From e271336399efa863f47938559fbfb06b19a33770 Mon Sep 17 00:00:00 2001
From: John Williams
Date: Tue, 16 Apr 2013 00:44:45 -0700
Subject: [PATCH 1/2] Failed to set access_token as attribute
---
 oauth2app/token.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauth2app/token.py b/oauth2app/token.py
index f2c2b4a..8a8b9fa 100644
--- a/oauth2app/token.py
+++ b/oauth2app/token.py
@@ -405,7 +405,7 @@ def _get_refresh_token(self):
 def _get_client_credentials_token(self):
 """Generate an access token after client_credentials authorization."""
- access_token = AccessToken.objects.create(
+ self.access_token = AccessToken.objects.create(
 user=self.client.user,
 client=self.client,
 refreshable=self.refreshable)
From c4df1eee98a7e6ef921b656cd3bd85ab00be2a7b Mon Sep 17 00:00:00 2001
From: John Williams
Date: Wed, 17 Apr 2013 00:04:15 -0700
Subject: [PATCH 2/2] Prevent unauthorized acces to client self grant
---
 oauth2app/models.py | 1 +
 oauth2app/token.py | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/oauth2app/models.py b/oauth2app/models.py
index 585337b..0c16362 100644
--- a/oauth2app/models.py
+++ b/oauth2app/models.py
@@ -82,6 +82,7 @@ class Client(models.Model):
 unique=True,
 max_length=CLIENT_SECRET_LENGTH,
 default=KeyGenerator(CLIENT_SECRET_LENGTH))
+ can_self_grant = models.BooleanField(default=False)
 redirect_uri = models.URLField(null=True)
diff --git a/oauth2app/token.py b/oauth2app/token.py
index 8a8b9fa..ff81763 100644
--- a/oauth2app/token.py
+++ b/oauth2app/token.py
@@ -210,6 +210,8 @@ def _validate(self):
 def _validate_access_credentials(self):
 """Validate the request's access credentials."""
+ if not self.client.can_self_grant:
+ raise InvalidClient('Client authentication failed.')
 if self.client_secret is None and "HTTP_AUTHORIZATION" in self.request.META:
 authorization = self.request.META["HTTP_AUTHORIZATION"]
 auth_type, auth_value = authorization.split()[0:2]
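Review bot: `refreshable=self.refreshable` on the token minted here lets a client_credentials grant hand out a refresh token, which RFC 6749 §4.4.3 says SHOULD NOT be included in that response; consider passing `refreshable=False` at this call site, or at least documenting why the request-level flag is honoured for this grant. The attribute the commit now stores also deserves a mention in the docstring, e.g. `"""Generate an access token after client_credentials authorization and store it on self.access_token."""`. _get_client_credentials_token continues past the end of the hunk, so whether anything else reads self.access_token afterwards is not visible here.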
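Review bot: The new field has the right fail-closed default, but nothing on the model says what the flag gates; a `help_text` would, e.g. `can_self_grant = models.BooleanField(default=False, help_text="Allow this client to obtain an access token for its owner via the client_credentials grant.")`. Adding a column to Client also needs a schema migration in whatever tool the project uses, and none is part of this patch (whether the project tracks migrations at all is not visible here). The Client class continues outside the hunk.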
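Review bot: The added guard sits at the top of `_validate_access_credentials`, which by its docstring and the client-secret/HTTP_AUTHORIZATION handling that follows validates client credentials for every grant, so as written any client without `can_self_grant` is rejected for all token requests rather than only for client_credentials; the check should be conditioned on the grant type (the attribute name is not visible in this hunk, presumably something like `self.grant_type`), e.g. `if self.grant_type == 'client_credentials' and not self.client.can_self_grant:`. It also runs before the client has actually been authenticated, and raises `InvalidClient` where RFC 6749 §5.2 reserves `unauthorized_client` for a client that is not permitted to use a grant type; moving it after the secret check and raising the module's unauthorized-client error, if it defines one, would be more accurate and keep authorization-failure responses distinct from bad-credential ones. The method continues past the end of the hunk.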