c2cgeoportal-geoportal 2.6.0__py2.py3-none-any.whl → 2.7.1.156__py2.py3-none-any.whl

c2cgeoportal_geoportal/lib/oauth2.py

@@ -1,6 +1,4 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2021, Camptocamp SA
+# Copyright (c) 2021-2024, Camptocamp SA
 # All rights reserved.
 
 # Redistribution and use in source and binary forms, with or without
@@ -31,18 +29,22 @@ import logging
 from datetime import datetime, timedelta
 from typing import Any, Dict, List, Union
 
+import basicauth
 import oauthlib.common
 import oauthlib.oauth2
 import pyramid.threadlocal
 
+import c2cgeoportal_commons  # pylint: disable=unused-import
 from c2cgeoportal_geoportal.lib.caching import get_region
 
 LOG = logging.getLogger(__name__)
 OBJECT_CACHE_REGION = get_region("obj")
 
 
-class RequestValidator(oauthlib.oauth2.RequestValidator):
-    def __init__(self, authorization_expires_in):
+class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
+    """The oauth2 request validator implementation."""
+
+    def __init__(self, authorization_expires_in: int) -> None:
         # in minutes
         self.authorization_expires_in = authorization_expires_in
 
@@ -63,8 +65,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         both body and query can be obtained by direct attribute access, i.e.
         request.client_id for client_id in the URL query.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Arguments:
+
+            request: oauthlib.common.Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant
@@ -72,23 +77,13 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Client Credentials Grant
             - Refresh Token Grant
 
-        .. _`HTTP Basic Authentication Scheme`: http://tools.ietf.org/html/rfc1945#section-11.1
+        .. _`HTTP Basic Authentication Scheme`: https://tools.ietf.org/html/rfc1945#section-11.1
         """
         del args, kwargs
 
-        LOG.debug("authenticate_client")
+        LOG.debug("authenticate_client => unimplemented")
 
-        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
-
-        params = dict(request.decoded_body)
-
-        request.client = (
-            DBSession.query(static.OAuth2Client)
-            .filter(static.OAuth2Client.client_id == params["client_id"])
-            .one_or_none()
-        )
-
-        return request.client is not None
+        raise NotImplementedError("Not implemented, the method `authenticate_client_id` should be used.")
 
     def authenticate_client_id(  # pylint: disable=no-self-use,useless-suppression
         self,
@@ -107,9 +102,6 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         to set request.client to the client object associated with the
         given client_id.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
-
         Method is used by:
             - Authorization Code Grant
         """
@@ -121,13 +113,24 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         params = dict(request.decoded_body)
 
+        if "client_secret" in params:
+            client_secret = params["client_secret"]
+        elif "Authorization" in request.headers:
+            username, password = basicauth.decode(request.headers["Authorization"])
+            assert client_id == username
+            client_secret = password
+        else:
+            # Unable to get the client secret
+            return False
+
         request.client = (
             DBSession.query(static.OAuth2Client)
             .filter(static.OAuth2Client.client_id == client_id)
-            .filter(static.OAuth2Client.secret == params["client_secret"])
+            .filter(static.OAuth2Client.secret == client_secret)
             .one_or_none()
         )
 
+        LOG.debug("authenticate_client_id => %s", request.client is not None)
         return request.client is not None
 
     def client_authentication_required(  # pylint: disable=no-self-use,useless-suppression
@@ -150,23 +153,26 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
               client credentials or whenever Client provided client authentication, see
               `Section 6`_
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Arguments:
+
+            request: oauthlib.common.Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant
             - Resource Owner Password Credentials Grant
             - Refresh Token Grant
 
-        .. _`Section 4.3.2`: http://tools.ietf.org/html/rfc6749#section-4.3.2
-        .. _`Section 4.1.3`: http://tools.ietf.org/html/rfc6749#section-4.1.3
-        .. _`Section 6`: http://tools.ietf.org/html/rfc6749#section-6
+        .. _`Section 4.3.2`: https://tools.ietf.org/html/rfc6749#section-4.3.2
+        .. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3
+        .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6
         """
         del request, args, kwargs
 
-        LOG.debug("client_authentication_required")
+        LOG.debug("client_authentication_required => False")
 
-        return True
+        return False
 
     def confirm_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
         self,
@@ -178,8 +184,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         **kwargs: Any,
     ) -> bool:
         """
-        Ensure that the authorization process represented by this authorization
-        code began with this 'redirect_uri'.
+        Ensure that the authorization process is correct.
+
+        Ensure that the authorization process represented by this authorization code began with this
+        ``redirect_uri``.
 
         If the client specifies a redirect_uri when obtaining code then that
         redirect URI must be bound to the code and verified equal in this
@@ -187,12 +195,15 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         the client's allowed redirect URIs, but against the URI used when the
         code was saved.
 
-        :param client_id: Unicode client identifier
-        :param code: Unicode authorization_code.
-        :param redirect_uri: Unicode absolute URI
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            code: Unicode authorization_code.
+            redirect_uri: Unicode absolute URI
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant (during token request)
@@ -212,20 +223,26 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             .filter(static.OAuth2AuthorizationCode.expire_at > datetime.now())
             .one_or_none()
         )
+        LOG.debug("confirm_redirect_uri => %s", authorization_code is not None)
         return authorization_code is not None
 
     def get_code_challenge_method(  # pylint: disable=no-self-use,useless-suppression
         self, code: str, request: oauthlib.common.Request
     ) -> None:
-        """Is called during the "token" request processing, when a
-        ``code_verifier`` and a ``code_challenge`` has been provided.
-        See ``.get_code_challenge``.
-        Must return ``plain`` or ``S256``. You can return a custom value if you have
-        implemented your own ``AuthorizationCodeGrant`` class.
-        :param code: Authorization code.
-        :param request: OAuthlib request.
-        :type request: oauthlib.common.Request
-        :rtype: code_challenge_method string
+        """
+        Is called during the "token" request processing.
+
+        When a ``code_verifier`` and a ``code_challenge`` has
+        been provided. See ``.get_code_challenge``. Must return ``plain`` or ``S256``. You can return a custom
+        value if you have implemented your own ``AuthorizationCodeGrant`` class.
+
+        Arguments:
+
+            code: Authorization code.
+            request: OAuthlib request.
+
+        Returns: code_challenge_method string
+
         Method is used by:
             - Authorization Code Grant - when PKCE is active
         """
@@ -245,9 +262,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the default redirect URI for the client.
 
-        :param client_id: Unicode client identifier
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: The default redirect URI for the client
+        Arguments:
+
+            client_id: Unicode client identifier
+            request: The HTTP Request
+
+        Returns: The default redirect URI for the client
 
         Method is used by:
             - Authorization Code Grant
@@ -269,9 +289,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the default scopes for the client.
 
-        :param client_id: Unicode client identifier
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: List of default scopes
+        Arguments:
+
+            client_id: Unicode client identifier
+            request: The HTTP Request
+
+        Returns: List of default scopes
 
         Method is used by all core grant types:
             - Authorization Code Grant
@@ -295,9 +318,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the list of scopes associated with the refresh token.
 
-        :param refresh_token: Unicode refresh token
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: List of scopes.
+        Arguments:
+
+            refresh_token: Unicode refresh token
+            request: The HTTP Request
+
+        Returns: List of scopes.
 
         Method is used by:
             - Refresh token grant
@@ -316,11 +342,13 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         *args: Any,
         **kwargs: Any,
     ) -> None:
-        """Introspect an access or refresh token.
-        Called once the introspect request is validated. This method should
-        verify the *token* and either return a dictionary with the list of
-        claims associated, or `None` in case the token is unknown.
-        Below the list of registered claims you should be interested in:
+        """
+        Introspect an access or refresh token.
+
+        Called once the introspect request is validated. This method
+        should verify the *token* and either return a dictionary with the list of claims associated, or `None`
+        in case the token is unknown. Below the list of registered claims you should be interested in:
+
         - scope : space-separated list of scopes
         - client_id : client identifier
         - username : human-readable identifier for the resource owner
@@ -337,12 +365,16 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         The implementation can use *token_type_hint* to improve lookup
         efficiency, but must fallback to other types to be compliant with RFC.
         The dict of claims is added to request.token after this method.
-        :param token: The token string.
-        :param token_type_hint: access_token or refresh_token.
-        :param request: OAuthlib request.
-        :type request: oauthlib.common.Request
+
+        Arguments:
+
+            token: The token string.
+            token_type_hint: access_token or refresh_token.
+            request: OAuthlib request.
+
         Method is used by:
             - Introspect Endpoint (all grants are compatible)
+
         .. _`Introspect Claims`: https://tools.ietf.org/html/rfc7662#section-2.2
         .. _`JWT Claims`: https://tools.ietf.org/html/rfc7519#section-4
         """
@@ -363,9 +395,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Invalidate an authorization code after use.
 
-        :param client_id: Unicode client identifier
-        :param code: The authorization code grant (request.code).
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Arguments:
+
+            client_id: Unicode client identifier
+            code: The authorization code grant (request.code).
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -404,10 +438,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         used in situations where returning all valid scopes from the
         get_original_scopes is not practical.
 
-        :param request_scopes: A list of scopes that were requested by client
-        :param refresh_token: Unicode refresh_token
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            request_scopes: A list of scopes that were requested by client
+            refresh_token: Unicode refresh_token
+            request: The HTTP Request
 
         Method is used by:
             - Refresh token grant
@@ -429,9 +464,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Revoke an access or refresh token.
 
-        :param token: The token string.
-        :param token_type_hint: access_token or refresh_token.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Arguments:
+
+            token: The token string.
+            token_type_hint: access_token or refresh_token.
+            request: The HTTP Request
 
         Method is used by:
             - Revocation Endpoint
@@ -452,8 +489,9 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         or replaced with a new one (rotated). Return True to rotate and
         and False for keeping original.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Arguments:
+
+            request: oauthlib.common.Request
 
         Method is used by:
             - Refresh Token Grant
@@ -491,9 +529,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         chose to send one.  That value should be saved and used in
         'validate_code'.
 
-        :param client_id: Unicode client identifier
-        :param code: A dict of the authorization code grant and, optionally, state.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Arguments:
+
+            client_id: Unicode client identifier
+            code: A dict of the authorization code grant and, optionally, state.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -559,10 +599,13 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         Note that while "scope" is a string-separated list of authorized scopes,
         the original list is still available in request.scopes
 
-        :param client_id: Unicode client identifier
-        :param token: A Bearer token dict
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: The default redirect URI for the client
+        Arguments:
+
+            client_id: Unicode client identifier
+            token: A Bearer token dict
+            request: The HTTP Request
+
+        Returns: The default redirect URI for the client
 
         Method is used by all core grant types issuing Bearer tokens:
             - Authorization Code Grant
@@ -607,9 +650,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure the Bearer token is valid and authorized access to scopes.
 
-        :param token: A string of random characters.
-        :param scopes: A list of scopes associated with the protected resource.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Arguments:
+
+            token: A string of random characters.
+            scopes: A list of scopes associated with the protected resource.
+            request: The HTTP Request
 
         A key to OAuth 2 security and restricting impact of leaked tokens is
         the short expiration time of tokens, *always ensure the token has not
@@ -641,10 +686,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         one provided for django these attributes will be made available
         in all protected views as keyword arguments.
 
-        :param token: Unicode Bearer token
-        :param scopes: List of scopes (defined by you)
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            token: Unicode Bearer token
+            scopes: List of scopes (defined by you)
+            request: The HTTP Request
 
         Method is indirectly used by all core Bearer token issuing grant types:
             - Authorization Code Grant
@@ -666,6 +712,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         if bearer_token is not None:
             request.user = bearer_token.user
 
+        LOG.debug("validate_bearer_token => %s", bearer_token is not None)
         return bearer_token is not None
 
     def validate_client_id(  # pylint: disable=no-self-use,useless-suppression
@@ -682,8 +729,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         to set request.client to the client object associated with the
         given client_id.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            request: oauthlib.common.Request
 
         Method is used by:
             - Authorization Code Grant
@@ -714,8 +763,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         **kwargs: Any,
     ) -> bool:
         """
-        Verify that the authorization_code is valid and assigned to the given
-        client.
+        Verify that the authorization_code is valid and assigned to the given client.
 
         Before returning true, set the following based on the information stored
         with the code in 'save_authorization_code':
@@ -727,11 +775,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         associated with this authorization code. Similarly request.scopes
         must also be set.
 
-        :param client_id: Unicode client identifier
-        :param code: Unicode authorization code
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            code: Unicode authorization code
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -752,13 +801,14 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         )
         if authorization_code is not None:
             request.user = authorization_code.user
+        LOG.debug("validate_code => %s", authorization_code is not None)
         return authorization_code is not None
 
     def validate_grant_type(  # pylint: disable=no-self-use,useless-suppression
         self,
         client_id: str,
         grant_type: str,
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -766,11 +816,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure client is authorized to use the grant_type requested.
 
-        :param client_id: Unicode client identifier
-        :param grant_type: Unicode grant type, i.e. authorization_code, password.
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            grant_type: Unicode grant type, i.e. authorization_code, password.
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -778,9 +829,14 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Client Credentials Grant
             - Refresh Token Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
-        LOG.debug("validate_grant_type %s %s", client_id, grant_type)
+        LOG.debug(
+            "validate_grant_type %s %s => %s",
+            client_id,
+            grant_type,
+            grant_type in ("authorization_code", "refresh_token"),
+        )
 
         return grant_type in ("authorization_code", "refresh_token")
 
@@ -798,10 +854,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         All clients should register the absolute URIs of all URIs they intend
         to redirect to. The registration is outside of the scope of oauthlib.
 
-        :param client_id: Unicode client identifier
-        :param redirect_uri: Unicode absolute URI
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            redirect_uri: Unicode absolute URI
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -836,10 +893,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         OBS! The request.user attribute should be set to the resource owner
         associated with this refresh token.
 
-        :param refresh_token: Unicode refresh token
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            refresh_token: Unicode refresh token
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant (indirectly by issuing refresh tokens)
@@ -856,7 +914,6 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             DBSession.query(static.OAuth2BearerToken)
             .filter(static.OAuth2BearerToken.refresh_token == refresh_token)
             .filter(static.OAuth2BearerToken.client_id == request.client.id)
-            .filter(static.OAuth2BearerToken.expire_at > datetime.now())
             .one_or_none()
         )
 
@@ -869,7 +926,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         self,
         client_id: str,
         response_type: str,
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -877,17 +934,18 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure client is authorized to use the response_type requested.
 
-        :param client_id: Unicode client identifier
-        :param response_type: Unicode response type, i.e. code, token.
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            response_type: Unicode response type, i.e. code, token.
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
             - Implicit Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
         LOG.debug("validate_response_type %s %s", client_id, response_type)
 
@@ -897,7 +955,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         self,
         client_id: str,
         scopes: List[str],
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -905,11 +963,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure the client is authorized access to requested scopes.
 
-        :param client_id: Unicode client identifier
-        :param scopes: List of scopes (defined by you)
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            client_id: Unicode client identifier
+            scopes: List of scopes (defined by you)
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by all core grant types:
             - Authorization Code Grant
@@ -917,7 +976,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Resource Owner Password Credentials Grant
             - Client Credentials Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
         LOG.debug("validate_scopes %s %s", client_id, scopes)
 
@@ -925,8 +984,8 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
     def validate_user(  # pylint: disable=no-self-use,useless-suppression
         self,
-        username,
-        password,
+        username: str,
+        password: str,
         client: "c2cgeoportal_commons.models.static.OAuth2Client",  # noqa: F821
         request: oauthlib.common.Request,
         *args: Any,
@@ -940,11 +999,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         not set you will be unable to associate a token with a user in the
         persistence method used (commonly, save_bearer_token).
 
-        :param username: Unicode username
-        :param password: Unicode password
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Arguments:
+
+            username: Unicode username
+            password: Unicode password
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Resource Owner Password Credentials Grant
@@ -956,12 +1016,21 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         raise NotImplementedError("Not implemented.")
 
 
-@OBJECT_CACHE_REGION.cache_on_arguments()
-def get_oauth_client(settings):
+def get_oauth_client(settings: Dict[str, Any]) -> oauthlib.oauth2.WebApplicationServer:
+    """Get the oauth2 client, with a cache."""
     authentication_settings = settings.get("authentication", {})
+    return _get_oauth_client_cache(
+        authentication_settings.get("oauth2_authorization_expire_minutes", 10),
+        authentication_settings.get("oauth2_token_expire_minutes", 60),
+    )
+
+
+@OBJECT_CACHE_REGION.cache_on_arguments()  # type: ignore
+def _get_oauth_client_cache(
+    authorization_expire_minutes: int, token_expire_minutes: int
+) -> oauthlib.oauth2.WebApplicationServer:
+    """Get the oauth2 client, with a cache."""
     return oauthlib.oauth2.WebApplicationServer(
-        RequestValidator(
-            authorization_expires_in=authentication_settings.get("oauth2_authorization_expire_minutes", 10)
-        ),
-        token_expires_in=authentication_settings.get("oauth2_token_expire_minutes", 60) * 60,
+        RequestValidator(authorization_expires_in=authorization_expire_minutes),
+        token_expires_in=token_expire_minutes * 60,
     )