o Df4@sDddlZddlmZmZddlmZeeZGdddeeZ dS)N) BaseGrantTokenEndpointMixin)UnauthorizedClientErrorc@s$eZdZdZdZddZddZdS)ClientCredentialsGrantaThe client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server. The client credentials grant type MUST only be used by confidential clients:: +---------+ +---------------+ | | | | | |>--(A)- Client Authentication --->| Authorization | | Client | | Server | | |<--(B)---- Access Token ---------<| | | | | | +---------+ +---------------+ https://tools.ietf.org/html/rfc6749#section-4.4 client_credentialscCs:|}td|||jst||j_|dS)aThe client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format per Appendix B with a character encoding of UTF-8 in the HTTP request entity-body: grant_type REQUIRED. Value MUST be set to "client_credentials". scope OPTIONAL. The scope of the access request as described by Section 3.3. The client MUST authenticate with the authorization server as described in Section 3.2.1. For example, the client makes the following HTTP request using transport-layer security (with extra line breaks for display purposes only): .. code-block:: http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=client_credentials The authorization server MUST authenticate the client. zValidate token request of %rN) "authenticate_token_endpoint_clientlogdebugcheck_grant_type GRANT_TYPErrequestclientvalidate_requested_scope)selfrri/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc6749/grants/client_credentials.pyvalidate_token_requests "   z-ClientCredentialsGrant.validate_token_requestcCsH|j|jjdd}td||j|||jd||dd||jfS)a4If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2. An example successful response: .. code-block:: http HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "example_parameter":"example_value" } :returns: (status_code, body, headers) F)scopeinclude_refresh_tokenzIssue token %r to %r process_token)token) generate_tokenrrr r r save_token execute_hookTOKEN_RESPONSE_HEADER)rrrrrcreate_token_responseIs   z,ClientCredentialsGrant.create_token_responseN)__name__ __module__ __qualname____doc__r rrrrrrrs  +r) loggingbaserrerrorsr getLoggerrr rrrrrs