Merge pull request #61 from Colin-b/develop

Colin-b · web-flow · commit 53e063c338ea · 2023-04-26T18:14:48.000+02:00
Release 0.17.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,11 +1,19 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.17.0] - 2023-04-26
+### Changed
+- `httpx_auth.OAuth2ResourceOwnerPasswordCredentials` does not send basic authentication by default.
+
+### Added
+- `client_auth` as a parameter of `httpx_auth.OAuth2ResourceOwnerPasswordCredentials`. Allowing to provide any kind of optional authentication.
+- `httpx_auth.OktaResourceOwnerPasswordCredentials` providing Okta resource owner password credentials flow easy setup.
+
 ## [0.16.0] - 2023-04-25
 ### Changed
 - Requires [`httpx`](https://www.python-httpx.org)==0.24.\*
@@ -170,7 +178,8 @@ Note that a few changes were made:
 ### Added
 - Placeholder for port of requests_auth to httpx
 
-[Unreleased]: https://github.com/Colin-b/httpx_auth/compare/v0.16.0...HEAD
+[Unreleased]: https://github.com/Colin-b/httpx_auth/compare/v0.17.0...HEAD
+[0.17.0]: https://github.com/Colin-b/httpx_auth/compare/v0.16.0...v0.17.0
 [0.16.0]: https://github.com/Colin-b/httpx_auth/compare/v0.15.0...v0.16.0
 [0.15.0]: https://github.com/Colin-b/httpx_auth/compare/v0.14.1...v0.15.0
 [0.14.1]: https://github.com/Colin-b/httpx_auth/compare/v0.14.0...v0.14.1
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 <a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Build status" src="https://github.com/Colin-b/httpx_auth/workflows/Release/badge.svg"></a>
 <a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Coverage" src="https://img.shields.io/badge/coverage-100%25-brightgreen"></a>
 <a href="https://github.com/psf/black"><img alt="Code style: black" src="https://img.shields.io/badge/code%20style-black-000000.svg"></a>
-<a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Number of tests" src="https://img.shields.io/badge/tests-307 passed-blue"></a>
+<a href="https://github.com/Colin-b/httpx_auth/actions"><img alt="Number of tests" src="https://img.shields.io/badge/tests-335 passed-blue"></a>
 <a href="https://pypi.org/project/httpx-auth/"><img alt="Number of downloads" src="https://img.shields.io/pypi/dm/httpx_auth"></a>
 </p>
 
@@ -282,7 +282,7 @@ Usual extra parameters are:
 | `client_secret`        | If client is not authenticated with the authorization server     |
 | `nonce`        | Refer to [OpenID ID Token specifications][3] for more details     |
 
-### Resource Owner Password Credentials flow 
+### Resource Owner Password Credentials flow
 
 Resource Owner Password Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.3).
 
@@ -298,21 +298,64 @@ with httpx.Client() as client:
 
 #### Parameters
 
-| Name               | Description                                  | Mandatory | Default value |
-|:-------------------|:---------------------------------------------|:----------|:--------------|
-| `token_url`        | OAuth 2 token URL.                           | Mandatory |               |
-| `username`         | Resource owner user name.                    | Mandatory |               |
-| `password`         | Resource owner password.                     | Mandatory |               |
-| `timeout`          | Maximum amount of seconds to wait for a token to be received once requested. | Optional | 60            |
-| `header_name`      | Name of the header field used to send token. | Optional  | Authorization |
-| `header_value`     | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token. | Optional | Bearer {token} |
-| `scope`            | Scope parameter sent to token URL as body. Can also be a list of scopes. | Optional |  |
-| `token_field_name` | Field name containing the token.             | Optional  | access_token  |
-| `early_expiry`     | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0  |
-| `client`           | `httpx.Client` instance that will be used to request the token. Use it to provide a custom proxying rule for instance. | Optional |  |
+| Name                 | Description                                                                                                                                                                                                                                                                                       | Mandatory | Default value |
+|:---------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:--------------|
+| `token_url`          | OAuth 2 token URL.                                                                                                                                                                                                                                                                                | Mandatory |               |
+| `username`           | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory |               |
+| `password`           | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory |               |
+| `client_auth`        | Client authentication if the client type is confidential or the client was issued client credentials (or assigned other authentication requirements). Can be a tuple or any httpx authentication class instance.                                                                                  | Optional  |               |
+| `timeout`            | Maximum amount of seconds to wait for a token to be received once requested.                                                                                                                                                                                                                      | Optional  | 60            |
+| `header_name`        | Name of the header field used to send token.                                                                                                                                                                                                                                                      | Optional  | Authorization |
+| `header_value`       | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token.                                                                                                                                                                                        | Optional  | Bearer {token} |
+| `scope`              | Scope parameter sent to token URL as body. Can also be a list of scopes.                                                                                                                                                                                                                          | Optional  |  |
+| `token_field_name`   | Field name containing the token.                                                                                                                                                                                                                                                                  | Optional  | access_token  |
+| `early_expiry`       | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0  |
+| `client`             | `httpx.Client` instance that will be used to request the token. Use it to provide a custom proxying rule for instance.                                                                                                                                                                            | Optional  |  |
 
 Any other parameter will be put as body parameter in the token URL.
 
+#### Common providers
+
+Most of [OAuth2](https://oauth.net/2/) Resource Owner Password Credentials providers are supported.
+
+If the one you are looking for is not yet supported, feel free to [ask for its implementation](https://github.com/Colin-b/httpx_auth/issues/new).
+
+##### Okta (OAuth2 Resource Owner Password Credentials)
+
+[Okta Resource Owner Password Credentials](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/) providing access tokens is supported.
+
+Use `httpx_auth.OktaResourceOwnerPasswordCredentials` to configure this kind of authentication.
+
+```python
+import httpx
+from httpx_auth import OktaResourceOwnerPasswordCredentials
+
+
+okta = OktaResourceOwnerPasswordCredentials(instance='testserver.okta-emea.com', username='user name', password='user password', client_id='54239d18-c68c-4c47-8bdd-ce71ea1d50cd', client_secret="0c5MB")
+with httpx.Client() as client:
+    client.get('https://www.example.com', auth=okta)
+```
+
+###### Parameters
+
+| Name                    | Description                | Mandatory | Default value |
+|:------------------------|:---------------------------|:----------|:--------------|
+| `instance`              | Okta instance (like "testserver.okta-emea.com"). | Mandatory |               |
+| `username`           | Resource owner user name.                                                                                                                                                                                                                                                                         | Mandatory |               |
+| `password`           | Resource owner password.                                                                                                                                                                                                                                                                          | Mandatory |               |
+| `client_id`             | Okta Application Identifier (formatted as an Universal Unique Identifier). | Mandatory |               |
+| `client_secret`        | Resource owner password.     | Mandatory |               |
+| `timeout`               | Maximum amount of seconds to wait for a token to be received once requested. | Optional | 60 |
+| `header_name`           | Name of the header field used to send token. | Optional | Authorization |
+| `header_value`          | Format used to send the token value. "{token}" must be present as it will be replaced by the actual token. | Optional | Bearer {token} |
+| `scope`                 | Scope parameter sent in query. Can also be a list of scopes. | Optional | openid |
+| `token_field_name`      | Field name containing the token. | Optional | access_token |
+| `early_expiry`          | Number of seconds before actual token expiry where token will be considered as expired. Used to ensure token will not expire between the time of retrieval and the time the request reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry. | Optional  | 30.0  |
+| `client`                | `httpx.Client` instance that will be used to request the token. Use it to provide a custom proxying rule for instance. | Optional |  |
+
+Any other parameter will be put as body parameters in the token URL.        
+
+
 ### Client Credentials flow
 
 Client Credentials Grant is implemented following [rfc6749](https://tools.ietf.org/html/rfc6749#section-4.4).
diff --git a/httpx_auth/__init__.py b/httpx_auth/__init__.py
@@ -15,6 +15,7 @@
     OAuth2ClientCredentials,
     OktaClientCredentials,
     OAuth2ResourceOwnerPasswordCredentials,
+    OktaResourceOwnerPasswordCredentials,
     WakaTimeAuthorizationCode,
 )
 from httpx_auth.oauth2_tokens import JsonTokenFileCache
@@ -47,6 +48,7 @@
     "OAuth2ClientCredentials",
     "OktaClientCredentials",
     "OAuth2ResourceOwnerPasswordCredentials",
+    "OktaResourceOwnerPasswordCredentials",
     "WakaTimeAuthorizationCode",
     "JsonTokenFileCache",
     "AWS4Auth",
diff --git a/httpx_auth/authentication.py b/httpx_auth/authentication.py
@@ -149,6 +149,9 @@ def __init__(self, token_url: str, username: str, password: str, **kwargs):
         :param token_url: OAuth 2 token URL.
         :param username: Resource owner user name.
         :param password: Resource owner password.
+        :param client_auth: Client authentication if the client type is confidential
+        or the client was issued client credentials (or assigned other authentication requirements).
+        Can be a tuple or any httpx authentication class instance.
         :param timeout: Maximum amount of seconds to wait for a token to be received once requested.
         Wait for 1 minute by default.
         :param header_name: Name of the header field used to send token.
@@ -186,6 +189,7 @@ def __init__(self, token_url: str, username: str, password: str, **kwargs):
         # Time is expressed in seconds
         self.timeout = int(kwargs.pop("timeout", None) or 60)
         self.client = kwargs.pop("client", None)
+        self.client_auth = kwargs.pop("client_auth", None)
 
         # As described in https://tools.ietf.org/html/rfc6749#section-4.3.2
         self.data = {
@@ -228,7 +232,8 @@ def request_new_token(self) -> tuple:
         return (self.state, token, expires_in) if expires_in else (self.state, token)
 
     def _configure_client(self, client: httpx.Client):
-        client.auth = (self.username, self.password)
+        if self.client_auth:
+            client.auth = self.client_auth
         client.timeout = self.timeout
 
 
@@ -1223,6 +1228,64 @@ def __init__(self, instance: str, client_id: str, client_secret: str, **kwargs):
         )
 
 
+class OktaResourceOwnerPasswordCredentials(OAuth2ResourceOwnerPasswordCredentials):
+    """
+    Describes an Okta (OAuth 2) resource owner password credentials (also called password) flow requests authentication.
+    """
+
+    def __init__(
+        self,
+        instance: str,
+        username: str,
+        password: str,
+        client_id: str,
+        client_secret: str,
+        **kwargs,
+    ):
+        """
+        :param instance: Okta instance (like "testserver.okta-emea.com")
+        :param username: Resource owner user name.
+        :param password: Resource owner password.
+        :param client_id: Okta Application Identifier (formatted as an Universal Unique Identifier)
+        :param client_secret: Resource owner password.
+        :param authorization_server: Okta authorization server
+        default by default.
+        :param timeout: Maximum amount of seconds to wait for a token to be received once requested.
+        Wait for 1 minute by default.
+        :param header_name: Name of the header field used to send token.
+        Token will be sent in Authorization header field by default.
+        :param header_value: Format used to send the token value.
+        "{token}" must be present as it will be replaced by the actual token.
+        Token will be sent as "Bearer {token}" by default.
+        :param scope: Scope parameter sent to token URL as body. Can also be a list of scopes.
+        Request 'openid' by default.
+        :param token_field_name: Field name containing the token. access_token by default.
+        :param early_expiry: Number of seconds before actual token expiry where token will be considered as expired.
+        Default to 30 seconds to ensure token will not expire between the time of retrieval and the time the request
+        reaches the actual server. Set it to 0 to deactivate this feature and use the same token until actual expiry.
+        :param client: httpx.Client instance that will be used to request the token.
+        Use it to provide a custom proxying rule for instance.
+        :param kwargs: all additional authorization parameters that should be put as body parameters in the token URL.
+        """
+        if not instance:
+            raise Exception("Instance is mandatory.")
+        if not client_id:
+            raise Exception("Client ID is mandatory.")
+        if not client_secret:
+            raise Exception("Client secret is mandatory.")
+        authorization_server = kwargs.pop("authorization_server", None) or "default"
+        scopes = kwargs.pop("scope", "openid")
+        kwargs["scope"] = " ".join(scopes) if isinstance(scopes, list) else scopes
+        OAuth2ResourceOwnerPasswordCredentials.__init__(
+            self,
+            f"https://{instance}/oauth2/{authorization_server}/v1/token",
+            username=username,
+            password=password,
+            client_auth=(client_id, client_secret),
+            **kwargs,
+        )
+
+
 class HeaderApiKey(httpx.Auth, SupportMultiAuth):
     """Describes an API Key requests authentication."""
 
diff --git a/httpx_auth/version.py b/httpx_auth/version.py
@@ -3,4 +3,4 @@
 # Major should be incremented in case there is a breaking change. (eg: 2.5.8 -> 3.0.0)
 # Minor should be incremented in case there is an enhancement. (eg: 2.5.8 -> 2.6.0)
 # Patch should be incremented in case there is a bug fix. (eg: 2.5.8 -> 2.5.9)
-__version__ = "0.16.0"
+__version__ = "0.17.0"
diff --git a/tests/test_oauth2_resource_owner_password.py b/tests/test_oauth2_resource_owner_password.py
@@ -96,6 +96,62 @@ def test_oauth2_password_credentials_flow_token_is_sent_in_authorization_header_
     )
 
 
+def test_oauth2_password_credentials_flow_does_not_authenticate_by_default(
+    token_cache, httpx_mock: HTTPXMock
+):
+    auth = httpx_auth.OAuth2ResourceOwnerPasswordCredentials(
+        "https://provide_access_token", username="test_user", password="test_pwd"
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://provide_access_token",
+        json={
+            "access_token": "2YotnFZFEjr1zCsicMWpAA",
+            "token_type": "example",
+            "expires_in": 3600,
+            "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
+            "example_parameter": "example_value",
+        },
+        match_content=b"grant_type=password&username=test_user&password=test_pwd",
+    )
+    assert (
+        get_header(httpx_mock, auth).get("Authorization")
+        == "Bearer 2YotnFZFEjr1zCsicMWpAA"
+    )
+    assert (
+        "Authorization"
+        not in httpx_mock.get_request(url="https://provide_access_token").headers
+    )
+
+
+def test_oauth2_password_credentials_flow_authentication(
+    token_cache, httpx_mock: HTTPXMock
+):
+    auth = httpx_auth.OAuth2ResourceOwnerPasswordCredentials(
+        "https://provide_access_token",
+        username="test_user",
+        password="test_pwd",
+        client_auth=("test_user2", "test_pwd2"),
+    )
+    httpx_mock.add_response(
+        method="POST",
+        url="https://provide_access_token",
+        json={
+            "access_token": "2YotnFZFEjr1zCsicMWpAA",
+            "token_type": "example",
+            "expires_in": 3600,
+            "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
+            "example_parameter": "example_value",
+        },
+        match_headers={"Authorization": "Basic dGVzdF91c2VyMjp0ZXN0X3B3ZDI="},
+        match_content=b"grant_type=password&username=test_user&password=test_pwd",
+    )
+    assert (
+        get_header(httpx_mock, auth).get("Authorization")
+        == "Bearer 2YotnFZFEjr1zCsicMWpAA"
+    )
+
+
 def test_oauth2_password_credentials_flow_token_is_expired_after_30_seconds_by_default(
     token_cache, httpx_mock: HTTPXMock
 ):
diff --git a/tests/test_oauth2_resource_owner_password_okta.py b/tests/test_oauth2_resource_owner_password_okta.py
