o Df#@sdddlZddlmZmZmZddlmZmZddlm Z m Z m Z e e ZdZGdd d eeZdS) N)InvalidRequestErrorUnauthorizedClientErrorAccessDeniedError) BaseGrantTokenEndpointMixin)AuthorizationPendingErrorExpiredTokenError SlowDownErrorz,urn:ietf:params:oauth:grant-type:device_codec@sLeZdZdZeZgdZddZddZddZ d d Z d d Z d dZ dS)DeviceCodeGrantal This OAuth 2.0 [RFC6749] protocol extension enables OAuth clients to request user authorization from applications on devices that have limited input capabilities or lack a suitable browser. Such devices include smart TVs, media consoles, picture frames, and printers, which lack an easy input method or a suitable browser required for traditional OAuth interactions. Here is the authorization flow:: +----------+ +----------------+ | |>---(A)-- Client Identifier --->| | | | | | | |<---(B)-- Device Code, ---<| | | | User Code, | | | Device | & Verification URI | | | Client | | | | | [polling] | | | |>---(E)-- Device Code --->| | | | & Client Identifier | | | | | Authorization | | |<---(F)-- Access Token ---<| Server | +----------+ (& Optional Refresh Token) | | v | | : | | (C) User Code & Verification URI | | : | | v | | +----------+ | | | End User | | | | at |<---(D)-- End user reviews --->| | | Browser | authorization request | | +----------+ +----------------+ This DeviceCodeGrant is the implementation of step (E) and (F). (E) While the end user reviews the client's request (step D), the client repeatedly polls the authorization server to find out if the user completed the user authorization step. The client includes the device code and its client identifier. (F) The authorization server validates the device code provided by the client and responds with the access token if the client is granted access, an error if they are denied access, or an indication that the client should continue to poll. )client_secret_basicclient_secret_postnonecCs|jjd}|s td|}||jst||}|s%td| | kr0t| |}||j_ ||j_ ||j_ dS)a#After displaying instructions to the user, the client creates an access token request and sends it to the token endpoint with the following parameters: grant_type REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant-type:device_code". device_code REQUIRED. The device verification code, "device_code" from the device authorization response. client_id REQUIRED if the client is not authenticating with the authorization server as described in Section 3.2.1. of [RFC6749]. The client identifier as described in Section 2.2 of [RFC6749]. For example, the client makes the following HTTPS request:: POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code &device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS &client_id=1406020730 device_codez Missing "device_code" in payloadz Invalid "device_code" in payloadN)requestdatagetr"authenticate_token_endpoint_clientcheck_grant_type GRANT_TYPErquery_device_credential get_client_idvalidate_device_credentialuserclient credential)selfrrrrr[/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc8628/device_code.pyvalidate_token_requestAs    z&DeviceCodeGrant.validate_token_requestcCs`|jj}|jj}|j|jj||dd}td||| ||j d|dd||j fS)zIf the access token request is valid and authorized, the authorization server issues an access token and optional refresh token. refresh_token)rscopeinclude_refresh_tokenzIssue token %r to %r process_token)token) rrr get_scopegenerate_tokenrrlogdebug save_token execute_hookTOKEN_RESPONSE_HEADER)rrr"r%rrrcreate_token_responseqs   z%DeviceCodeGrant.create_token_responsecCsT|rt|}||}|dur|\}}|st|S||r'tt)N) is_expiredr get_user_codequery_user_grantrshould_slow_downr r )rr user_code user_grantrapprovedrrrrs  z*DeviceCodeGrant.validate_device_credentialcCt)aiGet device credential from previously savings via ``DeviceAuthorizationEndpoint``. Developers MUST implement it in subclass:: def query_device_credential(self, device_code): return DeviceCredential.get(device_code) :param device_code: a string represent the code. :return: DeviceCredential instance NotImplementedError)rrrrrrs z'DeviceCodeGrant.query_device_credentialcCr6)a!Get user and grant via the given user code. Developers MUST implement it in subclass:: def query_user_grant(self, user_code): # e.g. we saved user grant info in redis data = redis.get('oauth_user_grant:' + user_code) if not data: return None user_id, allowed = data.split() user = User.get(user_id) return user, bool(allowed) Note, user grant information is saved by verification endpoint. r7)rr3rrrr1sz DeviceCodeGrant.query_user_grantcCr6)zThe authorization request is still pending and polling should continue, but the interval MUST be increased by 5 seconds for this and all subsequent requests. r7)rrrrrr2sz DeviceCodeGrant.should_slow_downN) __name__ __module__ __qualname____doc__DEVICE_CODE_GRANT_TYPErTOKEN_ENDPOINT_AUTH_METHODSr r.rrr1r2rrrrr s+0 r )loggingrfc6749.errorsrrrrfc6749rrerrorsr r r getLoggerr9r)r=r rrrrs