ref #37, add general oauth2 params to all authorize urls

heliumdatacommons · Mar 19, 2019 · b3a4fa5 · b3a4fa5
1 parent 1f5d1a6
commit b3a4fa5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ Switch to this account, all app-specific operations will be executed as the serv
 which does not have admin privileges
 ```
 $ sudo su - auth_microservice
-[auth_microservice] $ 
+[auth_microservice] $
 ```
 
 Install python 2.7 or greater. This example uses 3.6.
@@ -119,6 +119,15 @@ first existing attribute wins) (default to `name`)
 
 * prompt: boolean (default True): adds `prompt` parameter for `login` and `consent` to the authorization url
 
+## Registering clients
+
+To enable authorized clients to perform privileged operations like fetching tokens, a client token must be generated at runtime for the particular server instance the client wants to use. Using the `/etc/auth_microservice/admin.key` value generated earlier at installation time, send a request to the `/admin/key` endpoint with an `owner` field which describes the client. This `owner` field is purely for auditing purposes as each authenticated request can be tied back to a client after the fact.
+
+```
+curl -H "Authorization: Basic <admin.key value>" "https://example.org/admin/key?owner=test-client"
+{"key": "<64 byte hex string>"}
+```
+
 # Development
 
 ## Unittests
@@ -187,7 +196,7 @@ Please select a fix:
 Select an option: 1
 Please enter the default value now, as valid Python
 The datetime and django.utils.timezone modules are available, so you can do e.g. timezone.now()
->>> ''      
+>>> ''
 You are trying to add a non-nullable field 'access_token_hash' to token without a default; we can't do that (the database needs something to populate existing rows).
 Please select a fix:
  1) Provide a one-off default now (will be set on all existing rows)

diff --git a/token_service/redirect_handler.py b/token_service/redirect_handler.py
@@ -465,7 +465,7 @@ def _handle_token_response(self, w, response):
 
         user_name, name = self.get_user_name_name(provider, id_token)
         user = get_user(provider, sub, user_name, name)
-        
+
         # add email
         for email_key in self.IDTOKEN_EMAIL:
             if email_key in id_token:
@@ -577,17 +577,17 @@ def _generate_authorization_url(self, state, nonce, scopes, provider_tag):
         redirect_uri = Config['redirect_uri']
 
         additional_params = '&' + provider_config.get('additional_params', '')
+        additional_params += '&response_type=code'
+        additional_params += '&access_type=offline' # Google-specific addition, should be ignored if not supported
+        scope = quote(' '.join(scopes))
+        additional_params += '&scope=' + scope
 
         # get auth endpoint
         if is_openid(provider_tag):
-            scope = quote(' '.join(scopes))
-
-            additional_params += '&scope=' + scope
-            additional_params += '&response_type=code'
-            additional_params += '&access_type=offline'
             if provider_config.get('prompt', True):
                 additional_params += '&prompt=login%20consent'
 
+
         if additional_params == '&':
             additional_params = ''