From f538ea8f87947d7c1543a8c0fcea5b0242a12ab6 Mon Sep 17 00:00:00 2001
From: Tyler Jones
Date: Thu, 1 Aug 2013 15:29:58 -0700
Subject: #200 First attempt at API cleanup to match OAuth1.

---
 docs/oauth2/endpoints.rst | 23 ++++++++++-------------
 docs/oauth2/server.rst    | 34 ++++++++++++++++------------------
 2 files changed, 26 insertions(+), 31 deletions(-)
 (limited to 'docs')

diff --git a/docs/oauth2/endpoints.rst b/docs/oauth2/endpoints.rst
index aa73d46..1441938 100644
--- a/docs/oauth2/endpoints.rst
+++ b/docs/oauth2/endpoints.rst
@@ -79,9 +79,8 @@ Grant and the Client Credentials Grant.
         except FatalClientError as e:
             # this is your custom error page
-            from your_views import authorization_error_page_uri
-            # Use in_uri to embed error code and description in the redirect uri
-            redirect(e.in_uri(authorization_error_page_uri))
+            from your_view_helpers import error_to_response
+            return error_to_response(e)
 **Post Authorization Request**
@@ -107,23 +106,22 @@ Grant and the Client Credentials Grant.
         scopes = request.POST.get('scopes')
         from oauthlib.oauth2 import FatalClientError, OAuth2Error
-        from your_framework import redirect
+        from your_framework import http_response
+        http_response(body, status=status, headers=headers)
         try:
-            uri, headers, body, status = server.create_authorization_response(
+            headers, body, status = server.create_authorization_response(
                 uri, http_method, body, headers, scopes, credentials)
-            # uri = https://foo.com/welcome_back?code=somerandomstring&state=xyz
-            # headers = {}, this might change to include suggested headers related
+            # headers = {'Location': 'https://foo.com/welcome_back?code=somerandomstring&state=xyz'}, this might change to include suggested headers related
             # to cache best practices etc.
             # body = '', this might be set in future custom grant types
             # status = 302, suggested HTTP status code
-            redirect(uri, headers=headers, status=status, body=body)
+            return http_response(body, status=status, headers=headers)
         except FatalClientError as e:
             # this is your custom error page
-            from your_views import authorization_error_page_uri
-            # Use in_uri to embed error code and description in the redirect uri
-            redirect(e.in_uri(authorization_error_page_uri))
+            from your_view_helpers import error_to_response
+            return error_to_response(e)
         except OAuth2Error as e:
             # Less grave errors will be reported back to client
@@ -181,10 +179,9 @@ tokens which unless you are certain you need them, are a bad idea.
         # Extra credentials you wish to include
         credentials = {'client_ip': '1.2.3.4'}
-        uri, headers, body, status = server.create_token_response(
+        headers, body, status = server.create_token_response(
             uri, http_method, body, headers, credentials)
-        # uri is not used by most grant types
         # headers will contain some suggested headers to add to your response
         {
             'Content-Type': 'application/json;charset=UTF-8',
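Review bot: The added line `http_response(body, status=status, headers=headers)` placed right after `from your_framework import http_response`, before the `try:`, runs before `create_authorization_response` has produced `status`, so the Post Authorization example raises NameError as written (and, had the names existed, would emit a response before the authorization decision was made). It looks like a leftover from rewriting the old `redirect(...)` call; delete it and keep only the `return http_response(body, status=status, headers=headers)` inside the `try`. The view function this hunk edits begins before the hunk, and the `except OAuth2Error` branch at the hunk's end continues past it.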
diff --git a/docs/oauth2/server.rst b/docs/oauth2/server.rst
index 22e5d43..cba56d1 100644
--- a/docs/oauth2/server.rst
+++ b/docs/oauth2/server.rst
@@ -260,7 +260,6 @@ as well as provide an interface for a backend to store tokens, clients, etc.
         def __init__(self):
             # Using the server from previous section
             self._authorization_endpoint = server
-            self._error_uri = '/error'
         def get(self, request):
             # You need to define extract_params and make sure it does not
@@ -288,7 +287,7 @@ as well as provide an interface for a backend to store tokens, clients, etc.
             # Errors that should be shown to the user on the provider website
             except errors.FatalClientError as e:
-                return HttpResponseRedirect(e.in_uri(self._error_uri))
+                return response_from_error(e)
             # Errors embedded in the redirect URI back to the client
             except errors.OAuth2Error as e:
@@ -297,7 +296,7 @@ as well as provide an interface for a backend to store tokens, clients, etc.
         @csrf_exempt
         def post(self, request):
             uri, http_method, body, headers = extract_params(request)
-
+
             # The scopes the user actually authorized, i.e. checkboxes
             # that were selected.
             scopes = request.POST.getlist(['scopes'])
@@ -309,15 +308,12 @@ as well as provide an interface for a backend to store tokens, clients, etc.
             credentials.update(request.session.get('oauth2_credentials', {}))
             try:
-                url, headers, body, status = self._authorization_endpoint.create_authorization_response(
+                headers, body, status = self._authorization_endpoint.create_authorization_response(
                     uri, http_method, body, headers, scopes, credentials)
-                return HttpResponseRedirect(url)
+                return response_from_return(headers, body, status)
             except errors.FatalClientError as e:
-                return HttpResponseRedirect(e.in_uri(self._error_uri))
-
-            except errors.OAuth2Error as e:
-                return HttpResponseRedirect(e.in_uri(redirect_uri))
+                return response_from_error(e)
     # Handles requests to /token
     class TokenView(View):
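Review bot: In the `@@ -309` hunk, `post()` drops its `except errors.OAuth2Error` branch, while `get()` in the `@@ -288` hunk (and the endpoints.rst example in this same commit) keeps one, so the two documents now disagree about who turns a non-fatal `OAuth2Error` into the redirect back to the client. If `create_authorization_response` now embeds those errors in the returned `Location` header itself, which the removal implies, the remaining handler in `get()` is dead code and should go for consistency; if it does not, `post()` now lets the exception escape as an unhandled 500 and needs an equivalent branch. Either way a one-line comment such as `# Non-fatal OAuth2Error is turned into the error redirect by the endpoint itself` above the `except errors.FatalClientError` would make the intended contract explicit. The `AuthorizationView` class and both methods begin before and continue after these hunks.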
@@ -333,21 +329,23 @@ as well as provide an interface for a backend to store tokens, clients, etc.
             # use in the validator, do so here.
             credentials = {'foo': 'bar'}
-            url, headers, body, status = self._token_endpoint.create_token_response(
+            headers, body, status = self._token_endpoint.create_token_response(
                 uri, http_method, body, headers, credentials)
             # All requests to /token will return a json response, no redirection.
-            response = HttpResponse(content=body, status=status)
-            for k, v in headers.items():
-                response[k] = v
-            return response
-
+            return response_from_return(headers, body, status)
-    class ErrorView(View):
-        response = HttpResponse()
-        response.write('Evil client is unable to send a proper request.')
+    def response_from_return(headers, body, status):
+        response = HttpResponse(content=body, status=status)
+        for k, v in headers.items():
+            response[k] = v
         return response
+    def response_from_error(e)
+        return HttpResponseBadRequest('Evil client is unable to send a proper request. Error is: ' + e.description)
+
+
+
 **5. Protect your APIs using scopes**
 Let's define a decorator we can use to protect the views.
-- 
cgit v1.2.1
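Review bot: `def response_from_error(e)` is missing its trailing colon, so the new helper is a SyntaxError for anyone who pastes the example. More importantly, it concatenates `e.description` straight into an `HttpResponseBadRequest`, whose default content type is text/html; should any FatalClientError description echo a request-supplied value (a client_id or redirect_uri, say), that value lands unescaped in the provider's own error page, which is the classic reflected-XSS shape. Prefer `from django.utils.html import escape` and `return HttpResponseBadRequest('Evil client is unable to send a proper request. Error is: ' + escape(e.description))`, or render a template, and consider whether the raw description needs to reach the end user at all. Since `response_from_return` and `response_from_error` are now module-level helpers shared by both views, a short comment above them such as `# Map oauthlib's (headers, body, status) triple onto a Django response` would help readers who arrive at this section first.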