Merge pull request #749 from azmeuk/724-jar

Implement RFC9101 JWT secured authentication requests (JAR)

Author: azmeuk

README.md

@@ -51,6 +51,7 @@ Generic, spec-compliant implementation to build clients and providers:
   - [RFC8414: OAuth 2.0 Authorization Server Metadata](https://docs.authlib.org/en/latest/specs/rfc8414.html)
   - [RFC8628: OAuth 2.0 Device Authorization Grant](https://docs.authlib.org/en/latest/specs/rfc8628.html)
   - [RFC9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://docs.authlib.org/en/latest/specs/rfc9068.html)
+  - [RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://docs.authlib.org/en/latest/specs/rfc9101.html)
   - [RFC9207: OAuth 2.0 Authorization Server Issuer Identification](https://docs.authlib.org/en/latest/specs/rfc9207.html)
 - [Javascript Object Signing and Encryption](https://docs.authlib.org/en/latest/jose/index.html)
   - [RFC7515: JSON Web Signature](https://docs.authlib.org/en/latest/jose/jws.html)

README.rst

@@ -30,12 +30,15 @@ Specifications
 - RFC7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
 - RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
 - RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
+- RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol
 - RFC7636: Proof Key for Code Exchange by OAuth Public Clients
 - RFC7638: JSON Web Key (JWK) Thumbprint
 - RFC7662: OAuth 2.0 Token Introspection
 - RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
 - RFC8414: OAuth 2.0 Authorization Server Metadata
 - RFC8628: OAuth 2.0 Device Authorization Grant
+- RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
+- RFC9207: OAuth 2.0 Authorization Server Issuer Identification
 - OpenID Connect 1.0
 - OpenID Connect Discovery 1.0
 - draft-madden-jose-ecdh-1pu-04: Public Key Authenticated Encryption for JOSE: ECDH-1PU

authlib/deprecate.py

@@ -8,9 +8,11 @@ class AuthlibDeprecationWarning(DeprecationWarning):
 warnings.simplefilter("always", AuthlibDeprecationWarning)
 
 
-def deprecate(message, version=None, link_uid=None, link_file=None):
+def deprecate(message, version=None, link_uid=None, link_file=None, stacklevel=3):
     if version:
         message += f"\nIt will be compatible before version {version}."
+
     if link_uid and link_file:
         message += f"\nRead more <https://git.io/{link_uid}#file-{link_file}-md>"
-    warnings.warn(AuthlibDeprecationWarning(message), stacklevel=2)
+
+    warnings.warn(AuthlibDeprecationWarning(message), stacklevel=stacklevel)

authlib/integrations/django_oauth2/requests.py

@@ -4,25 +4,16 @@
 from django.utils.functional import cached_property
 
 from authlib.common.encoding import json_loads
+from authlib.oauth2.rfc6749 import JsonPayload
 from authlib.oauth2.rfc6749 import JsonRequest
+from authlib.oauth2.rfc6749 import OAuth2Payload
 from authlib.oauth2.rfc6749 import OAuth2Request
 
 
-class DjangoOAuth2Request(OAuth2Request):
+class DjangoOAuth2Payload(OAuth2Payload):
     def __init__(self, request: HttpRequest):
-        super().__init__(
-            request.method, request.build_absolute_uri(), None, request.headers
-        )
         self._request = request
 
-    @property
-    def args(self):
-        return self._request.GET
-
-    @property
-    def form(self):
-        return self._request.POST
-
     @cached_property
     def data(self):
         data = {}
@@ -33,20 +24,38 @@ def data(self):
     @cached_property
     def datalist(self):
         values = defaultdict(list)
-        for k in self.args:
-            values[k].extend(self.args.getlist(k))
-        for k in self.form:
-            values[k].extend(self.form.getlist(k))
+        for k in self._request.GET:
+            values[k].extend(self._request.GET.getlist(k))
+        for k in self._request.POST:
+            values[k].extend(self._request.POST.getlist(k))
         return values
 
 
-class DjangoJsonRequest(JsonRequest):
+class DjangoOAuth2Request(OAuth2Request):
+    def __init__(self, request: HttpRequest):
+        super().__init__(request.method, request.build_absolute_uri(), request.headers)
+        self.payload = DjangoOAuth2Payload(request)
+        self._request = request
+
+    @property
+    def args(self):
+        return self._request.GET
+
+    @property
+    def form(self):
+        return self._request.POST
+
+
+class DjangoJsonPayload(JsonPayload):
     def __init__(self, request: HttpRequest):
-        super().__init__(
-            request.method, request.build_absolute_uri(), None, request.headers
-        )
         self._request = request
 
     @cached_property
     def data(self):
         return json_loads(self._request.body)
+
+
+class DjangoJsonRequest(JsonRequest):
+    def __init__(self, request: HttpRequest):
+        super().__init__(request.method, request.build_absolute_uri(), request.headers)
+        self.payload = DjangoJsonPayload(request)

authlib/integrations/flask_oauth2/requests.py

@@ -3,23 +3,16 @@
 
 from flask.wrappers import Request
 
+from authlib.oauth2.rfc6749 import JsonPayload
 from authlib.oauth2.rfc6749 import JsonRequest
+from authlib.oauth2.rfc6749 import OAuth2Payload
 from authlib.oauth2.rfc6749 import OAuth2Request
 
 
-class FlaskOAuth2Request(OAuth2Request):
+class FlaskOAuth2Payload(OAuth2Payload):
     def __init__(self, request: Request):
-        super().__init__(request.method, request.url, None, request.headers)
         self._request = request
 
-    @property
-    def args(self):
-        return self._request.args
-
-    @property
-    def form(self):
-        return self._request.form
-
     @property
     def data(self):
         return self._request.values
@@ -32,11 +25,31 @@ def datalist(self):
         return values
 
 
-class FlaskJsonRequest(JsonRequest):
+class FlaskOAuth2Request(OAuth2Request):
+    def __init__(self, request: Request):
+        super().__init__(request.method, request.url, request.headers)
+        self._request = request
+        self.payload = FlaskOAuth2Payload(request)
+
+    @property
+    def args(self):
+        return self._request.args
+
+    @property
+    def form(self):
+        return self._request.form
+
+
+class FlaskJsonPayload(JsonPayload):
     def __init__(self, request: Request):
-        super().__init__(request.method, request.url, None, request.headers)
         self._request = request
 
     @property
     def data(self):
         return self._request.get_json()
+
+
+class FlaskJsonRequest(JsonRequest):
+    def __init__(self, request: Request):
+        super().__init__(request.method, request.url, request.headers)
+        self.payload = FlaskJsonPayload(request)

authlib/oauth2/rfc6749/__init__.py

@@ -36,7 +36,9 @@
 from .models import AuthorizationCodeMixin
 from .models import ClientMixin
 from .models import TokenMixin
+from .requests import JsonPayload
 from .requests import JsonRequest
+from .requests import OAuth2Payload
 from .requests import OAuth2Request
 from .resource_protector import ResourceProtector
 from .resource_protector import TokenValidator
@@ -46,8 +48,10 @@
 from .wrappers import OAuth2Token
 
 __all__ = [
+    "OAuth2Payload",
     "OAuth2Token",
     "OAuth2Request",
+    "JsonPayload",
     "JsonRequest",
     "OAuth2Error",
     "AccessDeniedError",

authlib/oauth2/rfc6749/authenticate_client.py

@@ -89,8 +89,8 @@ def authenticate_none(query_client, request):
     """Authenticate public client by ``none`` method. The client
     does not have a client secret.
     """
-    client_id = request.client_id
-    if client_id and not request.data.get("client_secret"):
+    client_id = request.payload.client_id
+    if client_id and not request.payload.data.get("client_secret"):
         client = _validate_client(query_client, client_id)
         log.debug(f'Authenticate {client_id} via "none" success')
         return client

authlib/oauth2/rfc6749/authorization_server.py

@@ -1,29 +1,34 @@
 from authlib.common.errors import ContinueIteration
+from authlib.deprecate import deprecate
 
 from .authenticate_client import ClientAuthentication
 from .errors import InvalidScopeError
 from .errors import OAuth2Error
 from .errors import UnsupportedGrantTypeError
 from .errors import UnsupportedResponseTypeError
+from .hooks import Hookable
+from .hooks import hooked
 from .requests import JsonRequest
 from .requests import OAuth2Request
 from .util import scope_to_list
 
 
-class AuthorizationServer:
+class AuthorizationServer(Hookable):
     """Authorization server that handles Authorization Endpoint and Token
     Endpoint.
 
     :param scopes_supported: A list of supported scopes by this authorization server.
     """
 
     def __init__(self, scopes_supported=None):
+        super().__init__()
         self.scopes_supported = scopes_supported
         self._token_generators = {}
         self._client_auth = None
         self._authorization_grants = []
         self._token_grants = []
         self._endpoints = {}
+        self._extensions = []
 
     def query_client(self, client_id):
         """Query OAuth client by client_id. The client model class MUST
@@ -146,6 +151,9 @@ def authenticate_client_via_custom(query_client, request):
 
         self._client_auth.register(method, func)
 
+    def register_extension(self, extension):
+        self._extensions.append(extension(self))
+
     def get_error_uri(self, request, error):
         """Return a URI for the given error, framework may implement this method."""
         return None
@@ -222,6 +230,7 @@ def register_endpoint(self, endpoint):
         endpoints = self._endpoints.setdefault(endpoint.ENDPOINT_NAME, [])
         endpoints.append(endpoint)
 
+    @hooked
     def get_authorization_grant(self, request):
         """Find the authorization grant for current request.
 
@@ -233,9 +242,9 @@ def get_authorization_grant(self, request):
                 return _create_grant(grant_cls, extensions, request, self)
 
         raise UnsupportedResponseTypeError(
-            f"The response type '{request.response_type}' is not supported by the server.",
-            request.response_type,
-            redirect_uri=request.redirect_uri,
+            f"The response type '{request.payload.response_type}' is not supported by the server.",
+            request.payload.response_type,
+            redirect_uri=request.payload.redirect_uri,
         )
 
     def get_consent_grant(self, request=None, end_user=None):
@@ -254,7 +263,7 @@ def get_consent_grant(self, request=None, end_user=None):
             # REQUIRED if a "state" parameter was present in the client
             # authorization request.  The exact value received from the
             # client.
-            error.state = request.state
+            error.state = request.payload.state
             raise
         return grant
 
@@ -267,7 +276,7 @@ def get_token_grant(self, request):
         for grant_cls, extensions in self._token_grants:
             if grant_cls.check_token_endpoint(request):
                 return _create_grant(grant_cls, extensions, request, self)
-        raise UnsupportedGrantTypeError(request.grant_type)
+        raise UnsupportedGrantTypeError(request.payload.grant_type)
 
     def create_endpoint_response(self, name, request=None):
         """Validate endpoint request and create endpoint response.
@@ -289,7 +298,8 @@ def create_endpoint_response(self, name, request=None):
             except OAuth2Error as error:
                 return self.handle_error_response(request, error)
 
-    def create_authorization_response(self, request=None, grant_user=None):
+    @hooked
+    def create_authorization_response(self, request=None, grant_user=None, grant=None):
         """Validate authorization request and create authorization response.
 
         :param request: HTTP request instance.
@@ -300,18 +310,20 @@ def create_authorization_response(self, request=None, grant_user=None):
         if not isinstance(request, OAuth2Request):
             request = self.create_oauth2_request(request)
 
-        try:
-            grant = self.get_authorization_grant(request)
-        except UnsupportedResponseTypeError as error:
-            error.state = request.state
-            return self.handle_error_response(request, error)
+        if not grant:
+            deprecate("The 'grant' parameter will become mandatory.", version="1.8")
+            try:
+                grant = self.get_authorization_grant(request)
+            except UnsupportedResponseTypeError as error:
+                error.state = request.payload.state
+                return self.handle_error_response(request, error)
 
         try:
             redirect_uri = grant.validate_authorization_request()
             args = grant.create_authorization_response(redirect_uri, grant_user)
             response = self.handle_response(*args)
         except OAuth2Error as error:
-            error.state = request.state
+            error.state = request.payload.state
             response = self.handle_error_response(request, error)
 
         grant.execute_hook("after_authorization_response", response)