feat(oauth): support client credentials grant

2025-08-13 14:12:29 +00:00
parent 7a6a548a65
commit 7817b7c59a
4 changed files with 171 additions and 11 deletions
--- a/app/router/auth.py
+++ b/app/router/auth.py
@@ -428,12 +428,48 @@ async def oauth_token(
            refresh_token=refresh_token_str,
            scope=" ".join(scopes),
        )
-    else:
-        return create_oauth_error_response(
-            error="unsupported_grant_type",
-            description=(
-                "The authorization grant type is not supported "
-                "by the authorization server."
-            ),
-            hint="Unsupported grant type",
+    elif grant_type == "client_credentials":
+        if client is None:
+            return create_oauth_error_response(
+                error="invalid_client",
+                description=(
+                    "Client authentication failed (e.g., unknown client, "
+                    "no client authentication included, "
+                    "or unsupported authentication method)."
+                ),
+                hint="Invalid client credentials",
+                status_code=401,
+            )
+        elif scopes != ["public"]:
+            return create_oauth_error_response(
+                error="invalid_scope",
+                description="The requested scope is invalid, unknown, or malformed.",
+                hint="Scope must be 'public'",
+                status_code=400,
+            )
+
+        # 生成令牌
+        access_token_expires = timedelta(minutes=settings.access_token_expire_minutes)
+        access_token = create_access_token(
+            data={"sub": "3"}, expires_delta=access_token_expires
+        )
+        refresh_token_str = generate_refresh_token()
+
+        # 存储令牌
+        await store_token(
+            db,
+            3,
+            client_id,
+            scopes,
+            access_token,
+            refresh_token_str,
+            settings.access_token_expire_minutes * 60,
+        )
+
+        return TokenResponse(
+            access_token=access_token,
+            token_type="Bearer",
+            expires_in=settings.access_token_expire_minutes * 60,
+            refresh_token=refresh_token_str,
+            scope=" ".join(scopes),
        )
--- a/app/router/private/oauth.py
+++ b/app/router/private/oauth.py
@@ -37,6 +37,7 @@ async def create_oauth_app(
    if next_id < 10:
        await session.execute(text("ALTER TABLE oauth_clients AUTO_INCREMENT = 10"))
        await session.commit()
+        await session.refresh(current_user)

    oauth_client = OAuthClient(
        name=name,