Merge 83eee3b into 80de602

.gitignore

@@ -66,3 +66,6 @@ target/
 examples/*.db
 examples/*.key
 examples/*.crt
+
+# Vscode
+.vscode/

CHANGES.rst

@@ -8,6 +8,15 @@
 Changes
 =======
 
+Version 1.3.0 (released 2020-05-15)
+
+- Introduce `InvenioOAuthClientREST` extension.
+- The module can be used as a full REST OAuth service. For example, from
+  an SPA application. All responses are being handled by redirecting to
+  user's configured endpoints.
+- The new configuration variable `OAUTHCLIENT_REST_REMOTE_APPS` defines the
+  registered applications that are using the REST OAuth workflow.
+
 Version 1.2.1 (released 2020-04-17)
 
 - Fix args from redirect target' encoding

examples/cern_app_rest.py

@@ -0,0 +1,157 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Invenio.
+# Copyright (C) 2015-2018 CERN.
+#
+# Invenio is free software; you can redistribute it and/or modify it
+# under the terms of the MIT License; see LICENSE file for more details.
+
+r"""Minimal Flask application example for development with CERN handler.
+
+SPHINX-START
+
+1. Register a CERN application in
+   `https://sso-management.web.cern.ch/OAuth/RegisterOAuthClient.aspx` with
+   `redirect_uri` as
+   `https://localhost:5000/oauth/authorized/cern/` and filling all the other
+   fields:
+
+
+2. Ensure you have ``gunicorn`` package installed:
+
+   .. code-block:: console
+
+      cdvirtualenv src/invenio-oauthclient
+      pip install -e gunicorn
+
+
+3. Ensure you have ``openssl`` installed in your system (Most of the Linux
+   distributions has it by default.).
+
+
+3. Grab the *client_id* and *secret_uri* after registering the application
+   and add them to your instance configuration as `consumer_key` and
+   `consumer_secret`.
+
+   .. code-block:: console
+
+       $ export CERN_APP_CREDENTIALS_KEY=my_cern_client_id
+       $ export CERN_APP_CREDENTIALS_SECRET=my_cern_secret_uri
+
+4. Create database and tables:
+
+   .. code-block:: console
+
+       $ pip install -e .[all]
+       $ cd examples
+       $ export FLASK_APP=cern_app_rest.py
+       $ ./app-setup.sh
+
+You can find the database in `examples/cern_app.db`.
+
+5. Create the key and the certificate in order to run a HTTPS server:
+
+   .. code-block:: console
+
+       $ openssl genrsa 1024 > ssl.key
+       $ openssl req -new -x509 -nodes -sha1 -key ssl.key > ssl.crt
+
+6. Run gunicorn server:
+
+   .. code-block:: console
+
+       $ gunicorn -b :5000 --certfile=ssl.crt --keyfile=ssl.key cern_app:app
+
+7. Open in a browser the page `https://localhost:5000/cern`.
+
+   You will be redirected to CERN to authorize the application.
+
+   Click on `Grant` and you will be redirected back to
+   `https://localhost:5000/oauth/authorized/cern/`
+
+   Now, you will be again in homepage but this time it say:
+   `hello youremail@cern.ch`.
+
+   You have completed the user authorization.
+
+8. To be able to uninstall the example app:
+
+   .. code-block:: console
+
+       $ ./app-teardown.sh
+
+SPHINX-END
+
+"""
+
+from __future__ import absolute_import, print_function
+
+import os
+
+from flask import Flask, redirect, url_for
+from flask_babelex import Babel
+from flask_login import current_user
+from flask_menu import Menu as FlaskMenu
+from invenio_accounts import InvenioAccounts
+from invenio_accounts.views import blueprint as blueprint_user
+from invenio_db import InvenioDB
+
+from invenio_oauthclient import InvenioOAuthClientREST
+from invenio_oauthclient.contrib import cern
+from invenio_oauthclient.views.client import rest_blueprint as blueprint_client
+
+from invenio_oauthclient._compat import monkey_patch_werkzeug  # noqa isort:skip
+monkey_patch_werkzeug()  # noqa isort:skip
+
+from flask_oauthlib.client import OAuth as FlaskOAuth  # noqa isort:skip
+
+# [ Configure application credentials ]
+CERN_APP_CREDENTIALS = dict(
+    consumer_key=os.environ.get('CERN_APP_CREDENTIALS_KEY'),
+    consumer_secret=os.environ.get('CERN_APP_CREDENTIALS_SECRET'),
+)
+
+# Create Flask application
+app = Flask(__name__)
+
+app.config.update(
+    SQLALCHEMY_DATABASE_URI=os.environ.get(
+        'SQLALCHEMY_DATABASE_URI', 'sqlite:///cern_app_rest.db'
+    ),
+    OAUTHCLIENT_REST_REMOTE_APPS=dict(
+        cern=cern.REMOTE_REST_APP
+    ),
+    CERN_APP_CREDENTIALS=CERN_APP_CREDENTIALS,
+    DEBUG=True,
+    SECRET_KEY='TEST',
+    SECURITY_PASSWORD_SALT='security-password-salt',
+    SECURITY_SEND_REGISTER_EMAIL=False,
+    SQLALCHEMY_TRACK_MODIFICATIONS=False,
+)
+
+Babel(app)
+FlaskMenu(app)
+InvenioDB(app)
+InvenioAccounts(app)
+FlaskOAuth(app)
+InvenioOAuthClientREST(app)
+
+app.register_blueprint(blueprint_user)
+app.register_blueprint(blueprint_client)
+principal = app.extensions['security'].principal
+
+
+@app.route('/')
+def index():
+    """Homepage."""
+    return 'Home page (without any restrictions)'
+
+
+@app.route('/cern')
+def cern():
+    """Home page: try to print user email or redirect to login with cern."""
+    if not current_user.is_authenticated:
+        return redirect(url_for('invenio_oauthclient.rest_login',
+                                remote_app='cern'))
+
+    return 'hello {}'.format(current_user.email)

examples/github_app_rest.py

@@ -0,0 +1,151 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of Invenio.
+# Copyright (C) 2015-2018 CERN.
+#
+# Invenio is free software; you can redistribute it and/or modify it
+# under the terms of the MIT License; see LICENSE file for more details.
+
+r"""Minimal Flask application example for development with github handler.
+
+SPHINX-START
+
+1. Register a github application with `Authorization callback URL` as
+   `http://localhost:5000/oauth/authorized/github/`
+
+2. Ensure you have ``github3.py`` package installed:
+
+   .. code-block:: console
+
+       $ cdvirtualenv src/invenio-oauthclient
+       $ pip install -e .[github]
+
+3. Grab the *Client ID* and *Client Secret* after registering the application
+   and add them to your instance configuration as `consumer_key` and
+   `consumer_secret`.
+
+   .. code-block:: console
+
+       $ export GITHUB_APP_CREDENTIALS_KEY=my_github_client_id
+       $ export GITHUB_APP_CREDENTIALS_SECRET=my_github_client_secret
+
+4. Create database and tables:
+
+   .. code-block:: console
+
+       $ pip install -e .[all]
+       $ cd examples
+       $ export FLASK_APP=github_app_rest.py
+       $ ./app-setup.sh
+
+You can find the database in `examples/github_app.db`.
+
+5. Run the development server:
+
+   .. code-block:: console
+
+       $ flask run -p 5000 -h '0.0.0.0'
+
+6. Open in a browser the page `http://0.0.0.0:5000/github`.
+
+   You will be redirected to github to authorize the application.
+
+   Click on `Authorize application` and you will be redirected back to
+   `http://localhost:5000/oauth/signup/github/`, where you will be able to
+   finalize the local user registration, inserting email address.
+
+   Insert e.g. `fuu@bar.it` as email address and send the form.
+
+   Now, you will be again in homepage but this time it say: `hello fuu@bar.it`.
+
+   You have completed the user registration.
+
+7. To be able to uninstall the example app:
+
+   .. code-block:: console
+
+       $ ./app-teardown.sh
+
+SPHINX-END
+
+"""
+
+from __future__ import absolute_import, print_function
+
+import os
+
+from flask import Flask, redirect, url_for
+from flask_babelex import Babel
+from flask_login import current_user
+from flask_menu import Menu as FlaskMenu
+from invenio_accounts import InvenioAccounts
+from invenio_accounts.views import blueprint as blueprint_user
+from invenio_db import InvenioDB
+from invenio_mail import InvenioMail
+from invenio_userprofiles import InvenioUserProfiles
+from invenio_userprofiles.views import \
+    blueprint_ui_init as blueprint_userprofile_init
+
+from invenio_oauthclient import InvenioOAuthClientREST
+from invenio_oauthclient.contrib import github
+from invenio_oauthclient.views.client import rest_blueprint as blueprint_client
+
+from invenio_oauthclient._compat import monkey_patch_werkzeug  # noqa isort:skip
+monkey_patch_werkzeug()  # noqa isort:skip
+
+from flask_oauthlib.client import OAuth as FlaskOAuth  # noqa isort:skip
+
+# [ Configure application credentials ]
+GITHUB_APP_CREDENTIALS = dict(
+    consumer_key=os.environ.get('GITHUB_APP_CREDENTIALS_KEY'),
+    consumer_secret=os.environ.get('GITHUB_APP_CREDENTIALS_SECRET'),
+)
+
+# Create Flask application
+app = Flask(__name__)
+
+app.config.update(
+    SQLALCHEMY_DATABASE_URI=os.environ.get(
+        'SQLALCHEMY_DATABASE_URI', 'sqlite:///github_app_rest.db'
+    ),
+    OAUTHCLIENT_REST_REMOTE_APPS=dict(
+        github=github.REMOTE_REST_APP,
+    ),
+    GITHUB_APP_CREDENTIALS=GITHUB_APP_CREDENTIALS,
+    DEBUG=True,
+    SECRET_KEY='TEST',
+    SQLALCHEMY_ECHO=False,
+    SECURITY_PASSWORD_SALT='security-password-salt',
+    MAIL_SUPPRESS_SEND=True,
+    TESTING=True,
+    USERPROFILES_EXTEND_SECURITY_FORMS=True,
+    SQLALCHEMY_TRACK_MODIFICATIONS=False,
+)
+
+Babel(app)
+FlaskMenu(app)
+InvenioDB(app)
+InvenioAccounts(app)
+InvenioUserProfiles(app)
+FlaskOAuth(app)
+InvenioOAuthClientREST(app)
+InvenioMail(app)
+
+app.register_blueprint(blueprint_user)
+app.register_blueprint(blueprint_client)
+app.register_blueprint(blueprint_userprofile_init)
+
+
+@app.route('/')
+def index():
+    """Homepage."""
+    return 'Home page (without any restrictions)'
+
+
+@app.route('/github')
+def github():
+    """Try to print user email or redirect to login with github."""
+    if not current_user.is_authenticated:
+        return redirect(url_for('invenio_oauthclient.rest_login',
+                                remote_app='github'))
+    return 'hello {}'.format(current_user.email)