This part of the documentation covers the interface of Flask OAuth 1.0 Server.
authlib.integrations.flask_oauth1.AuthorizationServer(app=None, query_client=None, token_generator=None)
Flask implementation of authlib.rfc5849.AuthorizationServer.
Initialize it with Flask app instance, client model class and cache:
    server = AuthorizationServer(app=app, query_client=query_client)
    # or initialize lazily
    server = AuthorizationServer()
    server.init_app(app, query_client=query_client)
Validate authorization request and create authorization response.
Assuming the endpoint for authorization request is https://photos.example.net/authorize, the client redirects Jane’s user-agent to the server’s Resource Owner Authorization endpoint to obtain Jane’s approval for accessing her private photos:
    https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola
The server requests Jane to sign in using her username and password and, if successful, asks her to approve granting ‘printer.example.com’ access to her private photos. Jane approves the request and her user-agent is redirected to the callback URI provided by the client in the previous request (line breaks are for display purposes only):
    http://printer.example.com/ready?
    oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884
Returns: (status_code, body, headers)
create_authorization_verifier(request)
Create and bind oauth_verifier to temporary credential. It could be re-implemented in this way:
    from authlib.common.security import generate_token

    def create_authorization_verifier(self, request):
        verifier = generate_token(36)
        temporary_credential = request.credential
        user_id = request.user.get_user_id()
        temporary_credential.user_id = user_id
        temporary_credential.oauth_verifier = verifier
        # if the credential has a save method
        temporary_credential.save()
        # remember to return the verifier
        return verifier
Parameters: request – OAuth1Request instance
Returns: A string of oauth_verifier
create_temporary_credential(request)
Generate and save a temporary credential into database or cache. A temporary credential is later exchanged for a token credential. This method should be re-implemented:
    from authlib.common.security import generate_token

    def create_temporary_credential(self, request):
        oauth_token = generate_token(36)
        oauth_token_secret = generate_token(48)
        temporary_credential = TemporaryCredential(
            oauth_token=oauth_token,
            oauth_token_secret=oauth_token_secret,
            client_id=request.client_id,
            redirect_uri=request.redirect_uri,
        )
        # if the credential has a save method
        temporary_credential.save()
        return temporary_credential
Parameters: request – OAuth1Request instance
Returns: TemporaryCredential instance
create_temporary_credentials_response(request=None)
Validate temporary credentials token request and create response for temporary credentials token. Assume the endpoint of temporary credentials request is https://photos.example.net/initiate:
    POST /initiate HTTP/1.1
    Host: photos.example.net
    Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131200",
        oauth_nonce="wIjqoS",
        oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
        oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
The server validates the request and replies with a set of temporary credentials in the body of the HTTP response:
    HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03&
    oauth_callback_confirmed=true
Parameters: request – OAuth1Request instance.
Returns: (status_code, body, headers)
create_token_credential(request)
Create and save token credential into database. This method would be re-implemented like this:
    from authlib.common.security import generate_token

    def create_token_credential(self, request):
        oauth_token = generate_token(36)
        oauth_token_secret = generate_token(48)
        temporary_credential = request.credential
        token_credential = TokenCredential(
            oauth_token=oauth_token,
            oauth_token_secret=oauth_token_secret,
            client_id=temporary_credential.get_client_id(),
            user_id=temporary_credential.get_user_id()
        )
        # if the credential has a save method
        token_credential.save()
        return token_credential
Parameters: request – OAuth1Request instance
Returns: TokenCredential instance
create_token_response(request=None)
Validate token request and create token response. Assuming the endpoint of token request is https://photos.example.net/token, the callback request informs the client that Jane completed the authorization process. The client then requests a set of token credentials using its temporary credentials (over a secure Transport Layer Security (TLS) channel):
    POST /token HTTP/1.1
    Host: photos.example.net
    Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="hh5s93j4hdidpola",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131201",
        oauth_nonce="walatlh",
        oauth_verifier="hfdp7dh39dks9884",
        oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"
The server validates the request and replies with a set of token credentials in the body of the HTTP response:
    HTTP/1.1 200 OK
    Content-Type: application/x-www-form-urlencoded

    oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00
Parameters: request – OAuth1Request instance.
Returns: (status_code, body, headers)
delete_temporary_credential(request)
Delete temporary credential from database or cache. For instance, if temporary credential is saved in cache:
    def delete_temporary_credential(self, request):
        key = 'a-key-prefix:{}'.format(request.token)
        cache.delete(key)
Parameters: request – OAuth1Request instance
exists_nonce(nonce, request)
The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
Returns: Boolean
get_client_by_id(client_id)
Get client instance with the given client_id.
Parameters: client_id – A string of client_id
Returns: Client instance
get_temporary_credential(request)
Get the temporary credential from database or cache. A temporary credential should share the same methods as described in models of TemporaryCredentialMixin:
    def get_temporary_credential(self, request):
        key = 'a-key-prefix:{}'.format(request.token)
        data = cache.get(key)
        # TemporaryCredential shares methods from TemporaryCredentialMixin
        return TemporaryCredential(data)
Parameters: request – OAuth1Request instance
Returns: TemporaryCredential instance
authlib.integrations.flask_oauth1.ResourceProtector(app=None, query_client=None, query_token=None, exists_nonce=None)
A protecting method for resource servers. Initialize a resource protector with the query_token method:
    from authlib.integrations.flask_oauth1 import ResourceProtector, current_credential
    from authlib.integrations.flask_oauth1 import create_exists_nonce_func
    from authlib.integrations.sqla_oauth1 import (
        create_query_client_func,
        create_query_token_func,
    )
    # the model and session names used below come from your own project
    from your_project.models import db, OAuth1Client, OAuth1Token, cache

    # you need to define a ``cache`` instance yourself
    require_oauth = ResourceProtector(
        app,
        query_client=create_query_client_func(db.session, OAuth1Client),
        query_token=create_query_token_func(db.session, OAuth1Token),
        exists_nonce=create_exists_nonce_func(cache)
    )

    # or initialize it lazily
    require_oauth = ResourceProtector()
    require_oauth.init_app(
        app,
        query_client=create_query_client_func(db.session, OAuth1Client),
        query_token=create_query_token_func(db.session, OAuth1Token),
        exists_nonce=create_exists_nonce_func(cache)
    )
get_client_by_id(client_id)
Get client instance with the given client_id.
Parameters: client_id – A string of client_id
Returns: Client instance
get_token_credential(request)
Fetch the token credential from a data store such as a database. The framework should implement this function.
Parameters: request – OAuth1Request instance
Returns: Token model instance
exists_nonce(nonce, request)
The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
Returns: Boolean
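The uniqueness rule stated for exists_nonce on both AuthorizationServer and ResourceProtector can be implemented as a replay cache like the one below. This is an added example, not Authlib's own code: NonceStore, make_request and the 300-second window are assumptions, and the request stand-in carries only the timestamp, client_id and token attributes the check reads.

```python
import threading
import time
from types import SimpleNamespace


class NonceStore:
    """In-memory replay cache; a stand-in for a shared cache in production."""

    def __init__(self, window=300):
        self.window = window   # seconds a timestamp is accepted (assumed value)
        self._seen = {}        # key -> time after which the entry can be dropped
        self._lock = threading.Lock()

    def exists_nonce(self, nonce, request, now=None):
        """Return True when the request must be rejected as a replay."""
        now = time.time() if now is None else now
        try:
            ts = int(request.timestamp)
        except (TypeError, ValueError):
            return True        # unusable timestamp: refuse rather than guess
        if abs(now - ts) > self.window:
            return True        # outside the period in which nonces are remembered
        # Uniqueness scope: nonce + timestamp + client credentials + token.
        key = (nonce, ts, request.client_id, request.token or "")
        with self._lock:       # check and record must happen as one step
            for old in [k for k, exp in self._seen.items() if exp < now]:
                del self._seen[old]
            if key in self._seen:
                return True
            self._seen[key] = ts + self.window
            return False


def make_request(nonce, timestamp, client_id, token=None):
    # Constructed stand-in for the request object passed to exists_nonce.
    return SimpleNamespace(nonce=nonce, timestamp=timestamp,
                           client_id=client_id, token=token)
```

An entry is kept for as long as its timestamp would still be accepted, so a captured request cannot be replayed after the cache has forgotten its nonce.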
authlib.integrations.flask_oauth1.current_credential
Routes protected by ResourceProtector can access current credential with this variable.
Warning
We will drop sqla_oauth2 module in version 1.0.
authlib.integrations.sqla_oauth1.create_query_client_func(session, model_class)
Create a query_client function that can be used in authorization server and resource protector.
authlib.integrations.sqla_oauth1.create_query_token_func(session, model_class)
Create a query_token function that can be used in resource protector.
authlib.integrations.sqla_oauth1.create_exists_nonce_func(session, model_class)
Create an exists_nonce function that can be used in hooks and resource protector.
authlib.integrations.sqla_oauth1.register_nonce_hooks(authorization_server, session, model_class)
Register nonce related hooks to authorization server.
authlib.integrations.sqla_oauth1.register_temporary_credential_hooks(authorization_server, session, model_class)
Register temporary credential related hooks to authorization server.
authlib.integrations.sqla_oauth1.register_token_credential_hooks(authorization_server, session, model_class)
Register token credential related hooks to authorization server.