Models

class oauth2_provider.models.AbstractAccessToken(*args, **kwargs)

An AccessToken instance represents the actual access token to access user’s resources, as in RFC6749 Section 5.

Fields:

  • user The Django user representing resources’ owner
  • source_refresh_token If from a refresh, the consumed RefreshToken
  • token Access token
  • application Application instance
  • expires Date and time of token expiration, in DateTime format
  • scope Allowed scopes

allow_scopes(scopes)

Check if the token allows the provided scopes

Parameters: scopes – An iterable containing the scopes to check

is_expired()

Check token expiration with timezone awareness

is_valid(scopes=None)

Checks if the access token is valid.

Parameters: scopes – An iterable containing the scopes to check or None

revoke()

Convenience method to keep the tokens’ interface uniform; for now it simply removes this token from the database in order to revoke it.

scopes

Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)

class oauth2_provider.models.AbstractApplication(*args, **kwargs)

An Application instance represents a Client on the Authorization server. Usually an Application is created manually by client’s developers after logging in on an Authorization Server.

Fields:

  • client_id The client identifier issued to the client during the
    registration process as described in RFC6749 Section 2.2
  • user ref to a Django user
  • redirect_uris The list of allowed redirect URIs. The string
    consists of valid URLs separated by space
  • post_logout_redirect_uris The list of allowed redirect uris after
    an RP initiated logout. The string consists of valid URLs separated by space
  • client_type Client type as described in RFC6749 Section 2.1
  • authorization_grant_type Authorization flows available to the
    Application
  • client_secret Confidential secret issued to the client during
    the registration process as described in RFC6749 Section 2.2
  • name Friendly name for the Application

clean()

Hook for doing any extra model-wide validation after clean() has been called on every field by self.clean_fields. Any ValidationError raised by this method will not be associated with a particular field; it will have a special-case association with the field defined by NON_FIELD_ERRORS.

default_redirect_uri

Returns the default redirect_uri, if only one is registered.

get_allowed_schemes()

Returns the list of redirect schemes allowed by the Application. By default, returns ALLOWED_REDIRECT_URI_SCHEMES.

is_usable(request)

Determines whether the application can be used.

Parameters: request – The oauthlib.common.Request being processed.

post_logout_redirect_uri_allowed(uri)

Checks if the given URI is one of the items in the post_logout_redirect_uris string

Parameters: uri – URI to check

redirect_uri_allowed(uri)

Checks if the given URL is one of the items in the redirect_uris string

Parameters: uri – URL to check

class oauth2_provider.models.AbstractGrant(*args, **kwargs)

A Grant instance represents a token with a short lifetime that can be swapped for an access token, as described in RFC6749 Section 4.1.2.

Fields:

  • user The Django user who requested the grant
  • code The authorization code generated by the authorization server
  • application Application instance this grant was asked for
  • expires Expire time in seconds, defaults to
    settings.AUTHORIZATION_CODE_EXPIRE_SECONDS
  • redirect_uri Self explained
  • scope Required scopes, optional
  • code_challenge PKCE code challenge
  • code_challenge_method PKCE code challenge transform algorithm

is_expired()

Check token expiration with timezone awareness

class oauth2_provider.models.AbstractIDToken(*args, **kwargs)

An IDToken instance represents the actual token to access user’s resources, as in OpenID Connect Core Section 2.

Fields:

  • user The Django user representing resources’ owner
  • jti ID token JWT Token ID, to identify an individual token
  • application Application instance
  • expires Date and time of token expiration, in DateTime format
  • scope Allowed scopes
  • created Date and time of token creation, in DateTime format
  • updated Date and time of token update, in DateTime format

allow_scopes(scopes)

Check if the token allows the provided scopes

Parameters: scopes – An iterable containing the scopes to check

is_expired()

Check token expiration with timezone awareness

is_valid(scopes=None)

Checks if the access token is valid.

Parameters: scopes – An iterable containing the scopes to check or None

revoke()

Convenience method to keep the tokens’ interface uniform; for now it simply removes this token from the database in order to revoke it.

scopes

Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)

class oauth2_provider.models.AbstractRefreshToken(*args, **kwargs)

A RefreshToken instance represents a token that can be swapped for a new access token when it expires.

Fields:

  • user The Django user representing resources’ owner
  • token Token value
  • application Application instance
  • access_token AccessToken instance this refresh token is
    bound to
  • revoked Timestamp of when this refresh token was revoked

revoke()

Mark this refresh token revoked and revoke related access token

class oauth2_provider.models.AccessToken(id, user, source_refresh_token, token, id_token, application, expires, scope, created, updated)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.Application(id, client_id, user, redirect_uris, post_logout_redirect_uris, client_type, authorization_grant_type, client_secret, name, skip_authorization, created, updated, algorithm)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.ClientSecretField(*args, db_collation=None, **kwargs)
pre_save(model_instance, add)

Return field’s value just before saving.

class oauth2_provider.models.Grant(id, user, code, application, expires, redirect_uri, scope, created, updated, code_challenge, code_challenge_method, nonce, claims)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.IDToken(id, user, jti, application, expires, scope, created, updated)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.RefreshToken(id, user, token, application, access_token, created, updated, revoked)
exception DoesNotExist
exception MultipleObjectsReturned
oauth2_provider.models.get_access_token_admin_class()

Return the AccessToken admin class that is active in this project.

oauth2_provider.models.get_access_token_model()

Return the AccessToken model that is active in this project.

oauth2_provider.models.get_application_admin_class()

Return the Application admin class that is active in this project.

oauth2_provider.models.get_application_model()

Return the Application model that is active in this project.

oauth2_provider.models.get_grant_admin_class()

Return the Grant admin class that is active in this project.

oauth2_provider.models.get_grant_model()

Return the Grant model that is active in this project.

oauth2_provider.models.get_id_token_admin_class()

Return the IDToken admin class that is active in this project.

oauth2_provider.models.get_id_token_model()

Return the IDToken model that is active in this project.

oauth2_provider.models.get_refresh_token_admin_class()

Return the RefreshToken admin class that is active in this project.

oauth2_provider.models.get_refresh_token_model()

Return the RefreshToken model that is active in this project.

oauth2_provider.models.redirect_to_uri_allowed(uri, allowed_uris)

Checks if a given uri can be redirected to based on the provided allowed_uris configuration.

On top of exact matches, this function also handles loopback IPs based on RFC 8252.

Parameters:
  • uri – URI to check
  • allowed_uris – A list of URIs that are allowed
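
The matching rule described above (exact match, plus port-agnostic matching for loopback IP redirect URIs per RFC 8252 Section 7.3) can be sketched in standalone Python. This is an added example, not oauth2_provider's own implementation; the helper name `loopback_aware_match`, the registered URIs and the sample requests are all constructed for illustration.

```python
from urllib.parse import urlsplit

# IP literals that RFC 8252 Section 7.3 treats as loopback redirect hosts.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}

def loopback_aware_match(uri, allowed_uris):
    """Hypothetical helper: exact match, or any port on a registered loopback IP."""
    if not isinstance(allowed_uris, list):
        raise ValueError("allowed_uris must be a list")
    if uri in allowed_uris:              # exact string match
        return True
    try:
        req = urlsplit(uri)
        req.port                         # property access validates the port
    except ValueError:
        return False
    # The port is ignored only for plain-http loopback IP literals, and
    # never for URIs that carry userinfo or a fragment.
    if req.scheme != "http" or req.hostname not in LOOPBACK_HOSTS:
        return False
    if req.username is not None or req.password is not None or req.fragment:
        return False
    for allowed in allowed_uris:
        reg = urlsplit(allowed)
        # Everything except the port must equal the registered value.
        if (reg.scheme, reg.hostname, reg.path, reg.query) == (
            req.scheme, req.hostname, req.path, req.query
        ):
            return True
    return False

# Constructed registration list and request values, for illustration only.
ALLOWED = ["https://app.example.com/callback", "http://127.0.0.1/cb", "http://[::1]/cb"]
SAMPLES = [
    "https://app.example.com/callback",        # exact match
    "https://app.example.com:8443/callback",   # port differs, non-loopback host
    "http://127.0.0.1:51004/cb",               # ephemeral port on IPv4 loopback
    "http://[::1]:51004/cb",                   # ephemeral port on IPv6 loopback
    "http://127.0.0.1:51004/other",            # path must still match
    "http://127.0.0.1.evil.example:51004/cb",  # look-alike hostname
    "http://127.0.0.1@evil.example/cb",        # loopback text in userinfo only
    "http://localhost:51004/cb",               # a name, not an IP literal
]

def check_samples():
    """Return {uri: decision} for the constructed samples."""
    return {u: loopback_aware_match(u, ALLOWED) for u in SAMPLES}
```

Comparing the parsed hostname rather than a string prefix is what rejects the look-alike and userinfo cases.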