o RDiܡ@sddlZddlZddlZddlZddlZddlZddlZddlZddl m Z ddl m Z m Z ddl mZddlZddlmZddlmZmZddlmZmZddlmZdd lmZmZdd lmZdd lm Z m!Z!dd l"m#Z#dd l$m%Z%ddl&m'Z(ddl)m*Z*m+Z+ddl,m-Z-ddl.m/Z/ddl0m1Z1m2Z2ddl3m4Z4ddl5m6Z6ddl7m8Z8m9Z9m:Z:m;Z;mm?Z?ddlm@Z@ddl2mAZAeBdZCe8jDe8jEfe8jFfe8jGfe8jDe8jFe8jGe8jEfdZHe:ZIe9ZJe<ZKe;ZLe=ZMeZNGddde4ZOdS)N) OrderedDict)datetime timedelta) unquote_plus)settings) authenticateget_user_model)check_passwordidentify_hasher)ObjectDoesNotExist)router transaction) HttpRequest) dateformattimezone)constant_time_compare) make_aware) gettext_lazy)jwsjwt) JWException) JWTExpired)errorsutils)RequestValidator)FatalClientError)AbstractApplicationget_access_token_modelget_application_modelget_grant_modelget_id_token_modelget_refresh_token_model)get_scopes_backend)oauth2_settings) get_timezoneoauth2_provider)authorization_codepasswordclient_credentials refresh_tokencsZeZdZiddddddddddddd dddd dd dd dd dddddddddddddddZddZddZddZddZddZd d!Z fd"d#Z d$d%Z d&d'Z d(d)Z d*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Zd@dAZdBdCZdDdEZdFdGZdHdIZdJdKZdLdMZdNdOZ dPdQZ!dRdSZ"ddUdVZ#ddWdXZ$dYdZZ%d[d\Z&d]d^Z'd_d`Z(dadbZ)dcddZ*e+dedfZ,dgdhZ-didjZ.dkdlZ/dmdnZ0dodpZ1dqdrZ2dsdtZ3dudvZ4dwdxZ5dydzZ6d{d|Z7d}d~Z8ddZ9ddZ:ddZ;ddZS)OAuth2Validatorsubopenidnameprofile family_name given_name middle_namenicknamepreferred_usernamepicturewebsitegender birthdatezoneinfolocale updated_atemailemail_verifiedaddressphone)r> phone_numberphone_number_verifiedcCsJ|jdd}|s dS|dd}t|dkrdS|\}}|dkr#dS|S)zx Return authentication string if request contains basic auth credentials, otherwise return None HTTP_AUTHORIZATIONN rBasic)headersgetsplitlen)selfrequestauthrH auth_type auth_stringrOZ/var/www/Datamplify/venv/lib/python3.10/site-packages/oauth2_provider/oauth2_validators.py_extract_basic_authbs  z#OAuth2Validator._extract_basic_authcCs2z t|t||WStyt||YSw)zy Checks whether the provided client secret is valid. Supports both hashed and unhashed secrets. )r r ValueErrorr)rJprovided_secret stored_secretrOrOrP _check_secretus   zOAuth2Validator._check_secretc CsF||}|s dSz |jptjpd}Wn tyd}Ynwzt|}Wnttj fy9t d|YdSwz| |}Wnt yRt d||YdSwz tt|dd\}}Wntyot dYdSw|||durt d |dS|jj|krt d |dS|||jjst d |dSd S) z Authenticates with HTTP Basic Auth. Note: as stated in rfc:`2.3.1`, client_id and client_secret must be encoded with "application/x-www-form-urlencoded" encoding algorithm. Futf-8z0Failed basic auth: %r can't be decoded as base64z7Failed basic auth: %r can't be decoded as unicode by %r:rz+Failed basic auth, Invalid base64 encoding.Nz0Failed basic auth: Application %s does not existz%Failed basic auth: wrong client id %sz)Failed basic auth: wrong client secret %sT)rQencodingrDEFAULT_CHARSETAttributeErrorbase64 b64decode TypeErrorbinasciiErrorlogdebugdecodeUnicodeDecodeErrormaprrHrR_load_applicationclient client_idrU client_secret)rJrKrNrX b64_decodedauth_string_decodedrgrhrOrOrP_authenticate_basic_authsH       z(OAuth2Validator._authenticate_basic_authcCsxz |j}t|ddp d}Wn tyYdSw|||dur)td|dS|||jjs:td|dSdS)aA Try to authenticate the client using client_id and client_secret parameters included in body. Remember that this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details. rhFNz0Failed body auth: Application %s does not existsz(Failed body auth: wrong client secret %sT) rggetattrrZrer`rarUrfrh)rJrKrgrhrOrOrP_authenticate_request_bodys  z*OAuth2Validator._authenticate_request_bodycCsvt|ds Jdz|jptjj|d|_|j|s%td|WdS|jWStjy:td|YdSw)z If request.client was not set, load application instance for given client_id and store it in request.client rfz,"request" instance has no "client" attribute)rgz6Failed body authentication: Application %r is disabledNz9Failed body authentication: Application %r does not exist) hasattrrf ApplicationobjectsrG is_usabler`ra DoesNotExistrJrgrKrOrOrPres z!OAuth2Validator._load_applicationcCsz|durtddtdfg}n)|rtddtdfg}n||s.tddtdfg}n tdtdg}||_|S)N)error invalid_tokenerror_descriptionzThe access token is invalid.zThe access token has expired.)ruinsufficient_scopez9The access token is valid but does not have enough scope.z5OAuth2 access token is invalid for an unknown reason.)r_ is_expired allow_scopesr`warning oauth2_error)rJrK access_tokenscopesrurOrOrP_set_oauth2_error_on_requests2     z,OAuth2Validator._set_oauth2_error_on_requestcs~||rdSz |jr|jrWdSWnty tdYnw||j||jr2|jjt j kSt j |g|Ri|S)ah Determine if the client has to be authenticated This method is called only for grant types that supports client authentication: * Authorization code grant * Resource owner password grant * Refresh token grant If the request contains authorization headers, always authenticate the client no matter the grant type. If the request does not contain authorization headers, proceed with authentication only if the client is of type `Confidential`. If something goes wrong, call oauthlib implementation of the method. Tz*Client ID or client secret not provided...) rQrgrhrZr`rarerf client_typerCLIENT_CONFIDENTIALsuperclient_authentication_required)rJrKargskwargs __class__rOrPrs    z.OAuth2Validator.client_authentication_requiredcOs||}|s ||}|S)a Check if client exists and is authenticating itself as in rfc:`3.2.1` First we try to authenticate with HTTP Basic Auth, and that is the PREFERRED authentication method. Whether this fails we support including the client credentials in the request-body, but this method is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme. See rfc:`2.3.1` for more details )rkrn)rJrKrr authenticatedrOrOrPauthenticate_clients  z#OAuth2Validator.authenticate_clientcOs"|||dur|jjtjkSdS)z If we are here, the client did not authenticate itself as in rfc:`3.2.1` and we can proceed only if the client exists and is not of type "Confidential". NF)rerfrrrrJrgrKrrrOrOrPauthenticate_client_id/sz&OAuth2Validator.authenticate_client_idcOstjj||d}||S)zc Ensure the redirect_uri is listed in the Application instance redirect_uris field code application)GrantrqrGredirect_uri_allowed)rJrgr redirect_urirfrrgrantrOrOrPconfirm_redirect_uri8s z$OAuth2Validator.confirm_redirect_uricOs>ztjj||jd}|WdStjytj|dw)z Remove the temporary grant used to swap the authorization token. :raises: InvalidGrantError if the grant does not exist. r)rKN)rrqrGrfdeletersrInvalidGrantError)rJrgrrKrrrrOrOrPinvalidate_authorization_code?s  z-OAuth2Validator.invalidate_authorization_codecOs|||duS)z{ Ensure an Application exists with given client_id. If it exists, it's assigned to request.client. N)rerrOrOrPvalidate_client_idKsz"OAuth2Validator.validate_client_idcOs|jjSN)rfdefault_redirect_urirrOrOrPget_default_redirect_uriRsz(OAuth2Validator.get_default_redirect_uricCs$tjjditj|di\}}|S)a6 An optional layer to define where to store the profile in `UserModel` or a separate model. For example `UserOAuth`, where `user = models.OneToOneField(UserModel)` . The function is called after checking that username is in the content. Returns an UserModel instance; usernameNrO) UserModelrq get_or_createUSERNAME_FIELD)rJcontentuserryrOrOrPget_or_create_user_from_contentUs z/OAuth2Validator.get_or_create_user_from_contentcCsd}|r dd|i}n#|r/|dd}|dd}t|d|}dd|di}z tj|d |i|d } WntjjyMt d |YdSw| j t j jkrbt d | j | jdSz| } Wntywt d YdSwd| vr| ddurd| vr|| } nd} tttjd} d| vrt| d} | | kr| } n| } | dd}tjrt| ttjd} tj j!|| d|| dd\}}|SdSdS)aUse external introspection endpoint to "crack open" the token. :param introspection_url: introspection endpoint URL :param introspection_token: Bearer token :param introspection_credentials: Basic Auth credentials (id,secret) :return: :class:`models.AccessToken` Some RFC 7662 implementations (including this one) use a Bearer token while others use Basic Auth. Depending on the external AS's implementation, provide either the introspection_token or the introspection_credentials. If the resulting access_token identifies a username (e.g. Authorization Code grant), add that user to the UserModel. Also cache the access_token up until its expiry time or a configured maximum time. N Authorizationz Bearer {}rrVr:zBasic {}token)datarFz0Introspection: Failed POST to %r in token lookupzfIntrospection: Failed to get a valid response from authentication server. Status code: {}, Reason: {}.z/Introspection: Failed to parse response as jsonactiveTrsecondsexpscoperl)r)rrrexpires)rdefaults)"formatencoder[ b64encoderbrequestspost exceptionsRequestExceptionr` exception status_codehttprfOKreasonjsonrRrrnowrr$%RESOURCE_SERVER_TOKEN_CACHING_SECONDSutcfromtimestamprGrUSE_TZrr%#AUTHENTICATION_SERVER_EXP_TIME_ZONE AccessTokenrqupdate_or_create)rJrintrospection_urlintrospection_tokenintrospection_credentialsrFrgrh basic_authresponserrmax_caching_timerrr~_createdrOrOrP%_get_token_from_authentication_serverasl          z5OAuth2Validator._get_token_from_authentication_servercCs|sdStj}tj}tj}||}|r||s'|r'|s|r'|||||}|rA||rA|j|_|j |_ t |j |_ ||_ dS| |||dS)zX When users try to access resources, check that provided token is valid FT)r$!RESOURCE_SERVER_INTROSPECTION_URLRESOURCE_SERVER_AUTH_TOKEN)RESOURCE_SERVER_INTROSPECTION_CREDENTIALS_load_access_tokenis_validrrrfrlistrr~r)rJrrrKrrrr~rOrOrPvalidate_bearer_tokens&   z%OAuth2Validator.validate_bearer_tokencCs.t|d}tjddj|dS)NrVrr)token_checksum) hashlibsha256r hexdigestrrqselect_relatedfilterfirst)rJrrrOrOrPrs  z"OAuth2Validator._load_access_tokencOstz.tjj||d}|s,|jd|_|j|_|jr|j|_|j r)t |j |_ WdSWdStj y9YdSw)NrrCTF) rrqrGrzrrHrrnonceclaimsrloadsrs)rJrgrrfrKrrrrOrOrP validate_codeszOAuth2Validator.validate_codecOs|tvsJ|jjt|S)zk Validate both grant_type is a valid string and grant_type is allowed for current workflow )GRANT_TYPE_MAPPINGrfallows_grant_type)rJrg grant_typerfrKrrrOrOrPvalidate_grant_types z#OAuth2Validator.validate_grant_typecOs|dkr |tjS|dkr|tjS|dkr|tjS|dkr(|tjS|dkr2|tjS|dkr<|tjS|dkrF|tjSdS) z We currently do not support the Authorization Endpoint Response Types registry as in rfc:`8.4`, so validate the response_type only if it matches "code" or "token" rrid_tokenzid_token tokenz code id_tokenz code tokenzcode id_token tokenF)rrGRANT_AUTHORIZATION_CODEGRANT_IMPLICITGRANT_OPENID_HYBRID)rJrg response_typerfrKrrrOrOrPvalidate_response_types       z&OAuth2Validator.validate_response_typecOs"tj||d}t|t|S)zZ Ensure required scopes are permitted (as specified in the settings file) rrK)r#get_available_scopessetissubset)rJrgrrfrKrravailable_scopesrOrOrPvalidate_scopes szOAuth2Validator.validate_scopescOstj|j|d}|S)Nr)r#get_default_scopesrf)rJrgrKrrdefault_scopesrOrOrPrsz"OAuth2Validator.get_default_scopescO |j|Sr)rfr)rJrgrrKrrrOrOrPvalidate_redirect_uris z%OAuth2Validator.validate_redirect_uricCsttjr t|StjS)z Enables or disables PKCE verification. Uses the setting PKCE_REQUIRED, which can be either a bool or a callable that receives the client id and returns a bool. )callabler$ PKCE_REQUIREDrtrOrOrPis_pkce_requireds  z OAuth2Validator.is_pkce_requiredcCtjj||jd}|jp dSNr)rrqrGrfcode_challengerJrrKrrOrOrPget_code_challenge# z"OAuth2Validator.get_code_challengecCrr)rrqrGrfcode_challenge_methodrrOrOrPget_code_challenge_method'rz)OAuth2Validator.get_code_challenge_methodcOs|||dSr)_create_authorization_code)rJrgrrKrrrOrOrPsave_authorization_code+sz'OAuth2Validator.save_authorization_codecCs.tjj|djddd}|rt|SgS)NrrTflat)rrqr values_listrr scope_to_list)rJrgrrrKrrOrOrPget_authorization_code_scopes.s z-OAuth2Validator.get_authorization_code_scopescCstjS)z; Checks if rotate refresh token is enabled )r$ROTATE_REFRESH_TOKENrJrKrOrOrProtate_refresh_token4sz$OAuth2Validator.rotate_refresh_tokencOsPtjttd|j||g|Ri|WdS1s!wYdS)z Save access and refresh token. Override _save_bearer_token and not this function when adding custom logic for the storing of these token. This allows the transaction logic to be separate from the token handling. usingN)r atomicr db_for_writer_save_bearer_token)rJrrKrrrOrOrPsave_bearer_token:s $z!OAuth2Validator.save_bearer_tokenc Osd|vrtdtt|dtjd}|jdkrd|_|dd}|rt |dd}| |s_t |t r_|j r_tjj|j jd }|j|_|d|_||_|d |_|j|_|dSt |t rt jj|jd }||_tjj|d } z|Wn tjt jfyYn wt|ddnd} | s|j||||d }|||||dS| j|d <t jj| d j|d<| j|d<dS||||dS) z Save access and refresh token. If refresh token is issued, remove or reuse old refresh token as in rfc:`6`. @see: https://rfc-editor.org/rfc/rfc6749.html#section-6 rz+Failed to renew access token: missing scope expires_inrr)Nr*refresh_token_instance)pkr~)source_refresh_token)r~) rrrrrGr$ACCESS_TOKEN_EXPIRE_SECONDSrrrmr isinstance RefreshTokenr~rrqselect_for_updaterrrrrfrsaver rrrevokerssetattr_create_access_token_create_refresh_token) rJrrKrrrrefresh_token_coder r~previous_access_tokenrOrOrPr Fsx            z"OAuth2Validator._save_bearer_tokenNc Cs@|dd}|r ||}tjj|j|d||d||j|dS)Nrrr~)rrrrrrr)rG_load_id_tokenrrqcreaterrf)rJrrKrrrrOrOrPrs  z$OAuth2Validator._create_access_tokenc Csh|s tttjd}tjj|j|j |d||j d |j |j p"d|jp&d|jp*dt|jp0id S)NrrrCrl) rrrrrrrrrr)rrrr$!AUTHORIZATION_CODE_EXPIRE_SECONDSrrqrrfrrjoinrrrrrdumpsr)rJrKrrrOrOrPrs z*OAuth2Validator._create_authorization_codecCs.|r|j}nt}tjj|j||j||dS)N)rrrr~ token_family)r uuiduuid4rrqrrrf)rJrKrr~previous_refresh_tokenr rOrOrPrsz%OAuth2Validator._create_refresh_tokenc s|dvrd}ttd}||tz jj|dWdStyCfdd|DD]}ttdd|jj |dq/YdSw)z Revoke an access or refresh token. :param token: The token string. :param token_type_hint: access_token or refresh_token. :param request: The HTTP Request (oauthlib.common.Request) )r~r*Nrcsg|]}|kr|qSrOrO).0_t token_typerOrP sz0OAuth2Validator.revoke_token..cSs|Sr)r)trOrOrPsz.OAuth2Validator.revoke_token..) rrrGrqrr valuesrrdr)rJrtoken_type_hintrKrr token_types other_typerOr'rP revoke_tokens  zOAuth2Validator.revoke_tokenc Os`t}|j|_|j|_t||jt|j|j |_ t |||d}|dur.|j r.||_ dSdS)zS Check username and password correspond to a valid and active User )rr(NTF)ruripath http_methodmethodrmupdatedict decoded_bodyrFMETAr is_activer) rJrr(rfrKrr http_requesturOrOrP validate_userszOAuth2Validator.validate_usercOsB|j}|jsz tjj|jdjWStjygYSw|jjS)N)source_refresh_token_id) r access_token_idrrqrGrrrsr~)rJr*rKrrrtrOrOrPget_original_scopessz#OAuth2Validator.get_original_scopesc Ostjj|dd}|sdS|jdur=|jttt j dkr=t j r;|j r;tjj|j d}| D]}|q4dS|j|_|j|_||_|j|kS)z Check refresh_token exists and refers to the right client. Also attach User instance to the request object r$r~FNr)r )rrqrrrrevokedrrrr$"REFRESH_TOKEN_GRACE_PERIOD_SECONDSREFRESH_TOKEN_REUSE_PROTECTIONr allrrrr*r r) rJr*rfrKrrr?rt_token_family related_rtrOrOrPvalidate_refresh_token s    z&OAuth2Validator.validate_refresh_tokencOs0|jpd|j}tjj|j||||jd}|S)NrC)rrrjtir)rrrIDTokenrqrrrf)rJrHrKrrrrrrOrOrP_save_id_token(szOAuth2Validator._save_id_tokencCstt|jjdkS)Nr)rIinspect signatureget_additional_claims parameters)clsrOrOrP*_get_additional_claims_is_request_agnostic4sz:OAuth2Validator._get_additional_claims_is_request_agnosticcC||||Sr) get_id_token)rJr token_handlerrKrOrOrPget_jwt_bearer_token8z$OAuth2Validator.get_jwt_bearer_tokencCsP|r dddi}ndt|jji}|r|}n||}|||S)Nr,cSs t|jjSr)strrr)rrOrOrPr+=s z0OAuth2Validator.get_claim_dict..)rPrVrrrMr5)rJrKraddrOrOrPget_claim_dict;s   zOAuth2Validator.get_claim_dictcCs(dg}|r|t||7}|S)Nr,)rPrrYkeys)rJrKrrOrOrPget_discovery_claimsJsz$OAuth2Validator.get_discovery_claimscCsT||}i}|D]\}}|jr|j||jvr't|r#||n|||<q |Sr)rYitemsoidc_claim_scoperGrr)rJrrSrKrrkvrOrOrPget_oidc_claimsPs zOAuth2Validator.get_oidc_claimsc Csn||||}tttjd}|jdi||tt |dtt |j j dt td||fS)a4 Get the claims to put in the ID Token. These claims are in addition to the claims automatically added by ``oauthlib`` - aud, iat, nonce, at_hash, c_hash. This function adds in iss, exp and auth_time, plus any claims added from calling ``get_oidc_claims()`` rU)issr auth_timerHNrO)r`rrrr$ID_TOKEN_EXPIRE_SECONDSr5get_oidc_issuer_endpointintrrr last_loginrVr!r")rJrrSrKrexpiration_timerOrOrPget_id_token_dictionary[s   z'OAuth2Validator.get_id_token_dictionarycCs t|Sr)r$ oidc_issuerrrOrOrPrets z(OAuth2Validator.get_oidc_issuer_endpointc Cs||||\}}|jd i|d|vr|jr|j|d<d|jjd}|jjtjkr3|jj|d<t j t j |t dt j |t dd}||jjtjttd||d||}Wdn1shwY||_||_|S) NrJWT)typalgkid)default)headerrrrHrO)rir5rrf algorithmrRS256_ALGORITHMjwk_key thumbprintrrkrrrVmake_signed_tokenr rr r rIrJr~r serialize) rJrrrSrKrrhrp jwt_tokenrOrOrPfinalize_id_tokenws(   z!OAuth2Validator.finalize_id_tokencCrQr)validate_id_token)rJrrrKrOrOrPvalidate_jwt_bearer_tokenrUz)OAuth2Validator.validate_jwt_bearer_tokencCsH|sdS||}|s dS||sdS|j|_|j|_||_||_dS)z[ When users try to access resources, check that provided id_token is valid FT)rr{rrfrrr~)rJrrrKrrOrOrPrys  z!OAuth2Validator.validate_id_tokenc Cs^||}|s dSztj||d}t|j}tjj|ddWSt t tj fy.YdSw)N)keyrrH)rH) _get_key_for_tokenrrkrrrrIrqrGrrrs)rJrr{rwrrOrOrPrs  zOAuth2Validator._load_id_tokencCsPt}||t|jdd}d|vrdS||d}|r&|jSdS)z Peek at the unvalidated token to discover who it was issued for and then use that to load that application and its key. payloadrVaudN) rJWS deserializerrrqrb_get_client_by_audiencers)rJrunverified_tokenrrrOrOrPr|s z"OAuth2Validator._get_key_for_tokencCs"t|tr|g}tjj|dS)z Load a client by the aud claim in a JWT. aud may be multi-valued, if your provider makes it so. This function is separate to allow further customization. ) client_id__in)rrVrprqrr)rJaudiencerOrOrPrs z'OAuth2Validator._get_client_by_audiencecCsdS)NTrO)rJ id_token_hintrrrKrOrOrPvalidate_user_matchsz#OAuth2Validator.validate_user_matchcCs(tjj|djddd}|r|SdS)ajExtracts nonce from saved authorization code. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string. Only code param should be sufficient to retrieve grant code from any storage you are using. However, `client_id` and `redirect_uri` have been validated and can be used also. :param client_id: Unicode client identifier :param code: Unicode authorization code grant :param redirect_uri: Unicode absolute URI :return: Unicode nonce Method is used by: - Authorization Token Grant Dispatcher rrTrN)rrqrrr)rJrgrrrKrrOrOrPget_authorization_code_noncesz,OAuth2Validator.get_authorization_code_noncecCs||jd|S)zw Generates and saves a new JWT for this request, and returns it as the current user's claims. N)r`r~rrOrOrPget_userinfo_claimssz#OAuth2Validator.get_userinfo_claimscCsiSrrOrrOrOrPrMsz%OAuth2Validator.get_additional_claimscOr)aVIndicate if the given origin is allowed to access the token endpoint via Cross-Origin Resource Sharing (CORS). CORS is used by browser-based clients, such as Single-Page Applications, to perform the Authorization Code Grant. Verifies if request's origin is within Application's allowed origins list. )rforigin_allowed)rJrgoriginrKrrrOrOrPis_origin_alloweds z!OAuth2Validator.is_origin_allowedr)?__name__ __module__ __qualname__r]rQrUrkrnrerrrrrrrrrrrrrrrrrrrrrrrrr r rrrr0r<r@rGrJ classmethodrPrTrYr[r`rirerxrzryrr|rrrrrMr __classcell__rOrOrrPr+Es      . !   T   g       r+)Pr[r^r http.clientrrKrloggingr! collectionsrrr urllib.parserr django.confrdjango.contrib.authrrdjango.contrib.auth.hashersr r django.core.exceptionsr django.dbr r django.httpr django.utilsrrdjango.utils.cryptordjango.utils.timezonerdjango.utils.translationrryjwcryptorrjwcrypto.commonr jwcrypto.jwtroauthlib.oauth2.rfc6749rroauthlib.openidrrrmodelsrrrr r!r"rr#r$r% getLoggerr`rrGRANT_PASSWORDGRANT_CLIENT_CREDENTIALSrrprrIrrrr+rOrOrOrPsf