Owner and client are different things. :)

go_auth/bouncer.py

@@ -20,9 +20,11 @@
         # this is the service that needs authentication
         auth_request /auth/;
         auth_request_set $owner_id $upstream_http_x_owner_id;
+        auth_request_set $client_id $upstream_http_x_client_id;
         auth_request_set $scopes $upstream_http_x_scopes;
         proxy_pass http://localhost:8888/;
         proxy_set_header X-Owner-ID $owner_id;
+        proxy_set_header X-Client-ID $client_id;
         proxy_set_header X-Scopes $scopes;
     }
 
@@ -67,17 +69,20 @@ def check_oauth(self):
             self.raise_authorization_required("OAuth2 required.")
         if not valid:
             self.raise_denied("Auth failed.")
+        if not request.owner_id:
+            self.raise_denied("Invalid owner id.")
         if not request.client_id:
-            self.raise_denied("Invalid client id.")
+            self.raised_denied("Invalid client id.")
         if not request.scopes:
             self.raise_denied("Invalid scopes.")
-        return (request.client_id, request.scopes)
+        return (request.owner_id, request.client_id, request.scopes)
 
     def get(self, *args, **kw):
-        client_id, scopes = self.check_oauth()
-        self.set_header("X-Owner-ID", client_id)
+        owner_id, client_id,  scopes = self.check_oauth()
+        self.set_header("X-Owner-ID", owner_id)
+        self.set_header("X-Client-ID", client_id)
         self.set_header("X-Scopes", " ".join(scopes))
-        self.write("Authenticated as %r with scopes: %r.\n"
+        self.write("Authenticated client %r with scopes: %r.\n"
                    % (client_id, scopes))
 
 

go_auth/tests/test_bouncer.py

@@ -27,6 +27,7 @@ def mk_api(self):
         configfile = self.mk_config({
             "auth_store": {
                 "access-1": {
+                    "owner_id": "owner-1",
                     "client_id": "client-1",
                     "scopes": ["scope-a", "scope-b"],
                 },
@@ -46,18 +47,20 @@ def check_body(self, resp, body):
     def check_authorized(self, resp):
         self.assertEqual(resp.code, 200)
         self.assert_headers(resp, {
-            "X-Owner-ID": ["client-1"],
+            "X-Owner-ID": ["owner-1"],
+            "X-Client-ID": ["client-1"],
             "X-Scopes": ["scope-a scope-b"],
         })
         yield self.check_body(resp, (
-            "Authenticated as 'client-1' with scopes:"
+            "Authenticated client 'client-1' with scopes:"
             " ['scope-a', 'scope-b'].\n"))
 
     @inlineCallbacks
     def check_unauthorized(self, resp):
         self.assertEqual(resp.code, 401)
         self.assert_headers(resp, {
             "X-Owner-ID": None,
+            "X-Client-ID": None,
             "X-Scopes": None,
         })
         yield self.check_body(resp, (
@@ -69,6 +72,7 @@ def check_forbidden(self, resp):
         self.assertEqual(resp.code, 403)
         self.assert_headers(resp, {
             "X-Owner-ID": None,
+            "X-Client-ID": None,
             "X-Scopes": None,
         })
         yield self.check_body(resp, (

go_auth/tests/test_validator.py

@@ -25,15 +25,16 @@ def setUp(self):
         self.auth = static_web_authenticator(self.auth_store)
         self.validator = self.auth.request_validator
 
-    def mk_cred(self, client_id="client-1", access_token=None,
-                scopes=("scope-a", "scope-b")):
+    def mk_cred(self, owner_id="owner-1", client_id="client-1",
+                access_token=None, scopes=("scope-a", "scope-b")):
         if access_token is None:
             access_token = generate_token()
         self.auth_store[access_token] = {
+            "owner_id": owner_id,
             "client_id": client_id,
             "scopes": list(scopes),
         }
-        return client_id, access_token
+        return owner_id, client_id, access_token
 
     def mk_request(self, client_id):
         return Request("http://example.com/?client_id=%s" % (client_id,))
@@ -42,17 +43,18 @@ def test_subclasses_request_validator(self):
         self.assertTrue(isinstance(self.validator, RequestValidator))
 
     def test_valid_credentials_in_query(self):
-        client_id, access_token = self.mk_cred()
+        owner_id, client_id, access_token = self.mk_cred()
         uri = "http://example.com/?access_token=%s" % access_token
         valid, request = self.auth.verify_request(
             uri, http_method="GET", headers={}, scopes=None)
         self.assertEqual(valid, True)
         self.assertEqual(request.token, access_token)
+        self.assertEqual(request.owner_id, owner_id)
         self.assertEqual(request.client_id, client_id)
         self.assertEqual(request.scopes, ["scope-a", "scope-b"])
 
     def test_valid_credentials_in_headers(self):
-        client_id, access_token = self.mk_cred()
+        owner_id, client_id, access_token = self.mk_cred()
         uri = "http://example.com/"
         headers = {
             "Authorization": "Bearer %s" % (access_token,),
@@ -61,5 +63,6 @@ def test_valid_credentials_in_headers(self):
             uri, http_method="GET", headers=headers, scopes=None)
         self.assertEqual(valid, True)
         self.assertEqual(request.token, access_token)
+        self.assertEqual(request.owner_id, owner_id)
         self.assertEqual(request.client_id, client_id)
         self.assertEqual(request.scopes, ["scope-a", "scope-b"])

go_auth/validator.py

@@ -17,6 +17,7 @@ class StaticAuthValidator(RequestValidator):
 
        {
            "ac3sst0k3n": {
+               "owner_id": "0wn3r1d",
                "client_id": "cl13nt51d",
                "scopes": ["scope1", "scope2"],
            },
@@ -35,6 +36,7 @@ def validate_bearer_token(self, token, scopes, request):
         creds = self.auth_store.get(token)
         if creds is None:
             return False
+        request.owner_id = creds["owner_id"]
         request.client_id = creds["client_id"]
         request.scopes = creds["scopes"]
         return True