invalid_scope error if the authorized user doesn't have the scopes requested by the client. Rather, the resulting authorized scopes in this case should simply be reduced to the user's scopes, shouldn't they? Is it correct that the AS responds with an invalid_scope error if and only if the scope parameter is malformed, or the client requested scope(s) that don't exist at all?
File: oauthlib/oauth2/rfc6749/grant_types/base.py

```python
import logging

from .. import errors, utils

log = logging.getLogger(__name__)


class GrantTypeBase(object):
    # <...snip...>

    def validate_scopes(self, request):
        """
        :param request: OAuthlib request.
        :type request: oauthlib.common.Request
        """
        # Fall back to the client's default scopes when the request names none.
        if not request.scopes:
            request.scopes = utils.scope_to_list(request.scope) or utils.scope_to_list(
                self.request_validator.get_default_scopes(request.client_id, request))
        log.debug('Validating access to scopes %r for client %r (%r).',
                  request.scopes, request.client_id, request.client)
        # The decision is delegated entirely to the RequestValidator; a False
        # answer becomes an invalid_scope error.
        if not self.request_validator.validate_scopes(request.client_id,
                                                      request.scopes, request.client, request):
            raise errors.InvalidScopeError(request=request)
```
Hi oauthlib team,
I am using a library named django-oauth-toolkit, which is built on oauthlib. My peer and I were having a discussion about good libraries for implementing OAuth in our Django app. I came up with django-oauth-toolkit, built on oauthlib. He came up with Authlib, which has support for Django and Flask. I am listing all the features and support for both of them in order to choose the better one.
I can see on the documentation of oauthlib features:
and on Authlib:
Also, I would like to know if oauthlib can provide commercial support, because Authlib provides commercial support: https://authlib.org/plans
OK @JonathanHuot. I am inspecting some of the RFC specifications.
RFC7515: JSON Web Signature
RFC7516: JSON Web Encryption
RFC7517: JSON Web Key
RFC7518: JSON Web Algorithms
RFC7519: JSON Web Token
RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
I have seen some discussions on GitHub regarding the above specifications, and in the source code I am able to find https://github.com/oauthlib/oauthlib/blob/master/oauthlib/openid/connect/core/tokens.py.
So can I say RFC7519 and RFC7523 are functional, but RFC7515, RFC7516, RFC7517 and RFC7518 will be implemented in the near future? If yes, should I add an issue to discuss this in a better way?
Hello! I'm new to the OAuth world, and I've been reading the oauthlib docs as well as oauth.com. The difference between a Grant Type and a Response Type is not clear to me, especially when reading this: https://oauthlib.readthedocs.io/en/latest/oauth2/server.html#client-or-consumer
Required, if using a grant type with an associated response type (eg. Authorization Code Grant) or using a grant which only utilizes response types (eg. Implicit Grant)
Aren't all grant types associated with a response type somehow? In the authorization request, the Client WILL send a response_type parameter, which is directly related to the grant type it wants to obtain, right? Could someone please break this down for me?
Basically, the "Grant Type" is the name of the authorization flow. "grant_type" is the name of the field when sending a request to the Token endpoint; "response_type" is the name of the field when sending a request to the Authorization endpoint.
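To make the split above concrete, here is an added example (not oauthlib code, and not part of the original thread) that builds the two client requests of the Authorization Code flow with the standard library and parses each one the way the corresponding endpoint would. It also shows the Implicit flow, which only ever reaches the authorization endpoint. The endpoint URLs, client_id, redirect_uri and authorization code are made-up sample values.

```python
"""response_type vs grant_type: one field per endpoint.

Added example, not oauthlib code. Per RFC 6749 the Authorization Code flow is
started with response_type=code at the authorization endpoint (front channel,
via the browser) and finished with grant_type=authorization_code at the token
endpoint (back channel). The Implicit flow uses response_type=token and has no
token-endpoint step at all.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values, not real endpoints or credentials.
AUTHZ_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example/cb"

# Flow name -> response_type sent to the authorization endpoint.
RESPONSE_TYPE_FOR_FLOW = {"authorization_code": "code", "implicit": "token"}
# The code obtained with response_type=code is redeemed with this grant_type.
GRANT_TYPE_FOR_CODE = "authorization_code"


def authorization_request(flow, scopes, state):
    """Client side: the URL the browser is redirected to (front channel)."""
    params = {
        "response_type": RESPONSE_TYPE_FOR_FLOW[flow],
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding; the client checks it on the way back
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def token_request(code):
    """Client side: the POST body sent to the token endpoint (back channel)."""
    return urlencode({
        "grant_type": GRANT_TYPE_FOR_CODE,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the one used above
        "client_id": CLIENT_ID,
    })


def authorization_endpoint(url):
    """AS side: reads response_type; grant_type has no business here."""
    q = parse_qs(urlsplit(url).query, strict_parsing=True)
    if "grant_type" in q:
        raise ValueError("grant_type is a token-endpoint parameter")
    return {
        "response_type": q["response_type"][0],
        "scopes": q["scope"][0].split(),
        "state": q["state"][0],
    }


def token_endpoint(body):
    """AS side: reads grant_type; response_type has no business here."""
    q = parse_qs(body, strict_parsing=True)
    if "response_type" in q:
        raise ValueError("response_type is an authorization-endpoint parameter")
    return {"grant_type": q["grant_type"][0], "code": q["code"][0]}


def walk_through():
    """Both flows end to end; returns what each endpoint saw."""
    # Authorization Code: two endpoints, two differently named fields.
    authz = authorization_endpoint(
        authorization_request("authorization_code", ["openid", "profile"], "af0ifjsldkj"))
    token = token_endpoint(token_request("SplxlOBeZQQYbYS6WxSbIA"))  # sample code
    # Implicit: only response_type exists; there is no grant_type anywhere.
    implicit = authorization_endpoint(authorization_request("implicit", ["profile"], "xyz"))
    return {"code_flow_authz": authz, "code_flow_token": token, "implicit_authz": implicit}


if __name__ == "__main__":
    for step, seen in walk_through().items():
        print(step, seen)
```

The two parsers reject a field that belongs to the other endpoint; that is the practical rule of thumb for the confusion in the question: if the request carries a response_type it is headed for the authorization endpoint, and if it carries a grant_type it is headed for the token endpoint.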
Nice! Thanks for the clarification!