Metadata endpoint
The OAuth 2.0 Authorization Server Metadata (RFC 8414) endpoint provides the metadata of your authorization server. Since the metadata is a combination of what each OAuthlib Endpoint supports (see Preconfigured all-in-one servers), the MetadataEndpoint class takes a list of Endpoints as a parameter and aggregates their metadata into the response.
See below an example of usage with bottle-oauthlib when using a LegacyApplicationServer (password grant) endpoint:
import bottle
from bottle_oauthlib.oauth2 import BottleOAuth2
from oauthlib import oauth2

app = bottle.Bottle()
app.authmetadata = BottleOAuth2(app)

# Password-grant (legacy application) server. The bare RequestValidator is a
# stub; a real deployment subclasses it to check clients, users and tokens.
oauthlib_server = oauth2.LegacyApplicationServer(oauth2.RequestValidator())

# MetadataEndpoint merges the explicit claims below with what the wrapped
# endpoints support (grant types, client authentication methods, ...).
app.authmetadata.initialize(oauth2.MetadataEndpoint([oauthlib_server], claims={
    "issuer": "https://xx",
    "token_endpoint": "https://xx/token",
    "revocation_endpoint": "https://xx/revoke",
    "introspection_endpoint": "https://xx/tokeninfo"
}))


@app.get('/.well-known/oauth-authorization-server')
@app.authmetadata.create_metadata_response()
def metadata():
    pass


if __name__ == "__main__":
    app.run()  # pragma: no cover
Sample response output:
$ curl -s http://localhost:8080/.well-known/oauth-authorization-server|jq .
{
  "issuer": "https://xx",
  "token_endpoint": "https://xx/token",
  "revocation_endpoint": "https://xx/revoke",
  "introspection_endpoint": "https://xx/tokeninfo",
  "grant_types_supported": [
    "password",
    "refresh_token"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ]
}
class oauthlib.oauth2.MetadataEndpoint(endpoints, claims={}, raise_errors=True)

OAuth2.0 Authorization Server Metadata endpoint.
This specification generalizes the metadata format defined by OpenID Connect Discovery 1.0 in a way that is compatible with OpenID Connect Discovery while being applicable to a wider set of OAuth 2.0 use cases. This is intentionally parallel to the way that OAuth 2.0 Dynamic Client Registration Protocol [RFC7591] generalized the dynamic client registration mechanisms defined by OpenID Connect Dynamic Client Registration 1.0 in a way that is compatible with it.
create_metadata_response(uri, http_method='GET', body=None, headers=None)

Create metadata response.
validate_metadata_server()

Authorization servers can have metadata describing their configuration. The following authorization server metadata values are used by this specification. More details can be found in RFC 8414 section 2:
- issuer: REQUIRED.
- authorization_endpoint: URL of the authorization server’s authorization endpoint [RFC6749#Authorization]. This is REQUIRED unless no grant types are supported that use the authorization endpoint.
- token_endpoint: URL of the authorization server’s token endpoint [RFC6749#Token]. This is REQUIRED unless only the implicit grant type is supported.
- scopes_supported: RECOMMENDED.
- response_types_supported: REQUIRED.
- Other OPTIONAL fields: jwks_uri, registration_endpoint, response_modes_supported
- grant_types_supported: OPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. If omitted, the default value is ["authorization_code", "implicit"].
- token_endpoint_auth_methods_supported
- token_endpoint_auth_signing_alg_values_supported
- service_documentation
- ui_locales_supported
- op_policy_uri
- op_tos_uri
- revocation_endpoint
- revocation_endpoint_auth_methods_supported
- revocation_endpoint_auth_signing_alg_values_supported
- introspection_endpoint
- introspection_endpoint_auth_methods_supported
- introspection_endpoint_auth_signing_alg_values_supported
- code_challenge_methods_supported
Additional authorization server metadata parameters MAY also be used. Some are defined by other specifications, such as OpenID Connect Discovery 1.0 [OpenID.Discovery].
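The field rules listed above are what a client should check before trusting a metadata document it fetched from /.well-known/oauth-authorization-server. The following is an added example, not part of OAuthlib or bottle-oauthlib: a standard-library checker that applies those rules (issuer REQUIRED and https, authorization_endpoint REQUIRED only for grants that use it, token_endpoint REQUIRED unless only implicit is supported, the ["authorization_code", "implicit"] default when grant_types_supported is omitted) plus the RFC 8414 section 3.3 rule that the returned issuer must equal the issuer the client used to locate the document. It runs against the sample response from the bottle-oauthlib server above, embedded here as constructed input. Two choices are the example's own: every *_endpoint claim must be https, and response_types_supported is required only when the authorization endpoint is, which is why the sample (password and refresh_token grants only) passes without either.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the metadata document returned by the bottle-oauthlib
# server above (password grant + refresh_token, no authorization endpoint).
SAMPLE_METADATA = json.loads("""
{
  "issuer": "https://xx",
  "token_endpoint": "https://xx/token",
  "revocation_endpoint": "https://xx/revoke",
  "introspection_endpoint": "https://xx/tokeninfo",
  "grant_types_supported": ["password", "refresh_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "revocation_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "introspection_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}
""")

# RFC 8414 section 2: grant types a client assumes when the claim is omitted.
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]

# Grant types whose flow starts at the authorization endpoint.
AUTHZ_ENDPOINT_GRANTS = {"authorization_code", "implicit"}


def _https_without_query_or_fragment(url):
    """True if url is an https URL with a host and no query string or fragment."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.netloc)
            and not parts.query and not parts.fragment)


def effective_grant_types(doc):
    """Grant types a client should assume, applying the RFC 8414 default when omitted."""
    return list(doc.get("grant_types_supported", DEFAULT_GRANT_TYPES))


def check_metadata(doc, expected_issuer):
    """Return a list of findings for an authorization server metadata document.

    An empty list means every check passed. expected_issuer is the issuer URL
    the client used to build the well-known URL it fetched the document from.
    """
    findings = []

    issuer = doc.get("issuer")
    if not isinstance(issuer, str):
        findings.append("issuer is REQUIRED")
    else:
        if not _https_without_query_or_fragment(issuer):
            findings.append("issuer must be an https URL without query or fragment")
        if issuer != expected_issuer:
            findings.append("issuer %r does not match expected issuer %r"
                            % (issuer, expected_issuer))

    # Example's own rule: every *_endpoint is where credentials or tokens are
    # sent, so refuse anything that is not https.
    for key, value in doc.items():
        if key.endswith("_endpoint") and not (
                isinstance(value, str) and urlsplit(value).scheme == "https"):
            findings.append("%s must be an https URL" % key)

    grants = effective_grant_types(doc)
    if not all(isinstance(g, str) for g in grants):
        findings.append("grant_types_supported must be a JSON array of strings")
        grants = []

    # authorization_endpoint is REQUIRED unless no supported grant uses it.
    authz_grants = AUTHZ_ENDPOINT_GRANTS & set(grants)
    if authz_grants and "authorization_endpoint" not in doc:
        findings.append("authorization_endpoint is REQUIRED for grant types %s"
                        % sorted(authz_grants))
    # Example's own choice: response_types_supported goes with the authorization endpoint.
    if authz_grants and "response_types_supported" not in doc:
        findings.append("response_types_supported is REQUIRED when the authorization endpoint is used")

    # token_endpoint is REQUIRED unless only the implicit grant is supported.
    if set(grants) != {"implicit"} and "token_endpoint" not in doc:
        findings.append("token_endpoint is REQUIRED unless only the implicit grant is supported")

    return findings


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "https://xx"))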