jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Custom validator is being ignored? #1167

Closed DNTM2802 closed 11 months ago

DNTM2802 commented 2 years ago

I want to implement a custom validator, in order to verify that a token was used only once to read, and only once to write.

In my settings.py I have the following:

OAUTH2_PROVIDER = {
    'SCOPES': {
        'read': 'Read',
        'write': 'Write',
        'other' : 'Dummy scope',
    },
    'OAUTH2_VALIDATOR_CLASS': 'oauth.validators.CustomValidator.CustomValidator',
}

And my custom validator class is the following:

from oauth2_provider.oauth2_validators import OAuth2Validator
from oauth2_provider.settings import oauth2_settings

class CustomValidator(OAuth2Validator):
    def validate_bearer_token(self, token, scopes, request):
        """
        When users try to access resources, check that provided token is valid
        """
        print("Test.")
        if not token:
            return False

        introspection_url = oauth2_settings.RESOURCE_SERVER_INTROSPECTION_URL
        introspection_token = oauth2_settings.RESOURCE_SERVER_AUTH_TOKEN
        introspection_credentials = oauth2_settings.RESOURCE_SERVER_INTROSPECTION_CREDENTIALS

        access_token = self._load_access_token(token)

        # if there is no token or it's invalid then introspect the token if there's an external OAuth server
        if not access_token or not access_token.is_valid(scopes):
            if introspection_url and (introspection_token or introspection_credentials):
                access_token = self._get_token_from_authentication_server(
                    token, introspection_url, introspection_token, introspection_credentials
                )

        if access_token and access_token.is_valid(scopes):
            request.client = access_token.application
            request.user = access_token.user
            request.scopes = scopes

            # this is needed by django rest framework
            request.access_token = access_token
            return True
        else:
            self._set_oauth2_error_on_request(request, access_token, scopes)
            return False

I want to override the above method but the execution is not reaching the print. Instead, it is using the default provider oauth2_provider.oauth2_validators import OAuth2Validator.

The setting OAUTH2_VALIDATOR_CLASS is not being ignored since it throws an error if the validator class location is invalid.

Am I missing something here? Thanks.

Note: I am using the 1.7.1 version and a custom model for the Access Tokens.

sandeshnaroju commented 1 year ago

Fixed this problem?

dopry commented 11 months ago

@DNTM2802, I suspect 'oauth.validators.CustomValidator.CustomValidator' is not the correct namespace for your validator class.

If this is still impacting you, please re-open.
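A startup check for the situation discussed in this thread, added here as an example and not code from django-oauth-toolkit or from the commenters: it resolves an `OAUTH2_VALIDATOR_CLASS`-style dotted path the way Django's `import_string` does (import everything before the last dot, read the last segment as an attribute) and reports which class actually supplies `validate_bearer_token`. The helper names `resolve_dotted_path` and `check_validator`, the `demo_oauth` package, the `Passthrough` class and the stand-in `OAuth2Validator` are assumptions constructed so the block runs without Django installed.

```python
import importlib
import sys
import types


def resolve_dotted_path(dotted_path):
    """Import everything before the last dot, then fetch the last segment."""
    module_path, _, attr = dotted_path.rpartition(".")
    module = importlib.import_module(module_path)  # ValueError if no dot
    return getattr(module, attr)  # AttributeError if the name is missing


def check_validator(dotted_path, base_cls, method="validate_bearer_token"):
    """Report what the setting resolves to and which class supplies `method`."""
    obj = resolve_dotted_path(dotted_path)
    report = {"resolved": repr(obj), "is_subclass": False,
              "overrides": False, "defined_in": None}
    if isinstance(obj, type) and issubclass(obj, base_cls):
        owner = next((k for k in obj.__mro__ if method in vars(k)), None)
        report.update(
            resolved=f"{obj.__module__}.{obj.__qualname__}",
            is_subclass=True,
            overrides=getattr(obj, method, None) is not getattr(base_cls, method, None),
            defined_in=owner.__qualname__ if owner else None,
        )
    return report


# --- Constructed stand-ins and package tree mirroring the issue's layout ---
class OAuth2Validator:  # stand-in for oauth2_provider's base class
    def validate_bearer_token(self, token, scopes, request):
        return bool(token)


class CustomValidator(OAuth2Validator):
    def validate_bearer_token(self, token, scopes, request):
        return super().validate_bearer_token(token, scopes, request)


class Passthrough(OAuth2Validator):
    """Constructed subclass that overrides nothing."""


PKG = "demo_oauth.validators.CustomValidator"  # module named like its class
for name in ("demo_oauth", "demo_oauth.validators", PKG):
    sys.modules[name] = types.ModuleType(name)
sys.modules["demo_oauth.validators"].CustomValidator = sys.modules[PKG]
sys.modules[PKG].CustomValidator = CustomValidator
sys.modules[PKG].Passthrough = Passthrough
```

In a real project, pass the `OAuth2Validator` imported from `oauth2_provider.oauth2_validators` as `base_cls` and the value of the setting as `dotted_path`; a path that stops one segment short resolves to the module rather than the class and is reported with `is_subclass` false.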