diff options
Diffstat (limited to 'gn_auth/auth/authentication/oauth2')
-rw-r--r-- | gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py index 895acb7..8e2f082 100644 --- a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py +++ b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py @@ -1,6 +1,7 @@ """JWT as Authorisation Grant""" from flask import current_app as app +from authlib.common.security import generate_token from authlib.oauth2.rfc7523.jwt_bearer import JWTBearerGrant as _JWTBearerGrant from authlib.oauth2.rfc7523.token import ( JWTBearerTokenGenerator as _JWTBearerTokenGenerator) @@ -30,6 +31,25 @@ class JWTBearerTokenGenerator(_JWTBearerTokenGenerator): "sub": str(tokendata["sub"])} + def __call__(self, grant_type, client, user=None, scope=None, + expires_in=None, include_refresh_token=True): + # there is absolutely no refresh token in JWT format + """ + The default generator does not provide refresh tokens with JWT. It goes + so far as to state "there is absolutely no refresh token in JWT format". + + This shim allows us to have a refresh token. We should probably look for + a supported way of using JWTs with refresh capability. + """ + token = self.generate(grant_type, client, user, scope, expires_in) + if include_refresh_token: + return { + **token, + "refresh_token": generate_token(length=42) + } + return token + + class JWTBearerGrant(_JWTBearerGrant): """Implement JWT as Authorisation Grant.""" @@ -57,3 +77,17 @@ class JWTBearerGrant(_JWTBearerGrant): Check if the client has permission to access the given user's resource. """ return True # TODO: Check this!!! + + def create_token_response(self): + """If valid and authorized, the authorization server issues an access + token. + """ + token = self.generate_token( + scope=self.request.scope, + user=self.request.user, + include_refresh_token=self.request.client.check_grant_type( + "refresh_token") + ) + app.logger.debug('Issue token %r to %r', token, self.request.client) + self.save_token(token) + return 200, token, self.TOKEN_RESPONSE_HEADER |