1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
#!/usr/bin/env python3

import json
import webbrowser
import secrets
from os import environ
from urllib.request import Request, urlopen
from urllib.parse import urlencode, urlparse, parse_qs
from pprint import pprint


def openid_discovery():
    """Perform OpenID Discovery

    SciStarter supports OpenID Connect Discovery, so there is a
    standardized, machine readable description of our OpendID/OAuth
    configuration which can be retrieved at any time.

    Normally, there is no need to perform discovery very often. Just
    cache the results.

    """

    r = urlopen("https://scistarter.org/.well-known/openid-configuration")

    if r.status != 200:
        raise Exception(r.status, r.reason)

    return json.loads(r.read())


def authorize(config):
    """Perform the OAuth flow to retrieve an access token

    Authorization in OpenID Connect is via OAuth 2.

    """

    # If we were writing a server-side request handler, it would be a
    # good idea to save the URL for the next page the user expects to
    # see at this time. Usually, we would store it in the session.
    # Then, once the authorization was complete, it would be easy to
    # forward user to where they expected to go.

    # This is a nonce which has no purpose or meaning except to make
    # it impossible for a hostile middleman to replay the request. The
    # state, too, should be saved in the session so as to accessible
    # later in the process.
    state = secrets.token_hex(16)

    # Normally we would be doing this in a server-side HTTP request
    # handler rather than in a standalone program, in which case we
    # would simply return a redirect response rather than messing
    # about with the webbrowser module.
    webbrowser.open_new_tab(
        config["authorization_endpoint"]
        + "?"
        + urlencode(
            {
                # The client_id is provided by SciStarter, email us at
                # info@scistarter.org to get one.
                "client_id": environ["SCISTARTER_CLIENT_ID"],
                "response_type": "code",
                # Requesting the openid scope is a protocol requirement
                # Requesting the profile scope gives us read access to
                # basic user information, if the user grants it.
                # Requesting the participation scope gives us the
                # right to add participation events to the user's
                # record, if the user grants it.
                "scope": "openid profile participation",
                "state": state,
                "redirect_uri":
                # This URL would never be the one you really use.
                # Instead, you will have provided one or more URLs on
                # your own domain to us when you requested a
                # client_id. The redirect_uri parameter must be one of
                # those URLs.
                "https://example.com/openid/scistarter",
            }
        )
    )

    # Once the user has granted permissions, scistarter will redirect
    # the user to the specified redirect_uri. That would result in
    # another request handler on your server processing that request to
    # complete the authorization. Since we're not in a server here, we
    # do this instead:
    redirected_to = input(
        "Please perform the authorization in your browser, then copy and paste the URL you get redirected to here: "
    )
    params = parse_qs(urlparse(redirected_to).query)

    try:
        code = params["code"][0]
    except (KeyError, IndexError):
        raise Exception("No authorization code was provided")

    # Now that the user has identified themself to SciStarter and
    # granted permissions, we have to identify ourself as the rightful
    # recipient of those permissions and retrieve an access token.

    req = Request(
        method="POST",
        url=config["token_endpoint"],
        data=urlencode(
            {
                "client_id": environ["SCISTARTER_CLIENT_ID"],
                "client_secret": environ["SCISTARTER_CLIENT_SECRET"],
                # redirect_uri must match the redirect_uri used above
                "redirect_uri": "https://example.com/openid/scistarter",
                "grant_type": "authorization_code",
                "code": code,
                "state": state,
            }
        ).encode("utf8"),
    )

    r = urlopen(req)

    if r.status != 200:
        raise Exception(r.status, r.reason)

    authorization = json.loads(r.read())

    # Now we have an access token, which will be good for several
    # hours and which will allow us to access SciStarter on the user's
    # behalf.
    access_token = authorization["access_token"]

    # We also have a refresh token, which can be used to retrieve a
    # new access token after the current one expires, as long as the
    # user does not have it revoked.
    refresh_token = authorization["refresh_token"]

    return access_token, refresh_token


def refresh(config, refresh_token):
    """Retrieve a new access token, given a refresh token

    Access tokens expire after a time. Refresh tokens don't expire
    until they are used or revoked. For use cases where you're not
    using OpenID Connect as your primary way of authenticating the
    user, it's quite possible for the user to come back to your site
    and authenticate through other means long after the access token
    is no longer valid. When this happens, you can use the refresh
    token to renew your access to SciStarter, without interrupting the
    user to ask for permissions that you have already been granted.

    Refresh tokens should never leave your server, except to be sent
    to ours over an encrypted connection.

    SciStarter's refresh tokens are single use. Using a refresh token
    consumes it, and issues a new one along with an access token.

    """

    req = Request(
        method="POST",
        url=config["token_endpoint"],
        data=urlencode(
            {
                "client_id": environ["SCISTARTER_CLIENT_ID"],
                "client_secret": environ["SCISTARTER_CLIENT_SECRET"],
                "grant_type": "refresh_token",
                "refresh_token": refresh_token,
            }
        ).encode("utf8"),
    )

    r = urlopen(req)

    if r.status != 200:
        raise Exception(r.status, r.reason)

    authorization = json.loads(r.read())

    return authorization['access_token'], authorization['refresh_token']


def get_profile(config, token):

    """Retrieve user information

    In the process of granting the token, the user was prompted to
    allow (or deny) us access to their information. The specific
    information depends on the scopes we requested, but whatever
    information they allowed is available via the userinfo endpoint.

    If participation API access was granted, the
    'participation_api_granted' field in the return value will be
    true.

    It's not necessary to retrieve the profile information every time
    you are authorized. Once is usually sufficient.

    """

    req = Request(
        method="GET",
        url=config["userinfo_endpoint"],
        # Any request that is authorized by the token should have this
        # Authorization HTTP header
        headers={"Authorization": "Bearer " + token},
    )

    r = urlopen(req)

    if r.status != 200:
        raise Exception(r.status, r.reason)

    return json.loads(r.read())


def record_participation(config, token, project_slug=None):
    """Record a participation event for the user

    This will only work if the participation scope is available, which
    means that the user specifically granted permission to share
    information with SciStarter.

    There are two variations on this process: if we only have one
    project associated with the client_id, all we need is our token.
    On the other hand, if have more than one project for the same
    client_id, we also need to provide the slug which identifies the
    specific project that the user participated in.

    The project_slug parameter should contain the textual unique
    identifier of the project. It is easily accesible from the project
    URL. In the URL https://scistarter.org/airborne-walrus-capture the
    slug is the string airborne-walrus-capture

    """

    if project_slug is None:
        endpoint = "https://scistarter.org/api/participation/openid"
    else:
        endpoint = "https://scistarter.org/api/participation/openid/" + project_slug

    req = Request(
        method="POST",
        url=endpoint,
        headers={"Authorization": "Bearer " + token},
        data=urlencode(
            {
                "type": "classification",  # other options: 'collection', 'signup'
                "duration": 31,  # Seconds the user spent participating, or an estimate
            }
        ).encode("utf8"),
    )

    r = urlopen(req)

    if r.status != 200:
        raise Exception(r.status, r.reason)

    return json.loads(r.read())


if __name__ == "__main__":
    config = openid_discovery()

    print("CONFIG")
    pprint(config)

    access_token, refresh_token = authorize(config)

    print("REFRESH_TOKEN")
    print(refresh_token)

    # We don't need to do this at this time, except to demonstrate
    # how. The current access token is valid, since we just retrieved
    # it, and does not need to be refreshed.
    access_token, refresh_token = refresh(config, refresh_token)

    print("ACCESS TOKEN")
    pprint(access_token)

    profile = get_profile(config, access_token)

    print("PROFILE")
    pprint(profile)

    result = record_participation(config, access_token)

    print("RESULT")
    pprint(result)
Website Security Test