Unique Access Tokens¶
This page explains the concepts of unique access tokens and how to enable this feature.
What are unique access tokens?¶
When the use of unique access tokens is enabled the Provider will respond with an existing access token to subsequent requests of a client instead of issuing a new token on each request.
An existing access token will be returned if the following conditions are met:
- The access token has been issued for the requesting client
- The access token has been issued for the same user as in the current request
- The requested scope is the same as in the existing access token
- The requested type is the same as in the existing access token
Note
Unique access tokens are currently supported by
oauth2.grant.AuthorizationCodeGrant
and
oauth2.grant.ResourceOwnerGrant
.
Preconditions¶
As stated in the previous section, a unique access token is bound not only to a
client but also to a user. To make this work the Provider needs some kind of
identifier that is unique for each user (typically the ID of a user in the
database). The identifier is stored along with all the other information of an
access token. It has to be returned as the second item of a tuple by your
implementation of oauth2.web.AuthenticatingSiteAdapter.authenticate
:
class MySiteAdapter(SiteAdapter):
def authenticate(self, request, environ, scopes):
// Your logic here
return None, user["id"]
Enabling the feature¶
Unique access tokens are turned off by default. They can be turned on for each grant individually:
auth_code_grant = oauth2.grant.AuthorizationCodeGrant(unique_token=True)
provider = oauth2.Provider() // Parameters omitted for readability
provider.add_grant(auth_code_grant)
or you can enable them for all grants that support this feature after
initialization of oauth2.Provider
:
provider = oauth2.Provider() // Parameters omitted for readability
provider.enable_unique_tokens()
Note
If you enable the feature but forgot to make
oauth2.web.AuthenticatingSiteAdapter.authenticate
return a user
identifier, the Provider will respond with an error to requests for a
token.