Models

from aioauth import models

Memory objects used throughout the project.

class Client(client_id: str, client_secret: str, grant_types: List[Literal['authorization_code', 'password', 'client_credentials', 'refresh_token']], response_types: List[Literal['token', 'code', 'none', 'id_token']], redirect_uris: List[str], scope: str = '', user: Any | None = None)[source]

OAuth2.0 client model object.

client_id: str: Public identifier for the client. It must also be unique across all clients that the authorization server handles.

client_secret: str: Client secret is a secret known only to the client and the authorization server. Used for secure communication between the client and authorization server.

grant_types: List[Literal['authorization_code', 'password', 'client_credentials', 'refresh_token']]: The method(s) in which an application gets an access token from the provider. Each grant type is optimized for a particular use case, whether that’s a web app, a native app, a device without the ability to launch a web browser, or server-to-server applications.

response_types: List[Literal['token', 'code', 'none', 'id_token']]: A list containing the types of the response expected.

redirect_uris: List[str]: After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

scope: str = '': Scope is a mechanism that limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

user: Any | None = None: The user who is the creator of the Client. This optional attribute can be useful if you are creating a server that can be managed by multiple users.

check_redirect_uri(redirect_uri) → bool[source]: Verifies passed redirect_uri is part of the Clients’s redirect_uris list.

check_grant_type(grant_type: Literal['authorization_code', 'password', 'client_credentials', 'refresh_token'] | None) → bool[source]: Verifies passed grant_type is part of the client’s grant_types list.

check_response_type(response_type: Literal['token', 'code', 'none', 'id_token'] | str | None) → bool[source]: Verifies passed response_type is part of the client’s response_types list.

get_allowed_scope(scope: str) → str[source]: Returns the allowed scope given the passed scope.

Note

Note that the passed scope may contain multiple scopes seperated by a space character.

check_scope(scope: str) → bool[source]

class AuthorizationCode(code: str, client_id: str, redirect_uri: str, response_type: str, scope: str, auth_time: int, expires_in: int, code_challenge: str | None = None, code_challenge_method: Literal['plain', 'S256'] | None = None, nonce: str | None = None, user: Any | None = None)[source]

code: str: Authorization code that the client previously received from the authorization server.

client_id: str: Public identifier for the client. It must also be unique across all clients that the authorization server handles.

redirect_uri: str: After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

response_type: str: A string containing the type of the response expected.

scope: str: Scope is a mechanism that limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

auth_time: int: JSON Web Token Claim indicating the time when the authentication occurred.

expires_in: int: Time delta in which authorization_code will expire.

code_challenge: str | None = None: Only used when RFC 7636, Proof Key for Code Exchange, is used. PKCE works by having the app generate a random value at the beginning of the flow called a Code Verifier. The app hashes the Code Verifier and the result is called the Code Challenge. The app then kicks off the flow in the normal way, except that it includes the Code Challenge in the query string for the request to the Authorization Server.

code_challenge_method: Literal['plain', 'S256'] | None = None: Only used when RFC 7636, Proof Key for Code Exchange, is used. Method used to transform the code verifier into the code challenge.

nonce: str | None = None: Only used when RFC 7636, Proof Key for Code Exchange, is used. Random piece of data.

user: Any | None = None: The user who owns the AuthorizationCode.

check_code_challenge(code_verifier: str) → bool[source]

property is_expired: bool: Checks if the authorization_code has expired.

class Token(access_token: str, refresh_token: str, scope: str, issued_at: int, expires_in: int, refresh_token_expires_in: int, client_id: str, token_type: str = 'Bearer', revoked: bool = False, user: Any | None = None)[source]

access_token: str: Token that clients use to make API requests on behalf of the resource owner.

refresh_token: str: Token used by clients to exchange a refresh token for an access token when the access token has expired.

scope: str: Scope is a mechanism that limit an application’s access to a user’s account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

issued_at: int: Time date in which token was issued at.

expires_in: int: Time delta in which token will expire.

refresh_token_expires_in: int: Time delta in which refresh token will expire.

client_id: str: Public identifier for the client. It must also be unique across all clients that the authorization server handles.

token_type: str = 'Bearer': Type of token expected.

revoked: bool = False: Flag that indicates whether or not the token has been revoked.

user: Any | None = None: The user who owns the Token.

property is_expired: bool: Checks if the token has expired.

property refresh_token_expired: bool: Checks if refresh token has expired.