API

Handlers

Handlers for customizing oauthclient endpoints.

invenio_oauthclient.handlers.authorized_default_handler(*args, **kwargs)[source]

Store access token in session.

Default authorized handler.

Parameters:
  • remote – The remote application.
  • resp – The response.
Returns:

Redirect response.

invenio_oauthclient.handlers.authorized_signup_handler(*args, **kwargs)[source]

Handle sign-in/up functionality.

Parameters:
  • remote – The remote application.
  • resp – The response.
Returns:

Redirect response.

invenio_oauthclient.handlers.disconnect_handler(remote, *args, **kwargs)[source]

Handle unlinking of remote account.

This default handler will just delete the remote account link. You may wish to extend this module to perform clean-up in the remote service before removing the link (e.g. removing install webhooks).

Parameters:remote – The remote application.
Returns:Redirect response.
invenio_oauthclient.handlers.get_session_next_url(remote_app)[source]

Return redirect url stored in session.

Parameters:remote_app – The remote application.
Returns:The redirect URL.
invenio_oauthclient.handlers.make_handler(f, remote, with_response=True)[source]

Make a handler for authorized and disconnect callbacks.

Parameters:f – Callable or an import path to a callable
invenio_oauthclient.handlers.make_token_getter(remote)[source]

Make a token getter for a remote application.

invenio_oauthclient.handlers.oauth1_token_setter(remote, resp, token_type='', extra_data=None)[source]

Set an OAuth1 token.

Parameters:
  • remote – The remote application.
  • resp – The response.
  • token_type – The token type. (Default: '')
  • extra_data – Extra information. (Default: None)
Returns:

A invenio_oauthclient.models.RemoteToken instance.

invenio_oauthclient.handlers.oauth2_handle_error(remote, resp, error_code, error_uri, error_description)[source]

Handle errors during exchange of one-time code for an access tokens.

invenio_oauthclient.handlers.oauth2_token_setter(remote, resp, token_type='', extra_data=None)[source]

Set an OAuth2 token.

The refresh_token can be used to obtain a new access_token after the old one is expired. It is saved in the database for long term use. A refresh_token will be present only if access_type=offline is included in the authorization code request.

Parameters:
  • remote – The remote application.
  • resp – The response.
  • token_type – The token type. (Default: '')
  • extra_data – Extra information. (Default: None)
Returns:

A invenio_oauthclient.models.RemoteToken instance.

invenio_oauthclient.handlers.oauth_error_handler(f)[source]

Decorator to handle exceptions.

invenio_oauthclient.handlers.oauth_logout_handler(sender_app, user=None)[source]

Remove all access tokens from session on logout.

invenio_oauthclient.handlers.response_token_setter(remote, resp)[source]

Extract token from response and set it for the user.

Parameters:
  • remote – The remote application.
  • resp – The response.
Raises:
Returns:

The token.

invenio_oauthclient.handlers.set_session_next_url(remote_app, url)[source]

Store redirect url in session for security reasons.

Parameters:
  • remote_app – The remote application.
  • url – the redirect URL.
invenio_oauthclient.handlers.signup_handler(remote, *args, **kwargs)[source]

Handle extra signup information.

Parameters:remote – The remote application.
Returns:Redirect response or the template rendered.
invenio_oauthclient.handlers.token_delete(remote, token='')[source]

Remove OAuth access tokens from session.

Parameters:
  • remote – The remote application.
  • token – Type of token to get. Data passed from oauth.request() to identify which token to retrieve. (Default: '')
Returns:

The token.

invenio_oauthclient.handlers.token_getter(remote, token='')[source]

Retrieve OAuth access token.

Used by flask-oauthlib to get the access token when making requests.

Parameters:
  • remote – The remote application.
  • token – Type of token to get. Data passed from oauth.request() to identify which token to retrieve. (Default: '')
Returns:

The token.

invenio_oauthclient.handlers.token_session_key(remote_app)[source]

Generate a session key used to store the token for a remote app.

Parameters:remote_app – The remote application.
Returns:The session key.
invenio_oauthclient.handlers.token_setter(remote, token, secret='', token_type='', extra_data=None, user=None)[source]

Set token for user.

Parameters:
  • remote – The remote application.
  • token – The token to set.
  • token_type – The token type. (Default: '')
  • extra_data – Extra information. (Default: None)
  • user – The user owner of the remote token. If it’s not defined, the current user is used automatically. (Default: None)
Returns:

A invenio_oauthclient.models.RemoteToken instance or None.

Models

Models for storing access tokens and links between users and remote apps.

class invenio_oauthclient.models.RemoteAccount(**kwargs)[source]

Storage for remote linked accounts.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

client_id

Client ID of remote application (defined in OAUTHCLIENT_REMOTE_APPS).

classmethod create(user_id, client_id, extra_data)[source]

Create new remote account for user.

Parameters:
  • user_id – User id.
  • client_id – Client id.
  • extra_data – JSON-serializable dictionary of any extra data that needs to be save together with this link.
Returns:

A invenio_oauthclient.models.RemoteAccount instance.

delete()[source]

Delete remote account together with all stored tokens.

extra_data

Extra data associated with this linked account.

classmethod get(user_id, client_id)[source]

Get RemoteAccount object for user.

Parameters:
  • user_id – User id
  • client_id – Client id.
Returns:

A invenio_oauthclient.models.RemoteAccount instance.

id

Primary key.

user

SQLAlchemy relationship to user.

user_id

Local user linked with a remote app via the access token.

class invenio_oauthclient.models.RemoteToken(**kwargs)[source]

Storage for the access tokens for linked accounts.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

access_token

Access token to remote application.

classmethod create(user_id, client_id, token, secret, token_type='', extra_data=None)[source]

Create a new access token.

Note

Creates RemoteAccount as well if it does not exists.

Parameters:
  • user_id – The user id.
  • client_id – The client id.
  • token – The token.
  • secret – The secret key.
  • token_type – The token type. (Default: '')
  • extra_data – Extra data to set in the remote account if the remote account doesn’t exists. (Default: None)
Returns:

A invenio_oauthclient.models.RemoteToken instance.

classmethod get(user_id, client_id, token_type='', access_token=None)[source]

Get RemoteToken for user.

Parameters:
  • user_id – The user id.
  • client_id – The client id.
  • token_type – The token type. (Default: '')
  • access_token – If set, will filter also by access token. (Default: None)
Returns:

A invenio_oauthclient.models.RemoteToken instance.

classmethod get_by_token(client_id, access_token, token_type='')[source]

Get RemoteAccount object for token.

Parameters:
  • client_id – The client id.
  • access_token – The access token.
  • token_type – The token type. (Default: '')
Returns:

A invenio_oauthclient.models.RemoteToken instance.

id_remote_account

Foreign key to account.

remote_account

SQLAlchemy relationship to RemoteAccount objects.

secret

Used only by OAuth 1.

token()[source]

Get token as expected by Flask-OAuthlib.

token_type

Type of token.

update_token(token, secret)[source]

Update token with new values.

Parameters:
  • token – The token value.
  • secret – The secret key.
class invenio_oauthclient.models.UserIdentity(**kwargs)[source]

Represent a UserIdentity record.

A simple constructor that allows initialization from kwargs.

Sets attributes on the constructed instance using the names and values in kwargs.

Only keys that are present as attributes of the instance’s class are allowed. These could be, for example, any mapped columns or relationships.

Views

Blueprints for oauthclient.

Client

Client blueprint used to handle OAuth callbacks.

invenio_oauthclient.views.client.authorized(remote_app=None)[source]

Authorized handler callback.

invenio_oauthclient.views.client.disconnect(remote_app)[source]

Disconnect user from remote application.

Removes application as well as associated information.

invenio_oauthclient.views.client.login(remote_app)[source]

Send user to remote application for authentication.

invenio_oauthclient.views.client.signup(remote_app)[source]

Extra signup step.

Settings

Account settings blueprint for oauthclient.

invenio_oauthclient.views.settings.index(*args, **kwargs)[source]

List linked accounts.

Signals

Signals used together with various handlers.

invenio_oauthclient.signals.account_info_received = <blinker.base.NamedSignal object at 0x7f4022dc0990; 'oauthclient-account-info-received'>

Signal is sent after account info handler response.

Example subscriber:

from invenio_oauthclient.signals import account_info_received

# During overlay initialization.
@account_info_received.connect
def load_extra_information(remote, token=None, response=None,
                           account_info=None):
    response = remote.get('https://example.org/api/resource')
    # process response
invenio_oauthclient.signals.account_setup_committed = <blinker.base.NamedSignal object at 0x7f4022dc0a10; 'oauthclient-account-setup-committed'>

Signal is sent after account setup has been committed to database.

Example subscriber:

from invenio_oauthclient.signals import account_setup_committed

# During overlay initialization.
@account_setup_committed.connect
def fetch_info(remote):
    response = remote.get('https://example.org/api/resource')
    # process response
invenio_oauthclient.signals.account_setup_received = <blinker.base.NamedSignal object at 0x7f4022dc09d0; 'oauthclient-account-setup-received'>

Signal is sent after account info handler response.

Example subscriber:

from invenio_oauthclient.signals import account_setup_received

# During overlay initialization.
@account_setup_received.connect
def load_extra_information(remote, token=None, response=None,
                           account_setup=None):
    response = remote.get('https://example.org/api/resource')
    # process response

Utils

Utility methods to help find, authenticate or register a remote user.

invenio_oauthclient.utils.disable_csrf(form)[source]

Disable CSRF protection.

invenio_oauthclient.utils.fill_form(form, data)[source]

Prefill form with data.

Parameters:
  • form – The form to fill.
  • data – The data to insert in the form.
Returns:

A pre-filled form.

invenio_oauthclient.utils.get_safe_redirect_target(arg='next')[source]

Get URL to redirect to and ensure that it is local.

Parameters:arg – URL argument.
Returns:The redirect target or None.
invenio_oauthclient.utils.is_local_url(target)[source]

Determine if URL is a local.

Parameters:target – The URL to check.
Returns:True if the target is a local url.
invenio_oauthclient.utils.load_or_import_from_config(key, app=None, default=None)[source]

Load or import value from config.

invenio_oauthclient.utils.oauth_authenticate(client_id, user, require_existing_link=False, remember=False)[source]

Authenticate an oauth authorized callback.

Parameters:
  • client_id – The client id.
  • user – A user instance.
  • require_existing_link – If True, check if remote account exists. (Default: False)
Returns:

True if the user is successfully authenticated.

invenio_oauthclient.utils.oauth_get_user(client_id, account_info=None, access_token=None)[source]

Retrieve user object for the given request.

Uses either the access token or extracted account information to retrieve the user object.

Parameters:
  • client_id – The client id.
  • account_info – The dictionary with the account info. (Default: None)
  • access_token – The access token. (Default: None)
Returns:

A invenio_accounts.models.User instance or None.

Link a user to an external id.

Parameters:
Raises:

invenio_oauthclient.errors.AlreadyLinkedError – Raised if already exists a link.

invenio_oauthclient.utils.oauth_register(form)[source]

Register user if possible.

Parameters:form – A form instance.
Returns:A invenio_accounts.models.User instance.

Unlink a user from an external id.

Parameters:external_id – The external id associated with the user.
invenio_oauthclient.utils.obj_or_import_string(value, default=None)[source]

Import string or return object.

invenio_oauthclient.utils.registrationform_cls()[source]

Make a registration form.

Errors

Module level errors.

exception invenio_oauthclient.errors.AlreadyLinkedError(user, external_id)[source]

Signifies that an account was already linked to another account.

Initialize exception.

exception invenio_oauthclient.errors.OAuthClientError(message, remote, response)[source]

Define OAuth client exception.

Client errors happens when the client (i.e. Invenio) creates an invalid request.

Initialize exception.

Parameters:
  • message – Error message.
  • remote – Remote application.
  • response – OAuth response object. Used to extract error, error_uri and error_description.
exception invenio_oauthclient.errors.OAuthError(message, remote)[source]

Base class for OAuth exceptions.

Initialize exception.

Parameters:
  • message – Error message.
  • message – Remote application.
exception invenio_oauthclient.errors.OAuthRejectedRequestError(message, remote, response)[source]

Define exception of rejected response during OAuth process.

Initialize exception.

Parameters:
  • message – Error message.
  • remote – Remote application.
  • response – OAuth response object.
exception invenio_oauthclient.errors.OAuthResponseError(message, remote, response)[source]

Define response exception during OAuth process.

Initialize exception.

Parameters:
  • message – Error message.
  • remote – Remote application.
  • response – OAuth response object.