Add support for authenticating confidential client with request body params. Fix #55

Author: synasius

oauth2_provider/oauth2_validators.py

@@ -23,16 +23,19 @@
 
 
 class OAuth2Validator(RequestValidator):
-    def authenticate_client(self, request, *args, **kwargs):
+    def _authenticate_basic_auth(self, request):
         """
-        Check if client exists and it's authenticating itself as in rfc:`3.2.1`
+        Authenticates with HTTP Basic Auth
         """
         auth = request.headers.get('HTTP_AUTHORIZATION', None)
 
         if not auth:
             return False
 
         auth_type, auth_string = auth.split(' ')
+        if auth_type != "Basic":
+            return False
+
         encoding = request.encoding or 'utf-8'
 
         auth_string_decoded = base64.b64decode(auth_string).decode(encoding)
@@ -45,15 +48,51 @@ def authenticate_client(self, request, *args, **kwargs):
         except Application.DoesNotExist:
             return False
 
+    def _authenticate_request_body(self, request):
+        """
+        Try to authenticate the client using client_id and client_secret parameters
+        included in body.
+
+        Remember that this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize
+        the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details.
+        """
+        client_id = request.client_id
+        client_secret = request.client_secret
+
+        if not client_id:
+            return False
+
+        try:
+            request.client = Application.objects.get(client_id=client_id, client_secret=client_secret)
+            return True
+
+        except Application.DoesNotExist:
+            return False
+
+    def authenticate_client(self, request, *args, **kwargs):
+        """
+        Check if client exists and it's authenticating itself as in rfc:`3.2.1`
+
+        First we try to authenticate with HTTP Basic Auth, and that is the PREFERRED authentication method.
+        Whether this fails we support including the client credentials in the request-body, but
+        this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize
+        the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details
+        """
+        authenticated = self._authenticate_basic_auth(request)
+
+        if not authenticated:
+            authenticated = self._authenticate_request_body(request)
+
+        return authenticated
+
     def authenticate_client_id(self, client_id, request, *args, **kwargs):
         """
         If we are here, the client did not authenticate itself as in rfc:`3.2.1` and we can proceed only if the client
         exists and it's not of type 'Confidential'. Also assign Application instance to request.client.
         """
-        client_secret = request.client_secret
 
         try:
-            request.client = request.client or Application.objects.get(client_id=client_id, client_secret=client_secret)
+            request.client = Application.objects.get(client_id=client_id)
             return request.client.client_type != Application.CLIENT_CONFIDENTIAL
 
         except Application.DoesNotExist:

oauth2_provider/tests/test_authorization_code.py

@@ -1,5 +1,6 @@
 from __future__ import unicode_literals
 
+import base64
 import json
 
 from django.test import TestCase, RequestFactory
@@ -437,6 +438,51 @@ def test_basic_auth_bad_secret(self):
         response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
         self.assertEqual(response.status_code, 400)
 
+    def test_basic_auth_wrong_auth_type(self):
+        """
+        Request an access token using basic authentication for client authentication
+        """
+        self.client.login(username="test_user", password="123456")
+        authorization_code = self.get_auth()
+
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': 'http://example.it'
+        }
+
+        user_pass = '{0}:{1}'.format(self.application.client_id, self.application.client_secret)
+        auth_string = base64.b64encode(user_pass.encode('utf-8'))
+        auth_headers = {
+            'HTTP_AUTHORIZATION': 'Wrong ' + auth_string.decode("utf-8"),
+        }
+
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 400)
+
+    def test_request_body_params(self):
+        """
+        Request an access token using client_type: public
+        """
+        self.client.login(username="test_user", password="123456")
+        authorization_code = self.get_auth()
+
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': 'http://example.it',
+            'client_id': self.application.client_id,
+            'client_secret':  self.application.client_secret,
+        }
+
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data)
+        self.assertEqual(response.status_code, 200)
+
+        content = json.loads(response.content.decode("utf-8"))
+        self.assertEqual(content['token_type'], "Bearer")
+        self.assertEqual(content['scope'], "read write")
+        self.assertEqual(content['expires_in'], oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS)
+
     def test_public(self):
         """
         Request an access token using client_type: public
@@ -451,8 +497,7 @@ def test_public(self):
             'grant_type': 'authorization_code',
             'code': authorization_code,
             'redirect_uri': 'http://example.it',
-            'client_id': self.application.client_id,
-            'client_secret':  self.application.client_secret,
+            'client_id': self.application.client_id
         }
 
         response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data)