revocation

oauthlib.oauth2.rfc6749.endpoint.revocation ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An implementation of the OAuth 2 Token Revocation_ spec (draft 11).

.. _Token Revocation: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11

`RevocationEndpoint`

Bases: BaseEndpoint

Token revocation endpoint.

Endpoint used by authenticated clients to revoke access and refresh tokens. Commonly this will be part of the Authorization Endpoint.

Source code in server/vendor/oauthlib/oauth2/rfc6749/endpoints/revocation.py

class RevocationEndpoint(BaseEndpoint):

    """Token revocation endpoint.

    Endpoint used by authenticated clients to revoke access and refresh tokens.
    Commonly this will be part of the Authorization Endpoint.
    """

    valid_token_types = ('access_token', 'refresh_token')
    valid_request_methods = ('POST',)

    def __init__(self, request_validator, supported_token_types=None,
            enable_jsonp=False):
        BaseEndpoint.__init__(self)
        self.request_validator = request_validator
        self.supported_token_types = (
            supported_token_types or self.valid_token_types)
        self.enable_jsonp = enable_jsonp

    @catch_errors_and_unavailability
    def create_revocation_response(self, uri, http_method='POST', body=None,
                                   headers=None):
        """Revoke supplied access or refresh token.


        The authorization server responds with HTTP status code 200 if the
        token has been revoked successfully or if the client submitted an
        invalid token.

        Note: invalid tokens do not cause an error response since the client
        cannot handle such an error in a reasonable way.  Moreover, the purpose
        of the revocation request, invalidating the particular token, is
        already achieved.

        The content of the response body is ignored by the client as all
        necessary information is conveyed in the response code.

        An invalid token type hint value is ignored by the authorization server
        and does not influence the revocation response.
        """
        resp_headers = {
            'Content-Type': 'application/json',
            'Cache-Control': 'no-store',
            'Pragma': 'no-cache',
        }
        request = Request(
            uri, http_method=http_method, body=body, headers=headers)
        try:
            self.validate_revocation_request(request)
            log.debug('Token revocation valid for %r.', request)
        except OAuth2Error as e:
            log.debug('Client error during validation of %r. %r.', request, e)
            response_body = e.json
            if self.enable_jsonp and request.callback:
                response_body = '{}({});'.format(request.callback, response_body)
            resp_headers.update(e.headers)
            return resp_headers, response_body, e.status_code

        self.request_validator.revoke_token(request.token,
                                            request.token_type_hint, request)

        response_body = ''
        if self.enable_jsonp and request.callback:
            response_body = request.callback + '();'
        return {}, response_body, 200

    def validate_revocation_request(self, request):
        """Ensure the request is valid.

        The client constructs the request by including the following parameters
        using the "application/x-www-form-urlencoded" format in the HTTP
        request entity-body:

        token (REQUIRED).  The token that the client wants to get revoked.

        token_type_hint (OPTIONAL).  A hint about the type of the token
        submitted for revocation.  Clients MAY pass this parameter in order to
        help the authorization server to optimize the token lookup.  If the
        server is unable to locate the token using the given hint, it MUST
        extend its search across all of its supported token types.  An
        authorization server MAY ignore this parameter, particularly if it is
        able to detect the token type automatically.  This specification
        defines two such values:

                *  access_token: An Access Token as defined in [RFC6749],
                    `section 1.4`_

                *  refresh_token: A Refresh Token as defined in [RFC6749],
                    `section 1.5`_

                Specific implementations, profiles, and extensions of this
                specification MAY define other values for this parameter using
                the registry defined in `Section 4.1.2`_.

        The client also includes its authentication credentials as described in
        `Section 2.3`_. of [`RFC6749`_].

        .. _`section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4
        .. _`section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5
        .. _`section 2.3`: https://tools.ietf.org/html/rfc6749#section-2.3
        .. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2
        .. _`RFC6749`: https://tools.ietf.org/html/rfc6749
        """
        self._raise_on_bad_method(request)
        self._raise_on_bad_post_request(request)
        self._raise_on_missing_token(request)
        self._raise_on_invalid_client(request)
        self._raise_on_unsupported_token(request)

`create_revocation_response(uri, http_method='POST', body=None, headers=None)`

Revoke supplied access or refresh token.

The authorization server responds with HTTP status code 200 if the token has been revoked successfully or if the client submitted an invalid token.

Note: invalid tokens do not cause an error response since the client cannot handle such an error in a reasonable way. Moreover, the purpose of the revocation request, invalidating the particular token, is already achieved.

The content of the response body is ignored by the client as all necessary information is conveyed in the response code.

An invalid token type hint value is ignored by the authorization server and does not influence the revocation response.

Source code in server/vendor/oauthlib/oauth2/rfc6749/endpoints/revocation.py

@catch_errors_and_unavailability
def create_revocation_response(self, uri, http_method='POST', body=None,
                               headers=None):
    """Revoke supplied access or refresh token.


    The authorization server responds with HTTP status code 200 if the
    token has been revoked successfully or if the client submitted an
    invalid token.

    Note: invalid tokens do not cause an error response since the client
    cannot handle such an error in a reasonable way.  Moreover, the purpose
    of the revocation request, invalidating the particular token, is
    already achieved.

    The content of the response body is ignored by the client as all
    necessary information is conveyed in the response code.

    An invalid token type hint value is ignored by the authorization server
    and does not influence the revocation response.
    """
    resp_headers = {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
    }
    request = Request(
        uri, http_method=http_method, body=body, headers=headers)
    try:
        self.validate_revocation_request(request)
        log.debug('Token revocation valid for %r.', request)
    except OAuth2Error as e:
        log.debug('Client error during validation of %r. %r.', request, e)
        response_body = e.json
        if self.enable_jsonp and request.callback:
            response_body = '{}({});'.format(request.callback, response_body)
        resp_headers.update(e.headers)
        return resp_headers, response_body, e.status_code

    self.request_validator.revoke_token(request.token,
                                        request.token_type_hint, request)

    response_body = ''
    if self.enable_jsonp and request.callback:
        response_body = request.callback + '();'
    return {}, response_body, 200

`validate_revocation_request(request)`

Ensure the request is valid.

The client constructs the request by including the following parameters using the "application/x-www-form-urlencoded" format in the HTTP request entity-body:

token (REQUIRED). The token that the client wants to get revoked.

token_type_hint (OPTIONAL). A hint about the type of the token submitted for revocation. Clients MAY pass this parameter in order to help the authorization server to optimize the token lookup. If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types. An authorization server MAY ignore this parameter, particularly if it is able to detect the token type automatically. This specification defines two such values:

    *  access_token: An Access Token as defined in [RFC6749],
        `section 1.4`_

    *  refresh_token: A Refresh Token as defined in [RFC6749],
        `section 1.5`_

    Specific implementations, profiles, and extensions of this
    specification MAY define other values for this parameter using
    the registry defined in `Section 4.1.2`_.

The client also includes its authentication credentials as described in Section 2.3. of [RFC6749].

.. section 1.4: https://tools.ietf.org/html/rfc6749#section-1.4 .. section 1.5: https://tools.ietf.org/html/rfc6749#section-1.5 .. section 2.3: https://tools.ietf.org/html/rfc6749#section-2.3 .. Section 4.1.2: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2 .. _RFC6749: https://tools.ietf.org/html/rfc6749

Source code in server/vendor/oauthlib/oauth2/rfc6749/endpoints/revocation.py

def validate_revocation_request(self, request):
    """Ensure the request is valid.

    The client constructs the request by including the following parameters
    using the "application/x-www-form-urlencoded" format in the HTTP
    request entity-body:

    token (REQUIRED).  The token that the client wants to get revoked.

    token_type_hint (OPTIONAL).  A hint about the type of the token
    submitted for revocation.  Clients MAY pass this parameter in order to
    help the authorization server to optimize the token lookup.  If the
    server is unable to locate the token using the given hint, it MUST
    extend its search across all of its supported token types.  An
    authorization server MAY ignore this parameter, particularly if it is
    able to detect the token type automatically.  This specification
    defines two such values:

            *  access_token: An Access Token as defined in [RFC6749],
                `section 1.4`_

            *  refresh_token: A Refresh Token as defined in [RFC6749],
                `section 1.5`_

            Specific implementations, profiles, and extensions of this
            specification MAY define other values for this parameter using
            the registry defined in `Section 4.1.2`_.

    The client also includes its authentication credentials as described in
    `Section 2.3`_. of [`RFC6749`_].

    .. _`section 1.4`: https://tools.ietf.org/html/rfc6749#section-1.4
    .. _`section 1.5`: https://tools.ietf.org/html/rfc6749#section-1.5
    .. _`section 2.3`: https://tools.ietf.org/html/rfc6749#section-2.3
    .. _`Section 4.1.2`: https://tools.ietf.org/html/draft-ietf-oauth-revocation-11#section-4.1.2
    .. _`RFC6749`: https://tools.ietf.org/html/rfc6749
    """
    self._raise_on_bad_method(request)
    self._raise_on_bad_post_request(request)
    self._raise_on_missing_token(request)
    self._raise_on_invalid_client(request)
    self._raise_on_unsupported_token(request)