Solax/myenv/lib/python3.12/site-packages/authlib/oauth2/rfc7591/claims.py

from authlib.jose import BaseClaims, JsonWebKey
from authlib.jose.errors import InvalidClaimError
from authlib.common.urls import is_valid_url


class ClientMetadataClaims(BaseClaims):
    # https://tools.ietf.org/html/rfc7591#section-2
    REGISTERED_CLAIMS = [
        'redirect_uris',
        'token_endpoint_auth_method',
        'grant_types',
        'response_types',
        'client_name',
        'client_uri',
        'logo_uri',
        'scope',
        'contacts',
        'tos_uri',
        'policy_uri',
        'jwks_uri',
        'jwks',
        'software_id',
        'software_version',
    ]

    def validate(self):
        self._validate_essential_claims()
        self.validate_redirect_uris()
        self.validate_token_endpoint_auth_method()
        self.validate_grant_types()
        self.validate_response_types()
        self.validate_client_name()
        self.validate_client_uri()
        self.validate_logo_uri()
        self.validate_scope()
        self.validate_contacts()
        self.validate_tos_uri()
        self.validate_policy_uri()
        self.validate_jwks_uri()
        self.validate_jwks()
        self.validate_software_id()
        self.validate_software_version()

    def validate_redirect_uris(self):
        """Array of redirection URI strings for use in redirect-based flows
        such as the authorization code and implicit flows.  As required by
        Section 2 of OAuth 2.0 [RFC6749], clients using flows with
        redirection MUST register their redirection URI values.
        Authorization servers that support dynamic registration for
        redirect-based flows MUST implement support for this metadata
        value.
        """
        uris = self.get('redirect_uris')
        if uris:
            for uri in uris:
                self._validate_uri('redirect_uris', uri)

    def validate_token_endpoint_auth_method(self):
        """String indicator of the requested authentication method for the
        token endpoint.
        """
        # If unspecified or omitted, the default is "client_secret_basic"
        if 'token_endpoint_auth_method' not in self:
            self['token_endpoint_auth_method'] = 'client_secret_basic'
        self._validate_claim_value('token_endpoint_auth_method')

    def validate_grant_types(self):
        """Array of OAuth 2.0 grant type strings that the client can use at
        the token endpoint.
        """
        self._validate_claim_value('grant_types')

    def validate_response_types(self):
        """Array of the OAuth 2.0 response type strings that the client can
        use at the authorization endpoint.
        """
        self._validate_claim_value('response_types')

    def validate_client_name(self):
        """Human-readable string name of the client to be presented to the
        end-user during authorization.  If omitted, the authorization
        server MAY display the raw "client_id" value to the end-user
        instead.  It is RECOMMENDED that clients always send this field.
        The value of this field MAY be internationalized, as described in
        Section 2.2.
        """

    def validate_client_uri(self):
        """URL string of a web page providing information about the client.
        If present, the server SHOULD display this URL to the end-user in
        a clickable fashion.  It is RECOMMENDED that clients always send
        this field.  The value of this field MUST point to a valid web
        page.  The value of this field MAY be internationalized, as
        described in Section 2.2.
        """
        self._validate_uri('client_uri')

    def validate_logo_uri(self):
        """URL string that references a logo for the client.  If present, the
        server SHOULD display this image to the end-user during approval.
        The value of this field MUST point to a valid image file.  The
        value of this field MAY be internationalized, as described in
        Section 2.2.
        """
        self._validate_uri('logo_uri')

    def validate_scope(self):
        """String containing a space-separated list of scope values (as
        described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
        can use when requesting access tokens.  The semantics of values in
        this list are service specific.  If omitted, an authorization
        server MAY register a client with a default set of scopes.
        """
        self._validate_claim_value('scope')

    def validate_contacts(self):
        """Array of strings representing ways to contact people responsible
        for this client, typically email addresses.  The authorization
        server MAY make these contact addresses available to end-users for
        support requests for the client.  See Section 6 for information on
        Privacy Considerations.
        """
        if 'contacts' in self and not isinstance(self['contacts'], list):
            raise InvalidClaimError('contacts')

    def validate_tos_uri(self):
        """URL string that points to a human-readable terms of service
        document for the client that describes a contractual relationship
        between the end-user and the client that the end-user accepts when
        authorizing the client.  The authorization server SHOULD display
        this URL to the end-user if it is provided.  The value of this
        field MUST point to a valid web page.  The value of this field MAY
        be internationalized, as described in Section 2.2.
        """
        self._validate_uri('tos_uri')

    def validate_policy_uri(self):
        """URL string that points to a human-readable privacy policy document
        that describes how the deployment organization collects, uses,
        retains, and discloses personal data.  The authorization server
        SHOULD display this URL to the end-user if it is provided.  The
        value of this field MUST point to a valid web page.  The value of
        this field MAY be internationalized, as described in Section 2.2.
        """
        self._validate_uri('policy_uri')

    def validate_jwks_uri(self):
        """URL string referencing the client's JSON Web Key (JWK) Set
        [RFC7517] document, which contains the client's public keys.  The
        value of this field MUST point to a valid JWK Set document.  These
        keys can be used by higher-level protocols that use signing or
        encryption.  For instance, these keys might be used by some
        applications for validating signed requests made to the token
        endpoint when using JWTs for client authentication [RFC7523].  Use
        of this parameter is preferred over the "jwks" parameter, as it
        allows for easier key rotation.  The "jwks_uri" and "jwks"
        parameters MUST NOT both be present in the same request or
        response.
        """
        # TODO: use real HTTP library
        self._validate_uri('jwks_uri')

    def validate_jwks(self):
        """Client's JSON Web Key Set [RFC7517] document value, which contains
        the client's public keys.  The value of this field MUST be a JSON
        object containing a valid JWK Set.  These keys can be used by
        higher-level protocols that use signing or encryption.  This
        parameter is intended to be used by clients that cannot use the
        "jwks_uri" parameter, such as native clients that cannot host
        public URLs.  The "jwks_uri" and "jwks" parameters MUST NOT both
        be present in the same request or response.
        """
        if 'jwks' in self:
            if 'jwks_uri' in self:
                #  The "jwks_uri" and "jwks" parameters MUST NOT both  be present
                raise InvalidClaimError('jwks')

            jwks = self['jwks']
            try:
                key_set = JsonWebKey.import_key_set(jwks)
                if not key_set:
                    raise InvalidClaimError('jwks')
            except ValueError:
                raise InvalidClaimError('jwks')

    def validate_software_id(self):
        """A unique identifier string (e.g., a Universally Unique Identifier
        (UUID)) assigned by the client developer or software publisher
        used by registration endpoints to identify the client software to
        be dynamically registered.  Unlike "client_id", which is issued by
        the authorization server and SHOULD vary between instances, the
        "software_id" SHOULD remain the same for all instances of the
        client software.  The "software_id" SHOULD remain the same across
        multiple updates or versions of the same piece of software.  The
        value of this field is not intended to be human readable and is
        usually opaque to the client and authorization server.
        """

    def validate_software_version(self):
        """A version identifier string for the client software identified by
        "software_id".  The value of the "software_version" SHOULD change
        on any update to the client software identified by the same
        "software_id".  The value of this field is intended to be compared
        using string equality matching and no other comparison semantics
        are defined by this specification.  The value of this field is
        outside the scope of this specification, but it is not intended to
        be human readable and is usually opaque to the client and
        authorization server.  The definition of what constitutes an
        update to client software that would trigger a change to this
        value is specific to the software itself and is outside the scope
        of this specification.
        """

    def _validate_uri(self, key, uri=None):
        if uri is None:
            uri = self.get(key)
        if uri and not is_valid_url(uri):
            raise InvalidClaimError(key)