elliotpeele / pyramid_oauth2_provider Goto Github PK

Due to the way exception handling works in pyramid, the db transaction is rolled back on an exception. When the authorization policy checks to see if a token is expired, the revoked flag never gets set because an exception is then raised.

OauthAuthenticationPolicy._get_auth_token raises a TypeError when util.getClientCredentials returns False rather than a tuple. Test this by hitting your site without providing headers/authorization.

I will submit a PR soon as a temporary fix, but exception handling should be revamped as a whole in the long run.

The access_token should be revoked if it is no longer valid.

It would be better if errors were returned in JSON rather than formatted in HTML.

The Oauth2Client model use the following definition

    _client_secret = Column(Binary(255), unique=True, nullable=False)

On db initialization, the following error is raised

OperationalError: (_mysql_exceptions.OperationalError) (1170, "BLOB/TEXT column '_client_secret' used in key specification without a key length") [SQL: u'\nCREATE TABLE oidc_client (\n\tid INTEGER NOT NULL AUTO_INCREMENT, \n\tclient_id VARCHAR(64) NOT NULL, \n\t_client_secret BLOB(255) NOT NULL, \n\trevoked BOOL, \n\trevocation_date DATETIME, \n\tCONSTRAINT pk_oidc_client PRIMARY KEY (id), \n\tCONSTRAINT test UNIQUE (_client_secret), \n\tCONSTRAINT uq_oidc_client_client_id UNIQUE (client_id), \n\tCONSTRAINT ck_oidc_client_revoked CHECK (revoked IN (0, 1))\n)ENGINE=InnoDB CHARSET=utf8\n\n']

setting the column type to sqlalchemy.dialects.mysql.BINARY works as expected (but it's not a satisfying solution).

Hi, it seems there is no support for the Authorization code grant flow
https://tools.ietf.org/html/rfc6749#section-4.1

The token view doesn't support authorization_code grant_type
Am I right ?

"""Generate client credentials using the create_client_credentials script, provided as part of pyramid_oauth2_provider."""

Maybe adding the following entry in the setup.py file could help newcomers

[console_scripts]
...
create_client_credentials=pyramid_oauth2_provider.scripts.create_client_credentials:main

I want to thank you for this library, it has saved me quite some time.

I would like to work on some changes:

• hash/salt of client secret, access_token and refresh_token in the DB - the actual secret/tokens should be provided once at generation time, and then regenerated if forgotten (will have new requirement - cryptacular.bcrypt)
• Sphinx configuration and more docs (need to setup readthedocs and add/fix docstrings)
• Changes file

Let me know if you are open to this.

P.S. I confirmed the PRs from @tonthon are working.

The following script : https://github.com/elliotpeele/pyramid_oauth2_provider/blob/master/pyramid_oauth2_provider/scripts/create_client_credentials.py

uses epdb that is missing in the setup.py requirements

My setup :
OS : fedora
I installed the following packages : gcc libffi-devel python-devel openssl-devel
And I pip installed cryptography.
I get the following error

    raise UnsupportedAlgorithm("This backend does not support scrypt.")
cryptography.exceptions.UnsupportedAlgorithm: This backend does not support scrypt.

It seems something is missing.