Models

class oauth2_provider.models.AbstractAccessToken(*args, **kwargs)

An AccessToken instance represents the actual access token to access user’s resources, as in RFC6749 Section 5.

Fields:

  • user The Django user representing resources” owner

  • source_refresh_token If from a refresh, the consumed RefeshToken

  • token Access token

  • application Application instance

  • expires Date and time of token expiration, in DateTime format

  • scope Allowed scopes

allow_scopes(scopes)

Check if the token allows the provided scopes

Parameters:

scopes – An iterable containing the scopes to check

is_expired()

Check token expiration with timezone awareness

is_valid(scopes=None)

Checks if the access token is valid.

Parameters:

scopes – An iterable containing the scopes to check or None

revoke()

Convenience method to uniform tokens” interface, for now simply remove this token from the database in order to revoke it.

property scopes

Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)

class oauth2_provider.models.AbstractApplication(*args, **kwargs)

An Application instance represents a Client on the Authorization server. Usually an Application is created manually by client’s developers after logging in on an Authorization Server.

Fields:

  • client_id The client identifier issued to the client during the

    registration process as described in RFC6749 Section 2.2

  • user ref to a Django user

  • redirect_uris The list of allowed redirect uri. The string

    consists of valid URLs separated by space

  • post_logout_redirect_uris The list of allowed redirect uris after

    an RP initiated logout. The string consists of valid URLs separated by space

  • client_type Client type as described in RFC6749 Section 2.1

  • authorization_grant_type Authorization flows available to the

    Application

  • client_secret Confidential secret issued to the client during

    the registration process as described in RFC6749 Section 2.2

  • name Friendly name for the Application

clean()

Hook for doing any extra model-wide validation after clean() has been called on every field by self.clean_fields. Any ValidationError raised by this method will not be associated with a particular field; it will have a special-case association with the field defined by NON_FIELD_ERRORS.

property default_redirect_uri

Returns the default redirect_uri, if only one is registered.

get_allowed_schemes()

Returns the list of redirect schemes allowed by the Application. By default, returns ALLOWED_REDIRECT_URI_SCHEMES.

is_usable(request)

Determines whether the application can be used.

Parameters:

request – The oauthlib.common.Request being processed.

origin_allowed(origin)

Checks if given origin is one of the items in allowed_origins string

Parameters:

origin – Origin to check

post_logout_redirect_uri_allowed(uri)

Checks if given URI is one of the items in post_logout_redirect_uris string

Parameters:

uri – URI to check

redirect_uri_allowed(uri)

Checks if given url is one of the items in redirect_uris string

Parameters:

uri – Url to check

class oauth2_provider.models.AbstractDeviceGrant(*args, **kwargs)
is_expired()

Check device flow session expiration and set the status to “expired” if current time is past the “expires” deadline.

class oauth2_provider.models.AbstractGrant(*args, **kwargs)

A Grant instance represents a token with a short lifetime that can be swapped for an access token, as described in RFC6749 Section 4.1.2

Fields:

  • user The Django user who requested the grant

  • code The authorization code generated by the authorization server

  • application Application instance this grant was asked for

  • expires Expire time in seconds, defaults to

    settings.AUTHORIZATION_CODE_EXPIRE_SECONDS

  • redirect_uri Self explained

  • scope Required scopes, optional

  • code_challenge PKCE code challenge

  • code_challenge_method PKCE code challenge transform algorithm

is_expired()

Check token expiration with timezone awareness

class oauth2_provider.models.AbstractIDToken(*args, **kwargs)

An IDToken instance represents the actual token to access user’s resources, as in :openid:`2`.

Fields:

  • user The Django user representing resources’ owner

  • jti ID token JWT Token ID, to identify an individual token

  • application Application instance

  • expires Date and time of token expiration, in DateTime format

  • scope Allowed scopes

  • created Date and time of token creation, in DateTime format

  • updated Date and time of token update, in DateTime format

allow_scopes(scopes)

Check if the token allows the provided scopes

Parameters:

scopes – An iterable containing the scopes to check

is_expired()

Check token expiration with timezone awareness

is_valid(scopes=None)

Checks if the access token is valid.

Parameters:

scopes – An iterable containing the scopes to check or None

revoke()

Convenience method to uniform tokens’ interface, for now simply remove this token from the database in order to revoke it.

property scopes

Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)

class oauth2_provider.models.AbstractRefreshToken(*args, **kwargs)

A RefreshToken instance represents a token that can be swapped for a new access token when it expires.

Fields:

  • user The Django user representing resources” owner

  • token Token value

  • application Application instance

  • access_token AccessToken instance this refresh token is

    bounded to

  • revoked Timestamp of when this refresh token was revoked

revoke()

Mark this refresh token revoked and revoke related access token

class oauth2_provider.models.AccessToken(id, user, source_refresh_token, token, token_checksum, id_token, application, expires, scope, created, updated)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.Application(id, client_id, user, redirect_uris, post_logout_redirect_uris, client_type, authorization_grant_type, client_secret, hash_client_secret, name, skip_authorization, created, updated, algorithm, allowed_origins)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.ClientSecretField(*args, db_collation=None, **kwargs)
pre_save(model_instance, add)

Return field’s value just before saving.

class oauth2_provider.models.DeviceCodeResponse(verification_uri: str, expires_in: int, user_code: int, device_code: str, interval: int, verification_uri_complete: str | Callable | NoneType = None)
class oauth2_provider.models.DeviceGrant(id, user, device_code, user_code, scope, interval, expires, status, client_id, last_checked)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.DeviceRequest(client_id: str, scope: str | None = None)
class oauth2_provider.models.Grant(id, user, code, application, expires, redirect_uri, scope, created, updated, code_challenge, code_challenge_method, nonce, claims)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.IDToken(id, user, jti, application, expires, scope, created, updated)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.RefreshToken(id, user, token, application, access_token, token_family, created, updated, revoked)
exception DoesNotExist
exception MultipleObjectsReturned
class oauth2_provider.models.TokenChecksumField(*args, db_collation=None, **kwargs)
pre_save(model_instance, add)

Return field’s value just before saving.

oauth2_provider.models.get_access_token_admin_class()

Return the AccessToken admin class that is active in this project.

oauth2_provider.models.get_access_token_model()

Return the AccessToken model that is active in this project.

oauth2_provider.models.get_application_admin_class()

Return the Application admin class that is active in this project.

oauth2_provider.models.get_application_model()

Return the Application model that is active in this project.

oauth2_provider.models.get_device_grant_model()

Return the DeviceGrant model that is active in this project.

oauth2_provider.models.get_grant_admin_class()

Return the Grant admin class that is active in this project.

oauth2_provider.models.get_grant_model()

Return the Grant model that is active in this project.

oauth2_provider.models.get_id_token_admin_class()

Return the IDToken admin class that is active in this project.

oauth2_provider.models.get_id_token_model()

Return the IDToken model that is active in this project.

oauth2_provider.models.get_refresh_token_admin_class()

Return the RefreshToken admin class that is active in this project.

oauth2_provider.models.get_refresh_token_model()

Return the RefreshToken model that is active in this project.

oauth2_provider.models.is_origin_allowed(origin, allowed_origins)

Checks if a given origin uri is allowed based on the provided allowed_origins configuration.

Parameters:

  • origin – Origin URI to check

  • allowed_origins – A list of Origin URIs that are allowed

oauth2_provider.models.redirect_to_uri_allowed(uri, allowed_uris)

Checks if a given uri can be redirected to based on the provided allowed_uris configuration.

On top of exact matches, this function also handles loopback IPs based on RFC 8252.

Parameters:

  • uri – URI to check

  • allowed_uris – A list of URIs that are allowed