Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should external introspection's client_id be stuffed into application? #664

Open
n2ygk opened this issue Nov 8, 2018 · 1 comment
Open

Should external introspection's client_id be stuffed into application? #664

n2ygk opened this issue Nov 8, 2018 · 1 comment
Assignees
@n2ygk
Labels
enhancement

Comments

@n2ygk
Copy link
Member

n2ygk commented Nov 8, 2018

If the introspection endpoint is external (not using oauth2_provider as the OAuth 2 AS) the
application gets set to None here:

django-oauth-toolkit/oauth2_provider/oauth2_validators.py

Lines 335 to 344 in 5b51da7

access_token, _created = AccessToken\
.objects.select_related("application", "user")\
.update_or_create(token=token,
defaults={
"user": user,
"application": None,
"scope": scope,
"expires": expires,
})

In the case of Implicit or Authorization Code grants, the external introspected username is potentially added to the UserModel here if it doesn't already exist:

django-oauth-toolkit/oauth2_provider/oauth2_validators.py

Lines 313 to 317 in 5b51da7

if "active" in content and content["active"] is True:
if "username" in content:
user, _created = UserModel.objects.get_or_create(
**{UserModel.USERNAME_FIELD: content["username"]}
)

Should the external introspected client_id also cause a similar thing to happen, creating an Application instance if one is not defined?

Currently, because AccessToken.application is None, there is no consistent way to identify which OAuth2 Client was used. If the internal introspection server was used, application is set but if the external introspection server was used, application is not.

This is especially a concern when the Client Credentials grant type is used as there is no user.

Would it break anything to dummy up an application instance in a manner similar to what is currently done for user? Something along these lines right around the same lines referenced above:

application, _created = Application.objects.get_or_create(
    client_id=content["client_id"],
    user=None,
    redirect_uris="",
    client_type="Public",
    authorization_grant_type="", # what to put here?
    client_secret="",
    name=content["client_id"],
)
@n2ygk n2ygk self-assigned this Nov 8, 2018
@n2ygk n2ygk mentioned this issue Nov 9, 2018
Closed
@n2ygk
Copy link
Member Author

n2ygk commented Feb 7, 2019

A workaround is to assign each Client Credentials client a unique scope in the external OAuth2 AS that only it is allowed to request and to check for that scope in TokenMatchesOASRequirements

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@n2ygk n2ygk

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@n2ygk