c2cgeoportal-geoportal 2.6.0__py2.py3-none-any.whl → 2.8.1.180__py2.py3-none-any.whl

c2cgeoportal_geoportal/lib/oauth2.py

@@ -1,6 +1,4 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2021, Camptocamp SA
+# Copyright (c) 2021-2024, Camptocamp SA
 # All rights reserved.
 
 # Redistribution and use in source and binary forms, with or without
@@ -29,24 +27,29 @@
 
 import logging
 from datetime import datetime, timedelta
-from typing import Any, Dict, List, Union
+from typing import Any, Dict, List, Optional, Union
 
+import basicauth
 import oauthlib.common
 import oauthlib.oauth2
 import pyramid.threadlocal
+from pyramid.httpexceptions import HTTPBadRequest
 
+import c2cgeoportal_commons
 from c2cgeoportal_geoportal.lib.caching import get_region
 
 LOG = logging.getLogger(__name__)
 OBJECT_CACHE_REGION = get_region("obj")
 
 
-class RequestValidator(oauthlib.oauth2.RequestValidator):
-    def __init__(self, authorization_expires_in):
+class RequestValidator(oauthlib.oauth2.RequestValidator):  # type: ignore
+    """The oauth2 request validator implementation."""
+
+    def __init__(self, authorization_expires_in: int) -> None:
         # in minutes
         self.authorization_expires_in = authorization_expires_in
 
-    def authenticate_client(  # pylint: disable=no-self-use,useless-suppression
+    def authenticate_client(
         self,
         request: oauthlib.common.Request,
         *args: Any,
@@ -63,8 +66,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         both body and query can be obtained by direct attribute access, i.e.
         request.client_id for client_id in the URL query.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Keyword Arguments:
+
+            request: oauthlib.common.Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant
@@ -72,25 +78,15 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Client Credentials Grant
             - Refresh Token Grant
 
-        .. _`HTTP Basic Authentication Scheme`: http://tools.ietf.org/html/rfc1945#section-11.1
+        .. _`HTTP Basic Authentication Scheme`: https://tools.ietf.org/html/rfc1945#section-11.1
         """
         del args, kwargs
 
-        LOG.debug("authenticate_client")
-
-        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
-
-        params = dict(request.decoded_body)
-
-        request.client = (
-            DBSession.query(static.OAuth2Client)
-            .filter(static.OAuth2Client.client_id == params["client_id"])
-            .one_or_none()
-        )
+        LOG.debug("authenticate_client => unimplemented")
 
-        return request.client is not None
+        raise NotImplementedError("Not implemented, the method `authenticate_client_id` should be used.")
 
-    def authenticate_client_id(  # pylint: disable=no-self-use,useless-suppression
+    def authenticate_client_id(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -107,9 +103,6 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         to set request.client to the client object associated with the
         given client_id.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
-
         Method is used by:
             - Authorization Code Grant
         """
@@ -121,16 +114,27 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         params = dict(request.decoded_body)
 
+        if "client_secret" in params:
+            client_secret = params["client_secret"]
+        elif "Authorization" in request.headers:
+            username, password = basicauth.decode(request.headers["Authorization"])
+            assert client_id == username
+            client_secret = password
+        else:
+            # Unable to get the client secret
+            return False
+
         request.client = (
             DBSession.query(static.OAuth2Client)
             .filter(static.OAuth2Client.client_id == client_id)
-            .filter(static.OAuth2Client.secret == params["client_secret"])
+            .filter(static.OAuth2Client.secret == client_secret)
             .one_or_none()
         )
 
+        LOG.debug("authenticate_client_id => %s", request.client is not None)
         return request.client is not None
 
-    def client_authentication_required(  # pylint: disable=no-self-use,useless-suppression
+    def client_authentication_required(
         self,
         request: oauthlib.common.Request,
         *args: Any,
@@ -150,25 +154,28 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
               client credentials or whenever Client provided client authentication, see
               `Section 6`_
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Keyword Arguments:
+
+            request: oauthlib.common.Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant
             - Resource Owner Password Credentials Grant
             - Refresh Token Grant
 
-        .. _`Section 4.3.2`: http://tools.ietf.org/html/rfc6749#section-4.3.2
-        .. _`Section 4.1.3`: http://tools.ietf.org/html/rfc6749#section-4.1.3
-        .. _`Section 6`: http://tools.ietf.org/html/rfc6749#section-6
+        .. _`Section 4.3.2`: https://tools.ietf.org/html/rfc6749#section-4.3.2
+        .. _`Section 4.1.3`: https://tools.ietf.org/html/rfc6749#section-4.1.3
+        .. _`Section 6`: https://tools.ietf.org/html/rfc6749#section-6
         """
         del request, args, kwargs
 
-        LOG.debug("client_authentication_required")
+        LOG.debug("client_authentication_required => False")
 
-        return True
+        return False
 
-    def confirm_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def confirm_redirect_uri(
         self,
         client_id: str,
         code: str,
@@ -178,8 +185,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         **kwargs: Any,
     ) -> bool:
         """
-        Ensure that the authorization process represented by this authorization
-        code began with this 'redirect_uri'.
+        Ensure that the authorization process is correct.
+
+        Ensure that the authorization process represented by this authorization code began with this
+        ``redirect_uri``.
 
         If the client specifies a redirect_uri when obtaining code then that
         redirect URI must be bound to the code and verified equal in this
@@ -187,12 +196,15 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         the client's allowed redirect URIs, but against the URI used when the
         code was saved.
 
-        :param client_id: Unicode client identifier
-        :param code: Unicode authorization_code.
-        :param redirect_uri: Unicode absolute URI
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            code: Unicode authorization_code.
+            redirect_uri: Unicode absolute URI
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
+
+        Returns: True or False
 
         Method is used by:
             - Authorization Code Grant (during token request)
@@ -212,30 +224,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             .filter(static.OAuth2AuthorizationCode.expire_at > datetime.now())
             .one_or_none()
         )
+        LOG.debug("confirm_redirect_uri => %s", authorization_code is not None)
         return authorization_code is not None
 
-    def get_code_challenge_method(  # pylint: disable=no-self-use,useless-suppression
-        self, code: str, request: oauthlib.common.Request
-    ) -> None:
-        """Is called during the "token" request processing, when a
-        ``code_verifier`` and a ``code_challenge`` has been provided.
-        See ``.get_code_challenge``.
-        Must return ``plain`` or ``S256``. You can return a custom value if you have
-        implemented your own ``AuthorizationCodeGrant`` class.
-        :param code: Authorization code.
-        :param request: OAuthlib request.
-        :type request: oauthlib.common.Request
-        :rtype: code_challenge_method string
-        Method is used by:
-            - Authorization Code Grant - when PKCE is active
-        """
-        del code, request
-
-        LOG.debug("get_code_challenge_method")
-
-        raise NotImplementedError("Not implemented.")
-
-    def get_default_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def get_default_redirect_uri(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -245,9 +237,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the default redirect URI for the client.
 
-        :param client_id: Unicode client identifier
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: The default redirect URI for the client
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            request: The HTTP Request
+
+        Returns: The default redirect URI for the client
 
         Method is used by:
             - Authorization Code Grant
@@ -259,7 +254,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         raise NotImplementedError("Not implemented.")
 
-    def get_default_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def get_default_scopes(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -269,9 +264,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the default scopes for the client.
 
-        :param client_id: Unicode client identifier
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: List of default scopes
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            request: The HTTP Request
+
+        Returns: List of default scopes
 
         Method is used by all core grant types:
             - Authorization Code Grant
@@ -285,7 +283,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         return ["geomapfish"]
 
-    def get_original_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def get_original_scopes(
         self,
         refresh_token: str,
         request: oauthlib.common.Request,
@@ -295,9 +293,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Get the list of scopes associated with the refresh token.
 
-        :param refresh_token: Unicode refresh token
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: List of scopes.
+        Keyword Arguments:
+
+            refresh_token: Unicode refresh token
+            request: The HTTP Request
+
+        Returns: List of scopes.
 
         Method is used by:
             - Refresh token grant
@@ -308,7 +309,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         return []
 
-    def introspect_token(  # pylint: disable=no-self-use,useless-suppression
+    def introspect_token(
         self,
         token: str,
         token_type_hint: str,
@@ -316,11 +317,13 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         *args: Any,
         **kwargs: Any,
     ) -> None:
-        """Introspect an access or refresh token.
-        Called once the introspect request is validated. This method should
-        verify the *token* and either return a dictionary with the list of
-        claims associated, or `None` in case the token is unknown.
-        Below the list of registered claims you should be interested in:
+        """
+        Introspect an access or refresh token.
+
+        Called once the introspect request is validated. This method
+        should verify the *token* and either return a dictionary with the list of claims associated, or `None`
+        in case the token is unknown. Below the list of registered claims you should be interested in:
+
         - scope : space-separated list of scopes
         - client_id : client identifier
         - username : human-readable identifier for the resource owner
@@ -337,12 +340,16 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         The implementation can use *token_type_hint* to improve lookup
         efficiency, but must fallback to other types to be compliant with RFC.
         The dict of claims is added to request.token after this method.
-        :param token: The token string.
-        :param token_type_hint: access_token or refresh_token.
-        :param request: OAuthlib request.
-        :type request: oauthlib.common.Request
+
+        Keyword Arguments:
+
+            token: The token string.
+            token_type_hint: access_token or refresh_token.
+            request: OAuthlib request.
+
         Method is used by:
             - Introspect Endpoint (all grants are compatible)
+
         .. _`Introspect Claims`: https://tools.ietf.org/html/rfc7662#section-2.2
         .. _`JWT Claims`: https://tools.ietf.org/html/rfc7519#section-4
         """
@@ -352,7 +359,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         raise NotImplementedError("Not implemented.")
 
-    def invalidate_authorization_code(  # pylint: disable=no-self-use,useless-suppression
+    def invalidate_authorization_code(
         self,
         client_id: str,
         code: str,
@@ -363,9 +370,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Invalidate an authorization code after use.
 
-        :param client_id: Unicode client identifier
-        :param code: The authorization code grant (request.code).
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            code: The authorization code grant (request.code).
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -385,7 +394,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             .one()
         )
 
-    def is_within_original_scope(  # pylint: disable=no-self-use,useless-suppression
+    def is_within_original_scope(
         self,
         request_scopes: List[str],
         refresh_token: str,
@@ -404,10 +413,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         used in situations where returning all valid scopes from the
         get_original_scopes is not practical.
 
-        :param request_scopes: A list of scopes that were requested by client
-        :param refresh_token: Unicode refresh_token
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            request_scopes: A list of scopes that were requested by client
+            refresh_token: Unicode refresh_token
+            request: The HTTP Request
 
         Method is used by:
             - Refresh token grant
@@ -418,7 +428,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         return False
 
-    def revoke_token(  # pylint: disable=no-self-use,useless-suppression
+    def revoke_token(
         self,
         token: str,
         token_type_hint: str,
@@ -429,9 +439,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Revoke an access or refresh token.
 
-        :param token: The token string.
-        :param token_type_hint: access_token or refresh_token.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Keyword Arguments:
+
+            token: The token string.
+            token_type_hint: access_token or refresh_token.
+            request: The HTTP Request
 
         Method is used by:
             - Revocation Endpoint
@@ -442,9 +454,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         raise NotImplementedError("Not implemented.")
 
-    def rotate_refresh_token(  # pylint: disable=no-self-use,useless-suppression
-        self, request: oauthlib.common.Request
-    ) -> bool:
+    def rotate_refresh_token(self, request: oauthlib.common.Request) -> bool:
         """
         Determine whether to rotate the refresh token. Default, yes.
 
@@ -452,8 +462,9 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         or replaced with a new one (rotated). Return True to rotate and
         and False for keeping original.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Keyword Arguments:
+
+            request: oauthlib.common.Request
 
         Method is used by:
             - Refresh Token Grant
@@ -464,7 +475,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         return True
 
-    def save_authorization_code(  # pylint: disable=no-self-use,useless-suppression
+    def save_authorization_code(
         self,
         client_id: str,
         code: Dict[str, str],
@@ -485,18 +496,25 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         The 'code' argument is actually a dictionary, containing at least a
         'code' key with the actual authorization code:
 
-            {'code': 'sdf345jsdf0934f'}
+            {'code': '<secret>'}
 
         It may also have a 'state' key containing a nonce for the client, if it
         chose to send one.  That value should be saved and used in
         'validate_code'.
 
-        :param client_id: Unicode client identifier
-        :param code: A dict of the authorization code grant and, optionally, state.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            code: A dict of the authorization code grant and, optionally, state.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
+
+        To support PKCE, you MUST associate the code with:
+
+            Code Challenge (request.code_challenge) and
+            Code Challenge Method (request.code_challenge_method)
         """
         del args, kwargs
 
@@ -504,7 +522,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
 
-        user = pyramid.threadlocal.get_current_request().user_
+        user = pyramid.threadlocal.get_current_request().user
 
         # Don't allows to have two authentications for the same user and the same client
         authorization_code = (
@@ -515,20 +533,32 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         )
 
         if authorization_code is not None:
-            authorization_code.code = code["code"]
             authorization_code.expire_at = datetime.now() + timedelta(minutes=self.authorization_expires_in)
-            authorization_code.redirect_uri = request.redirect_uri
         else:
             authorization_code = static.OAuth2AuthorizationCode()
             authorization_code.client_id = request.client.id
-            authorization_code.code = code["code"]
             authorization_code.user_id = user.id
             authorization_code.expire_at = datetime.now() + timedelta(minutes=self.authorization_expires_in)
-            authorization_code.redirect_uri = request.redirect_uri
+            authorization_code.state = code.get("state")
+
+        authorization_code.code = code["code"]
+        authorization_code.redirect_uri = request.redirect_uri
+
+        client = (
+            DBSession.query(static.OAuth2Client)
+            .filter(static.OAuth2Client.client_id == client_id)
+            .one_or_none()
+        )
+        if client and client.state_required and not code.get("state"):
+            raise HTTPBadRequest("Client is missing the state parameter.")
+
+        if client and client.pkce_required:
+            authorization_code.challenge = request.code_challenge
+            authorization_code.challenge_method = request.code_challenge_method
 
         DBSession.add(authorization_code)
 
-    def save_bearer_token(  # pylint: disable=no-self-use,useless-suppression
+    def save_bearer_token(
         self,
         token: Dict[str, Union[str, int]],
         request: oauthlib.common.Request,
@@ -549,20 +579,23 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
             {
                 'token_type': 'Bearer',
-                'access_token': 'askfjh234as9sd8',
+                'access_token': '<secret>',
                 'expires_in': 3600,
                 'scope': 'string of space separated authorized scopes',
-                'refresh_token': '23sdf876234',  # if issued
+                'refresh_token': '<secret>',  # if issued
                 'state': 'given_by_client',  # if supplied by client
             }
 
         Note that while "scope" is a string-separated list of authorized scopes,
         the original list is still available in request.scopes
 
-        :param client_id: Unicode client identifier
-        :param token: A Bearer token dict
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: The default redirect URI for the client
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            token: A Bearer token dict
+            request: The HTTP Request
+
+        Returns: The default redirect URI for the client
 
         Method is used by all core grant types issuing Bearer tokens:
             - Authorization Code Grant
@@ -584,21 +617,18 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             .one_or_none()
         )
 
-        if bearer_token is not None:
-            bearer_token.access_token = token["access_token"]
-            bearer_token.refresh_token = token["refresh_token"]
-            bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
-        else:
+        if bearer_token is None:
             bearer_token = static.OAuth2BearerToken()
             bearer_token.client_id = request.client.id
             bearer_token.user_id = request.user.id
-            bearer_token.access_token = token["access_token"]
-            bearer_token.refresh_token = token["refresh_token"]
-            bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
-
             DBSession.add(bearer_token)
 
-    def validate_bearer_token(  # pylint: disable=no-self-use,useless-suppression
+        bearer_token.access_token = token["access_token"]
+        bearer_token.refresh_token = token["refresh_token"]
+        bearer_token.expire_at = datetime.now() + timedelta(seconds=float(token["expires_in"]))
+        bearer_token.state = token.get("state")
+
+    def validate_bearer_token(
         self,
         token: str,
         scopes: List[str],
@@ -607,9 +637,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure the Bearer token is valid and authorized access to scopes.
 
-        :param token: A string of random characters.
-        :param scopes: A list of scopes associated with the protected resource.
-        :param request: The HTTP Request (oauthlib.common.Request)
+        Keyword Arguments:
+
+            token: A string of random characters.
+            scopes: A list of scopes associated with the protected resource.
+            request: The HTTP Request
 
         A key to OAuth 2 security and restricting impact of leaked tokens is
         the short expiration time of tokens, *always ensure the token has not
@@ -641,10 +673,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         one provided for django these attributes will be made available
         in all protected views as keyword arguments.
 
-        :param token: Unicode Bearer token
-        :param scopes: List of scopes (defined by you)
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            token: Unicode Bearer token
+            scopes: List of scopes (defined by you)
+            request: The HTTP Request
 
         Method is indirectly used by all core Bearer token issuing grant types:
             - Authorization Code Grant
@@ -659,6 +692,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         bearer_token = (
             DBSession.query(static.OAuth2BearerToken)
+            .join(static.User)
             .filter(static.OAuth2BearerToken.access_token == token)
             .filter(static.OAuth2BearerToken.expire_at > datetime.now())
         ).one_or_none()
@@ -666,9 +700,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         if bearer_token is not None:
             request.user = bearer_token.user
 
+        LOG.debug("validate_bearer_token => %s", bearer_token is not None)
         return bearer_token is not None
 
-    def validate_client_id(  # pylint: disable=no-self-use,useless-suppression
+    def validate_client_id(
         self,
         client_id: str,
         request: oauthlib.common.Request,
@@ -682,8 +717,10 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         to set request.client to the client object associated with the
         given client_id.
 
-        :param request: oauthlib.common.Request
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            request: oauthlib.common.Request
 
         Method is used by:
             - Authorization Code Grant
@@ -704,7 +741,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             request.client = client
         return client is not None
 
-    def validate_code(  # pylint: disable=no-self-use,useless-suppression
+    def validate_code(
         self,
         client_id: str,
         code: str,
@@ -714,8 +751,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         **kwargs: Any,
     ) -> bool:
         """
-        Verify that the authorization_code is valid and assigned to the given
-        client.
+        Verify that the authorization_code is valid and assigned to the given client.
 
         Before returning true, set the following based on the information stored
         with the code in 'save_authorization_code':
@@ -727,11 +763,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         associated with this authorization code. Similarly request.scopes
         must also be set.
 
-        :param client_id: Unicode client identifier
-        :param code: Unicode authorization code
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            code: Unicode authorization code
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -742,23 +779,36 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
 
-        authorization_code = (
+        authorization_code_query = (
             DBSession.query(static.OAuth2AuthorizationCode)
             .join(static.OAuth2AuthorizationCode.client)
             .filter(static.OAuth2AuthorizationCode.code == code)
-            .filter(static.OAuth2Client.client_id == client_id)
+            .filter(static.OAuth2AuthorizationCode.client_id == client.id)
             .filter(static.OAuth2AuthorizationCode.expire_at > datetime.now())
-            .one_or_none()
         )
-        if authorization_code is not None:
-            request.user = authorization_code.user
-        return authorization_code is not None
+        if client.state_required:
+            authorization_code_query = authorization_code_query.filter(
+                static.OAuth2AuthorizationCode.state == request.state
+            )
+
+        authorization_code = authorization_code_query.one_or_none()
+        if authorization_code is None:
+            LOG.debug("validate_code => KO, no authorization_code found")
+            return False
+
+        if authorization_code.client.pkce_required:
+            request.code_challenge = authorization_code.challenge
+            request.code_challenge_method = authorization_code.challenge_method
+
+        request.user = authorization_code.user
+        LOG.debug("validate_code => OK")
+        return True
 
-    def validate_grant_type(  # pylint: disable=no-self-use,useless-suppression
+    def validate_grant_type(
         self,
         client_id: str,
         grant_type: str,
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -766,11 +816,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure client is authorized to use the grant_type requested.
 
-        :param client_id: Unicode client identifier
-        :param grant_type: Unicode grant type, i.e. authorization_code, password.
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            grant_type: Unicode grant type, i.e. authorization_code, password.
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -778,13 +829,18 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Client Credentials Grant
             - Refresh Token Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
-        LOG.debug("validate_grant_type %s %s", client_id, grant_type)
+        LOG.debug(
+            "validate_grant_type %s %s => %s",
+            client_id,
+            grant_type,
+            grant_type in ("authorization_code", "refresh_token"),
+        )
 
         return grant_type in ("authorization_code", "refresh_token")
 
-    def validate_redirect_uri(  # pylint: disable=no-self-use,useless-suppression
+    def validate_redirect_uri(
         self,
         client_id: str,
         redirect_uri: str,
@@ -798,10 +854,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         All clients should register the absolute URIs of all URIs they intend
         to redirect to. The registration is outside of the scope of oauthlib.
 
-        :param client_id: Unicode client identifier
-        :param redirect_uri: Unicode absolute URI
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            redirect_uri: Unicode absolute URI
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
@@ -822,7 +879,7 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         LOG.debug("validate_redirect_uri %s", client is not None)
         return client is not None
 
-    def validate_refresh_token(  # pylint: disable=no-self-use,useless-suppression
+    def validate_refresh_token(
         self,
         refresh_token: str,
         client: "c2cgeoportal_commons.models.static.OAuth2Client",  # noqa: F821
@@ -836,10 +893,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         OBS! The request.user attribute should be set to the resource owner
         associated with this refresh token.
 
-        :param refresh_token: Unicode refresh token
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            refresh_token: Unicode refresh token
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant (indirectly by issuing refresh tokens)
@@ -856,7 +914,6 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             DBSession.query(static.OAuth2BearerToken)
             .filter(static.OAuth2BearerToken.refresh_token == refresh_token)
             .filter(static.OAuth2BearerToken.client_id == request.client.id)
-            .filter(static.OAuth2BearerToken.expire_at > datetime.now())
             .one_or_none()
         )
 
@@ -865,11 +922,11 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         return bearer_token is not None
 
-    def validate_response_type(  # pylint: disable=no-self-use,useless-suppression
+    def validate_response_type(
         self,
         client_id: str,
         response_type: str,
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -877,27 +934,28 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure client is authorized to use the response_type requested.
 
-        :param client_id: Unicode client identifier
-        :param response_type: Unicode response type, i.e. code, token.
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            response_type: Unicode response type, i.e. code, token.
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Authorization Code Grant
             - Implicit Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
         LOG.debug("validate_response_type %s %s", client_id, response_type)
 
         return response_type == "code"
 
-    def validate_scopes(  # pylint: disable=no-self-use,useless-suppression
+    def validate_scopes(
         self,
         client_id: str,
         scopes: List[str],
-        client,
+        client: "c2cgeoportal_commons.models.static.OAuth2Client",
         request: oauthlib.common.Request,
         *args: Any,
         **kwargs: Any,
@@ -905,11 +963,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         """
         Ensure the client is authorized access to requested scopes.
 
-        :param client_id: Unicode client identifier
-        :param scopes: List of scopes (defined by you)
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            client_id: Unicode client identifier
+            scopes: List of scopes (defined by you)
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by all core grant types:
             - Authorization Code Grant
@@ -917,16 +976,16 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
             - Resource Owner Password Credentials Grant
             - Client Credentials Grant
         """
-        del request, args, kwargs
+        del client, request, args, kwargs
 
         LOG.debug("validate_scopes %s %s", client_id, scopes)
 
         return True
 
-    def validate_user(  # pylint: disable=no-self-use,useless-suppression
+    def validate_user(
         self,
-        username,
-        password,
+        username: str,
+        password: str,
         client: "c2cgeoportal_commons.models.static.OAuth2Client",  # noqa: F821
         request: oauthlib.common.Request,
         *args: Any,
@@ -940,11 +999,12 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
         not set you will be unable to associate a token with a user in the
         persistence method used (commonly, save_bearer_token).
 
-        :param username: Unicode username
-        :param password: Unicode password
-        :param client: Client object set by you, see authenticate_client.
-        :param request: The HTTP Request (oauthlib.common.Request)
-        :rtype: True or False
+        Keyword Arguments:
+
+            username: Unicode username
+            password: Unicode password
+            client: Client object set by you, see authenticate_client.
+            request: The HTTP Request
 
         Method is used by:
             - Resource Owner Password Credentials Grant
@@ -955,13 +1015,139 @@ class RequestValidator(oauthlib.oauth2.RequestValidator):
 
         raise NotImplementedError("Not implemented.")
 
+    def is_pkce_required(self, client_id: int, request: oauthlib.common.Request) -> bool:
+        """
+        Determine if current request requires PKCE.
+
+        Default, False. This is called for both “authorization” and “token” requests.
+
+        Override this method by return True to enable PKCE for everyone. You might want to enable it only
+        for public clients. Note that PKCE can also be used in addition of a client authentication.
+
+        OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to
+        the authorization code interception attack. This specification describes the attack as well as
+        a technique to mitigate against the threat through the use of Proof Key for Code Exchange
+        (PKCE, pronounced “pixy”). See RFC7636.
+
+        Keyword Arguments:
+
+            client_id: Client identifier.
+            request (oauthlib.common.Request): OAuthlib request.
+
+
+        Method is used by:
+
+                Authorization Code Grant
+
+
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+
+        client = (
+            DBSession.query(static.OAuth2Client)
+            .filter(static.OAuth2Client.client_id == client_id)
+            .one_or_none()
+        )
+
+        return client and client.pkce_required  # type: ignore
+
+    def get_code_challenge(self, code: str, request: oauthlib.common.Request) -> Optional[str]:
+        """
+        Is called for every “token” requests.
+
+        When the server issues the authorization code in the authorization response, it MUST associate the
+        code_challenge and code_challenge_method values with the authorization code so it can be
+        verified later.
+
+        Typically, the code_challenge and code_challenge_method values are stored in encrypted form in
+        the code itself but could alternatively be stored on the server associated with the code.
+        The server MUST NOT include the code_challenge value in client requests in a form that other
+        entities can extract.
+
+        Return the code_challenge associated to the code. If None is returned, code is considered to not
+        be associated to any challenges.
+
+        Keyword Arguments:
+
+            code: Authorization code.
+            request: OAuthlib request.
+
+        Return:
 
-@OBJECT_CACHE_REGION.cache_on_arguments()
-def get_oauth_client(settings):
+            code_challenge string
+
+        Method is used by:
+
+                Authorization Code Grant - when PKCE is active
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+
+        LOG.debug("get_code_challenge")
+
+        authorization_code = (
+            DBSession.query(static.OAuth2AuthorizationCode)
+            .filter(static.OAuth2AuthorizationCode.code == code)
+            .one_or_none()
+        )
+        if authorization_code:
+            return authorization_code.challenge  # type: ignore
+        LOG.debug("get_code_challenge authorization_code not found")
+        return None
+
+    def get_code_challenge_method(self, code: str, request: oauthlib.common.Request) -> Optional[str]:
+        """
+        Is called during the “token” request processing.
+
+        When a code_verifier and a code_challenge has been provided.
+
+        See .get_code_challenge.
+
+        Must return plain or S256. You can return a custom value if you have implemented your own
+        AuthorizationCodeGrant class.
+
+        Keyword Arguments:
+
+            code: Authorization code.
+            request: OAuthlib request.
+
+        Return type:
+
+            code_challenge_method string
+
+        Method is used by:
+
+                Authorization Code Grant - when PKCE is active
+        """
+        from c2cgeoportal_commons.models import DBSession, static  # pylint: disable=import-outside-toplevel
+
+        LOG.debug("get_code_challenge_method")
+
+        authorization_code = (
+            DBSession.query(static.OAuth2AuthorizationCode)
+            .filter(static.OAuth2AuthorizationCode.code == code)
+            .one_or_none()
+        )
+        if authorization_code:
+            return authorization_code.challenge_method  # type: ignore
+        LOG.debug("get_code_challenge_method authorization_code not found")
+        return None
+
+
+def get_oauth_client(settings: Dict[str, Any]) -> oauthlib.oauth2.WebApplicationServer:
+    """Get the oauth2 client, with a cache."""
     authentication_settings = settings.get("authentication", {})
+    return _get_oauth_client_cache(
+        authentication_settings.get("oauth2_authorization_expire_minutes", 10),
+        authentication_settings.get("oauth2_token_expire_minutes", 60),
+    )
+
+
+@OBJECT_CACHE_REGION.cache_on_arguments()  # type: ignore
+def _get_oauth_client_cache(
+    authorization_expire_minutes: int, token_expire_minutes: int
+) -> oauthlib.oauth2.WebApplicationServer:
+    """Get the oauth2 client, with a cache."""
     return oauthlib.oauth2.WebApplicationServer(
-        RequestValidator(
-            authorization_expires_in=authentication_settings.get("oauth2_authorization_expire_minutes", 10)
-        ),
-        token_expires_in=authentication_settings.get("oauth2_token_expire_minutes", 60) * 60,
+        RequestValidator(authorization_expires_in=authorization_expire_minutes),
+        token_expires_in=token_expire_minutes * 60,
     )