Timestamp:
30/10/12 16:34:39 (8 years ago)
Author:
pjkersha
Message:
  • Preparing revised simple bearer token example
  • fixed resource server middleware to take token from Authorization header.
Location:
trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server
Files:
1 added
3 edited

  • trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/examples/bearer_tok/bearer_tok_server_app.ini

    r8143 r8251  
    55# * a resource server.  This is a specialised one which enables delegated  
    66#   clients to obtain short-lived X.509 certificate credentials.  It does this 
    7 #   by using MyProxyCA as a backend certificate issuing service.  A MyProxyCA 
    8 #   instance is required to demonstrate this but not to demonstrate the  
    9 #   authorisation service. 
     7#   by using the Contrail Online CA package 
    108# 
    119# The %(here)s variable will be replaced with the parent directory of this file 
     
    1816error_email_from = paste@localhost 
    1917 
     18# These are common variables referenced by more than one section below.  They 
     19# set the paths for the OAuth services and the protected resources (just one in 
     20# this case - the OnlineCA's certificate issuing path) 
     21oauth_server_basepath = /oauth 
     22secured_resource_path = /resource1.html 
     23 
     24# The OAuth client to this service will request a resource on behalf of a user 
     25# based on an access token passed.  The resource server checks the token looking 
     26# it up in cached session information.  This session also holds the id of the  
     27# user who granted the token.  This id can be made available from the resource  
     28# server to the downstream application being protected.  In this case, this is  
     29# the OnlineCA service.  The OnlineCA needs the id in order to create the  
     30# correct certificate subject for the certificate to be issued. 
     31claimed_userid_environ_key = oauth_granting_userid 
     32 
    2033beakerSessionKeyName = beaker.session.oauth2server 
    2134 
     
    3043pipeline = BeakerSessionFilter 
    3144           repoze_who 
    32            AuthnForm 
    33            MyProxyClient 
    34            OAuth2Authz 
    35            OAuth2ServerFilterApp 
     45           AuthenticationFormFilter 
     46           OAuth2AuthorisationFilter 
     47           OAuth2ServerFilter 
     48           OAuth2ResourceServerFilter 
     49           FilterApp 
    3650 
    3751# This filter sets up a server side session linked to a cookie.  The session 
     
    5670log_level = debug 
    5771 
    58 [filter:AuthnForm] 
     72[filter:AuthenticationFormFilter] 
    5973paste.filter_app_factory = ndg.oauth.server.wsgi.authentication_filter:AuthenticationFormMiddleware.filter_app_factory 
    6074authenticationForm.base_url_path = /authentication 
     
    7690authenticationForm.layout.helpIcon = /layout/help.png 
    7791 
    78 [filter:OAuth2Authz] 
     92[filter:OAuth2AuthorisationFilter] 
    7993# Authorization filter configuration options - defaults are commented out. 
    8094paste.filter_app_factory = ndg.oauth.server.wsgi.authorization_filter:Oauth2AuthorizationMiddleware.filter_app_factory 
     
    94108oauth2authorization.layout.helpIcon = /layout/icons/help.png 
    95109 
    96 # Add a MyProxy Client into WSGI environ so that OAuth resource server can 
    97 # request certificates 
    98 [filter:MyProxyClient] 
    99 paste.filter_app_factory = myproxy.server.wsgi.middleware:MyProxyClientMiddleware.filter_app_factory 
    100 # Default environ key for MyProxy client 
    101 # myproxy.client.clientEnvKeyName=myproxy.server.wsgi.middleware.MyProxyClientMiddleware.myProxyClient 
    102  
    103 # MyProxy server which this MyProxy WSGI app is a client to.  Set here to the 
    104 # fully qualified domain name or else set the MYPROXY_SERVER environment 
    105 # variable.  See the documentation for the MyProxyClient egg for details 
    106 myproxy.client.hostname = pampero.badc.rl.ac.uk 
    107 #myproxy.client.port = 7512 
    108  
    109 # CA Certificate directory to enable this application to trust the MyProxy 
    110 # server that it fronts e.g. set to /etc/grid-security/certificates.  For these 
    111 # tests set to local ca directory 
    112 MyProxy.client.caCertDir = %(here)s/pki/ca 
    113  
    114 [app:OAuth2Server] 
    115 paste.app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.app_factory 
     110[filter:OAuth2ServerFilter] 
     111paste.filter_app_factory = ndg.oauth.server.wsgi.oauth2_server:Oauth2ServerMiddleware.filter_app_factory 
    116112 
    117113# OAuth2 server configuration options - defaults are commented out. 
     
    122118#oauth2server.access_token_type=bearer 
    123119#oauth2server.authorization_grant_lifetime=600 
    124 oauth2server.base_url_path=/oauth 
     120oauth2server.base_url_path=%(oauth_server_basepath)s 
    125121#oauth2server.certificate_request_parameter=certificate_request 
    126122# Allowed values: certificate (default) or none. 
     
    133129#oauth2server.user_identifier_key=REMOTE_USER 
    134130 
    135 # This is specific to the special configuration of a resource server protecting 
    136 # a MyProxyCA short-lived credential service (SLCS).  The resource server will  
    137 # accept a bearer token and SLCS specific input: a certificate signing request   
    138 # (CSR).  Provided that the token is accepted, the CSR is passed on to the  
    139 # underlying MyProxy server along with the special password below.  On success, 
    140 # the MyProxyCA server returns a signed certificate.  A MyProxyCA instance 
    141 # is required to support this resource request.  The OAuth app can be extended 
    142 # as needed to support access to other more generic resource types.  This is  
    143 # just an example 
    144 oauth2server.myproxy_global_password=testpassword 
    145  
    146131# Configuration of access token cache 
    147132oauth2server.cache.accesstokenregister.expire=86400 
     
    158143#oauth2server.cache.authorizationgrantregister.lock_dir 
    159144 
    160 [filter-app:OAuth2ServerFilterApp] 
     145[filter:OAuth2ResourceServerFilter] 
     146paste.filter_app_factory = ndg.oauth.server.wsgi.resource_server:Oauth2ResourceServerMiddleware.filter_app_factory 
     147 
     148# Sets which paths are protected by OAuth.  In this example, the OnlineCA's 
     149# certificate issuing service 
     150oauth2.resource_server.resource_uripaths: %(secured_resource_path)s 
     151     
     152# Scope required to access this resource.  More than one value can be set.   
     153# Values should be space delimited.  In this case, the value has been set to the 
     154# path of the certificate issuing path for the OnlineCA but this is just a 
     155# convenient value.  Any arbitrary string could have been set. 
     156oauth2.resource_server.required_scope: https://localhost:5000/resource1.html 
     157 
     158# Set the userid of the delegator as a key in environ.  This is useful for 
     159# access by the downstream app that the resource server middleware is  
     160# protecting.  In this case, the OnlineCA service. 
     161oauth2.resource_server.claimed_userid_environ_key: %(claimed_userid_environ_key)s 
     162 
     163[filter-app:FilterApp] 
    161164use = egg:Paste#httpexceptions 
    162165next = cascade 
     
    164167[composit:cascade] 
    165168use = egg:Paste#cascade 
    166 app1 = OAuth2Server 
    167 app2 = StaticContent 
     169app1 = StaticContent 
    168170catch = 404 
    169171 
     
    171173use = egg:Paste#static 
    172174document_root = %(here)s/static 
    173  
    174 # WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT* 
    175 # Debug mode will enable the interactive debugging tool, allowing ANYONE to 
    176 # execute malicious code after an exception is raised. 
    177 #set debug = false 
    178175 
    179176 
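Review bot: The new resource-server section leaves the access tokens cached for a full day (`oauth2server.cache.accesstokenregister.expire=86400`) while the comments describe the protected service as one issuing short-lived certificates; a bearer token is usable by anyone who captures it, so the example should either use a much shorter lifetime, e.g. `oauth2server.cache.accesstokenregister.expire=3600`, or carry a comment that this value is the effective token lifetime and must be tuned for production. The `required_scope` value `https://localhost:5000/resource1.html` bakes the example host and port into the scope string; a note that this must match exactly what the authorisation server grants (and will silently reject every token once the deployment host changes) would save a deployer a confusing debugging session. The static-content section at the end of the hunk no longer carries the reminder to set `debug = false` for production; if a `debug = true` global or an evalerror filter is still configured outside this hunk, the interactive debugger remains reachable, so a one-line `# set debug = false in production` comment is worth keeping here.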
  • trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/lib/authorization_server.py

    r8195 r8251  
    3434    Provides the core OAuth 2.0 server functions. 
    3535    """ 
     36    AUTHZ_HDR_ENV_KEYNAME = 'HTTP_AUTHORIZATION' 
     37      
    3638    def __init__(self, client_register_file, authorizer, client_authenticator, 
    3739                 access_token_generator, config): 
     
    509511                 ) 
    510512        """ 
    511         params = request.params 
    512         token = None 
    513         if 'access_token' not in params: 
     513        authorization_hdr = request.environ.get( 
     514                                        self.__class__.AUTHZ_HDR_ENV_KEYNAME) 
     515        try: 
     516            token_type, access_token = authorization_hdr.split() 
     517             
     518        except AttributeError: 
     519            log.error('No Authorization header present for request to %r',  
     520                      request.path_url) 
    514521            error = 'invalid_request' 
     522             
     523        except ValueError: 
     524            log.error('Unexpected Authorization header values %r for request ' 
     525                      'to %r', authorization_hdr, request.path_url) 
     526            error = 'invalid_request' 
     527             
    515528        else: 
    516             access_token = params['access_token'] 
    517             if scope: 
    518                 required_scope = scope 
    519             else: 
    520                 required_scope = params.get('scope', None) 
    521                  
    522             token, error = self.access_token_register.get_token(access_token, 
    523                                                                 required_scope) 
     529            if token_type != 'Bearer': 
     530                log.error('Token type retrieved is %r, expecting "Bearer" type', 
     531                          token_type) 
     532                error = 'invalid_request' 
     533            else:    
     534                token, error = self.access_token_register.get_token( 
     535                                                                access_token,  
     536                                                                None) 
    524537 
    525538        status = {'invalid_request': httplib.BAD_REQUEST, 
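Review bot: The new `get_token` call at the end of the hunk passes `None` as the required scope, so the `scope` argument the removed code honoured (`if scope: required_scope = scope`) is now ignored and any valid token is accepted regardless of the scope configured for the resource; unless `access_token_register.get_token` enforces scope some other way this drops the scope check entirely, and the fix is to forward the caller's value, `self.access_token_register.get_token(access_token, scope)`. The `ValueError` branch logs `authorization_hdr` verbatim with `%r`, which writes the client's credential into the log whenever a token arrives in an unexpected shape (for example a raw token with no scheme); log only the number of fields or the scheme, never the header value. HTTP auth-scheme names are case-insensitive (RFC 7235, RFC 6750 follows it), so `if token_type.lower() != 'bearer':` is the interoperable comparison. The enclosing method's signature and the `status` map after this hunk lie outside the visible lines.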
  • trunk/ndg_oauth/ndg_oauth_server/ndg/oauth/server/wsgi/oauth2_server.py

    r8236 r8251  
    6767    USER_IDENTIFIER_GRANT_DATA_KEY = 'user_identifier' 
    6868 
    69     AUTHORISATION_SERVER_ENVIRON_KEYNAME = 'ndg.server.authorisation.server' 
     69    AUTHORISATION_SERVER_ENVIRON_KEYNAME = \ 
     70                                        'ndg.oauth.server.authorisation.server' 
    7071     
    7172    # Configuration option defaults 
     
    238239 
    239240        # User authorization for the client is also required. 
    240         (client_authorized, authz_uri) = self._check_client_authorization(user,  
    241                                                                           req) 
     241        client_authorized, authz_uri = self._check_client_authorization(user,  
     242                                                                        req) 
    242243        if authz_uri: 
    243244            log.debug("Redirecting to %s", authz_uri) 