RFC5849: The OAuth 1.0 Protocol
This section contains the generic implementation of RFC5849. Learn how to create an OAuth 1.0 provider in these frameworks:
Flask: Flask OAuth 1.0 Server.
Django: Django OAuth 1.0 Server.
Servers
- class authlib.oauth1.rfc5849.AuthorizationServer
- create_authorization_response(request, grant_user=None)
Validate authorization request and create authorization response. Assume the endpoint for authorization request is https://photos.example.net/authorize; the client redirects Jane’s user-agent to the server’s Resource Owner Authorization endpoint to obtain Jane’s approval for accessing her private photos:

    https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola

The server requests Jane to sign in using her username and password and, if successful, asks her to approve granting ‘printer.example.com’ access to her private photos. Jane approves the request and her user-agent is redirected to the callback URI provided by the client in the previous request (line breaks are for display purposes only):

    http://printer.example.com/ready?
    oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884
- Parameters:
request – OAuth1Request instance.
grant_user – if granted, pass the grant user, otherwise None.
- Returns:
(status_code, body, headers)
- create_authorization_verifier(request)
Create and bind oauth_verifier to temporary credential. It could be re-implemented in this way:

    from authlib.common.security import generate_token

    def create_authorization_verifier(self, request):
        verifier = generate_token(36)
        temporary_credential = request.credential
        user_id = request.user.id
        temporary_credential.user_id = user_id
        temporary_credential.oauth_verifier = verifier
        # if the credential has a save method
        temporary_credential.save()
        # remember to return the verifier
        return verifier
- Parameters:
request – OAuth1Request instance
- Returns:
A string of oauth_verifier
- create_temporary_credential(request)
Generate and save a temporary credential into database or cache. A temporary credential is used for exchanging token credential. This method should be re-implemented:

    from authlib.common.security import generate_token

    def create_temporary_credential(self, request):
        oauth_token = generate_token(36)
        oauth_token_secret = generate_token(48)
        temporary_credential = TemporaryCredential(
            oauth_token=oauth_token,
            oauth_token_secret=oauth_token_secret,
            client_id=request.client_id,
            redirect_uri=request.redirect_uri,
        )
        # if the credential has a save method
        temporary_credential.save()
        return temporary_credential
- Parameters:
request – OAuth1Request instance
- Returns:
TemporaryCredential instance
- create_temporary_credentials_response(request=None)
Validate temporary credentials token request and create response for temporary credentials token. Assume the endpoint of temporary credentials request is https://photos.example.net/initiate:

    POST /initiate HTTP/1.1
    Host: photos.example.net
    Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131200",
        oauth_nonce="wIjqoS",
        oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
        oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

The server validates the request and replies with a set of temporary credentials in the body of the HTTP response:

    HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03&
    oauth_callback_confirmed=true
- Parameters:
request – OAuth1Request instance.
- Returns:
(status_code, body, headers)
- create_token_credential(request)
Create and save token credential into database. This method would be re-implemented like this:

    from authlib.common.security import generate_token

    def create_token_credential(self, request):
        oauth_token = generate_token(36)
        oauth_token_secret = generate_token(48)
        temporary_credential = request.credential
        token_credential = TokenCredential(
            oauth_token=oauth_token,
            oauth_token_secret=oauth_token_secret,
            client_id=temporary_credential.get_client_id(),
            user_id=temporary_credential.get_user_id()
        )
        # if the credential has a save method
        token_credential.save()
        return token_credential
- Parameters:
request – OAuth1Request instance
- Returns:
TokenCredential instance
- create_token_response(request)
Validate token request and create token response. Assuming the endpoint of token request is https://photos.example.net/token, the callback request informs the client that Jane completed the authorization process. The client then requests a set of token credentials using its temporary credentials (over a secure Transport Layer Security (TLS) channel):

    POST /token HTTP/1.1
    Host: photos.example.net
    Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="hh5s93j4hdidpola",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131201",
        oauth_nonce="walatlh",
        oauth_verifier="hfdp7dh39dks9884",
        oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"

The server validates the request and replies with a set of token credentials in the body of the HTTP response:

    HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00
- Parameters:
request – OAuth1Request instance.
- Returns:
(status_code, body, headers)
- delete_temporary_credential(request)
Delete temporary credential from database or cache. For instance, if temporary credential is saved in cache:

    def delete_temporary_credential(self, request):
        key = 'a-key-prefix:{}'.format(request.token)
        cache.delete(key)
- Parameters:
request – OAuth1Request instance
- exists_nonce(nonce, request)
The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
- Parameters:
nonce – A string value of oauth_nonce
request – OAuth1Request instance
- Returns:
Boolean
- get_client_by_id(client_id)
Get client instance with the given client_id.
- Parameters:
client_id – A string of client_id
- Returns:
Client instance
- get_temporary_credential(request)
Get the temporary credential from database or cache. A temporary credential should share the same methods as described in models of TemporaryCredentialMixin:

    def get_temporary_credential(self, request):
        key = 'a-key-prefix:{}'.format(request.token)
        data = cache.get(key)
        # TemporaryCredential shares methods from TemporaryCredentialMixin
        return TemporaryCredential(data)
- Parameters:
request – OAuth1Request instance
- Returns:
TemporaryCredential instance
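The credential hooks above (create_temporary_credential, create_authorization_verifier, create_token_credential, delete_temporary_credential, get_temporary_credential, and the ResourceProtector's get_token_credential) only make sense together, as the three legs of the RFC 5849 exchange. The following is an added example, not Authlib's code and not importing authlib: an in-memory store providing those hooks, plus a run_flow helper that drives the legs in order. InMemoryStore, run_flow, the stand-in TemporaryCredential, TokenCredential, User and OAuth1Request classes, and the use of secrets.token_urlsafe in place of generate_token are all assumptions of this example.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class TemporaryCredential:
    # Stand-in for a model mixing in TemporaryCredentialMixin (assumed, not Authlib's).
    oauth_token: str
    oauth_token_secret: str
    client_id: str
    oauth_callback: str
    user_id: str | None = None
    oauth_verifier: str | None = None

    def get_client_id(self):
        return self.client_id

    def get_user_id(self):
        return self.user_id

    def check_verifier(self, verifier):
        # Constant-time comparison; the plain == shown in the docs is also accepted.
        return bool(self.oauth_verifier and verifier) and \
            hmac.compare_digest(self.oauth_verifier.encode(), verifier.encode())

@dataclass
class TokenCredential:
    # Stand-in for a model mixing in TokenCredentialMixin.
    oauth_token: str
    oauth_token_secret: str
    client_id: str
    user_id: str

@dataclass
class User:
    id: str

@dataclass
class OAuth1Request:
    # Minimal stand-in exposing only the attributes the hooks read.
    client_id: str
    redirect_uri: str = ""
    token: str | None = None
    credential: TemporaryCredential | None = None
    user: User | None = None

class InMemoryStore:
    # The hook methods an AuthorizationServer subclass provides, backed by dicts here.
    def __init__(self):
        self.temporary = {}  # oauth_token -> TemporaryCredential
        self.tokens = {}     # oauth_token -> TokenCredential

    def create_temporary_credential(self, request):
        cred = TemporaryCredential(
            oauth_token=secrets.token_urlsafe(27),
            oauth_token_secret=secrets.token_urlsafe(36),
            client_id=request.client_id,
            oauth_callback=request.redirect_uri)
        self.temporary[cred.oauth_token] = cred
        return cred

    def get_temporary_credential(self, request):
        return self.temporary.get(request.token)

    def create_authorization_verifier(self, request):
        verifier = secrets.token_urlsafe(27)
        request.credential.user_id = request.user.id  # bind the approving resource owner
        request.credential.oauth_verifier = verifier
        return verifier

    def create_token_credential(self, request):
        temp = request.credential
        token = TokenCredential(
            oauth_token=secrets.token_urlsafe(27),
            oauth_token_secret=secrets.token_urlsafe(36),
            client_id=temp.get_client_id(),
            user_id=temp.get_user_id())
        self.tokens[token.oauth_token] = token
        return token

    def delete_temporary_credential(self, request):
        self.temporary.pop(request.token, None)

    def get_token_credential(self, request):  # the ResourceProtector hook
        return self.tokens.get(request.token)

def run_flow(store, client_id, callback, user, presented_verifier=None):
    # Drives the three legs through the hooks; returns the TokenCredential, or None
    # when the credential at /token belongs to another client or the verifier is wrong.
    temp = store.create_temporary_credential(  # leg 1: POST /initiate
        OAuth1Request(client_id=client_id, redirect_uri=callback))
    auth_req = OAuth1Request(client_id=client_id, token=temp.oauth_token, user=user)
    auth_req.credential = store.get_temporary_credential(auth_req)
    verifier = store.create_authorization_verifier(auth_req)  # leg 2: GET /authorize
    token_req = OAuth1Request(client_id=client_id, token=temp.oauth_token)
    token_req.credential = store.get_temporary_credential(token_req)  # leg 3: POST /token
    presented = verifier if presented_verifier is None else presented_verifier
    cred = token_req.credential
    if cred is None or cred.get_client_id() != client_id or not cred.check_verifier(presented):
        return None
    token = store.create_token_credential(token_req)
    store.delete_temporary_credential(token_req)  # temporary credentials are single use
    return token
```

Two points the docstrings above leave implicit are made explicit here: the temporary credential is deleted once it has been exchanged, so a second /token request with the same oauth_token fails at get_temporary_credential, and the token request is checked against the client that obtained the temporary credential before the verifier is compared.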
- classmethod register_signature_method(name, verify)
Extend signature method verification.
- Parameters:
name – A string to represent signature method.
verify – A function to verify signature.
The verify function accepts an OAuth1Request as its parameter:

    def verify_custom_method(request):
        # verify this request, return True or False
        return True

    Server.register_signature_method('custom-name', verify_custom_method)
- validate_authorization_request(request)
Validate the request for resource owner authorization.
- validate_oauth_signature(request)
Validate oauth_signature from HTTP request.
- Parameters:
request – OAuth1Request instance
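What validate_oauth_signature and a registered verify function have to compute is the RFC 5849 section 3.4 signature base string and the HMAC-SHA1 over it. The following added example (not Authlib's code, and not importing authlib; it serves both the AuthorizationServer and ResourceProtector variants of these methods) implements that in the callable shape register_signature_method expects. OAuth1Request is a stand-in dataclass, SIGNATURE_METHODS, initiate_request and rfc_example_request are names invented here, and the client secret in initiate_request is constructed, so its signature differs from the one in the docs above.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(value):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, "-", ".", "_", "~" stay unescaped.
    return quote(str(value), safe="-._~")

@dataclass
class OAuth1Request:
    # Stand-in (assumed, not Authlib's class) with the fields the verifier needs.
    method: str
    uri: str                   # full request URI, query string included
    oauth_params: dict         # decoded parameters from the Authorization header
    body: str = ""             # application/x-www-form-urlencoded body, if any
    client_secret: str = ""
    token_secret: str = ""     # empty for the temporary-credentials request

def base_string_uri(uri):
    # Section 3.4.1.2: lowercase scheme and host, drop default ports and the query.
    parts = urlsplit(uri)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"

def normalized_params(request):
    # Section 3.4.1.3: query, body and oauth_* parameters (minus realm and
    # oauth_signature), each encoded, sorted by name then value, joined with = and &.
    pairs = parse_qsl(urlsplit(request.uri).query, keep_blank_values=True)
    pairs += parse_qsl(request.body, keep_blank_values=True)
    pairs += [(k, v) for k, v in request.oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)

def signature_base_string(request):
    # Section 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters).
    return "&".join([request.method.upper(), oauth_encode(base_string_uri(request.uri)),
                     oauth_encode(normalized_params(request))])

def hmac_sha1_signature(request):
    # Section 3.4.2: key = enc(client secret) & enc(token secret).
    key = f"{oauth_encode(request.client_secret)}&{oauth_encode(request.token_secret)}"
    mac = hmac.new(key.encode(), signature_base_string(request).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_hmac_sha1(request):
    # The shape register_signature_method expects: request -> bool, constant-time compare.
    presented = request.oauth_params.get("oauth_signature", "")
    return hmac.compare_digest(presented.encode(), hmac_sha1_signature(request).encode())

SIGNATURE_METHODS = {"HMAC-SHA1": verify_hmac_sha1}

def register_signature_method(name, verify):
    SIGNATURE_METHODS[name] = verify

def validate_oauth_signature(request):
    # Dispatch on oauth_signature_method; an unregistered method is rejected, not skipped.
    verify = SIGNATURE_METHODS.get(request.oauth_params.get("oauth_signature_method"))
    return verify is not None and bool(verify(request))

def initiate_request(signature=None):
    # Constructed sample mirroring the /initiate request in the docs (header values
    # decoded); the client secret is made up, so the signature differs from the docs.
    params = {"realm": "Photos", "oauth_consumer_key": "dpf43f3p2l4k3l03",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131200",
              "oauth_nonce": "wIjqoS", "oauth_callback": "http://printer.example.com/ready"}
    req = OAuth1Request("POST", "https://photos.example.net/initiate", params,
                        client_secret="example-client-secret")
    params["oauth_signature"] = hmac_sha1_signature(req) if signature is None else signature
    return req

def rfc_example_request():
    # The worked base-string example from RFC 5849 section 3.4.1 (not from this page).
    params = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
              "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
    return OAuth1Request("POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
                         params, body="c2&a3=2+q")
```

Any change to a signed parameter, including oauth_callback, invalidates the signature, which is why the callback bound to the temporary credential can be trusted later in the flow; and because the realm and oauth_signature parameters are excluded from the base string, they are the only header values a client may alter without re-signing.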
- validate_temporary_credentials_request(request)
Validate HTTP request for temporary credentials.
- validate_timestamp_and_nonce(request)
Validate oauth_timestamp and oauth_nonce in HTTP request.
- Parameters:
request – OAuth1Request instance
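exists_nonce and validate_timestamp_and_nonce (present on both AuthorizationServer and ResourceProtector) are the replay defence of OAuth 1.0: a captured signed request stays valid until its timestamp ages out, so the server must reject timestamps outside a window and remember every nonce seen inside it. The following added example, not Authlib's code and not importing authlib, shows one way to implement the pair. NonceStore, MAX_CLOCK_SKEW, NONCE_RETENTION, the (ok, reason) return value, the stand-in OAuth1Request dataclass and the optional now parameter are assumptions made here so that the logic can be exercised with fixed times.

```python
from __future__ import annotations
import time
from dataclasses import dataclass

MAX_CLOCK_SKEW = 300                  # seconds an oauth_timestamp may differ from server time
NONCE_RETENTION = 2 * MAX_CLOCK_SKEW  # once older than this a nonce can never validate again

@dataclass
class OAuth1Request:
    # Stand-in (assumed, not Authlib's class) with the fields the checks read.
    client_id: str
    timestamp: str
    nonce: str
    token: str | None = None

class NonceStore:
    # In-memory implementation of the exists_nonce hook with expiry of old entries.
    def __init__(self):
        self._seen = {}  # (timestamp, client_id, token, nonce) -> time first seen

    def _expire(self, now):
        cutoff = now - NONCE_RETENTION
        for key in [k for k, first in self._seen.items() if first < cutoff]:
            del self._seen[key]

    def exists_nonce(self, nonce, request, now=None):
        # RFC 5849 section 3.3: the nonce must be unique per timestamp, client
        # credentials and token. Returns True when seen before, otherwise records it.
        now = time.time() if now is None else now
        self._expire(now)
        key = (request.timestamp, request.client_id, request.token, nonce)
        if key in self._seen:
            return True
        self._seen[key] = now
        return False

def validate_timestamp_and_nonce(store, request, now=None):
    # Returns (ok, reason). The timestamp window is checked first so that a stale
    # or malformed request never gets a nonce recorded for it.
    now = time.time() if now is None else now
    try:
        ts = int(request.timestamp)
    except (TypeError, ValueError):
        return False, "invalid_timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp_out_of_window"
    if not request.nonce:
        return False, "missing_nonce"
    if store.exists_nonce(request.nonce, request, now=now):
        return False, "nonce_replayed"
    return True, "ok"
```

The retention period only needs to cover the timestamp window: a nonce whose timestamp is already outside the window is rejected by the timestamp check, so remembering it any longer buys nothing. Because the key includes the client identifier and token, a nonce recorded for one client has no effect on another client's requests, and in a multi-process deployment the store must be shared (a cache with a TTL set to NONCE_RETENTION is the usual choice) rather than kept per process as here.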
- validate_token_request(request)
Validate request for issuing token.
- class authlib.oauth1.rfc5849.ResourceProtector
- exists_nonce(nonce, request)
The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
- Parameters:
nonce – A string value of oauth_nonce
request – OAuth1Request instance
- Returns:
Boolean
- get_client_by_id(client_id)
Get client instance with the given client_id.
- Parameters:
client_id – A string of client_id
- Returns:
Client instance
- get_token_credential(request)
Fetch the token credential from a data store such as a database. The framework integration should implement this method.
- Parameters:
request – OAuth1Request instance
- Returns:
Token model instance
- classmethod register_signature_method(name, verify)
Extend signature method verification.
- Parameters:
name – A string to represent signature method.
verify – A function to verify signature.
The verify function accepts an OAuth1Request as its parameter:

    def verify_custom_method(request):
        # verify this request, return True or False
        return True

    Server.register_signature_method('custom-name', verify_custom_method)
- validate_oauth_signature(request)
Validate oauth_signature from HTTP request.
- Parameters:
request – OAuth1Request instance
- validate_timestamp_and_nonce(request)
Validate oauth_timestamp and oauth_nonce in HTTP request.
- Parameters:
request – OAuth1Request instance
Models Mixin
- class authlib.oauth1.rfc5849.ClientMixin
- get_client_secret()
A method to return the client_secret of this client. For instance, the database table has a column called client_secret:

    def get_client_secret(self):
        return self.client_secret
- get_default_redirect_uri()
A method to get client default redirect_uri. For instance, the database table for client has a column called default_redirect_uri:

    def get_default_redirect_uri(self):
        return self.default_redirect_uri
- Returns:
A URL string
- get_rsa_public_key()
A method to get the RSA public key for RSA-SHA1 signature method. For instance, the value is saved on column rsa_public_key:

    def get_rsa_public_key(self):
        return self.rsa_public_key
- class authlib.oauth1.rfc5849.TemporaryCredentialMixin
- check_verifier(verifier)
A method to check if the given verifier matches this temporary credential. For instance, this temporary credential has recorded the value in the database column oauth_verifier:

    def check_verifier(self, verifier):
        return self.oauth_verifier == verifier
- Returns:
Boolean
- get_client_id()
A method to get the client_id associated with this credential. For instance, the table in the database has a column client_id:

    def get_client_id(self):
        return self.client_id
- get_oauth_token()
A method to get the value of oauth_token. For instance, the database table has a column called oauth_token:

    def get_oauth_token(self):
        return self.oauth_token
- Returns:
A string
- get_oauth_token_secret()
A method to get the value of oauth_token_secret. For instance, the database table has a column called oauth_token_secret:

    def get_oauth_token_secret(self):
        return self.oauth_token_secret
- Returns:
A string
- get_redirect_uri()
A method to get temporary credential’s oauth_callback. For instance, the database table for temporary credential has a column called oauth_callback:

    def get_redirect_uri(self):
        return self.oauth_callback
- Returns:
A URL string
- class authlib.oauth1.rfc5849.TokenCredentialMixin
- get_oauth_token()
A method to get the value of oauth_token. For instance, the database table has a column called oauth_token:

    def get_oauth_token(self):
        return self.oauth_token
- Returns:
A string
- get_oauth_token_secret()
A method to get the value of oauth_token_secret. For instance, the database table has a column called oauth_token_secret:

    def get_oauth_token_secret(self):
        return self.oauth_token_secret
- Returns:
A string