Preliminary token revocation support #7
Conversation
|
Hi! Sorry! I wasn't watching this repo, apparently. I'm taking a look! Thanks! |
|
The general pattern so far has been to add request parameters so that a lot of the OAuthLib endpoints might not care that it's a |
|
Thanks for getting back on this. We have a project where we're using a slightly modified version of I'd be interested in seeing full support in |
| @@ -63,7 +69,15 @@ def create_authorization_response(self, request, | |||
|
|
|||
| @base.catch_errors_and_unavailability | |||
| def create_revocation_response(self, request): | |||
| pass | |||
| handler = self.response_types.get( | |||
There was a problem hiding this comment.
I don't think the revocation handler has to know about response types. It needs to validate the revocation request (the base class implementation of oauth2.RevocationEndpoint.validate_revocation_request should handle that).
What's confusing is that I the revocation endpoint is the only endpoint that needs to know about the RequestValidator directly. The rest of the endpoints all delegate to token, response, and grant types, which may use the validator. These built in handlers all take a request_validator keyword to their constructor.
Since pyramid-oauthlib creates exactly one Server instance when it's included and cannot know what implementation of RequestValidator is needed, what do you think of a directive like config.set_request_validator(). You must call it before you register any of the handlers and whatever you pass will be given implicitly as an extra keyword argument to all of their constructors.
config.set_request_validator('my.validator')
config.add_grant_type('oauthlib.oauth2.ResourceOwnerPasswordCredentialsGrant', 'password')It means that, while the OAuthLib servers are usually configured to have one class be both a grant type and response type handler, we would actually probably instantiate the grant type twice (once in each role). I don't think that's a problem.
There was a problem hiding this comment.
The revocation endpoint does seem like the odd man out here. If we have config.set_request_validator define a default request validator, would the methods (e.g. config.add_grant_type) currently accepting a request_validator parameter still accept one as an override or would it go away? I don't see it such a problem if it goes away but it does change how it is now where you can provide a different request validator for each call.
Would the parameter for config.set_request_validator accept both a python import path to a callable producing the validator and a direct object reference to one?
There was a problem hiding this comment.
I don't see it such a problem if it goes away but it does change how it is now where you can provide a different request validator for each call.
I'm don't know that I see a use case for different request validators, but maybe there is one. If there is such a use case, one clear response is to just require the user to make some subclass mixing in the various request validator pieces they need so they can create one composite validator.
Would the parameter for
config.set_request_validatoraccept both a python import path to a callable producing the validator and a direct object reference to one?
Definitely. All the directives accept dotted string references.
|
@dokai I'd like to finish this up sometime soon. |
|
+1 for a simpler, encapsulated approach. Could you show a minimal example how this would be wired in with your proposed approach? |
Hi
I've started testing
pyramid-oauthliband would like to use it in a project. I have interest in supporting token revocation and have managed to get it roughly working with the given changes. I'd be interested in knowing your plans on how to properly implement it and would be happy to work on this part.One issue I noticed is that the
RevocationEndPoint.create_revocation_responsebuilds the request object itself and passes that to theRequestValidator.validate_revocation_requestmethod. This breaks the promise that the request parameters passed to the custom validator would bepyramid.request.Requestinstead ofoauthlib.common.Request.Looking forward to your comments.