Remove check_client_type for PKCE

lepture/authlib#146
coopfeathy · Sep 10, 2019 · efb2c2d · efb2c2d
1 parent 5bc42c5
commit efb2c2d
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 40 deletions.
diff --git a/authlib/oauth2/rfc6749/authenticate_client.py b/authlib/oauth2/rfc6749/authenticate_client.py
@@ -41,6 +41,7 @@ def authenticate(self, request, methods):
             func = self._methods[method]
             client = func(self.query_client, request)
             if client:
+                request.auth_method = method
                 return client
 
         if 'client_secret_basic' in methods:
@@ -100,8 +101,7 @@ def authenticate_none(query_client, request):
     client_id = request.client_id
     if client_id and 'client_secret' not in request.data:
         client = _validate_client(query_client, client_id, request.state)
-        if client.check_token_endpoint_auth_method('none') \
-                and client.check_client_type('public'):
+        if client.check_token_endpoint_auth_method('none'):
             log.debug(
                 'Authenticate %s via "none" '
                 'success', client_id

diff --git a/authlib/oauth2/rfc6749/authorization_server.py b/authlib/oauth2/rfc6749/authorization_server.py
@@ -10,14 +10,14 @@ class AuthorizationServer(object):
     :param query_client: A function to get client by client_id. The client
         model class MUST implement the methods described by
         :class:`~authlib.oauth2.rfc6749.ClientMixin`.
-    :param generate_token: A method to generate tokens.
     :param save_token: A method to save tokens.
+    :param generate_token: A method to generate tokens.
     :param metadata: A dict of Authorization Server Metadata
     """
-    def __init__(self, query_client, generate_token, save_token, metadata=None):
+    def __init__(self, query_client, save_token, generate_token=None, metadata=None):
         self.query_client = query_client
-        self.generate_token = generate_token
         self.save_token = save_token
+        self.generate_token = generate_token
         if query_client:
             self.authenticate_client = ClientAuthentication(query_client)
         else:

diff --git a/authlib/oauth2/rfc6749/models.py b/authlib/oauth2/rfc6749/models.py
@@ -140,33 +140,6 @@ def check_grant_type(self, grant_type):
         """
         raise NotImplementedError()
 
-    def check_client_type(self, client_type):
-        """Validate if the client is the given ``client_type``. The available
-        choices are:
-
-        * public:
-            Clients incapable of maintaining the confidentiality of their
-            credentials (e.g., clients executing on the device used by the
-            resource owner, such as an installed native application or a web
-            browser-based application), and incapable of secure client
-            authentication via any other means.
-        * confidential:
-            Clients capable of maintaining the confidentiality of their
-            credentials (e.g., client implemented on a secure server with
-            restricted access to the client credentials), or capable of secure
-            client authentication using other means.
-
-        Developers can overwrite this method to implement a new logic.
-
-        :param client_type: string of "public" or "confidential"
-        :return: bool
-        """
-        if client_type == 'public':
-            return not self.has_client_secret()
-        if client_type == 'confidential':
-            return self.has_client_secret()
-        raise ValueError('Invalid client_type: {!r}'.format(client_type))
-
 
 class AuthorizationCodeMixin(object):
     def get_redirect_uri(self):

diff --git a/authlib/oauth2/rfc6749/wrappers.py b/authlib/oauth2/rfc6749/wrappers.py
@@ -48,6 +48,8 @@ def __init__(self, method, uri, body=None, headers=None):
         data.update(self.form)
         self.data = data
 
+        #: authenticate method
+        self.auth_method = None
         #: authenticated user on this request
         self.user = None
         #: authorization_code or token model instance

diff --git a/authlib/oauth2/rfc7636/challenge.py b/authlib/oauth2/rfc7636/challenge.py
@@ -62,24 +62,21 @@ def validate_code_challenge(self, grant):
         request = grant.request
         challenge = request.args.get('code_challenge')
         method = request.args.get('code_challenge_method')
-        if not self.required and not challenge and not method:
+        if not challenge and not method:
             return
 
-        client = request.client
-        if client.check_client_type('public') and not challenge:
+        if not challenge:
             raise InvalidRequestError('Missing "code_challenge"')
 
         if method and method not in self.SUPPORTED_CODE_CHALLENGE_METHOD:
-            raise InvalidRequestError(
-                description='Unsupported "code_challenge_method"')
+            raise InvalidRequestError('Unsupported "code_challenge_method"')
 
     def validate_code_verifier(self, grant):
         request = grant.request
         verifier = request.form.get('code_verifier')
-        client = request.client
 
         # public client MUST verify code challenge
-        if self.required and client.check_client_type('public') and not verifier:
+        if self.required and request.auth_method == 'none' and not verifier:
             raise InvalidRequestError('Missing "code_verifier"')
 
         authorization_code = request.credential

diff --git a/tests/flask/test_oauth2/test_code_challenge.py b/tests/flask/test_oauth2/test_code_challenge.py
@@ -61,7 +61,7 @@ def prepare_data(self, token_endpoint_auth_method='none'):
 
     def test_missing_code_challenge(self):
         self.prepare_data()
-        rv = self.client.get(self.authorize_url)
+        rv = self.client.get(self.authorize_url + '&code_challenge_method=plain')
         self.assertIn(b'Missing', rv.data)
 
     def test_has_code_challenge(self):