fixed client credential flow which now returns an access token not bound to an user. ref issue #38

synasius · synasius · commit 628f9e6ba980 · 2015-03-23T00:20:25.000+01:00
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -293,7 +293,7 @@ def save_bearer_token(self, token, request, *args, **kwargs):
 
         expires = timezone.now() + timedelta(seconds=oauth2_settings.ACCESS_TOKEN_EXPIRE_SECONDS)
         if request.grant_type == 'client_credentials':
-            request.user = request.client.user
+            request.user = None
 
         access_token = AccessToken(
             user=request.user,
diff --git a/oauth2_provider/tests/test_client_credential.py b/oauth2_provider/tests/test_client_credential.py
@@ -13,7 +13,7 @@
 
 from oauthlib.oauth2 import BackendApplicationServer
 
-from ..models import get_application_model
+from ..models import get_application_model, AccessToken
 from ..oauth2_validators import OAuth2Validator
 from ..settings import oauth2_settings
 from ..views import ProtectedResourceView
@@ -93,6 +93,17 @@ def test_client_credential_does_not_issue_refresh_token(self):
         content = json.loads(response.content.decode("utf-8"))
         self.assertNotIn("refresh_token", content)
 
+    def test_client_credential_user_is_none_on_access_token(self):
+        token_request_data = {'grant_type': 'client_credentials'}
+        auth_headers = self.get_basic_auth_header(self.application.client_id, self.application.client_secret)
+
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data, **auth_headers)
+        self.assertEqual(response.status_code, 200)
+
+        content = json.loads(response.content.decode("utf-8"))
+        access_token = AccessToken.objects.get(token=content["access_token"])
+        self.assertIsNone(access_token.user)
+
 
 class TestExtendedRequest(BaseTest):
     @classmethod
@@ -130,7 +141,7 @@ def get_scopes(self):
 
         valid, r = test_view.verify_request(request)
         self.assertTrue(valid)
-        self.assertEqual(r.user, self.dev_user)
+        self.assertIsNone(r.user)
         self.assertEqual(r.client, self.application)
         self.assertEqual(r.scopes, ['read', 'write'])
 
