Added support for client credentials grant

Author: clintonb

provider/__init__.py

@@ -1 +1 @@
-__version__ = '0.4.0'
+__version__ = '0.5.0'

provider/oauth2/forms.py

@@ -3,7 +3,7 @@
 from django.utils.encoding import smart_unicode
 from django.utils.translation import ugettext as _
 
-from provider import scope
+from provider import constants, scope
 from provider.constants import RESPONSE_TYPE_CHOICES, SCOPES
 from provider.forms import OAuthForm, OAuthValidationError
 from provider.oauth2.models import Client, Grant, RefreshToken
@@ -336,3 +336,14 @@ def clean(self):
 
         data['client'] = client
         return data
+
+
+class ClientCredentialsGrantForm(ScopeMixin, OAuthForm):
+    """ Validate a client credentials grant request. """
+
+    def clean(self):
+        cleaned_data = super(ClientCredentialsGrantForm, self).clean()
+        # We do not fully support scopes for this grant type; however, a scope is required
+        # in order to create an access token. Default to read-only access.
+        cleaned_data['scope'] = constants.READ
+        return cleaned_data

provider/oauth2/tests.py

@@ -588,6 +588,71 @@ def test_access_token_response_valid_token_type(self):
         self.assertEqual(token['token_type'], constants.TOKEN_TYPE, token)
 
 
+@ddt.ddt
+class ClientCredentialsAccessTokenTests(BaseOAuth2TestCase):
+    """ Tests for issuing access tokens using the client credentials grant. """
+    fixtures = ['test_oauth2.json']
+
+    def setUp(self):
+        super(ClientCredentialsAccessTokenTests, self).setUp()
+        AccessToken.objects.all().delete()
+
+    def request_access_token(self, client_id=None, client_secret=None):
+        """ Issues an access token request using the client credentials grant.
+
+        Arguments:
+            client_id (str): Optional override of the client ID credential.
+            client_secret (str): Optional override of the client secret credential.
+
+        Returns:
+            HttpResponse
+        """
+        client = self.get_client()
+        data = {
+            'grant_type': 'client_credentials',
+            'client_id': client_id or client.client_id,
+            'client_secret': client_secret or client.client_secret,
+        }
+
+        return self.client.post(self.access_token_url(), data)
+
+    def assert_valid_access_token_response(self, access_token, response):
+        """ Verifies the content of the response contains a JSON representation of the access token.
+
+        Note:
+            The access token should NOT have an associated refresh token.
+        """
+        expected = {
+            u'access_token': access_token.token,
+            u'token_type': constants.TOKEN_TYPE,
+            u'expires_in': access_token.get_expire_delta(),
+            u'scope': u' '.join(scope.names(access_token.scope)),
+        }
+
+        self.assertEqual(json.loads(response.content), expected)
+
+    def get_latest_access_token(self):
+        return AccessToken.objects.filter(client=self.get_client()).order_by('-id')[0]
+
+    def test_authorize_success(self):
+        """ Verify the endpoint successfully issues an access token using the client credentials grant. """
+        response = self.request_access_token()
+        self.assertEqual(200, response.status_code, response.content)
+
+        access_token = self.get_latest_access_token()
+        self.assert_valid_access_token_response(access_token, response)
+
+    @ddt.data(
+        {'client_id': 'invalid'},
+        {'client_secret': 'invalid'},
+    )
+    def test_authorize_with_invalid_credentials(self, credentials_override):
+        """ Verify the endpoint returns HTTP 400 if the credentials are invalid. """
+        response = self.request_access_token(**credentials_override)
+        self.assertEqual(400, response.status_code, response.content)
+        self.assertDictEqual(json.loads(response.content), {'error': 'invalid_client'})
+
+
 class AuthBackendTest(BaseOAuth2TestCase):
     fixtures = ['test_oauth2']
 

provider/oauth2/views.py

@@ -9,7 +9,7 @@
 from provider import constants
 from provider.oauth2.backends import BasicClientBackend, RequestParamsClientBackend, PublicPasswordBackend
 from provider.oauth2.forms import (AuthorizationCodeGrantForm, AuthorizationRequestForm, AuthorizationForm,
-                                   PasswordGrantForm, RefreshTokenGrantForm)
+                                   PasswordGrantForm, RefreshTokenGrantForm, ClientCredentialsGrantForm)
 from provider.oauth2.models import Client, RefreshToken, AccessToken
 from provider.utils import now
 from provider.views import AccessToken as AccessTokenView, OAuthError, AccessTokenMixin, Capture, Authorize, Redirect
@@ -139,6 +139,12 @@ def get_password_grant(self, request, data, client):
             raise OAuthError(form.errors)
         return form.cleaned_data
 
+    def get_client_credentials_grant(self, request, data, client):
+        form = ClientCredentialsGrantForm(data, client=client)
+        if not form.is_valid():
+            raise OAuthError(form.errors)
+        return form.cleaned_data
+
     def invalidate_grant(self, grant):
         if constants.DELETE_EXPIRED:
             grant.delete()

provider/views.py

@@ -521,7 +521,7 @@ class AccessToken(OAuthView, Mixin, AccessTokenMixin):
     Authentication backends used to authenticate a particular client.
     """
 
-    grant_types = ['authorization_code', 'refresh_token', 'password']
+    grant_types = ['authorization_code', 'refresh_token', 'password', 'client_credentials']
     """
     The default grant types supported by this view.
     """
@@ -550,6 +550,14 @@ def get_password_grant(self, request, data, client):
         """
         raise NotImplementedError  # pragma: no cover
 
+    def get_client_credentials_grant(self, request, data, client):
+        """
+        Return the optional parameters (scope) associated with this request.
+
+        :return: ``tuple`` - ``(True or False, options)``
+        """
+        raise NotImplementedError  # pragma: no cover
+
     def invalidate_grant(self, grant):
         """
         Override to handle grant invalidation. A grant is invalidated right
@@ -637,6 +645,21 @@ def password(self, request, data, client):
 
         return self.access_token_response(at)
 
+    def client_credentials(self, request, data, client):
+        """ Handle ``grant_type=client_credentials`` requests as defined in :rfc:`4.4`. """
+        data = self.get_client_credentials_grant(request, data, client)
+        kwargs = {
+            'request': request,
+            'user': client.user,
+            'scope': data.get('scope'),
+            'client': client,
+            'reuse_existing_access_token': constants.SINGLE_ACCESS_TOKEN,
+            'create_refresh_token': False,
+        }
+        at, rt = self.get_access_and_refresh_tokens(**kwargs)
+
+        return self.access_token_response(at)
+
     def get_handler(self, grant_type):
         """
         Return a function or method that is capable handling the ``grant_type``
@@ -649,6 +672,8 @@ def get_handler(self, grant_type):
             return self.refresh_token
         elif grant_type == 'password':
             return self.password
+        elif grant_type == 'client_credentials':
+            return self.client_credentials
         return None
 
     def get(self, request):