handle oauthlib errors on create token and revoke token requests

Author: AndrejZbin

AUTHORS

@@ -16,6 +16,7 @@ Aleksander Vaskevich
 Alessandro De Angelis
 Alex Szabó
 Allisson Azevedo
+Andrej Zbín
 Andrew Chen Wang
 Anvesh Agarwal
 Aristóbulo Meneses

CHANGELOG.md

@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 * Remove upper version bound on Django, to allow upgrading to Django 4.1.1 bugfix release.
+* Handle oauthlib errors on create token and revoke token requests
 
 ## [2.1.0] 2022-06-19
 

oauth2_provider/oauth2_backends.py

@@ -152,12 +152,14 @@ def create_token_response(self, request):
 uri, http_method, body, headers=self._extract_params(request)
 extra_credentials=self._get_extra_credentials(request)
 
-headers, body, status=self.server.create_token_response(
-uri, http_method, body, headers, extra_credentials
- )
-uri=headers.get("Location", None)
-
-returnuri, headers, body, status
+try:
+headers, body, status=self.server.create_token_response(
+uri, http_method, body, headers, extra_credentials
+ )
+uri=headers.get("Location", None)
+returnuri, headers, body, status
+exceptOAuth2Errorasexc:
+returnNone, exc.headers, exc.json, exc.status_code
 
 defcreate_revocation_response(self, request):
 """
@@ -168,10 +170,12 @@ def create_revocation_response(self, request):
  """
 uri, http_method, body, headers=self._extract_params(request)
 
-headers, body, status=self.server.create_revocation_response(uri, http_method, body, headers)
-uri=headers.get("Location", None)
-
-returnuri, headers, body, status
+try:
+headers, body, status=self.server.create_revocation_response(uri, http_method, body, headers)
+uri=headers.get("Location", None)
+returnuri, headers, body, status
+exceptOAuth2Errorasexc:
+returnNone, exc.headers, exc.json, exc.status_code
 
 defcreate_userinfo_response(self, request):
 """

tests/test_oauth2_backends.py

@@ -1,10 +1,14 @@
+importbase64
 importjson
 
 importpytest
+fromdjango.contrib.authimportget_user_model
 fromdjango.testimportRequestFactory, TestCase
+fromdjango.utils.timezoneimportnow, timedelta
+fromoauthlib.oauth2importOAuth2Error
 
 fromoauth2_provider.backendsimportget_oauthlib_core
-fromoauth2_provider.modelsimportredirect_to_uri_allowed
+fromoauth2_provider.modelsimportget_access_token_model, get_application_model, redirect_to_uri_allowed
 fromoauth2_provider.oauth2_backendsimportJSONOAuthLibCore, OAuthLibCore
 
 
@@ -50,6 +54,126 @@ def test_application_json_extract_params(self):
 self.assertNotIn("password=123456", body)
 
 
+UserModel=get_user_model()
+ApplicationModel=get_application_model()
+AccessTokenModel=get_access_token_model()
+
+
+@pytest.mark.usefixtures("oauth2_settings")
+classTestOAuthLibCoreBackendErrorHandling(TestCase):
+defsetUp(self):
+self.factory=RequestFactory()
+self.oauthlib_core=OAuthLibCore()
+self.user=UserModel.objects.create_user("john", "[email protected]", "123456")
+self.app=ApplicationModel.objects.create(
+name="app",
+client_id="app_id",
+client_secret="app_secret",
+client_type=ApplicationModel.CLIENT_CONFIDENTIAL,
+authorization_grant_type=ApplicationModel.GRANT_PASSWORD,
+user=self.user,
+ )
+
+deftearDown(self):
+self.user.delete()
+self.app.delete()
+
+deftest_create_token_response_valid(self):
+payload= (
+"grant_type=password&username=john&password=123456&client_id=app_id&client_secret=app_secret"
+ )
+request=self.factory.post(
+"/o/token/",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+
+uri, headers, body, status=self.oauthlib_core.create_token_response(request)
+self.assertEqual(status, 200)
+
+deftest_create_token_response_raise_exception(self):
+payload= (
+"grant_type=password&username=john&password=123456&client_id=app_id&client_secret=app_secret"
+ )
+request=self.factory.post(
+"/o/token/",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+withmock.patch("oauthlib.oauth2.Server.create_token_response") ascreate_token_response:
+create_token_response.side_effect=OAuth2Error("test error description")
+uri, headers, body, status=self.oauthlib_core.create_token_response(request)
+
+self.assertEqual(json.loads(body)['error_description'], "test error description")
+
+deftest_create_token_response_query_params(self):
+payload= (
+"grant_type=password&username=john&password=123456&client_id=app_id&client_secret=app_secret"
+ )
+request=self.factory.post(
+"/o/token/?test=foo",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+uri, headers, body, status=self.oauthlib_core.create_token_response(request)
+
+self.assertEqual(status, 400)
+self.assertDictEqual(
+json.loads(body),
+{"error": "invalid_request", "error_description": "URL query parameters are not allowed"},
+ )
+
+deftest_create_revocation_response_valid(self):
+AccessTokenModel.objects.create(
+user=self.user, token="tokstr", application=self.app, expires=now() +timedelta(days=365)
+ )
+payload="client_id=app_id&client_secret=app_secret&token=tokstr"
+request=self.factory.post(
+"/o/revoke_token/",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+uri, headers, body, status=self.oauthlib_core.create_revocation_response(request)
+self.assertEqual(status, 200)
+
+deftest_create_revocation_response_raise_exception(self):
+payload="client_id=app_id&client_secret=app_secret&token=tokstr"
+request=self.factory.post(
+"/o/revoke_token/",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+withmock.patch("oauthlib.oauth2.Server.create_revocation_response") ascreate_revocation_response:
+create_revocation_response.side_effect=OAuth2Error("test error description")
+uri, headers, body, status=self.oauthlib_core.create_revocation_response(request)
+
+self.assertEqual(json.loads(body)['error_description'], "test error description")
+
+deftest_create_revocation_response_query_params(self):
+token=AccessTokenModel.objects.create(
+user=self.user, token="tokstr", application=self.app, expires=now() +timedelta(days=365)
+ )
+payload="client_id=app_id&client_secret=app_secret&token=tokstr"
+request=self.factory.post(
+"/o/revoke_token/?test=foo",
+payload,
+content_type="application/x-www-form-urlencoded",
+HTTP_AUTHORIZATION="Basic %s"%base64.b64encode(b"john:123456").decode(),
+ )
+uri, headers, body, status=self.oauthlib_core.create_revocation_response(request)
+self.assertEqual(status, 400)
+self.assertDictEqual(
+json.loads(body),
+{"error": "invalid_request", "error_description": "URL query parameters are not allowed"},
+ )
+token.delete()
+
+
 classTestCustomOAuthLibCoreBackend(TestCase):
 """
  Tests that the public API behaves as expected when we override