Resource authorization

Resource endpoints verify that the token presented is valid and granted access to the scopes associated with the resource in question.

Request Verification

Each view may set certain scopes under which it is bound. Only requests that present an access token bound to the correct scopes may access the view. Access tokens are commonly embedded in the authorization header but may appear in the query or the body as well.

# Initial setup
from your_validator import your_validator
server = WebApplicationServer(your_validator)

# Per view scopes
required_scopes = ['https://example.com/userProfile']

# Validate request
uri = 'https://example.com/userProfile?access_token=sldafh309sdf'
headers, body, http_method = {}, '', 'GET'

valid, oauthlib_request = server.verify_request(
    uri, http_method, body, headers, required_scopes)

# oauthlib_request has a few convenient attributes set such as
# oauthlib_request.client = the client associated with the token
# oauthlib_request.user = the user associated with the token
# oauthlib_request.scopes = the scopes bound to this token

if valid:
    # return the protected resource / view
else:
    # return an http forbidden 403
class oauthlib.oauth2.ResourceEndpoint(default_token, token_types)[source]

Authorizes access to protected resources.

The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server:

# For most cases, returning a 403 should suffice.

The method in which the client utilizes the access token to authenticate with the resource server depends on the type of access token issued by the authorization server. Typically, it involves using the HTTP “Authorization” request header field [RFC2617] with an authentication scheme defined by the specification of the access token type used, such as [RFC6750]:

# Access tokens may also be provided in query and body
https://example.com/protected?access_token=kjfch2345sdf   # Query
access_token=sdf23409df   # Body
find_token_type(request)[source]

Token type identification.

RFC 6749 does not provide a method for easily differentiating between different token types during protected resource access. We estimate the most likely token type (if any) by asking each known token type to give an estimation based on the request.

verify_request(uri, http_method='GET', body=None, headers=None, scopes=None)[source]

Validate client, code etc, return body + headers