lepture/FC.md Secret

Last active Nov 13, 2020
Authlib v1.0 Breaking Change

Framework Clients

For the Django, Flask, and Starlette OAuth clients, the parameters of the create_authorization_url method have changed.

Previously:

oauth.google.create_authorization_url(redirect_uri, **kwargs)

Now:

oauth.google.create_authorization_url(request, redirect_uri, **kwargs)

Usually you would use .authorize_redirect, in which case this change won't break your code. But if you call .create_authorization_url directly, please note:

There is now a request parameter, passed before redirect_uri.

OAuth 2 Provider

Authorization Code Flow

The .validate_consent_request method has been replaced by .get_consent_grant. In your authorize view:

@app.route('/authorize')
def authorize(request):
    if request.method == 'GET':
        # deprecated code before v1
        # grant = authorization_server.validate_consent_request(end_user=current_user)
        
        # new code in v1
        grant = authorization_server.get_consent_grant(end_user=current_user)

Token Model

The token model design has changed. The required methods for TokenMixin are:

  • check_client (new)
  • get_scope
  • get_expires_in
  • is_expired (new)
  • is_revoked (new)

These methods have been removed, so you don't have to implement them:

  • get_client_id
  • get_expires_at

So a Token model for OAuth2 will look like:

import time

class OAuth2Token(Model):
    # ....
    def check_client(self, client):
        # the token must have been issued to the client presenting it
        return self.client_id == client.client_id

    def get_scope(self):
        return self.scope

    def get_expires_in(self):
        return self.expires_in

    def is_expired(self):
        # a token with no recorded lifetime is treated as expired
        if not self.expires_in:
            return True
        expired_at = self.issued_at + self.expires_in
        return expired_at < time.time()

    def is_revoked(self):
        # truthy if either the access token or the refresh token was revoked
        return self.access_token_revoked_at or self.refresh_token_revoked_at
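
An added example, not code from the original gist or from Authlib: one way to migrate a pre-1.0 token model by deriving the three new methods from the two removed ones, plus a check that a model class defines every method listed above. The names LegacyToken, V1Methods, MigratedToken, Client, missing_v1_methods and the optional now argument are hypothetical, and the sample values are constructed.

```python
import time
from dataclasses import dataclass

# Method names the page lists as required on a v1.0 token model.
REQUIRED_V1 = ("check_client", "get_scope", "get_expires_in", "is_expired", "is_revoked")

def missing_v1_methods(model_cls):
    """Return the required v1.0 methods that model_cls does not define."""
    return [name for name in REQUIRED_V1 if not callable(getattr(model_cls, name, None))]

@dataclass
class LegacyToken:  # constructed stand-in for a pre-1.0 model
    client_id: str
    scope: str
    issued_at: int
    expires_in: int
    access_token_revoked_at: int = 0
    refresh_token_revoked_at: int = 0

    def get_client_id(self):
        return self.client_id

    def get_scope(self):
        return self.scope

    def get_expires_in(self):
        return self.expires_in

    def get_expires_at(self):
        return self.issued_at + self.expires_in

class V1Methods:  # hypothetical mixin: derives the new methods from the removed ones
    def check_client(self, client):
        return self.get_client_id() == client.client_id

    def is_expired(self, now=None):
        if not self.get_expires_in():
            return True  # no lifetime recorded: fail closed, as in the model above
        return self.get_expires_at() < (time.time() if now is None else now)

    def is_revoked(self):
        return bool(self.access_token_revoked_at or self.refresh_token_revoked_at)

class MigratedToken(V1Methods, LegacyToken):
    pass

@dataclass
class Client:  # constructed; only client_id is needed here
    client_id: str
```

Running missing_v1_methods against each model class in a unit test catches a model that still implements only the pre-1.0 interface before it is deployed.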

Device Code flow

The Device Credential model (DeviceCredentialMixin) has changed too: it now uses an is_expired method instead of get_expires_at. So you should add an is_expired method:

import time

class DeviceCredential(Model):
    # ...
    def is_expired(self):
        # assumes the model stores its absolute expiry time in self.expired_at
        return self.expired_at < time.time()

The parameters of DeviceCodeGrant.should_slow_down have changed. The signature is now:

def should_slow_down(self, credential):