Skip to content

Instantly share code, notes, and snippets.


lepture/ Secret

Last active September 21, 2022 23:08
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Authlib v1.0 Breaking Change

OAuth 2 Provider

Authorization Code Flow

Method .validate_consent_request has been replaced by .get_consent_grant. In your authorize view:

def authorize(request):
    if request.method == 'GET':
        # deprecated code before v1
        # grant = authorization_server.validate_consent_request(end_user=current_user)
        # new code in v1
        grant = authorization_server.get_consent_grant(end_user=current_user)

Token Model

Token model design has been changed. The required methods for TokenMixin are:

  • check_client (new)
  • get_scope
  • get_expires_in
  • is_expired (new)
  • is_revoked (new)

And these methods are deleted, you don't have to add them:

  • get_client_id
  • get_expires_at

So our Token model for OAuth2 will looks like:

class OAuth2Token(Model):
    # ....
    def check_client(self, client):
        return self.client_id == client.client_id

    def get_scope(self):
        return self.scope

    def get_expires_in(self):
        return self.expires_in

    def is_expired(self):
        if not self.expires_in:
            return True
        expired_at = self.issued_at + self.expires_in
        return expired_at < time.time()

    def is_revoked(self):
        return self.access_token_revoked_at or self.refresh_token_revoked_at

Device Code flow

Device Credential model (DeviceCredentialMixin) has changed too, it is using is_expired method instead of get_expires_at. So you should add a is_expired method:

class DeviceCredential(Model):
    # ...
    def is_expired(self):
        return expired_at < time.time()

Parameters of DeviceCodeGrant.should_slow_down are changed, it is now:

def should_slow_down(self, credential):
Copy link

lepture commented Nov 13, 2020

Copy link

azmeuk commented Apr 10, 2022

Among the other changes I encountered:

Copy link

lepture commented Apr 10, 2022

@azmeuk thanks for the updates. BTW, check_token_endpoint_auth_method is deprecated, not a breaking change.

Copy link

lepture commented Apr 14, 2022

Copy link

cbporch commented Aug 16, 2022

Additional changes that may be worth noting:

  • authlib.oauth2.rfc6749.authorization_server.AuthorizationServer.__init__ no longer supports generate_token or metadata kwargs
  • authlib.integrations.django_oauth2.ResourceProtector.__call__ no longer accepts an operator kwarg.
    • It seems to me like this functionality is now controlled by the scope_insufficient function on authlib.oauth2.rfc6749.resource_protector. TokenValidator (correct me if I'm wrong)

Copy link

fozzle commented Sep 21, 2022

May be worth noting:

AuthorizationServer.generate_token flipped client and grant_type positional arguments for BearerToken generation lepture/authlib@3d70e54#diff-deae955e8d6cb71997a22c9e5eb309fe08610ebfd364d10e4f050a40cc81a736R55

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment