Added support for client_credentials grant type

Author: brandon-miles

provider/__init__.py

@@ -1 +1 @@
-__version__ = '0.4.0'
+__version__ = '0.5.0'

provider/oauth2/forms.py

@@ -336,3 +336,10 @@ def clean(self):
 
         data['client'] = client
         return data
+
+
+class ClientCredentialsGrantForm(ScopeMixin, OAuthForm):
+    """
+    Validate a client credentials grant request.
+    """
+    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)

provider/oauth2/tests.py

@@ -597,6 +597,25 @@ def test_access_token_response_valid_token_type(self):
         token = self._login_authorize_get_token()
         self.assertEqual(token['token_type'], constants.TOKEN_TYPE, token)
 
+    def test_client_credentials_grant(self):
+        response = self.client.post(self.access_token_url(), {
+            'grant_type': 'client_credentials',
+            'client_id': self.get_client().client_id,
+            'client_secret': self.get_client().client_secret,
+        })
+
+        self.assertEqual(200, response.status_code, response.content)
+
+        response = self.client.post(self.access_token_url(), {
+            'grant_type': 'client_credentials',
+            'client_id': self.get_client().client_id,
+            'client_secret': self.get_client().client_secret + 'invalid',
+        })
+
+        self.assertEqual(400, response.status_code, response.content)
+        self.assertEqual('invalid_client',
+                         json.loads(response.content)['error'])
+
 
 class AuthBackendTest(BaseOAuth2TestCase):
     fixtures = ['test_oauth2']

provider/oauth2/views.py

@@ -8,13 +8,11 @@
 
 from provider import constants
 from provider.oauth2.backends import BasicClientBackend, RequestParamsClientBackend, PublicPasswordBackend
-from provider.oauth2.forms import AuthorizationCodeGrantForm
-from provider.oauth2.forms import AuthorizationRequestForm, AuthorizationForm
-from provider.oauth2.forms import PasswordGrantForm, RefreshTokenGrantForm
+from provider.oauth2.forms import (AuthorizationCodeGrantForm, AuthorizationRequestForm, AuthorizationForm,
+                                   PasswordGrantForm, RefreshTokenGrantForm, ClientCredentialsGrantForm)
 from provider.oauth2.models import Client, RefreshToken, AccessToken
 from provider.utils import now
-from provider.views import AccessToken as AccessTokenView, OAuthError, AccessTokenMixin
-from provider.views import Capture, Authorize, Redirect
+from provider.views import AccessToken as AccessTokenView, OAuthError, AccessTokenMixin, Capture, Authorize, Redirect
 
 
 class OAuth2AccessTokenMixin(AccessTokenMixin):
@@ -143,6 +141,12 @@ def get_password_grant(self, request, data, client):
             raise OAuthError(form.errors)
         return form.cleaned_data
 
+    def get_client_credentials_grant(self, request, data, client):
+        form = ClientCredentialsGrantForm(data, client=client)
+        if not form.is_valid():
+            raise OAuthError(form.errors)
+        return form.cleaned_data
+
     def invalidate_grant(self, grant):
         if constants.DELETE_EXPIRED:
             grant.delete()

provider/views.py

@@ -503,7 +503,7 @@ class AccessToken(OAuthView, Mixin, AccessTokenMixin):
     Authentication backends used to authenticate a particular client.
     """
 
-    grant_types = ['authorization_code', 'refresh_token', 'password']
+    grant_types = ['authorization_code', 'refresh_token', 'password', 'client_credentials']
     """
     The default grant types supported by this view.
     """
@@ -532,6 +532,14 @@ def get_password_grant(self, request, data, client):
         """
         raise NotImplementedError  # pragma: no cover
 
+    def get_client_credentials_grant(self, request, data, client):
+        """
+        Return the optional parameters (scope) associated with this request.
+
+        :return: ``tuple`` - ``(True or False, options)``
+        """
+        raise NotImplementedError
+
     def invalidate_grant(self, grant):
         """
         Override to handle grant invalidation. A grant is invalidated right
@@ -610,6 +618,22 @@ def password(self, request, data, client):
 
         return self.access_token_response(at)
 
+    def client_credentials(self, request, data, client):
+        """
+         Handle ``grant_type=client_credentials`` requests as defined in
+         :rfc:`4.4`.
+         """
+        data = self.get_client_credentials_grant(request, data, client)
+        scope = data.get('scope')
+
+        if constants.SINGLE_ACCESS_TOKEN:
+            at = self.get_access_token(request, client.user, scope, client)
+        else:
+            at = self.create_access_token(request, client.user, scope, client)
+            rt = self.create_refresh_token(request, client.user, scope, at, client)
+
+        return self.access_token_response(at)
+
     def get_handler(self, grant_type):
         """
         Return a function or method that is capable handling the ``grant_type``
@@ -622,6 +646,8 @@ def get_handler(self, grant_type):
             return self.refresh_token
         elif grant_type == 'password':
             return self.password
+        elif grant_type == 'client_credentials':
+            return self.client_credentials
         return None
 
     def get(self, request):