diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py index 47c8b1c7e..cc669f04f 100644 --- a/oauth2_provider/oauth2_validators.py +++ b/oauth2_provider/oauth2_validators.py @@ -55,7 +55,10 @@ def _authenticate_basic_auth(self, request): if not auth_string: return False - encoding = request.encoding or 'utf-8' + try: + encoding = request.encoding + except AttributeError: + encoding = 'utf-8' try: b64_decoded = base64.b64decode(auth_string) @@ -91,10 +94,10 @@ def _authenticate_request_body(self, request): directly utilize the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details. """ # TODO: check if oauthlib has already unquoted client_id and client_secret - client_id = request.client_id - client_secret = request.client_secret - - if not client_id or not client_secret: + try: + client_id = request.client_id + client_secret = request.client_secret + except AttributeError: return False if self._load_application(client_id, request) is None: @@ -143,8 +146,12 @@ def client_authentication_required(self, request, *args, **kwargs): if self._extract_basic_auth(request): return True - if request.client_id and request.client_secret: - return True + try: + if request.client_id and request.client_secret: + return True + except AttributeError: + log.debug("Client id or client secret not provided, proceed evaluating if authentication is required...") + pass self._load_application(request.client_id, request) if request.client: diff --git a/oauth2_provider/tests/test_authorization_code.py b/oauth2_provider/tests/test_authorization_code.py index c00400f37..5c51c35cf 100644 --- a/oauth2_provider/tests/test_authorization_code.py +++ b/oauth2_provider/tests/test_authorization_code.py 
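Review bot: The `or 'utf-8'` fallback disappears in the new `try` block of `_authenticate_basic_auth`, so a `request.encoding` that exists but is `None` or empty is now passed on as-is; only a missing attribute is still mapped to `'utf-8'`. The credential decode that presumably follows below the hunk would then receive `None`. Both cases are covered in one line: `encoding = getattr(request, 'encoding', None) or 'utf-8'`. The method begins before the hunk and continues past it.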
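Review bot: Dropping `if not client_id or not client_secret: return False` in `_authenticate_request_body` means a present-but-blank `client_secret` no longer short-circuits to failure; only a missing attribute does. The method then proceeds to `_load_application` and, judging by the old guard, to a secret comparison further down, so rejecting blank credentials now rests entirely on that comparison never matching an empty string. Restore the explicit guard right after the `except` block: `if not client_id or not client_secret: return False`. The method continues beyond the end of the hunk.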
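Review bot: In `client_authentication_required` the `except AttributeError` only covers the `if`; the very next line, `self._load_application(request.client_id, request)`, reads `request.client_id` again, so a request with neither Basic auth nor a `client_id` raises the same AttributeError a second time, now uncaught, instead of returning a boolean. Bind the value once and reuse it: `client_id = getattr(request, 'client_id', None)` before the `if`, then `self._load_application(client_id, request)`. The `pass` after `log.debug(...)` is dead code and can be removed. The method body continues past the hunk.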
@@ -261,7 +261,7 @@ def test_pre_auth_wrong_response_type(self): response = self.client.get(url) self.assertEqual(response.status_code, 302) - self.assertIn("error=unauthorized_client", response['Location']) + self.assertIn("error=unsupported_response_type", response['Location']) def test_code_post_auth_allow(self): """ diff --git a/oauth2_provider/tests/test_token_revocation.py b/oauth2_provider/tests/test_token_revocation.py index b5aca044c..ce8024fa9 100644 --- a/oauth2_provider/tests/test_token_revocation.py +++ b/oauth2_provider/tests/test_token_revocation.py @@ -60,6 +60,30 @@ def test_revoke_access_token(self): self.assertEqual(response.content, b'') self.assertFalse(AccessToken.objects.filter(id=tok.id).exists()) + def test_revoke_access_token_public(self): + public_app = Application( + name="Test Application", + redirect_uris="http://localhost http://example.com http://example.it", + user=self.dev_user, + client_type=Application.CLIENT_PUBLIC, + authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE, + ) + public_app.save() + + tok = AccessToken.objects.create(user=self.test_user, token='1234567890', + application=public_app, + expires=timezone.now() + datetime.timedelta(days=1), + scope='read write') + + query_string = urlencode({ + 'client_id': public_app.client_id, + 'token': tok.token, + }) + + url = "{url}?{qs}".format(url=reverse('oauth2_provider:revoke-token'), qs=query_string) + response = self.client.post(url) + self.assertEqual(response.status_code, 200) + def test_revoke_access_token_with_hint(self): """ diff --git a/requirements/base.txt b/requirements/base.txt index 0c2dca010..1dd139d74 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -1,5 +1,5 @@ Sphinx==1.3.1 South==1.0 -oauthlib>=0.6.2 +oauthlib==1.0.1 django-braces==1.4.0 six
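Review bot: `test_revoke_access_token_public` asserts only the 200 status and never checks that the token is gone, unlike the sibling test on the context line above, which ends with `self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())`. A revocation endpoint that follows RFC 7009 also answers 200 for tokens it does not recognise, so the status alone does not demonstrate that a public client actually revoked its token. Add the same `self.assertFalse(AccessToken.objects.filter(id=tok.id).exists())` after the status assertion. A negative companion case — a public client posting another application's token and the token surviving — would pin the authorization side of this change, which the hunk leaves untested.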