TechQA.

Limit token scope server-side

90 views Asked by At

My login procedure allows admins to select an account that they would like to login-as. For that I can login as that particular user and issue the authorization code, as usual.

Now, what I would like is to extend this setup to allow some other admins to login with "read-only" access. This can easily be mapped to our API by use of certain scopes and removing some other scope.

For the oauth process to work, I do need a way to issue oauth tokens that come with a scope that has been limited server side (less scope than the actual client - server-side because read-only is enforced).

I imagine that I might need to write a new GrantType and probably also have to track state somehow, but I am unclear on how exactly I should use create_authorization_response() in this case.

authlib
Original Q&A
1

There are 1 answers

0
Fabian Schuh On

Ok, after some fiddling around, I found a solution. It essentially creates a custom Oauth2Request (usually client-provided, in our case, modified server-side).

Some rough outline of the code:

from urllib.parse import urlencode, parse_qs, urlparse

# obtain query string as dictionary
query_dict = parse_qs(request.query_string.decode("utf-8"))

# customize scope for this request
query_dict["scope"] = ["profile"]

# We here setup a custom Oauth2Request as we have change the scope in
# the query_dict
req = OAuth2Request(
   "POST", request.base_url + "?" + urlencode(query_dict, doseq=True)
)
return authorization.create_authorization_response(grant_user=user, request=req)

Related Questions in AUTHLIB

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions