HTTP Basic Auth support for introspection (Fix issue #709)

AUTHORS

@@ -7,6 +7,7 @@ Federico Frenguelli
 Contributors
 ============
 
+Abhishek Patel
 Alessandro De Angelis
 Alan Crosswell
 Asif Saif Uddin

CHANGELOG.md

@@ -15,11 +15,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  -->
 
 ## [1.3.1] unreleased
+### Added
+* #725: HTTP Basic Auth support for introspection (Fix issue #709)
+
 ### Fixed
 * #812: Reverts #643 pass wrong request object to authenticate function.
 * Fix concurrency issue with refresh token requests (#[810](https://github.com/jazzband/django-oauth-toolkit/pull/810))
 * #817: Reverts #734 tutorial documentation error.
 
+
 ## [1.3.0] 2020-03-02
 
 ### Added

docs/settings.rst

@@ -198,12 +198,18 @@ Only applicable when used with `Django REST Framework <http://django-rest-framew
 
 RESOURCE_SERVER_INTROSPECTION_URL
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The introspection endpoint for validating token remotely (RFC7662).
+The introspection endpoint for validating token remotely (RFC7662). This URL requires either an authorization
+token (RESOURCE_SERVER_AUTH_TOKEN)
+or HTTP Basic Auth client credentials (RESOURCE_SERVER_INTROSPECTION_CREDENTIALS):
 
 RESOURCE_SERVER_AUTH_TOKEN
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 The bearer token to authenticate the introspection request towards the introspection endpoint (RFC7662).
 
+RESOURCE_SERVER_INTROSPECTION_CREDENTIALS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The HTTP Basic Auth Client_ID and Client_Secret to authenticate the introspection request
+towards the introspect endpoint (RFC7662) as a tuple: (client_id,client_secret).
 
 RESOURCE_SERVER_TOKEN_CACHING_SECONDS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

oauth2_provider/oauth2_backends.py

@@ -2,6 +2,7 @@
 from urllib.parse import urlparse, urlunparse
 
 from oauthlib import oauth2
+from oauthlib.common import Request as OauthlibRequest
 from oauthlib.common import quote, urlencode, urlencoded
 
 from .exceptions import FatalClientError, OAuthToolkitError
@@ -15,6 +16,7 @@ class OAuthLibCore(object):
  Meant for things like extracting request data and converting
  everything to formats more palatable for oauthlib's Server.
  """
+
  def __init__(self, server=None):
  """
  :params server: An instance of oauthlib.oauth2.Server class
@@ -128,9 +130,11 @@ def create_authorization_response(self, request, scopes, credentials, allow):
  return uri, headers, body, status
 
  except oauth2.FatalClientError as error:
- raise FatalClientError(error=error, redirect_uri=credentials["redirect_uri"])
+ raise FatalClientError(
+ error=error, redirect_uri=credentials["redirect_uri"])
  except oauth2.OAuth2Error as error:
- raise OAuthToolkitError(error=error, redirect_uri=credentials["redirect_uri"])
+ raise OAuthToolkitError(
+ error=error, redirect_uri=credentials["redirect_uri"])
 
  def create_token_response(self, request):
  """
@@ -171,14 +175,25 @@ def verify_request(self, request, scopes):
  """
  uri, http_method, body, headers = self._extract_params(request)
 
- valid, r = self.server.verify_request(uri, http_method, body, headers, scopes=scopes)
+ valid, r = self.server.verify_request(
+ uri, http_method, body, headers, scopes=scopes)
  return valid, r
 
+ def authenticate_client(self, request):
+ """Wrapper to call `authenticate_client` on `server_class` instance.
+
+ :param request: The current django.http.HttpRequest object
+ """
+ uri, http_method, body, headers = self._extract_params(request)
+ oauth_request = OauthlibRequest(uri, http_method, body, headers)
+ return self.server.request_validator.authenticate_client(oauth_request)
+
 
 class JSONOAuthLibCore(OAuthLibCore):
  """
  Extends the default OAuthLibCore to parse correctly application/json requests
  """
+
  def extract_body(self, request):
  """
  Extracts the JSON body from the Django request object

oauth2_provider/views/__init__.py

@@ -2,6 +2,8 @@
 from .base import AuthorizationView, TokenView, RevokeTokenView
 from .application import ApplicationRegistration, ApplicationDetail, ApplicationList, \
  ApplicationDelete, ApplicationUpdate
-from .generic import ProtectedResourceView, ScopedProtectedResourceView, ReadWriteScopedResourceView
+from .generic import (
+ ProtectedResourceView, ScopedProtectedResourceView, ReadWriteScopedResourceView,
+ ClientProtectedResourceView, ClientProtectedScopedResourceView)
 from .token import AuthorizedTokensListView, AuthorizedTokenDeleteView
 from .introspect import IntrospectTokenView

oauth2_provider/views/generic.py

@@ -2,19 +2,28 @@
 
 from ..settings import oauth2_settings
 from .mixins import (
- ProtectedResourceMixin, ReadWriteScopedResourceMixin, ScopedResourceMixin
+ ClientProtectedResourceMixin, OAuthLibMixin, ProtectedResourceMixin,
+ ReadWriteScopedResourceMixin, ScopedResourceMixin
 )
 
 
-class ProtectedResourceView(ProtectedResourceMixin, View):
- """
-Generic view protecting resources by providing OAuth2 authentication out of the box
+class InitializationMixin(OAuthLibMixin):
+
+"""Initializer for OauthLibMixin
  """
+
  server_class = oauth2_settings.OAUTH2_SERVER_CLASS
  validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
  oauthlib_backend_class = oauth2_settings.OAUTH2_BACKEND_CLASS
 
 
+class ProtectedResourceView(ProtectedResourceMixin, InitializationMixin, View):
+ """
+ Generic view protecting resources by providing OAuth2 authentication out of the box
+ """
+ pass
+
+
 class ScopedProtectedResourceView(ScopedResourceMixin, ProtectedResourceView):
  """
  Generic view protecting resources by providing OAuth2 authentication and Scopes handling
@@ -29,3 +38,20 @@ class ReadWriteScopedResourceView(ReadWriteScopedResourceMixin, ProtectedResourc
  GET, HEAD, OPTIONS http methods require "read" scope. Otherwise "write" scope is required.
  """
  pass
+
+
+class ClientProtectedResourceView(ClientProtectedResourceMixin, InitializationMixin, View):
+
+ """View for protecting a resource with client-credentials method.
+ This involves allowing access tokens, Basic Auth and plain credentials in request body.
+ """
+
+ pass
+
+
+class ClientProtectedScopedResourceView(ScopedResourceMixin, ClientProtectedResourceView):
+
+ """Impose scope restrictions if client protection fallsback to access token.
+ """
+
+ pass

oauth2_provider/views/introspect.py

@@ -7,11 +7,11 @@
 from django.views.decorators.csrf import csrf_exempt
 
 from oauth2_provider.models import get_access_token_model
-from oauth2_provider.views import ScopedProtectedResourceView
+from oauth2_provider.views import ClientProtectedScopedResourceView
 
 
 @method_decorator(csrf_exempt, name="dispatch")
-class IntrospectTokenView(ScopedProtectedResourceView):
+class IntrospectTokenView(ClientProtectedScopedResourceView):
  """
  Implements an endpoint for token introspection based
  on RFC 7662 https://tools.ietf.org/html/rfc7662

oauth2_provider/views/mixins.py

@@ -174,6 +174,15 @@ def error_response(self, error, **kwargs):
 
  return redirect, error_response
 
+ def authenticate_client(self, request):
+ """Returns a boolean representing if client is authenticated with client credentials
+ method. Returns `True` if authenticated.
+
+ :param request: The current django.http.HttpRequest object
+ """
+ core = self.get_oauthlib_core()
+ return core.authenticate_client(request)
+
 
 class ScopedResourceMixin(object):
  """
@@ -200,6 +209,7 @@ class ProtectedResourceMixin(OAuthLibMixin):
  Helper mixin that implements OAuth2 protection on request dispatch,
  specially useful for Django Generic Views
  """
+
  def dispatch(self, request, *args, **kwargs):
  # let preflight OPTIONS requests pass
  if request.method.upper() == "OPTIONS":
@@ -223,12 +233,14 @@ class ReadWriteScopedResourceMixin(ScopedResourceMixin, OAuthLibMixin):
 
  def __new__(cls, *args, **kwargs):
  provided_scopes = get_scopes_backend().get_all_scopes()
- read_write_scopes = [oauth2_settings.READ_SCOPE, oauth2_settings.WRITE_SCOPE]
+ read_write_scopes = [oauth2_settings.READ_SCOPE,
+ oauth2_settings.WRITE_SCOPE]
 
  if not set(read_write_scopes).issubset(set(provided_scopes)):
  raise ImproperlyConfigured(
  "ReadWriteScopedResourceMixin requires following scopes{}"
- ' to be in OAUTH2_PROVIDER["SCOPES"] list in settings'.format(read_write_scopes)
+ ' to be in OAUTH2_PROVIDER["SCOPES"] list in settings'.format(
+ read_write_scopes)
  )
 
  return super().__new__(cls, *args, **kwargs)
@@ -246,3 +258,30 @@ def get_scopes(self, *args, **kwargs):
 
  # this returns a copy so that self.required_scopes is not modified
  return scopes + [self.read_write_scope]
+
+
+class ClientProtectedResourceMixin(OAuthLibMixin):
+
+ """Mixin for protecting resources with client authentication as mentioned in rfc:`3.2.1`
+ This involves authenticating with any of: HTTP Basic Auth, Client Credentials and
+ Access token in that order. Breaks off after first validation.
+ """
+
+ def dispatch(self, request, *args, **kwargs):
+ # let preflight OPTIONS requests pass
+ if request.method.upper() == "OPTIONS":
+ return super().dispatch(request, *args, **kwargs)
+ # Validate either with HTTP basic or client creds in request body.
+ # TODO: Restrict to POST.
+ valid = self.authenticate_client(request)
+ if not valid:
+ # Alternatively allow access tokens
+ # check if the request is valid and the protected resource may be accessed
+ valid, r = self.verify_request(request)
+ if valid:
+ request.resource_owner = r.user
+ return super().dispatch(request, *args, **kwargs)
+ else:
+ return HttpResponseForbidden()
+ else:
+ return super().dispatch(request, *args, **kwargs)

tests/test_introspection_view.py

@@ -9,6 +9,8 @@
 from oauth2_provider.models import get_access_token_model, get_application_model
 from oauth2_provider.settings import oauth2_settings
 
+from .utils import get_basic_auth_header
+
 
 Application = get_application_model()
 AccessToken = get_access_token_model()
@@ -19,9 +21,12 @@ class TestTokenIntrospectionViews(TestCase):
  """
  Tests for Authorized Token Introspection Views
  """
+
  def setUp(self):
- self.resource_server_user = UserModel.objects.create_user("resource_server", "[email protected]")
- self.test_user = UserModel.objects.create_user("bar_user", "[email protected]")
+ self.resource_server_user = UserModel.objects.create_user(
+ "resource_server", "[email protected]")
+ self.test_user = UserModel.objects.create_user(
+ "bar_user", "[email protected]")
 
  self.application = Application.objects.create(
  name="Test Application",
@@ -256,3 +261,63 @@ def test_view_post_notexisting_token(self):
  self.assertDictEqual(content,{
  "active": False,
  })
+
+ def test_view_post_valid_client_creds_basic_auth(self):
+ """Test HTTP basic auth working
+ """
+ auth_headers = get_basic_auth_header(
+ self.application.client_id, self.application.client_secret)
+ response = self.client.post(
+ reverse("oauth2_provider:introspect"),
+{"token": self.valid_token.token},
+ **auth_headers)
+ self.assertEqual(response.status_code, 200)
+ content = response.json()
+ self.assertIsInstance(content, dict)
+ self.assertDictEqual(content,{
+ "active": True,
+ "scope": self.valid_token.scope,
+ "client_id": self.valid_token.application.client_id,
+ "username": self.valid_token.user.get_username(),
+ "exp": int(calendar.timegm(self.valid_token.expires.timetuple())),
+ })
+
+ def test_view_post_invalid_client_creds_basic_auth(self):
+ """Must fail for invalid client credentials
+ """
+ auth_headers = get_basic_auth_header(
+ self.application.client_id, self.application.client_secret + "_so_wrong")
+ response = self.client.post(
+ reverse("oauth2_provider:introspect"),
+{"token": self.valid_token.token},
+ **auth_headers)
+ self.assertEqual(response.status_code, 403)
+
+ def test_view_post_valid_client_creds_plaintext(self):
+ """Test introspecting with credentials in request body
+ """
+ response = self.client.post(
+ reverse("oauth2_provider:introspect"),
+{"token": self.valid_token.token,
+ "client_id": self.application.client_id,
+ "client_secret": self.application.client_secret})
+ self.assertEqual(response.status_code, 200)
+ content = response.json()
+ self.assertIsInstance(content, dict)
+ self.assertDictEqual(content,{
+ "active": True,
+ "scope": self.valid_token.scope,
+ "client_id": self.valid_token.application.client_id,
+ "username": self.valid_token.user.get_username(),
+ "exp": int(calendar.timegm(self.valid_token.expires.timetuple())),
+ })
+
+ def test_view_post_invalid_client_creds_plaintext(self):
+ """Must fail for invalid creds in request body.
+ """
+ response = self.client.post(
+ reverse("oauth2_provider:introspect"),
+{"token": self.valid_token.token,
+ "client_id": self.application.client_id,
+ "client_secret": self.application.client_secret + "_so_wrong"})
+ self.assertEqual(response.status_code, 403)