS.

INSTALLED_APPS = (
    ...,
    'oauth2app'
)

Sync the DB models.

python manage.py syncdb

In urls.py, route the authorize, token and missing_redirect_uri views in a new or existing app. The token endpoint is served by oauth2app itself; the other two are views you write (shown below).

urlpatterns += patterns('',
    (r'^oauth2/missing_redirect_uri/?$',   'mysite.oauth2.views.missing_redirect_uri'),
    (r'^oauth2/authorize/?$',                'mysite.oauth2.views.authorize'),
    (r'^oauth2/token/?$',                    'oauth2app.token.handler'),
)

Create client models.

from oauth2app.models import Client

Client.objects.create(
    name="My Sample OAuth 2.0 Client",
    user=user)

Create authorize and missing_redirect_uri handlers.

from django.shortcuts import render_to_response
from django.http import HttpResponseRedirect
from django.template import RequestContext
from django.contrib.auth.decorators import login_required
from oauth2app.authorize import Authorizer, MissingRedirectURI, AuthorizationException
from django import forms

class AuthorizeForm(forms.Form):
    pass

@login_required
def missing_redirect_uri(request):
    return render_to_response(
        'oauth2/missing_redirect_uri.html',
        {},
        RequestContext(request))

@login_required
def authorize(request):
    authorizer = Authorizer()
    try:
        authorizer.validate(request)
    except MissingRedirectURI:
        # No trusted redirect_uri could be established (unknown client, or a
        # redirect_uri that does not match the registered one). The error must
        # be shown locally; redirecting here would make this endpoint an open
        # redirector.
        return HttpResponseRedirect("/oauth2/missing_redirect_uri")
    except AuthorizationException:
        # The request is malformed or invalid, but redirect_uri has already
        # been validated, so the error is reported by redirecting there.
        return authorizer.error_redirect()
    if request.method == 'GET':
        template = {}
        # Use any form, but the template must render {% csrf_token %}: the
        # consent POST is exactly the request a CSRF forgery would target to
        # make the user grant an attacker's client.
        template["form"] = AuthorizeForm()
        # Appends the original OAuth2 parameters.
        template["form_action"] = '/oauth2/authorize?%s' % authorizer.query_string
        return render_to_response(
            'oauth2/authorize.html',
            template,
            RequestContext(request))
    elif request.method == 'POST':
        form = AuthorizeForm(request.POST)
        if form.is_valid():
            if request.POST.get("connect") == "Yes":
                # User agrees. Redirect to redirect_uri with success params.
                return authorizer.grant_redirect()
            else:
                # User refuses. Redirect to redirect_uri with error params.
                return authorizer.error_redirect()
    return HttpResponseRedirect("/")
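The ordering of checks in the view above is the security-relevant part: a MissingRedirectURI is answered with a local page, and only errors raised after the redirect target has been verified go to error_redirect(). The stand-alone Python below mirrors that dispatch without Django or oauth2app, so the two failure paths can be exercised directly. It is an added illustration, not the library's Authorizer; the CLIENTS table, the client ids, the redirect URIs and the fixed authorization code are constructed for the example, and only the authorization-code response type is handled.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed, in-memory stand-in for a registered-client table; not oauth2app's
# Client model. redirect_uri is fixed at registration time.
CLIENTS = {
    "abc123": {"name": "My Sample OAuth 2.0 Client",
               "redirect_uri": "https://app.example/cb?v=2"},
    "nouri":  {"name": "Registered without a redirect_uri", "redirect_uri": None},
}


class MissingRedirectURI(Exception):
    """No trustworthy redirect target exists: render a local error page, never redirect."""


class AuthorizationException(Exception):
    """The request is invalid but redirect_uri has been verified: report it by redirect."""

    def __init__(self, ctx, error, description):
        super().__init__(description)
        self.ctx, self.error, self.description = ctx, error, description


def add_query(url, extra):
    """Append parameters to a URL while preserving the query it already carries."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def validate_authorize_request(params):
    """Check an authorization request and return the context needed to answer it.

    The redirect_uri is pinned down first, because every later error is reported by
    redirecting to it. An unknown client, or a redirect_uri that is not byte-for-byte
    the registered one, raises MissingRedirectURI rather than AuthorizationException;
    redirecting in that case would turn the endpoint into an open redirector.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise MissingRedirectURI("unknown client_id")
    registered, supplied = client["redirect_uri"], params.get("redirect_uri")
    if supplied is None and registered is None:
        raise MissingRedirectURI("no redirect_uri supplied or registered")
    if supplied is not None and supplied != registered:  # exact match, no prefix logic
        raise MissingRedirectURI("redirect_uri does not match the registered value")
    ctx = {"client": client, "redirect_uri": registered, "state": params.get("state")}
    response_type = params.get("response_type")
    if response_type is None:
        raise AuthorizationException(ctx, "invalid_request", "response_type is required")
    if response_type != "code":  # this illustration implements the code flow only
        raise AuthorizationException(ctx, "unsupported_response_type",
                                     "only response_type=code is supported")
    return ctx


def error_redirect(ctx, error, description):
    """Error redirect to the *validated* redirect_uri, echoing state if the client sent one."""
    extra = {"error": error, "error_description": description}
    if ctx["state"] is not None:
        extra["state"] = ctx["state"]
    return add_query(ctx["redirect_uri"], extra)


def grant_redirect(ctx, code):
    """Success redirect carrying the authorization code (and state, if any)."""
    extra = {"code": code}
    if ctx["state"] is not None:
        extra["state"] = ctx["state"]
    return add_query(ctx["redirect_uri"], extra)


def handle_authorize(params, user_consents, code="SplxlOBeZQQYbYS6WxSbIA"):
    """Dispatch the way the README's authorize view does, without Django.

    Returns ("local_error", message) where the view renders missing_redirect_uri.html
    and ("redirect", url) where it returns an HttpResponseRedirect. `code` stands in
    for a freshly issued authorization code (constructed value).
    """
    try:
        ctx = validate_authorize_request(params)
    except MissingRedirectURI as exc:
        return "local_error", str(exc)
    except AuthorizationException as exc:
        return "redirect", error_redirect(exc.ctx, exc.error, exc.description)
    if not user_consents:
        return "redirect", error_redirect(ctx, "access_denied", "user refused")
    return "redirect", grant_redirect(ctx, code)
```

Note that a redirect_uri differing from the registered value only by an extra query parameter or a different path is still a MissingRedirectURI: the comparison is an exact string match, which is the behaviour you want on the authorization endpoint.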

Authenticate requests.

from oauth2app.authenticate import Authenticator, AuthenticationException
from django.http import HttpResponse

def test(request):
    authenticator = Authenticator()
    try:
        # Validate the request.
        authenticator.validate(request)
    except AuthenticationException:
        # Return an error response.
        return authenticator.error_response(content="You didn't authenticate.")
    username = authenticator.user.username
    return HttpResponse(content="Hi %s, You authenticated!" % username)

If you want to authenticate JSON requests try the JSONAuthenticator.

from oauth2app.authenticate import JSONAuthenticator, AuthenticationException

def test(request):
    authenticator = JSONAuthenticator()
    try:
        # Validate the request.
        authenticator.validate(request)
    except AuthenticationException:
        # Return a JSON encoded error response.
        return authenticator.error_response()
    username = authenticator.user.username
    # Return a JSON encoded response.
    return authenticator.response({"username":username})
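Before a view may trust authenticator.user, validate() has to establish that the Authorization header carries exactly one Bearer token, that the token exists, that it has not expired, and that it covers the scope the resource requires; each failure is answered with the RFC 6750 error code and WWW-Authenticate challenge. The framework-free Python below shows those checks end to end, including the case of a request with no credentials at all (challenge without an error code). It is added here and is not oauth2app's Authenticator; the token table, usernames, scope names, fixed clock value and realm are constructed for the example, and tokens are stored as SHA-256 digests rather than in the clear.

```python
import hashlib

NOW = 1_700_000_000  # constructed fixed clock so the example is deterministic


def _key(token):
    """Tokens are stored only as SHA-256 digests: a leaked table yields no usable credential."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed stand-in for an access-token table; not oauth2app's model.
TOKENS = {
    _key("good-token"):    {"username": "alice", "scope": {"user_info_view_email"}, "expire": NOW + 3600},
    _key("expired-token"): {"username": "bob",   "scope": {"user_info_view_email"}, "expire": NOW - 1},
}


class AuthenticationException(Exception):
    def __init__(self, status, error=None, description=None):
        super().__init__(description or "authentication failed")
        self.status, self.error, self.description = status, error, description


def parse_bearer(header):
    """Return the token from an Authorization header, or None when the header is absent.

    RFC 6750 section 2.1: the scheme is 'Bearer' (case-insensitive) followed by one
    token. Anything else is rejected here, before any lookup, as invalid_request.
    """
    if header is None:
        return None
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise AuthenticationException(400, "invalid_request", "Malformed Authorization header")
    return parts[1]


def authenticate(headers, required_scope=(), now=NOW):
    """Validate the bearer token on a request; return the token record on success."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        # No credentials at all: challenge without an error code (RFC 6750 section 3.1).
        raise AuthenticationException(401)
    record = TOKENS.get(_key(token))
    if record is None:
        raise AuthenticationException(401, "invalid_token", "Unknown token")
    if record["expire"] <= now:
        raise AuthenticationException(401, "invalid_token", "Token expired")
    missing = set(required_scope) - record["scope"]
    if missing:
        raise AuthenticationException(403, "insufficient_scope",
                                      "Missing scope: " + " ".join(sorted(missing)))
    return record


def error_response(exc, required_scope=()):
    """(status, headers, body) for a failed check, with the RFC 6750 WWW-Authenticate challenge."""
    challenge = 'Bearer realm="api"'
    if exc.error:
        challenge += ', error="%s", error_description="%s"' % (exc.error, exc.description)
    if exc.error == "insufficient_scope" and required_scope:
        challenge += ', scope="%s"' % " ".join(sorted(required_scope))
    body = {"error": exc.error, "error_description": exc.description} if exc.error else {}
    return exc.status, {"WWW-Authenticate": challenge}, body


def user_info_view(headers, required_scope=("user_info_view_email",)):
    """The README's `test` view as a plain function returning (status, headers, body)."""
    try:
        record = authenticate(headers, required_scope)
    except AuthenticationException as exc:
        return error_response(exc, required_scope)
    return 200, {}, {"username": record["username"]}
```

The 400/401/403 split matters for clients: 401 with invalid_token tells a well-behaved client to refresh or re-authorize, 403 with insufficient_scope tells it which scope to ask for, and 400 means the request itself was malformed and retrying with the same header is pointless.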

Examples

An example Django project demonstrating client and server functionality is available in the repository.

https://github.com/hiidef/oauth2app/tree/develop/examples/mysite

oauth2app's People

Contributors

bhagany, chrisdev, ckelly, gabrielgrant, hpk, mk-fg, schmichael, trezorg, wehriam


oauth2app's Issues

0.3.2 release

Is it possible to release 0.3.2? The master branch includes a couple of fixes, including the client_credentials grant_type bug, and these are not available in 0.3.0.

Release on PyPI

Thanks so much for putting this together!

Would you mind releasing it on PyPI?

Default base views

oauth2app should have some default base views that are class based.

Currently the views in the example application can be used, but they don't form part of the oauth2app core.

The views should be placed in oauth2app/views.py

These views should be:

BaseSignupView
BaseClientView
BaseAuthorizeView

These views should serve as a basis for your own custom views.

oauth2app.models.Client object in database

The database table for the oauth2app.models.Client object has client_name and client_secret attributes; it also has a user_id representing the client owner (resource owner).
That will result in duplication of client_name and client_secret,

i.e. CLIENT TABLE

id | name            | user_id | description                | secret .......
1  | android twitter | 123     | twitter client for android | abcd ........
2  | android twitter | 455     | twitter client for android | abcd ........
3  | android twitter | 789     | twitter client for android | abcd ........
4  | android twitter | 1011    | twitter client for android | abcd ........


As you can see, the name, description and secret attributes are duplicated because the user_id attribute changes, and that duplication will use a lot of hard disk space.
I hope you understand me :)
Please correct me if I misunderstood the source code.

Thanks:)

Granular scope

Hi, thanks a lot for this great app!

I wonder if it would be possible/expedient to validate an authentication if it matches one or more access ranges?

For example I have a resource that provides information about users, I will want to slice the given information regarding the access rights the client has, instead of rejecting it because it doesn't have access to the whole access range:

E.g:

scope = AccessRange.objects.filter(key__in=["user_info_manage", "user_info_view_email", "user_info_view_name"])
authenticator = Authenticator(scope=scope, sub_scope=True)
authenticator.validate(request) # Assume the request is done by a client that has only access to "user_info_view_email".
>>> authenticator.authorized_sub_scope
["user_info_view_email"]

Thus, regarding the returned .authorized_sub_scope set, I can return the user's email and/or name.

If this is a proper approach, it would be very useful for my case, and maybe for others. What do you think?

Camille.

easy_install installs 0.3

As described in README:

 easy_install https://github.com/hiidef/oauth2app/tarball/master

This installs 0.3.0 instead of 0.3.1.
Is this correct?

Refreshing token with missing scope parameter clears scope

TokenGenerator._get_refresh_token doesn't leave the scope attribute on self.access_token alone if the request had no scope parameter (i.e. self.scope is None).

RFC 6749 says:

scope
OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.

Fix to be attached shortly…

Blank redirect_uri field causes problems

In models.py, Client.redirect_uri has a blank=True setting. If you edit a client in the admin interface, it defaults to making redirect_uri blank instead of None. This leads to various errors when running because the code tries to resolve '' as a URL, and fails.

Substantial differences between draft 16 and draft 20?

In the docs, it's noted that this is providing support for OAuth 2.0, draft 16. The spec is now on to draft 20, and there appear to be significant changes to the spec in draft 17, changes that appear (based on a superficial scan) to affect the authorization workflow. I haven't yet reviewed all the changes, as I'm not very familiar with the spec, nor its perturbations. Are you aware of the updates to the spec, are they substantive, and are you planning to support the spec in its final form?

Unable to refresh token if no scope is defined

Trying to refresh a token without a scope defined always throws an exception.
The method _validate_refresh_token in oauth2app/token should initialize self.scope to [] if no scope is used.

Thanks

General oauth2app issues

There are a number of problems with oauth2app that need to be addressed. These are:

  1. Documentation refactor including:
    • Installation: easy_install must go.
    • Much of the documentation forces the user to create the same views as everyone else. These sample views should be just included in the project, possibly as CBVs.
  2. Lack of templates in the app itself. Or at least make the example ones easier to find.
  3. Add admin functionality to control consuming applications.
  4. Change the branching patterns to handle the different specs of OAuth.
  5. Add more core committers to increase progress. We've got a couple people here at pycon qualified to take on this role.

Remove extra exception types

There are a whole bunch of exception types that extend Exception and pass.

They mostly provide a source of docs.

Should we dump them in favour of logging/docs?

models __unicode__ method

Hi.
Can you add a __unicode__ method to the oauth2app models? Then I can add "Clients" in the Django admin.
Thanks

Wrong token field "expire_in"

Hi.
The method grant_response in oauth2app / token generates a token with "expire_in" field. Should be "expires_in".

Fabio
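Three of the issues above concern the same piece of token-endpoint logic: the refresh grant must leave the scope untouched when the `scope` parameter is omitted (RFC 6749 section 6, quoted in "Refreshing token with missing scope parameter clears scope"), must not fail when no scope was ever defined ("Unable to refresh token if no scope is defined"), and must name the lifetime field `expires_in` ("Wrong token field 'expire_in'"). The Python below is an added, stand-alone illustration of the rule, not oauth2app's TokenGenerator; the scope names, token lifetime and random token values are constructed, and it also enforces the other half of the RFC text, rejecting a requested scope wider than the one originally granted with invalid_scope.

```python
import secrets


class InvalidScope(Exception):
    """Maps to the token-endpoint error code invalid_scope (RFC 6749 section 5.2)."""


def parse_scope(value):
    """Space-delimited scope parameter -> set of scope names; None when it was omitted.

    An absent or blank parameter counts as 'omitted' in the sense of RFC 6749
    section 6, which is the case the refresh-token issues describe.
    """
    if value is None or not value.strip():
        return None
    return set(value.split())


def narrow_scope(granted, requested):
    """Scope of an access token issued from a refresh token.

    granted   -- scope the resource owner originally authorized (iterable of names)
    requested -- parsed scope from the refresh request, or None if omitted
    Omitted:  the new token keeps exactly the granted scope (never cleared, never widened).
    Supplied: it must be a subset of granted; anything outside it is invalid_scope.
    """
    granted = set(granted)
    if requested is None:
        return granted
    extra = set(requested) - granted
    if extra:
        raise InvalidScope("scope not originally granted: " + " ".join(sorted(extra)))
    return set(requested)


def refresh_token_response(granted_scope, requested_scope, lifetime=3600):
    """Body of a successful token response (RFC 6749 section 5.1) for a refresh grant.

    granted_scope   -- space-delimited scope stored with the refresh token ("" if none)
    requested_scope -- raw `scope` parameter from the request, or None if absent
    Token values are constructed random strings; a real server would persist them
    and invalidate the refresh token that was just used.
    """
    scope = narrow_scope(granted_scope.split(), parse_scope(requested_scope))
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": lifetime,  # the name clients look for; "expire_in" is silently ignored
        "refresh_token": secrets.token_urlsafe(32),
        "scope": " ".join(sorted(scope)),  # REQUIRED if it differs from the request, harmless otherwise
    }
```

Always emitting `scope` in the response is the simplest way to satisfy the RFC's "REQUIRED if different from the requested scope" clause, and it lets a client detect a narrowed grant instead of assuming it got everything it asked for.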
