keystone.api.os_oauth2

Source code for keystone.api.os_oauth2

# Copyright 2022 OpenStack Foundation
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import flask
from flask import make_response
import http.client
from oslo_log import log

from keystone.api._shared import authentication
from keystone.api._shared import json_home_relations
from keystone.conf import CONF
from keystone import exception
from keystone.i18n import _
from keystone.server import flask as ks_flask

LOG = log.getLogger(__name__)

_build_resource_relation = json_home_relations.os_oauth2_resource_rel_func


[docs]class AccessTokenResource(ks_flask.ResourceBase): def _method_not_allowed(self): """Raise a method not allowed error""" raise exception.OAuth2OtherError( int(http.client.METHOD_NOT_ALLOWED), http.client.responses[http.client.METHOD_NOT_ALLOWED], _('The method is not allowed for the requested URL.'))
[docs] @ks_flask.unenforced_api def get(self): """The method is not allowed""" self._method_not_allowed()
[docs] @ks_flask.unenforced_api def head(self): """The method is not allowed""" self._method_not_allowed()
[docs] @ks_flask.unenforced_api def put(self): """The method is not allowed""" self._method_not_allowed()
[docs] @ks_flask.unenforced_api def patch(self): """The method is not allowed""" self._method_not_allowed()
[docs] @ks_flask.unenforced_api def delete(self): """The method is not allowed""" self._method_not_allowed()
[docs] @ks_flask.unenforced_api def post(self): """Get an OAuth2.0 Access Token. POST /v3/OS-OAUTH2/token """ client_auth = flask.request.authorization if not client_auth: error = exception.OAuth2InvalidClient( int(http.client.UNAUTHORIZED), http.client.responses[http.client.UNAUTHORIZED], _('OAuth2.0 client authorization is required.')) LOG.info('Get OAuth2.0 Access Token API: ' 'field \'authorization\' is not found in HTTP Headers.') raise error if client_auth.type != 'basic': error = exception.OAuth2InvalidClient( int(http.client.UNAUTHORIZED), http.client.responses[http.client.UNAUTHORIZED], _('OAuth2.0 client authorization type %s is not supported.') % client_auth.type) LOG.info('Get OAuth2.0 Access Token API: ' f'{error.message_format}') raise error client_id = client_auth.username client_secret = client_auth.password if not client_id: error = exception.OAuth2InvalidClient( int(http.client.UNAUTHORIZED), http.client.responses[http.client.UNAUTHORIZED], _('OAuth2.0 client authorization is invalid.')) LOG.info('Get OAuth2.0 Access Token API: ' 'client_id is not found in authorization.') raise error if not client_secret: error = exception.OAuth2InvalidClient( int(http.client.UNAUTHORIZED), http.client.responses[http.client.UNAUTHORIZED], _('OAuth2.0 client authorization is invalid.')) LOG.info('Get OAuth2.0 Access Token API: ' 'client_secret is not found in authorization.') raise error grant_type = flask.request.form.get('grant_type') if grant_type is None: error = exception.OAuth2InvalidRequest( int(http.client.BAD_REQUEST), http.client.responses[http.client.BAD_REQUEST], _('The parameter grant_type is required.')) LOG.info('Get OAuth2.0 Access Token API: ' f'{error.message_format}') raise error if grant_type != 'client_credentials': error = exception.OAuth2UnsupportedGrantType( int(http.client.BAD_REQUEST), http.client.responses[http.client.BAD_REQUEST], _('The parameter grant_type %s is not supported.' ) % grant_type) LOG.info('Get OAuth2.0 Access Token API: ' f'{error.message_format}') raise error auth_data = { 'identity': { 'methods': ['application_credential'], 'application_credential': { 'id': client_id, 'secret': client_secret } } } try: token = authentication.authenticate_for_token(auth_data) except exception.Error as error: if error.code == 401: error = exception.OAuth2InvalidClient( error.code, error.title, str(error)) elif error.code == 400: error = exception.OAuth2InvalidRequest( error.code, error.title, str(error)) else: error = exception.OAuth2OtherError( error.code, error.title, 'An unknown error occurred and failed to get an OAuth2.0 ' 'access token.') LOG.exception(error) raise error except Exception as error: error = exception.OAuth2OtherError( int(http.client.INTERNAL_SERVER_ERROR), http.client.responses[http.client.INTERNAL_SERVER_ERROR], str(error)) LOG.exception(error) raise error resp = make_response({ 'access_token': token.id, 'token_type': 'Bearer', 'expires_in': CONF.token.expiration }) resp.status = '200 OK' return resp
[docs]class OSAuth2API(ks_flask.APIBase): _name = 'OS-OAUTH2' _import_name = __name__ _api_url_prefix = '/OS-OAUTH2' resource_mapping = [ ks_flask.construct_resource_map( resource=AccessTokenResource, url='/token', rel='token', resource_kwargs={}, resource_relation_func=_build_resource_relation )]
APIs = (OSAuth2API,)
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.