Like the technical community as a whole, the OAuthlib team and community is made up of a mixture of professionals and volunteers from all over the world, working on every aspect of the mission - including mentorship, teaching, and connecting people.

Diversity is one of our huge strengths, but it can also lead to communication issues and unhappiness. To that end, we have a few ground rules that we ask people to adhere to. This code applies equally to founders, mentors and those seeking help and guidance.

This isn't an exhaustive list of things that you can't do. Rather, take it in the spirit in which it's intended - a guide to make it easier to enrich all of us and the technical communities in which we participate.

This code of conduct applies to all spaces managed by the OAuthlib project. This includes Gitter, the mailing lists, the issue tracker, and any other forums created by the project team which the community uses for communication. In addition, violations of this code outside these spaces may affect a person's ability to participate within them.

If you believe someone is violating the code of conduct, we ask that you report it by contacting us.

Be friendly and patient.

Be welcoming. We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.

Be considerate. Your work will be used by other people, and you in turn will depend on the work of others. Any decision you take will affect users and colleagues, and you should take those consequences into account when making decisions. Remember that we're a world-wide community, so you might not be communicating in someone else's primary language.

Be respectful. Not all of us will agree all the time, but disagreement is no excuse for poor behavior and poor manners. We might all experience some frustration now and then, but we cannot allow that frustration to turn into a personal attack. It's important to remember that a community where people feel uncomfortable or threatened is not a productive one. Members of the OAuthlib community should be respectful when dealing with other members as well as with people outside the OAuthlib community.

Be careful in the words that you choose. We are a community of professionals, and we conduct ourselves professionally. Be kind to others. Do not insult or put down other participants. Harassment and other exclusionary behavior aren't acceptable. This includes, but is not limited to:

Violent threats or language directed against another person.

Discriminatory jokes and language.

Posting sexually explicit or violent material.

Posting (or threatening to post) other people's personally identifying information ("doxing").

Personal insults, especially those using racist or sexist terms.

Unwelcome sexual attention.

Advocating for, or encouraging, any of the above behavior.

Repeated harassment of others. In general, if someone asks you to stop, then stop.

When we disagree, try to understand why. Disagreements, both social and technical, happen all the time and OAuthlib is no exception. It is important that we resolve disagreements and differing views constructively. Remember that we're different. The strength of OAuthlib comes from its varied community, people from a wide range of backgrounds. Different people have different perspectives on issues. Being unable to understand why someone holds a viewpoint doesn't mean that they're wrong. Don't forget that it is human to err and blaming each other doesn't get us anywhere. Instead, focus on helping to resolve issues and learning from mistakes.

For reading the original text, please visit the [Django Code of Conduct](https://www.djangoproject.com/conduct/).

OAuthLib - Python Framework for OAuth1 & OAuth2

.. image:: https://app.fossa.io/api/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib.svg?type=shield

:target: https://app.fossa.io/projects/git%2Bgithub.com%2Foauthlib%2Foauthlib?ref=badge_shield

:alt: FOSSA Status

OAuthLib is a framework which implements the logic of OAuth1 or OAuth2 without

*OAuthLib is in active development, with the core of both OAuth1 and OAuth2

oauthlib community rules

oauthlib is a community of developers which adheres to a very simple set of

rules.

Code of Conduct

This project adheres to a `Code of Conduct`_ based on Django. As a community

member you have to read and agree with it.

For more information please contact us and/or visit the original

`Django Code of Conduct`_ homepage.

.. _`Code of Conduct`: https://github.com/oauthlib/oauthlib/blob/master/CODE_OF_CONDUCT.md

.. _`Django Code of Conduct`: https://www.djangoproject.com/conduct/

Code of Merit

Please read the community's `Code of Merit`_. Every contributor will know the

real purpose of their contributions to this project.

.. _`Code of Merit`: http://code-of-merit.org/

JWT Profile for Client Authentication and Authorization Grants

If you're looking at JWT Tokens, please see :doc:`Bearer Tokens </oauth2/tokens/bearer>` instead.

The JWT Profile `RFC7523`_ implements the `RFC7521`_ abstract assertion

protocol. It aims to extend the OAuth2 protocol to use JWT as an

additional authorization grant.

Currently, this is not implemented but all PRs are welcome. See how to :doc:`Contribute </contributing>`.

.. _`RFC7521`: https://tools.ietf.org/html/rfc7521

.. _`RFC7523`: https://tools.ietf.org/html/rfc7523

If you prefer to construct tokens yourself you may pass a token generator (see

:doc:`Tokens <tokens/tokens>` for more examples like JWT) ::

.. autoclass:: oauthlib.oauth2.Server

:members:

The most common OAuth 2 token type.

Bearer tokens is the default setting for all configured endpoints. Generally

By default, :doc:`*Server </oauth2/preconfigured_servers>` generate Bearer tokens as

random strings. However, you can change the default behavior to generate JWT

instead. All preconfigured servers take as parameters `token_generator` and

`refresh_token_generator` to fit your needs.

.. contents:: Tutorial Contents

:depth: 3

1. Generate signed JWT

A function is available to generate signed JWT (with RS256 PEM key) with static

and dynamic claims.

.. code-block:: python

Note that you can add any custom claims in `RequestValidator` methods by adding them to

`request.claims` dictionary. Example below:

.. code-block:: python

Once completed, the token endpoint will generate access_token in JWT form:

.. code-block:: shell

And you will find all claims in its decoded form:

.. code-block:: javascript

2. Define your own implementation (text, JWT, JWE, ...)

Sometime you may want to generate custom `access_token` with a reference from a

database (as text) or use a HASH signature in JWT or use JWE (encrypted content).

Also, note that you can declare the generate function in your instanciated

validator to benefit of the `self` variables.

See the example below:

.. code-block:: python

Then associate it to your `Server`:

.. code-block:: python

3. BearerToken API

If none of the :doc:`/oauth2/preconfigured_servers` fit your needs, you can

declare your own Endpoints and use the `BearerToken` API as below.

currently supports. Other tokens, such as SAML and MAC can easily be added.

if request.redirect_uri is None:

request.using_default_redirect_uri = True

request.redirect_uri = self.request_validator.get_default_redirect_uri(

request.client_id, request)

log.debug('Using default redirect_uri %s.', request.redirect_uri)

if not request.redirect_uri:

raise errors.MissingRedirectURIError(request=request)

else:

request.using_default_redirect_uri = False

log.debug('Using provided redirect_uri %s', request.redirect_uri)

h, b, s = server.create_token_response(

'https://example.com?grant_type=authorization_code&code=abc'

)

def test_default_uri_in_token(self):

auth_uri = 'http://example.com/path?state=xyz&client_id=abc'

token_uri = 'http://example.com/path'

# authorization grant

h, _, s = self.web.create_authorization_response(

auth_uri + '&response_type=code', scopes=['random'])

self.assertEqual(s, 302)

self.assertIn('Location', h)

self.assertTrue(h['Location'].startswith(self.DEFAULT_REDIRECT_URI))

# confirm_redirect_uri should return true if the redirect uri

# was not given in the authorization AND not in the token request.

self.validator.confirm_redirect_uri.return_value = True

code = get_query_credentials(h['Location'])['code'][0]

self.validator.validate_code.side_effect = self.set_state('xyz')

_, body, s = self.web.create_token_response(token_uri,

body='grant_type=authorization_code&code=%s' % code)

self.assertEqual(s, 200)

self.assertEqual(self.validator.confirm_redirect_uri.call_args[0][2], self.DEFAULT_REDIRECT_URI)

self.validator.get_default_redirect_uri.return_value = 'https://i.b/cb'

def test_access_denied_no_default_redirecturi(self):

self.validator.authenticate_client.side_effect = self.set_client

self.validator.get_default_redirect_uri.return_value = None

token_uri = 'https://i.b/token'

# Authorization code grant

_, body, _ = self.web.create_token_response(token_uri,

body='grant_type=authorization_code&code=foo')

self.assertEqual('invalid_request', json.loads(body)['error'])