Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
Jonathan Huot
@JonathanHuot
Hi @tribals , I think the doc could be improved
Jonathan Huot
@JonathanHuot
@tribals, as I read it from the RFC, it depends of the AS policy. If you does not allow a default scope, then return False in validate_scopes when request.scopes is empty (and let get_default_scopes returns nothing).
If your AS policy allows that, Then, if request.scopes is empty, return True :)
Anthony
@tribals
Is it correct that RequestValidator.validate_scopes does nothing with actually authorized scopes. I mean, scopes that will be returned in response?
Jonathan Huot
@JonathanHuot
you have to update request.scopes to the reduced list of authorized scopes, if any
& then return True / False as we said
Anthony
@tribals
Ok, got it. Thank you!
Jonathan Huot
@JonathanHuot
however improvement of the docstring of validate_scopes will be helpful if you want to do a PR that's welcomed :D :D
Tim Van den Eynde
@Timvde
Why is oauthlib parsing GET parameters? https://github.com/oauthlib/oauthlib/blob/master/oauthlib/common.py#L395
The spec says: "The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters.", but it does not say the query parameters need to be interpreted
Ow, nvm, I misread it.
Tim Van den Eynde
@Timvde
It makes no sense though
Jonathan Huot
@JonathanHuot
Hi @Timvde, for /authorize parsing GET parameters makes sense, however for POST it doesn't. Are you looking for something in particular ?
Tim Van den Eynde
@Timvde
No, one of our users was doing a POST to get a token with his password in the GET parameters (which works), so we were looking into whether that was valid
It makes no sense, but if I read the spec correctly, it is still valid
Oh, unless... "The endpoint URI MUST NOT include a fragment component."
I'm still new at reading specs, so I'm not sure what that means exactly
Tim Van den Eynde
@Timvde
Oh, or is a fragment the part after a #? In that case, nvm
I think it's technically valid
Jonathan Huot
@JonathanHuot
@Timvde , if you want to continue to use query argument with POST you may want to pinpoint the version <3.1.0 . You will have details in the RFC which states it MUST NOT be in the query. See https://github.com/oauthlib/oauthlib/issues/666#issuecomment-485000169 . Quote: "The parameters can only be transmitted in the request-body and
MUST NOT be included in the request URI."
Tim Van den Eynde
@Timvde
I actually don't want to allow it, I just thought I had to after reading the RFC...
But if it isn't actually part of the RFC and updating oauthlib solves it, I'll glady perform the upgrade and disallow it
Jonathan Huot
@JonathanHuot
that's great! you can read the part mentionned in the #666 ticket and let us know if you have any questions
Tim Van den Eynde
@Timvde
Thank you for your help :)
Chitrank Dixit
@Chitrank-Dixit

Hi oauthlib team,

I am using a library named django-oauth-toolkit which is built on oauthlib. I and my peer were having a discussion about the good libraries to implement oauth in our django app. I came up with django-oauth-toolkit build on oauthlib. He came up with Authlib which has support for Django and Flask. I am listing all the features and support for both of them in order to choose better.

Features:
I can see on the documentation of oauthlib features:
https://oauthlib.readthedocs.io/en/latest/feature_matrix.html

and on Authlib:
https://github.com/lepture/authlib#spec-implementations

also I would like to know if oauthlib can provide a commercial support , because Authlib provides a commercial support : https://authlib.org/plans

I am huge supporter/fan of oauthlib and would like to know more details about it.
Chitrank Dixit
@Chitrank-Dixit
Hi @JonathanHuot , could you please help me with the above specifications. I can see in some of the previous releases that PKCE is supported but in documentation page it says there still some work needs to be done.
Jonathan Huot
@JonathanHuot
Hi Chitrank, PKCE is supported on provider side, however the client part is not done. Note that the client part is not useful because PKCE is usually used on Android/iOS apps (and not python apps!)
Jonathan Huot
@JonathanHuot
@Chitrank-Dixit , about plans & support, we're currently adding a sponsor page, however it implies sponsoring dev members and not doing contract with a company.
Chitrank Dixit
@Chitrank-Dixit

ohk @JonathanHuot . I am inspecting some of the rfc specifications.

RFC7515: JSON Web Signature
RFC7516: JSON Web Encryption
RFC7517: JSON Web Key
RFC7518: JSON Web Algorithms
RFC7519: JSON Web Token
RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

I have seen some discussions around these specifications on github regarding the above specifications and in the source code I am able to find https://github.com/oauthlib/oauthlib/blob/master/oauthlib/openid/connect/core/tokens.py.
So can I say RFC7519 and RFC7523 is functional but RFC7515, RFC7516, RFC7517, RFC7518 will be implemented in the near future? , If yes should I add it as an issue to discuss this in a better way.

Jonathan Huot
@JonathanHuot
Well, those specs can all of them be "used" outside oauthlib, because the hooks and the differents callback allow to have jwt everywhere in your authorization server flows. However, we are missing a native integration in oauthlib. I think we have at least one issue around RFC7523 open.
Having all of these RFCs nicely integrated into oauthlib will be a good think, but not too hard to do
Jonathan Huot
@JonathanHuot
Hi @thedrow , how are you ? did you had a chance to review your comments at oauthlib/oauthlib#702 ? Cheers
Also to anyone who want to review the doc improvement for OIDC, please add your comments in oauthlib/oauthlib#704
phrfpeixoto
@phrfpeixoto

Hello! I'm new to the OAuth world, and I've been reading the oauthlib docs, as well as oauth.com. It's not clear to me the difference between a Grant Type and Response Type, specially when reading this: https://oauthlib.readthedocs.io/en/latest/oauth2/server.html#client-or-consumer

Response Type:
Required, if using a grant type with an associated response type (eg. Authorization Code Grant) or using a grant which only utilizes response types (eg. Implicit Grant)

Aren't all grant types associated with a response type, somehow? In the authorization request, the Client WILL send in a response_type parameter, which is directly related to the grant type it wants to obtain, right? Could someone please break this down to me?

Jonathan Huot
@JonathanHuot
Yes, the confusion is natural. All you need to know is that if it mentions the "Grant Type", most likely it's referencing the type of authorization, whereas if it mentions either "response_type" or "grant_type", that's the field name. Each "Grant Type" has a different combination of response_type/grant_type, so it is confusing. Ideally, the field grant_type in OAuth2 RFC would have been named differently .
Basically the "Grant Type" is the name of the Authorization flow. "grant_type" is the name of the field when sending request to the Token endpoint; "response_type" is the name of the field when sending request to the Authorization endpoint.
The flow can contains either only the Authorization endpoint (implicit), or both Authorization & Token endpoints (Authorization Code), or only token endpoint (client credentials). (+variants from OIDC world)
phrfpeixoto
@phrfpeixoto

Basically the "Grant Type" is the name of the Authorization flow. "grant_type" is the name of the field when sending request to the Token endpoint; "response_type" is the name of the field when sending request to the Authorization endpoint.

Nice! Thanks for the clarification!

Mickey Pashov
@mickeypash
Hi team
I'm being a bit silly here but I want to access the Meetup API via OAuth2 and was wondering when I write my client library do I actually need to spin up an Authorisation Server? Just so I can make requests?
Jonathan Huot
@JonathanHuot
Hi @mickeypash, the authorization server is not needed because the ResourceServer (API) will not be be able to accept the tokens generated by yours. You have to figure out what are the supported AS for Meetup
Basically, if you just want to use public API, you just need a client (requests-oauthlib), or write your own client, hut that's often not needed.
Jared Vacanti
@jaredvacanti
I've been digging through the docs for the last week or so and I'm interested in adding some external authentication (oauth google login at first) to an existing aiohttp project. Is there any async support currently to help in this process? Otherwise, I'm looking at requests-oauthlib, when it is 'built' on oauthlib, does oauthlib provide the classes for the workflows and requests wraps the steps in the auth process? Do these wrappers do more? Just trying to figure out what it takes to implement a new project with oauthlib on its own
Omer Katz
@thedrow
oauthlib does not do any I/O
So it's up for our third-parties to implement those
@jaredvacanti Yes, you are correct.
Jonathan Huot
@JonathanHuot
Hi /all, I'm going to force merge the PR lacking for reviewers in a couple of days. It's waiting for long time and it impacts the latest documentation available on the RTD site. Last chance to give your input !! :) Any inputs are welcomed
Omer Katz
@thedrow
Which PR?
Jonathan Huot
@JonathanHuot
oauthlib/oauthlib#702 ; oauthlib/oauthlib#704 ; oauthlib/oauthlib#705