Creating a Provider

OAuthLib is a dependency free library that may be used with any web framework. That said, there are framework specific helper libraries to make your life easier.

If there is no support for your favourite framework and you are interested in providing it then you have come to the right place. OAuthLib can handle the OAuth logic and leave you to support a few framework and setup specific tasks such as marshalling request objects into URI, headers and body arguments as well as provide an interface for a backend to store tokens, clients, etc.

1. OAuth2.0 Provider flows

OAuthLib interface between web framework and provider implementation are not always easy to follow, it’s why a graph below has been done to better understand the implication of OAuthLib in the request’s lifecycle.

digraph oauthlib_legend {

    subgraph cluster_legend {
        label="Legend";

        /*
        method [ shape=record; label="{{RequestValidator\nmethod name|arguments}|return values}" ];
        endpoint [ shape=record; label="{Endpoint name|{function name|arguments}|grant type}" ];
        webframework [ shape=hexagon; label="Upstream functions" ];
        */

        flow_code_token [shape=none,label="Authorization Code\nAccess Token Request"];
        flow_code_auth [shape=none,label="Authorization Code\nAuthorization Request"];
        flow_implicit [shape=none,label="Implicit Grant"];
        flow_password [shape=none,label="Resource Owner Password\nCredentials Grant"];
        flow_clicreds [shape=none,label="Client Credentials Grant"];
        flow_refresh [shape=none,label="Refresh Grant"];
        flow_introspect [shape=none,label="Token Introspection"];
        flow_revoke [shape=none,label="Token Revoke"];
        flow_resource [shape=none,label="Resource Access"];
        flow_code_token -> a [style=bold,color=darkgreen];
        flow_code_auth -> b [style=bold,color=green];
        flow_implicit -> c [style=bold,color=orange];
        flow_password -> d [style=bold,color=red];
        flow_clicreds -> e [style=bold,color=blue];
        flow_refresh -> f [style=bold,color=brown];
        flow_introspect -> g [style=bold,color=yellow];
        flow_revoke -> h [style=bold,color=purple];
        flow_resource -> i [style=bold,color=pink];
        a, b, c, d, e, f, g, h, i [shape=none,label=""];
    }
}
digraph oauthlib {
    /* Naming conventions:
    f_ : functions in shape=record
    endpoint_ : endpoints in shape=record
    webapi_ : oauthlib entry/exit points in shape=hexagon
    if_ : internal conditions
    r_ : used when returning from two functions into one for improving clarity
    h_ : callbacks/hooks available but not required
    */
    center="1"
    edge [ style=bold ];

    /* Web Framework Entry and Exit points */
    {
        node [ shape=hexagon ];
        edge [ style=normal ];
        
        webapi_request [ label="WebFramework\nHTTP request" ];
        webapi_request:s ->
                endpoint_authorize:top:n,
                endpoint_token:top:n,
                endpoint_introspect:top:n,
                endpoint_revoke:top:n,
                endpoint_resource:top:n;
        webapi_response [ label="WebFramework\nHTTP response" ];
    }

    /* OAuthlib Endpoints */
    {
        rank=same;

        endpoint_authorize [ shape=record; label="{<top>Authorize Endpoint|{create_authorize_response|{uri|method|body|headers|credentials}}|{<token>token|<code>code}}" ];
        endpoint_token [ shape=record; label="{<top>Token Endpoint|{create_token_response|{uri|method|body|headers|credentials}}|{<authorization_code>authorization_code|<password>password|<client_credentials>client_credentials|<refresh_token>refresh_token}}" ];
        endpoint_revoke [ shape=record; label="{<top>Revocation Endpoint|{create_revocation_response|{uri|method|body|headers}}}" ];
        endpoint_introspect [ shape=record; label="{<top>Introspect Endpoint|{create_introspect_response|{uri|method|body|headers}}}" ];
        endpoint_resource [ shape=record; label="{<top>Resource Endpoint|{verify_request|{uri|method|body|headers|scopes_list}}}" ];
    }

    /* OAuthlib RequestValidator Methods */
    {
        node [ shape=record ];

        f_client_authentication_required [ label="{{<top>client_authentication_required|request}|{<true>True|<false>False}}"; ];
        f_authenticate_client [ label="{{<top>authenticate_client|request}|{<true>True|<false>False}}";];
        f_authenticate_client_id [ label="{{<top>authenticate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_grant_type [ label="{{<top>validate_grant_type|{client_id|grant_type|client|request}}|{<true>True|<false>False}}"; ];
        f_validate_code [ label="{{<top>validate_code|{client_id|code|request}}|{<true>True|<false>False}}"; ];
        f_confirm_redirect_uri [ label="{{<top>confirm_redirect_uri|{client_id|code|redirect_uri|client|request}}|{<true>True|<false>False}}"; ];
        f_get_default_redirect_uri [ label="{{<top>get_default_redirect_uri|{client_id|request}}|{<redirect_uri>redirect_uri|<none>None}}"; ];
        f_invalidate_authorization_code [ label="{{<top>invalidate_authorization_code|{client_id|code|request}}|None}"; ];
        f_validate_scopes [ label="{{<top>validate_scopes|{client_id|scopes|client|request}}|{<true>True|<false>False}}"; ];
        f_save_bearer_token [ label="{{<top>save_bearer_token|{token|request}}|None}"; ];
        f_revoke_token [ label="{{<top>revoke_token|{token|token_type_hint|request}}|None}"; ];
        f_validate_client_id [ label="{{<top>validate_client_id|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_redirect_uri [ label="{{<top>validate_redirect_uri|{client_id|redirect_uri|request}}|{<true>True|<false>False}}"; ];
        f_is_pkce_required [ label="{{<top>is_pkce_required|{client_id|request}}|{<true>True|<false>False}}"; ];
        f_validate_response_type [ label="{{<top>validate_response_type|{client_id|response_type|client|request}}|{<true>True|<false>False}}"; ];
        f_save_authorization_code [ label="{{<top>save_authorization_code|{client_id|code|request}}|None}"; ];
        f_validate_bearer_token [ label="{{<top>validate_bearer_token|{token|scopes|request}}|{<true>True|<false>False}}"; ];
        f_validate_refresh_token [ label="{{<top>validate_refresh_token|{refresh_token|client|request}}|{<true>True|<false>False}}"; ];
        f_get_default_scopes [ label="{{<top>get_default_scopes|{client_id|request}}|{<scopes>[scopes]}}"; ];
        f_get_original_scopes [ label="{{<top>get_original_scopes|{refresh_token|request}}|{<scopes>[scopes]}}"; ];
        f_is_within_original_scope [ label="{{<top>is_within_original_scope|{refresh_scopes|refresh_token|request}}|{<true>True|<false>False}}"; ];
        f_validate_user [ label="{{<top>validate_user|{username|password|client|request}}|{<true>True|<false>False}}"; ];
        f_introspect_token [ label="{{<top>introspect_token|{token|token_type_hint|request}}|{<claims>\{claims\}|<none>None}}"; ];
        f_rotate_refresh_token [ label="{{<top>rotate_refresh_token|{request}}|{<true>True|<false>False}}"; ];
    }

    /* OAuthlib Conditions */

    if_code_challenge [ label="if code_challenge"; ];
    if_redirect_uri [ label="if redirect_uri"; ];
    if_redirect_uri_present [ shape=none;label="present"; ];
    if_redirect_uri_missing [ shape=none;label="missing"; ];
    if_scopes [ label="if scopes"; ];
    if_all [ label="all(request_scopes not in scopes)"; ];

    /* OAuthlib functions returns helpers */
    r_client_authenticated [ shape=none,label="client authenticated"; ];

    /* OAuthlib errors */
    e_normal [ shape=none,label="ERROR" ];

    /* Ranking by functional roles */
    {
        rank = same;
        f_validate_client_id;
        f_validate_code;
        /* f_validate_user; */
        f_validate_bearer_token;
        f_validate_refresh_token;
        f_introspect_token;
        f_revoke_token;
    }
    {
        rank = same;
        f_validate_redirect_uri;
        f_confirm_redirect_uri;
    }
    {
        rank = same;
        f_save_bearer_token;
        f_save_authorization_code;
    }
    {
        rank = same;
        f_invalidate_authorization_code;
    }
    {
        rank = same;
        f_validate_scopes;
        f_get_original_scopes;
        f_get_default_scopes;
    }
    {
        rank = same;
        f_is_within_original_scope;
    }

    {
        node [ shape=record,color=grey ];
        edge [ color=grey ];

        h_pre_auth [ label="{{<top>pre_auth|<arg>request}|<resp>\{credentials\}}}"; ];
        h_post_auth [ label="{{<top>post_auth|<arg>request}|<resp>\{credentials\}}}"; ];
        h_pre_token [ label="{{<top>pre_token|<arg>request}|<resp>}}"; ];
        h_pre_token_password [ label="{{<top>pre_token|<arg>request}|<resp>}}"; ];
        h_pre_token_implicit [ label="{{<top>pre_token|<arg>request}|<resp>}}"; ];
        h_post_token [ label="{{<top>post_token|<arg>request}|<resp>}}"; ];
        h_token_modifiers [ label="{{<top>token_modifiers|{token|token_handler|<arg>request}}|<resp>\{token\}}}"; ];
        h_code_modifiers [ label="{{<top>code_modifiers|{grant|token_handler|<arg>request}}|<resp>\{grant\}}}"; ];
        h_generate_access_token [ label="{{<top>generate_access_token|<arg>request}|<resp>\{access token\}}}"; ];
        h_generate_refresh_token [ label="{{<top>generate_refresh_token|<arg>request}|<resp>\{refresh token\}}}"; ];

        h_pre_auth:resp:se -> h_pre_auth:arg:ne;
        h_post_auth:resp:se -> h_post_auth:arg:ne;
        h_pre_token:resp:se -> h_pre_token:arg:ne;
        h_pre_token_password:resp:se -> h_pre_token_password:arg:ne;
        h_pre_token_implicit:resp:se -> h_pre_token_implicit:arg:ne;
        h_post_token:resp:se -> h_post_token:arg:ne;
        h_token_modifiers:resp:se -> h_token_modifiers:arg:ne;
        h_code_modifiers:resp:se -> h_code_modifiers:arg:ne;
    }
    {
            rank = same;
            h_token_modifiers;
            h_code_modifiers;
    }

    /* Authorization Code - Access Token Request */
    {
        edge [ color=darkgreen ];

        endpoint_token:authorization_code:s -> h_pre_token -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false:s -> f_authenticate_client_id;
        f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
        f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
        r_client_authenticated -> f_validate_grant_type;
        f_validate_grant_type:true:s -> f_validate_code;

        f_validate_code:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_confirm_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;
        f_get_default_redirect_uri:redirect_uri:s -> f_confirm_redirect_uri;

        f_confirm_redirect_uri:true:s -> h_post_token;

        h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
        f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
        f_rotate_refresh_token:false:s -> h_token_modifiers;
        h_token_modifiers -> f_save_bearer_token ->
        f_invalidate_authorization_code -> webapi_response;
    }
    /* Authorization Code - Authorization Request */
    {
        edge [ color=green ];

        endpoint_authorize:code:s -> f_validate_client_id;
        f_validate_client_id:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_validate_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;

        f_validate_redirect_uri:true:s -> h_pre_auth;
        f_get_default_redirect_uri:redirect_uri:s -> h_pre_auth;
        h_pre_auth -> f_validate_response_type;
        f_validate_response_type:true:s -> f_is_pkce_required;
        f_is_pkce_required:true:s -> if_code_challenge;
        f_is_pkce_required:false:s -> f_validate_scopes;

        if_code_challenge -> f_validate_scopes [ label="present" ];
        if_code_challenge -> e_normal [ label="missing",style=dashed ];

        f_validate_scopes:true:s -> h_post_auth;
        h_post_auth -> h_code_modifiers -> f_save_authorization_code;
        f_save_authorization_code -> webapi_response;
    }

    /* Implicit */ 
    {
        edge [ color=orange ];

        endpoint_authorize:token:s -> f_validate_client_id;
        f_validate_client_id:true:s -> if_redirect_uri;
        if_redirect_uri -> if_redirect_uri_present [ arrowhead=none ];
        if_redirect_uri -> if_redirect_uri_missing [ arrowhead=none ];
        if_redirect_uri_present -> f_validate_redirect_uri;
        if_redirect_uri_missing -> f_get_default_redirect_uri;

        f_validate_redirect_uri:true:s -> h_pre_auth;
        f_get_default_redirect_uri:redirect_uri:s -> h_pre_auth;
        h_pre_auth -> h_pre_token_implicit -> f_validate_response_type;

        f_validate_response_type:true:s -> f_validate_scopes;
        f_validate_scopes:true:s -> h_post_auth -> h_post_token ->
        h_generate_access_token -> h_token_modifiers ->
        f_save_bearer_token -> webapi_response;
    }

    /* Resource Owner Password Grant */
    {
        edge [ color=red ];

        endpoint_token:password:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false:s -> f_authenticate_client_id;
        f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
        f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
        r_client_authenticated -> h_pre_token_password -> f_validate_user;
        f_validate_user:true:s -> f_validate_grant_type;

        f_validate_grant_type:true:s -> if_scopes;
        if_scopes -> f_validate_scopes [ label="present" ];
        if_scopes -> f_get_default_scopes [ label="missing" ];

        f_validate_scopes:true:s -> h_post_token;
        f_get_default_scopes -> h_post_token;

        h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
        f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
        f_rotate_refresh_token:false:s -> h_token_modifiers ->
        f_save_bearer_token -> webapi_response;
    }

    /* Client Credentials Grant */
    {
        edge [ color=blue ];

        endpoint_token:client_credentials:s -> h_pre_token -> f_authenticate_client;

        f_authenticate_client:true:s -> f_validate_grant_type;
        f_validate_grant_type:true:s -> f_validate_scopes;
        f_validate_scopes:true:s -> h_post_token;

        h_post_token -> h_generate_access_token -> h_token_modifiers ->
        f_save_bearer_token -> webapi_response;
    }

    /* Refresh Grant */
    {
        edge [ color=brown ];

        endpoint_token:refresh_token:s -> h_pre_token -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false:s -> f_authenticate_client_id;
        f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
        f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
        r_client_authenticated -> f_validate_grant_type;

        f_validate_grant_type:true:s -> f_validate_refresh_token;
        f_validate_refresh_token:true:s -> f_get_original_scopes;
        f_get_original_scopes -> if_all;
        if_all -> f_is_within_original_scope [ label="True" ];
        if_all -> h_post_token [ label="False" ];
        f_is_within_original_scope:true:s -> h_post_token;
        h_post_token -> h_generate_access_token -> f_rotate_refresh_token;
        f_rotate_refresh_token:true:s -> h_generate_refresh_token -> h_token_modifiers;
        f_rotate_refresh_token:false:s -> h_token_modifiers;
        h_token_modifiers -> f_save_bearer_token -> webapi_response;
    }

    /* Introspect Endpoint  */
    {
        edge [ color=yellow ];

        endpoint_introspect:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false:s -> f_authenticate_client_id;
        f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
        f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
        r_client_authenticated -> f_introspect_token;
        f_introspect_token:claims -> webapi_response;
    }

    /* Revocation Endpoint */
    {
        edge [ color=purple ];

        endpoint_revoke:s -> f_client_authentication_required;
        f_client_authentication_required:true:s -> f_authenticate_client;
        f_client_authentication_required:false:s -> f_authenticate_client_id;
        f_authenticate_client:true:s -> r_client_authenticated [ arrowhead=none ];
        f_authenticate_client_id:true:s -> r_client_authenticated [ arrowhead=none ];
        r_client_authenticated -> f_revoke_token;
        f_revoke_token:s -> webapi_response;
    }

    /* Resource Access - Verify Request */
    {
        edge [ color=pink ];

        endpoint_resource:s -> f_validate_bearer_token;
        f_validate_bearer_token:true -> webapi_response;
    }
}

2. Create your datastore models

These models will represent various OAuth specific concepts. There are a few important links between them that the security of OAuth is based on. Below is a suggestion for models and why you need certain properties. There is also example Django model fields which should be straightforward to translate to other ORMs such as SQLAlchemy and the Appengine Datastore.

User (or Resource Owner)

The user of your site which resources might be accessed by clients upon authorization from the user. In our example we will re-use the User model provided in django.contrib.auth.models. How the user authenticates is orthogonal from OAuth and may be any way you prefer:

from django.contrib.auth.models import User

Client (or Consumer)

The client interested in accessing protected resources.

Client Identifier:

Required. The identifier the client will use during the OAuth workflow. Structure is up to you and may be a simple UUID.

client_id = django.db.models.CharField(max_length=100, unique=True)

User:

Recommended. It is common practice to link each client with one of your existing users. Whether you do associate clients and users or not, ensure you are able to protect yourself against malicious clients.

user = django.db.models.ForeignKey(User)

Grant Type:

Required. The grant type the client may utilize. This should only be one per client as each grant type has different security properties and it is best to keep them separate to avoid mistakes.

# max_length and choices depend on which response types you support
grant_type = django.db.models.CharField(max_length=18,
choices=[('authorization_code', 'Authorization code')])

Response Type:

Required, if using a grant type with an associated response type (eg. Authorization Code Grant) or using a grant which only utilizes response types (eg. Implicit Grant).

# max_length and choices depend on which response types you support
response_type = django.db.models.CharField(max_length=4,
choices=[('code', 'Authorization code')])

Scopes:

Required. The list of scopes the client may request access to. If you allow multiple types of grants this will vary related to their different security properties. For example, the Implicit Grant might only allow read-only scopes but the Authorization Grant also allow writes.

# You could represent it either as a list of keys or by serializing
# the scopes into a string.
scopes = django.db.models.TextField()

# You might also want to mark a certain set of scopes as default
# scopes in case the client does not specify any in the authorization
default_scopes = django.db.models.TextField()

Redirect URIs:

These are the absolute URIs that a client may use to redirect to after authorization. You should never allow a client to redirect to a URI that has not previously been registered.

# You could represent the URIs either as a list of keys or by
# serializing them into a string.
redirect_uris = django.db.models.TextField()

# You might also want to mark a certain URI as default in case the
# client does not specify any in the authorization
default_redirect_uri = django.db.models.TextField()

Bearer Token (OAuth 2 Standard Token)

The most common type of OAuth 2 token. Through the documentation this will be considered an object with several properties, such as token type and expiration date, and distinct from the access token it contains. Think of OAuth 2 tokens as containers and access tokens and refresh tokens as text.

Client:

Association with the client to whom the token was given.

client = django.db.models.ForeignKey(Client)

User:

Association with the user to which protected resources this token grants access.

user = django.db.models.ForeignKey(User)

Scopes:

Scopes to which the token is bound. Attempt to access protected resources outside these scopes will be denied.

# You could represent it either as a list of keys or by serializing
# the scopes into a string.
scopes = django.db.models.TextField()

Access Token:

An unguessable unique string of characters.

access_token = django.db.models.CharField(max_length=100, unique=True)

Refresh Token:

An unguessable unique string of characters. This token is only supplied to confidential clients. For example the Authorization Code Grant or the Resource Owner Password Credentials Grant.

refresh_token = django.db.models.CharField(max_length=100, unique=True)

Expiration time:

Exact time of expiration. Commonly this is one hour after creation.

expires_at = django.db.models.DateTimeField()

Authorization Code

This is specific to the Authorization Code grant and represent the temporary credential granted to the client upon successful authorization. It will later be exchanged for an access token, when that is done it should cease to exist. It should have a limited life time, less than ten minutes. This model is similar to the Bearer Token as it mainly acts a temporary storage of properties to later be transferred to the token.

Client:

Association with the client to whom the token was given.

client = django.db.models.ForeignKey(Client)

User:

Association with the user to which protected resources this token grants access.

user = django.db.models.ForeignKey(User)

Scopes:

Scopes to which the token is bound. Attempt to access protected resources outside these scopes will be denied.

# You could represent it either as a list of keys or by serializing
# the scopes into a string.
scopes = django.db.models.TextField()

Redirect URI:

If the client specifies a redirect_uri when obtaining code then that redirect URI must be bound to the code and verified equal in this method, according to RFC 6749 section 4.1. This field holds that bound value.

redirect_uri = django.db.models.TextField()

Authorization Code:

An unguessable unique string of characters.

code = django.db.models.CharField(max_length=100, unique=True)

Expiration time:

Exact time of expiration. Commonly this is under ten minutes after creation.

expires_at = django.db.models.DateTimeField()

PKCE Challenge (optional)

If you want to support PKCE, you have to associate a code_challenge and a code_challenge_method to the actual Authorization Code.

challenge = django.db.models.CharField(max_length=128)
challenge_method = django.db.models.CharField(max_length=6)

3. Implement a validator

The majority of the work involved in implementing an OAuth 2 provider relates to mapping various validation and persistence methods to a storage backend. The not very accurately named interface you will need to implement is called a RequestValidator (name suggestions welcome).

An example of a very basic implementation of the validate_client_id method can be seen below.

from oauthlib.oauth2 import RequestValidator

# From the previous section on models
from my_models import Client

class MyRequestValidator(RequestValidator):

    def validate_client_id(self, client_id, request):
        try:
            Client.objects.get(client_id=client_id)
            return True
        except Client.DoesNotExist:
            return False

The full API you will need to implement is available in the RequestValidator section. You might not need to implement all methods depending on which grant types you wish to support. A skeleton validator listing the methods required for the WebApplicationServer is available in the examples folder on GitHub.

Relevant sections include:

4. Create your composite endpoint

Each of the endpoints can function independently from each other, however for this example it is easier to consider them as one unit. An example of a pre-configured all-in-one Authorization Code Grant endpoint is given below.

# From the previous section on validators
from my_validator import MyRequestValidator

from oauthlib.oauth2 import WebApplicationServer

validator = MyRequestValidator()
server = WebApplicationServer(validator)

Relevant sections include:

5. Create your endpoint views

We are implementing support for the Authorization Code Grant and will therefore need two views for the authorization, pre- and post-authorization together with the token view. We also include an error page to redirect users to if the client supplied invalid credentials in their redirection, for example an invalid redirect URI.

The example using Django but should be transferable to any framework.

# Handles GET and POST requests to /authorize
class AuthorizationView(View):

    def __init__(self):
        # Using the server from previous section
        self._authorization_endpoint = server

    def get(self, request):
        # You need to define extract_params and make sure it does not
        # include file like objects waiting for input. In Django this
        # is request.META['wsgi.input'] and request.META['wsgi.errors']
        uri, http_method, body, headers = extract_params(request)

        try:
            scopes, credentials = self._authorization_endpoint.validate_authorization_request(
                uri, http_method, body, headers)

            # Not necessarily in session but they need to be
            # accessible in the POST view after form submit.
            request.session['oauth2_credentials'] = credentials

            # You probably want to render a template instead.
            response = HttpResponse()
            response.write('<h1> Authorize access to %s </h1>' % client_id)
            response.write('<form method="POST" action="/authorize">')
            for scope in scopes or []:
                response.write('<input type="checkbox" name="scopes" ' +
                'value="%s"/> %s' % (scope, scope))
                response.write('<input type="submit" value="Authorize"/>')
            return response

        # Errors that should be shown to the user on the provider website
        except errors.FatalClientError as e:
            return response_from_error(e)

        # Errors embedded in the redirect URI back to the client
        except errors.OAuth2Error as e:
            return HttpResponseRedirect(e.in_uri(e.redirect_uri))

    @csrf_exempt
    def post(self, request):
        uri, http_method, body, headers = extract_params(request)

        # The scopes the user actually authorized, i.e. checkboxes
        # that were selected.
        scopes = request.POST.getlist(['scopes'])

        # Extra credentials we need in the validator
        credentials = {'user': request.user}

        # The previously stored (in authorization GET view) credentials
        credentials.update(request.session.get('oauth2_credentials', {}))

        try:
            headers, body, status = self._authorization_endpoint.create_authorization_response(
            uri, http_method, body, headers, scopes, credentials)
            return response_from_return(headers, body, status)

        except errors.FatalClientError as e:
            return response_from_error(e)

# Handles requests to /token
class TokenView(View):

    def __init__(self):
        # Using the server from previous section
        self._token_endpoint = server

    def post(self, request):
        uri, http_method, body, headers = extract_params(request)

        # If you wish to include request specific extra credentials for
        # use in the validator, do so here.
        credentials = {'foo': 'bar'}

        headers, body, status = self._token_endpoint.create_token_response(
                uri, http_method, body, headers, credentials)

        # All requests to /token will return a json response, no redirection.
        return response_from_return(headers, body, status)

def response_from_return(headers, body, status):
    response = HttpResponse(content=body, status=status)
    for k, v in headers.items():
        response[k] = v
    return response

def response_from_error(e):
    return HttpResponseBadRequest('Evil client is unable to send a proper request. Error is: ' + e.description)

6. Protect your APIs using scopes

Let’s define a decorator we can use to protect the views.

class OAuth2ProviderDecorator(object):

    def __init__(self, resource_endpoint):
        self._resource_endpoint = resource_endpoint

    def protected_resource_view(self, scopes=None):
        def decorator(f):
            @functools.wraps(f)
            def wrapper(request):
                # Get the list of scopes
                try:
                    scopes_list = scopes(request)
                except TypeError:
                    scopes_list = scopes

                uri, http_method, body, headers = extract_params(request)

                valid, r = self._resource_endpoint.verify_request(
                        uri, http_method, body, headers, scopes_list)

                # For convenient parameter access in the view
                add_params(request, {
                    'client': r.client,
                    'user': r.user,
                    'scopes': r.scopes
                })
                if valid:
                    return f(request)
                else:
                    # Framework specific HTTP 403
                    return HttpResponseForbidden()
            return wrapper
        return decorator

provider = OAuth2ProviderDecorator(server)

At this point you are ready to protect your API views with OAuth. Take some time to come up with a good set of scopes as they can be very powerful in controlling access.

@provider.protected_resource_view(scopes=['images'])
def i_am_protected(request, client, resource_owner):
    # One of your many OAuth 2 protected resource views
    # Returns whatever you fancy
    # May be bound to various scopes of your choosing
    return HttpResponse('pictures of cats')

The set of scopes that protects a view may also be dynamically configured at runtime by a function, rather then by a list.

def dynamic_scopes(request):
    # Place code here to dynamically determine the scopes
    # and return as a list
    return ['images']

@provider.protected_resource_view(scopes=dynamic_scopes)
def i_am_also_protected(request, client, resource_owner, **kwargs)
    # A view that has its views functionally set.
    return HttpResponse('pictures of cats')

7. Let us know how it went!

Drop a line in our Gitter OAuthLib community or open a GitHub issue =)

If you run into issues it can be helpful to enable debug logging.

import logging
import oauthlib
import sys

oauthlib.set_debug(True)
log = logging.getLogger('oauthlib')
log.addHandler(logging.StreamHandler(sys.stdout))
log.setLevel(logging.DEBUG)