Skip to content

Models

Memory objects used throughout the project. 

from aioauth import models

AuthorizationCode dataclass

Source code in aioauth/models.py 
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
@dataclass
class AuthorizationCode:
    code: str
    """
    Authorization code that the client previously received from the
    authorization server.
    """

    client_id: str
    """
    Public identifier for the client. It must also be unique across all
    clients that the authorization server handles.
    """

    redirect_uri: str
    """
    After a user successfully authorizes an application, the
    authorization server will redirect the user back to the application
    with either an authorization code or access token in the URL.
    Because the redirect URL will contain sensitive information, it is
    critical that the service doesn’t redirect the user to arbitrary
    locations.
    """

    response_type: str
    """A string containing the type of the response expected."""

    scope: str
    """
    Scope is a mechanism that limit an application's access to a user's
    account. An application can request one or more scopes, this
    information is then presented to the user in the consent screen, and
    the access token issued to the application will be limited to the
    scopes granted.
    """

    auth_time: int
    """
    JSON Web Token Claim indicating the time when the authentication
    occurred.
    """

    expires_in: int
    """
    Time delta in which authorization_code will expire.
    """

    code_challenge: Optional[str] = None
    """
    Only used when [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636),
    Proof Key for Code Exchange, is used.
    PKCE works by having the app generate a random value at the
    beginning of the flow called a Code Verifier. The app hashes the
    Code Verifier and the result is called the Code Challenge. The app
    then kicks off the flow in the normal way, except that it includes
    the Code Challenge in the query string for the request to the
    Authorization Server.
    """

    code_challenge_method: Optional[CodeChallengeMethod] = None
    """
    Only used when [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636>),
    Proof Key for Code Exchange, is used.
    Method used to transform the code verifier into the code challenge.
    """

    nonce: Optional[str] = None
    """
    Only used when [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636),
    Proof Key for Code Exchange, is used.
    Random piece of data.
    """

    def check_code_challenge(self, code_verifier: str) -> bool:
        is_valid_code_challenge = False

        if self.code_challenge_method == "plain":
            # If the "code_challenge_method" was "plain", they are compared directly
            # Use constant-time comparison to prevent timing attacks
            is_valid_code_challenge = secrets.compare_digest(
                code_verifier, self.code_challenge or ""
            )

        if self.code_challenge_method == "S256":
            # base64url(sha256(ascii(code_verifier))) == code_challenge
            # Use constant-time comparison to prevent timing attacks
            computed_challenge = create_s256_code_challenge(code_verifier)
            is_valid_code_challenge = secrets.compare_digest(
                computed_challenge, self.code_challenge or ""
            )

        return is_valid_code_challenge

    @property
    def is_expired(self) -> bool:
        """Checks if the authorization_code has expired."""
        return self.auth_time + self.expires_in < time.time()

auth_time instance-attribute

JSON Web Token Claim indicating the time when the authentication occurred.

client_id instance-attribute

Public identifier for the client. It must also be unique across all clients that the authorization server handles.

code instance-attribute

Authorization code that the client previously received from the authorization server.

code_challenge = None class-attribute instance-attribute

Only used when RFC 7636, Proof Key for Code Exchange, is used. PKCE works by having the app generate a random value at the beginning of the flow called a Code Verifier. The app hashes the Code Verifier and the result is called the Code Challenge. The app then kicks off the flow in the normal way, except that it includes the Code Challenge in the query string for the request to the Authorization Server.

code_challenge_method = None class-attribute instance-attribute

Only used when RFC 7636, Proof Key for Code Exchange, is used. Method used to transform the code verifier into the code challenge.

expires_in instance-attribute

Time delta in which authorization_code will expire.

is_expired property

Checks if the authorization_code has expired.

nonce = None class-attribute instance-attribute

Only used when RFC 7636, Proof Key for Code Exchange, is used. Random piece of data.

redirect_uri instance-attribute

After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

response_type instance-attribute

A string containing the type of the response expected.

scope instance-attribute

Scope is a mechanism that limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

Client dataclass

OAuth2.0 client model object.

Source code in aioauth/models.py 
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
@dataclass
class Client:
    """OAuth2.0 client model object."""

    client_id: str
    """
    Public identifier for the client. It must also be unique across all
    clients that the authorization server handles.
    """

    client_secret: str
    """
    Client secret is a secret known only to the client and the
    authorization server. Used for secure communication between the
    client and authorization server.
    """

    grant_types: List[GrantType]
    """
    The method(s) in which an application gets an access token from the
    provider. Each grant type is optimized for a particular use case,
    whether that’s a web app, a native app, a device without the ability
    to launch a web browser, or server-to-server applications.
    """

    response_types: List[ResponseType]
    """A list containing the types of the response expected."""

    redirect_uris: List[str]
    """
    After a user successfully authorizes an application, the
    authorization server will redirect the user back to the application
    with either an authorization code or access token in the URL.
    Because the redirect URL will contain sensitive information, it is
    critical that the service doesn’t redirect the user to arbitrary
    locations.
    """

    scope: str = ""
    """
    Scope is a mechanism that limit an application's access to a user's
    account. An application can request one or more scopes, this
    information is then presented to the user in the consent screen, and
    the access token issued to the application will be limited to the
    scopes granted.
    """

    def check_redirect_uri(self, redirect_uri) -> bool:
        """
        Verifies passed `redirect_uri` is part of the Clients's
        `redirect_uris` list.
        """
        return redirect_uri in self.redirect_uris

    def check_grant_type(self, grant_type: Optional[GrantType]) -> bool:
        """
        Verifies passed `grant_type` is part of the client's
        `grant_types` list.
        """
        return grant_type in self.grant_types if grant_type else False

    def check_response_type(
        self, response_type: Optional[Union[ResponseType, str]]
    ) -> bool:
        """
        Verifies passed `response_type` is part of the client's
        `response_types` list.
        """
        return not (set(enforce_list(response_type)) - set(self.response_types))

    def get_allowed_scope(self, scope: str) -> str:
        """
        Returns the allowed `scope` given the passed `scope`.

        Note:
            Note that the passed `scope` may contain multiple scopes
            seperated by a space character.
        """
        if not scope:
            return ""
        allowed = set(self.scope.split())
        scopes = enforce_list(scope)
        return enforce_str([s for s in scopes if s in allowed])

    def check_scope(self, scope: str) -> bool:
        allowed_scope = self.get_allowed_scope(scope)
        return not (set(enforce_list(scope)) - set(enforce_list(allowed_scope)))

client_id instance-attribute

Public identifier for the client. It must also be unique across all clients that the authorization server handles.

client_secret instance-attribute

Client secret is a secret known only to the client and the authorization server. Used for secure communication between the client and authorization server.

grant_types instance-attribute

The method(s) in which an application gets an access token from the provider. Each grant type is optimized for a particular use case, whether that’s a web app, a native app, a device without the ability to launch a web browser, or server-to-server applications.

redirect_uris instance-attribute

After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

response_types instance-attribute

A list containing the types of the response expected.

scope = '' class-attribute instance-attribute

Scope is a mechanism that limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

check_grant_type(grant_type)

Verifies passed grant_type is part of the client's grant_types list.

Source code in aioauth/models.py 
71
72
73
74
75
76
def check_grant_type(self, grant_type: Optional[GrantType]) -> bool:
    """
    Verifies passed `grant_type` is part of the client's
    `grant_types` list.
    """
    return grant_type in self.grant_types if grant_type else False

check_redirect_uri(redirect_uri)

Verifies passed redirect_uri is part of the Clients's redirect_uris list.

Source code in aioauth/models.py 
64
65
66
67
68
69
def check_redirect_uri(self, redirect_uri) -> bool:
    """
    Verifies passed `redirect_uri` is part of the Clients's
    `redirect_uris` list.
    """
    return redirect_uri in self.redirect_uris

check_response_type(response_type)

Verifies passed response_type is part of the client's response_types list.

Source code in aioauth/models.py 
78
79
80
81
82
83
84
85
def check_response_type(
    self, response_type: Optional[Union[ResponseType, str]]
) -> bool:
    """
    Verifies passed `response_type` is part of the client's
    `response_types` list.
    """
    return not (set(enforce_list(response_type)) - set(self.response_types))

get_allowed_scope(scope)

Returns the allowed scope given the passed scope.

Note

Note that the passed scope may contain multiple scopes seperated by a space character.

Source code in aioauth/models.py 
87
88
89
90
91
92
93
94
95
96
97
98
99
def get_allowed_scope(self, scope: str) -> str:
    """
    Returns the allowed `scope` given the passed `scope`.

    Note:
        Note that the passed `scope` may contain multiple scopes
        seperated by a space character.
    """
    if not scope:
        return ""
    allowed = set(self.scope.split())
    scopes = enforce_list(scope)
    return enforce_str([s for s in scopes if s in allowed])

Token dataclass

Source code in aioauth/models.py 
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
@dataclass
class Token:
    access_token: str
    """
    Token that clients use to make API requests on behalf of the
    resource owner.
    """

    refresh_token: Optional[str]
    """
    Token used by clients to exchange a refresh token for an access
    token when the access token has expired.
    """

    scope: str
    """
    Scope is a mechanism that limit an application's access to a user's
    account. An application can request one or more scopes, this
    information is then presented to the user in the consent screen, and
    the access token issued to the application will be limited to the
    scopes granted.
    """

    issued_at: int
    """
    Time date in which token was issued at.
    """

    expires_in: int
    """
    Time delta in which token will expire.
    """

    refresh_token_expires_in: int
    """
    Time delta in which refresh token will expire.
    """

    client_id: str
    """
    Public identifier for the client. It must also be unique across all
    clients that the authorization server handles.
    """

    token_type: TokenType = "Bearer"
    """
    Type of token expected.
    """

    revoked: bool = False
    """
    Flag that indicates whether or not the token has been revoked.
    """

    @property
    def is_expired(self) -> bool:
        """Checks if the token has expired."""
        return (self.issued_at + self.expires_in) < time.time()

    @property
    def refresh_token_expired(self) -> bool:
        """Checks if refresh token has expired."""
        return (self.issued_at + self.refresh_token_expires_in) < time.time()

access_token instance-attribute

Token that clients use to make API requests on behalf of the resource owner.

client_id instance-attribute

Public identifier for the client. It must also be unique across all clients that the authorization server handles.

expires_in instance-attribute

Time delta in which token will expire.

is_expired property

Checks if the token has expired.

issued_at instance-attribute

Time date in which token was issued at.

refresh_token instance-attribute

Token used by clients to exchange a refresh token for an access token when the access token has expired.

refresh_token_expired property

Checks if refresh token has expired.

refresh_token_expires_in instance-attribute

Time delta in which refresh token will expire.

revoked = False class-attribute instance-attribute

Flag that indicates whether or not the token has been revoked.

scope instance-attribute

Scope is a mechanism that limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

token_type = 'Bearer' class-attribute instance-attribute

Type of token expected.