RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage

This section contains the generic implementation of RFC6750.
Guide on Bearer Token

A bearer token is used in the OAuth 2.0 framework to protect resources: whoever presents the token is granted access, so it must only travel over TLS and the resource server must validate it on every request. You need to implement the missing methods of BearerTokenValidator before using it. Learn how to use it in Resource Server.
API Reference

class authlib.oauth2.rfc6750.BearerTokenValidator(realm=None)

    authenticate_token(token_string)

        A method to query the token from the database with the given token string. Developers MUST re-implement this method. For instance:

            def authenticate_token(self, token_string):
                return get_token_from_database(token_string)

        Parameters: token_string – a string representing the access_token.
        Returns: the token instance matching token_string
    request_invalid(request)

        Check whether the HTTP request is invalid. Developers MUST re-implement this method. Returning True rejects the request. For instance, if your server requires an "X-Device-Version" header, the request is invalid when that header is missing:

            def request_invalid(self, request):
                return 'X-Device-Version' not in request.headers

        Usually you do not have to detect whether the request is valid, and can simply return False.

        Parameters: request – instance of HttpRequest
        Returns: Boolean
    token_revoked(token)

        Check whether this token is revoked. Developers MUST re-implement this method. If there is a column called revoked on the token table:

            def token_revoked(self, token):
                return token.revoked

        Parameters: token – token instance
        Returns: Boolean
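The three hooks above are only meaningful in the order the resource server applies them: reject a malformed request, look the token up, then refuse expired or revoked tokens and tokens lacking the required scope. The following is an added, standalone example that is not Authlib's code: it implements a class with the same hook names against an in-memory store and chains them the way a resource server would, so it runs without authlib installed. The Token class, the SHA-256-keyed store, the dict-shaped request, the X-Device-Version requirement and the sample token strings are all constructed for the example.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    scope: str
    expires_at: float
    revoked: bool = False


class BearerTokenError(Exception):
    """Carries the error code the resource server would put in WWW-Authenticate."""


def token_key(token_string):
    # Assumption for this example: the issuer stored SHA-256 digests, not raw
    # tokens, so a dumped token table does not yield usable bearer tokens.
    return hashlib.sha256(token_string.encode("utf-8")).hexdigest()


def extract_bearer_token(request):
    """Pull the token out of 'Authorization: Bearer <token>' (RFC 6750 section 2.1).
    Returns None when the header is absent or uses a different scheme."""
    parts = request["headers"].get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


class DemoBearerTokenValidator:
    """Stand-in for a BearerTokenValidator subclass (not Authlib's class)."""

    def __init__(self, token_store, realm=None):
        self.token_store = token_store  # dict: token_key(token_string) -> Token
        self.realm = realm

    def authenticate_token(self, token_string):
        return self.token_store.get(token_key(token_string))

    def request_invalid(self, request):
        # Polarity matters: True means the request is INVALID, i.e. the
        # required X-Device-Version header is absent.
        return "X-Device-Version" not in request["headers"]

    def token_revoked(self, token):
        return token.revoked

    def token_expired(self, token):
        return token.expires_at < time.time()

    def scope_insufficient(self, token, required_scope):
        return not set(required_scope.split()) <= set(token.scope.split())

    def validate(self, request, required_scope):
        """Run the checks in resource-server order and return the token."""
        if self.request_invalid(request):
            raise BearerTokenError("invalid_request")
        token_string = extract_bearer_token(request)
        if token_string is None:
            # RFC 6750 section 3.1: when no credentials were sent at all, the
            # challenge is returned without an error code.
            raise BearerTokenError("missing_authorization")
        token = self.authenticate_token(token_string)
        if token is None or self.token_expired(token) or self.token_revoked(token):
            raise BearerTokenError("invalid_token")
        if self.scope_insufficient(token, required_scope):
            raise BearerTokenError("insufficient_scope")
        return token


# Constructed sample data for the example.
GOOD_TOKEN = "mF_9.B5f-4.1JqM"
REVOKED_TOKEN = "revoked-token-example"
EXPIRED_TOKEN = "expired-token-example"
DEMO_STORE = {
    token_key(GOOD_TOKEN): Token("client-a", "profile email", time.time() + 3600),
    token_key(REVOKED_TOKEN): Token("client-a", "profile", time.time() + 3600, revoked=True),
    token_key(EXPIRED_TOKEN): Token("client-b", "profile", time.time() - 60),
}


def make_request(token=None, device_version="1.2"):
    headers = {}
    if token is not None:
        headers["Authorization"] = "Bearer " + token
    if device_version is not None:
        headers["X-Device-Version"] = device_version
    return {"headers": headers}


def check(request, required_scope="profile"):
    """Return None on success, or the error code the server would send."""
    try:
        DemoBearerTokenValidator(DEMO_STORE, realm="api").validate(request, required_scope)
    except BearerTokenError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(check(make_request(GOOD_TOKEN)))                       # None
    print(check(make_request(GOOD_TOKEN, device_version=None)))  # invalid_request
    print(check(make_request(REVOKED_TOKEN)))                    # invalid_token
    print(check(make_request(GOOD_TOKEN), "admin"))              # insufficient_scope
```

Note that an unknown, expired and revoked token all map to the same invalid_token error: distinguishing them in the response would tell a caller which guessed strings were once valid.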
class authlib.oauth2.rfc6750.BearerToken(access_token_generator, refresh_token_generator=None, expires_generator=None)

    Bearer Token generator which creates the payload of the token response returned by the OAuth 2 server. A typical token response would be:

        HTTP/1.1 200 OK
        Content-Type: application/json;charset=UTF-8
        Cache-Control: no-store
        Pragma: no-cache

        {
          "access_token":"mF_9.B5f-4.1JqM",
          "token_type":"Bearer",
          "expires_in":3600,
          "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
        }

    Parameters:
        access_token_generator – a function to generate access_token. It must draw from a cryptographically secure random source, since a bearer token is only as strong as its unguessability.
        refresh_token_generator – a function to generate refresh_token. If not provided, no refresh_token is added to the token response.
        expires_generator – an int or a function. If it is an int, every token's expires_in is that value. If it is a function, it can derive expires_in from the client and grant_type:

            def expires_generator(client, grant_type):
                if is_official_client(client):
                    return 3600 * 1000
                if grant_type == 'implicit':
                    return 3600
                return 3600 * 10

          If it is not provided, the GRANT_TYPES_EXPIRES_IN and DEFAULT_EXPIRES_IN values below apply.

    Returns: a callable. Once initialized, a BearerToken instance can be called:

        token_generator = BearerToken(access_token_generator)
        token = token_generator(client, grant_type, expires_in=None, scope=None, include_refresh_token=True)

    The callable accepts these parameters:
        client – the client making the request.
        grant_type – the grant_type currently requested.
        expires_in – if provided, use this value as expires_in instead of the generator or the defaults.
        scope – the scope currently requested.
        include_refresh_token – whether a refresh_token should be included.
    Returns: token dict

    DEFAULT_EXPIRES_IN = 3600
        default expires_in value

    GRANT_TYPES_EXPIRES_IN = {'authorization_code': 864000, 'client_credentials': 864000, 'implicit': 3600, 'password': 864000}
        default expires_in value, differentiated by grant_type