From 89cf685d0299744fe3be6d7c0fa8429b945a4d67 Mon Sep 17 00:00:00 2001
From: Braedon Vickers
Date: Tue, 21 Jan 2020 19:45:29 +0800
Subject: [PATCH] Rework client authentication in SkeletonValidator for clarity
SkeletonValidator was seemingly written to not support public clients at all. Its authenticate_client_id() explicitly returned `False`, rather than `pass`-ing like the other methods, and client_authentication_required() was missing entirely (the default implementation always returns `True`). This opinionated approach is confusing, especially when writing an implementation that allows public clients. The comment on the authenticate_client_id() method is particularly confusing. Unlike the comments on other methods, which explain the method, it explains the implementation (returning `False`). As a result, it appears to say the method should return `False` for public clients, when it should actually return `False` for confidential clients (and `True` for valid public clients). To reduce this confusion, include a client_authentication_required() stub, `pass` rather than returning `False` in authenticate_client_id(), and update its comment to describe the method.
---
 examples/skeleton_oauth2_web_application_server.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/examples/skeleton_oauth2_web_application_server.py b/examples/skeleton_oauth2_web_application_server.py
index 9a303735..91859fc3 100644
--- a/examples/skeleton_oauth2_web_application_server.py
+++ b/examples/skeleton_oauth2_web_application_server.py
@@ -54,13 +54,18 @@ def save_authorization_code(self, client_id, code, request, *args, **kwargs):
 # Token request
+ def client_authentication_required(self, request, *args, **kwargs):
+ # Check if the client provided authentication information that needs to
+ # be validated, e.g. HTTP Basic auth
+ pass
+
 def authenticate_client(self, request, *args, **kwargs):
 # Whichever authentication method suits you, HTTP Basic might work
 pass
 def authenticate_client_id(self, client_id, request, *args, **kwargs):
- # Don't allow public (non-authenticated) clients
- return False
+ # The client_id must match an existing public (non-confidential) client
+ pass
 def validate_code(self, client_id, code, client, request, *args, **kwargs):
 # Validate the code belongs to the client. Add associated scopes
pFad - Phonifier reborn
