~hIddlmZddlmZddlmZddlmZddlmZddl m Z ddl m Z dd l m Z dd l m Z dd lmZdd lmZd ddZGddZdZy))generate_token) url_decode) ClientAuth) TokenAuth) OAuth2Error)!parse_authorization_code_response)parse_implicit_response)prepare_grant_uri)prepare_token_request)prepare_revoke_token_request)create_s256_code_challengezapplication/jsonz/application/x-www-form-urlencoded;charset=UTF-8)Acceptz Content-Typec,eZdZdZeZeZeZ dZ gZ ddZ dZ dZedZej"dZdd Z dd Zdd Z dd Zdd Z ddZ ddZdZdZ ddZ d dZ ddZdZdZd!dZ dZ!y)" OAuth2Clienta Construct a new OAuth 2 protocol client. :param session: Requests session object to communicate with authorization server. :param client_id: Client ID, which you get from client registration. :param client_secret: Client Secret, which you get from registration. :param token_endpoint_auth_method: client authentication method for token endpoint. :param revocation_endpoint_auth_method: client authentication method for revocation endpoint. :param scope: Scope that you needed to access user resources. :param state: Shared secret to prevent CSRF attack. :param redirect_uri: Redirect URI you registered as callback. :param code_challenge_method: PKCE method name, only S256 is supported. :param token: A dict of token attributes such as ``access_token``, ``token_type`` and ``expires_at``. :param token_placement: The place to put token in HTTP request. Available values: "header", "body", "uri". :param update_token: A function for you to update token. It accept a :class:`OAuth2Token` as parameter. :param leeway: Time window in seconds before the actual expiration of the authentication token, that the token is considered expired and will be refreshed. ) response_modenonceprompt login_hintNc ||_||_||_||_||rd}nd}||_||rd}nd}||_||_||_| |_|j| | ||_ | |_ |jdd}|r td||_tttttd|_i|_| |_y)Nclient_secret_basicnone token_updaterz " & "jjF7O '**f4'A-'PF# $.2.H.HF* +,, -A1 #5 MM!,q  -  nn'    Ezr7c |xs |j}|jdd} | rd| vr|j| |S|j|} | rd| vrd}t | |} | d|d<||j j d}|t|}||j d<|j||fi|}||j|j}|t}||j j d }|j|f||||d | S) amGeneric method for fetching an access token from the token endpoint. :param url: Access Token endpoint URL, if not configured, ``authorization_response`` is used to extract token from its fragment (implicit way). :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param method: The HTTP method used to make the request. Defaults to POST, but may also be GET. Other methods should be added as needed. :param headers: Dict to default request headers with. :param auth: An auth tuple or method as accepted by requests. :param grant_type: Use specified grant_type to fetch token :return: A :class:`OAuth2Token` object (a dict too). authorization_responseN#zcode=authorization_code)r"rJ grant_typetoken_endpoint)bodyr<methodheaders) r"r+token_from_fragment_extract_session_request_paramsr r-rM_guess_grant_type_prepare_token_endpoint_bodyrBr#DEFAULT_HEADERS _fetch_token) r2rOr[r\r]r<rYr"rQrVsession_kwargsparamss r5 fetch_tokenzOAuth2Client.fetch_tokens@4#!',Dd!K !c-C&C++,BEJ J==fE !g1G&G-J6&F$F^F6N  **<8J  *62J*4DMM, '0t00zLVL <##D$C$CDD ?%G ;--##$45C t   fg IW  r7c~t||}d|vr%|j|d|jd||_|S)Nerrorerror_descriptionrh description)r oauth_error_classrMr3)r2rVr"r3s r5r^z OAuth2Client.token_from_fragmentsP'(>F e ((Gn%)) BH  ?%**,G ;--##$45C(()@A :D!%c7D!9 C$ : <##D$C$CDD"t""  '     r7c| |j}|j|jsy|jd}|jjd}|r|r|j ||y|jjddk(r8|d}|j |d }|jr|j|| yy) N)r1TrnrZrnrYclient_credentials access_token)rY)ru)r3 is_expiredr1rMr-rnrfr*)r2r3rnrOru new_tokens r5ensure_active_tokenz OAuth2Client.ensure_active_token,s =JJEt{{3 /2 mm 01 S   s-  @ ]]  | ,0D D 0L((9M(NI  !!),!G Er7c p||j|j}|jd|f|||||d|S)aRevoke token method defined via `RFC7009`_. :param url: Revoke Token endpoint, must be HTTPS. :param token: The token to be revoked. :param token_type_hint: The type of the token that to be revoked. It can be "access_token" or "refresh_token". :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param auth: An auth tuple or method as accepted by requests. :param headers: Dict to default request headers with. :return: Revocation Response .. _`RFC7009`: https://tools.ietf.org/html/rfc7009 rr3token_type_hintr[r<r])rBr$_handle_token_hintr2rOr3r{r[r<r]rQs r5 revoke_tokenzOAuth2Client.revoke_token=sZ0 <##D$H$HID&t&& "   +    r7c p||j|j}|jd|f|||||d|S)aImplementation of OAuth 2.0 Token Introspection defined via `RFC7662`_. :param url: Introspection Endpoint, must be HTTPS. :param token: The token to be introspected. :param token_type_hint: The type of the token that to be revoked. It can be "access_token" or "refresh_token". :param body: Optional application/x-www-form-urlencoded body to add the include in the token request. Prefer kwargs over body. :param auth: An auth tuple or method as accepted by requests. :param headers: Dict to default request headers with. :return: Introspection Response .. _`RFC7662`: https://tools.ietf.org/html/rfc7662 rrz)rBr#r|r}s r5introspect_tokenzOAuth2Client.introspect_tokenbsZ0 <##D$C$CDD&t&& &   +    r7c|dk(r&|jjj|y||jvrt d||j|j|j|y)aRegister a hook for request/response tweaking. Available hooks are: * access_token_response: invoked before token parsing. * refresh_token_request: invoked before refreshing token. * refresh_token_response: invoked before refresh token parsing. * protected_request: invoked before making a request. * revoke_token_request: invoked before revoking a token. * introspect_token_request: invoked before introspecting a token. protected_requestNzHook type %s is not in %s.)r)hooksaddr/r,)r2 hook_typerqs r5register_compliance_hookz%OAuth2Client.register_compliance_hooksk + + OO ! ! % %d +  D00 0,i9M9M  Y'++D1r7c|jdk\r|j|j}d|vr%|j|d|j d||_|j S)Nirhrirj) status_coderaise_for_statusjsonrlrMr3)r2respr3s r5parse_response_tokenz!OAuth2Client.parse_response_tokensm   s "  ! ! #  e ((Gn%))V #$4<<$$z$/0'PVDczhhT{+hhT{+'4<<''%,4;AD(()@A D:D ((..r7c ,|j|f|||d|}|jdD] }||} |j|} d| vr||jd<t |j r|j |j||jS)N)r[r<r]rrnrs) _http_postr/rr3callabler*) r2rOrnr[r]r<rQrrqr3s r5rpzOAuth2Client._refresh_tokenstsTD'TVT(()AB D:D ))$/ % '*7DJJ ' D%% &   djj  Fzzr7c |D|jr8|jjdxs|jjd}|d}t||||\}}|j|D]} | |||\}}}||j |j }|j |} |j||f||d| S)Nrnru)r<r])r3rMr r/rBr$r_r) r2rqrOr3r{r[r<r]rQr/rds r5r|zOAuth2Client._handle_token_hints =TZZJJNN?3Utzz~~n7UE <D4 ?D' g $33D9 EO!0gt!D C$ E <##D$H$HID==fEtsDWtWWWWr7c |dk(r d|vr|j|d<t||fi|Sd|vr|jr|j|d<t||fi|S)NrXr&r%)r&r r%)r2r[rYrQs r5raz)OAuth2Client._prepare_token_endpoint_bodysb - -V+)-):):~&(TDVD D & TZZ"jjF7O$Z@@@r7c^i}|jD]}||vs|j|||<|S)zDExtract parameters for session object from the passing ``**kwargs``.)SESSION_REQUEST_PARAMSr+)r2rQrvrRs r5r_z,OAuth2Client._extract_session_request_paramss; ,, &AF{ 1 1 & r7c h|jj|ftt|||d|S)Nr)rrrr)r2rOr[r<r]rQs r5rzOAuth2Client._http_posts< t||   :d+,gD LR  r7c|`yrD)rrEs r5__del__zOAuth2Client.__del__s Lr7) NNNNNNNNNheaderN<)NN)NrrNNNNrD)NNrNN)NNNNN)rNNr)NrNN)NNN)"__name__ __module__ __qualname____doc__rrArr(rrlrNrr6r=rBpropertyr3setterrTrfr^rnrxr~rrrrcrpr|rar_rrr7r5rrs>2# #O #'(," >@1 %% \\))'V   > @IM( T(  # P  # J2, =C/,DH*  X<A r7rc2d|vrd}|Sd|vrd|vrd}|Sd}|S)NrJrXusernamepasswordrtr)rQrYs r5r`r`sB )  v *"6  * r7N)authlib.common.securityrauthlib.common.urlsrr<rrbaserrfc6749.parametersr r r r rfc7009r rfc7636rrbrr`rr7r5rsG2*A7151/!E qqhr7