Rework client authentication in SkeletonValidator for clarity #716

Merged
merged 3 commits into from
Apr 22, 2020

Conversation

braedon
Contributor

@braedon braedon commented Jan 21, 2020

SkeletonValidator was seemingly written to not support public clients at
all. Its authenticate_client_id() explicitly returned `False`, rather than
`pass`-ing like the other methods, and client_authentication_required()
was missing entirely (the default implementation always returns `True`).

This opinionated approach is confusing, especially when writing an
implementation that allows public clients.

The comment on the authenticate_client_id() method is particularly
confusing. Unlike the comments on other methods, which explain the method,
it explains the implementation (returning `False`). As a result, it appears
to say the method should return `False` for public clients, when it should
actually return `False` for confidential clients (and `True` for valid
public clients).

To reduce this confusion, include a client_authentication_required() stub,
`pass` rather than returning `False` in authenticate_client_id(), and
update its comment to describe the method.
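To make the division of labour between the three hooks concrete, here is an added example that is not part of this PR or of oauthlib's own code. `InMemoryValidator`, `Client`, `TokenRequest` and `authenticate_token_request` are names assumed for the example; the dispatch in `authenticate_token_request` mirrors the check oauthlib's grant types perform, where `client_authentication_required()` decides whether `authenticate_client()` (credential check for confidential clients) or `authenticate_client_id()` (identity-only check, which must return `False` for confidential clients and `True` only for valid public clients) is consulted.

```python
"""Added example (not oauthlib's own code): minimal RequestValidator-style
hooks for confidential and public clients, plus the dispatch logic the
token endpoint applies to them."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRequest:
    """Stand-in for oauthlib.common.Request (constructed for this example)."""
    client_id: Optional[str] = None
    client_secret: Optional[str] = None
    client: object = None  # the validator attaches the authenticated client here


@dataclass
class Client:
    """Registered client record (hypothetical registry entry)."""
    client_id: str
    is_confidential: bool
    secret: Optional[str] = None


class InMemoryValidator:
    """Hypothetical validator backed by an in-memory client registry."""

    def __init__(self, clients):
        self._clients = {c.client_id: c for c in clients}

    def client_authentication_required(self, request, *args, **kwargs):
        # Unknown client ids take the "authentication required" path so they
        # fail in authenticate_client() rather than being treated as public.
        client = self._clients.get(request.client_id)
        return client is None or client.is_confidential

    def authenticate_client(self, request, *args, **kwargs):
        # Confidential clients must present a secret; compare in constant time.
        client = self._clients.get(request.client_id)
        if client is None or client.secret is None or request.client_secret is None:
            return False
        if not hmac.compare_digest(client.secret.encode(), request.client_secret.encode()):
            return False
        request.client = client
        return True

    def authenticate_client_id(self, client_id, request, *args, **kwargs):
        # Identity-only check: succeeds for registered *public* clients and
        # must return False for confidential clients (they need a secret).
        client = self._clients.get(client_id)
        if client is None or client.is_confidential:
            return False
        request.client = client
        return True


def authenticate_token_request(validator, request):
    """Mirror of the client check oauthlib grant types run on token requests."""
    if validator.client_authentication_required(request):
        return validator.authenticate_client(request)
    return validator.authenticate_client_id(request.client_id, request)


if __name__ == "__main__":
    # Constructed sample registry: one confidential client, one public client.
    validator = InMemoryValidator([
        Client("web-app", is_confidential=True, secret="s3cret"),
        Client("spa", is_confidential=False),
    ])
    print(authenticate_token_request(validator, TokenRequest("web-app", "s3cret")))  # True
    print(authenticate_token_request(validator, TokenRequest("web-app")))            # False
    print(authenticate_token_request(validator, TokenRequest("spa")))                # True
```

The point the PR makes shows up in `authenticate_client_id()`: it is reached only when `client_authentication_required()` says no credentials are needed, so returning `False` there unconditionally (as the old skeleton did) silently disables public clients, while returning `False` only for confidential or unknown clients keeps a confidential client from bypassing its secret check by omitting it.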
@JonathanHuot JonathanHuot added this to the 3.1.1 milestone Apr 22, 2020
@JonathanHuot JonathanHuot merged commit 82544c2 into oauthlib:master Apr 22, 2020
@braedon braedon deleted the improve-validator-skeleton branch April 22, 2020 14:12