Limit Clients to a subset of Users

[jaap3]

Is there a way to restrict a client to a limited set of users?

Assuming I have a client models similar to this:

class AdminClient(ClientMixin):
    client_id = 'admin'
    users = [1, 2, 3]
    scope = 'admin'

    ... # etc.

Is it possible to deny an "authorization" requests by this 'admin' client if the logged in user id is not in the list of users (e.g. respond with a 403 or redirect with an error)?

I'm basically trying to prevent non-priviliged users from ever getting a token with the scope 'admin', so my initial thought was to user a special Client for this. I also want to be able to know that this user is not able to use this specific client in my frontend application, so I can display a message that this user is not allowed to use this application.

However, after looking at the ClientMixin methods, it seems that none of them ever get access to the user that is performing the authorization request.

Are there any other hooks I can use to achieve this?

[jaap3]

I ended up implementing this myself in the authorize view:

psuedo code:

class BaseClient(ClientMixin):
    def is_enabled_for_user(self, user):
        # Override this is clients with special access rules
        return not user.is_anonymous
    

def authorize(request):
    try:
        grant = oauth2_server.get_consent_grant(request, end_user=request.user)
    except OAuth2Error as error:
        return oauth2_server.handle_error_response(request, error)
        
    user = request.user if grant.client.is_enabled_for_user(request.user) else None
    return oauth2_server.create_authorization_response(request, grant_user=user)

[jaap3]

Still left wondering if this is the best approach though. Input appreciated.

[lepture]

@jaap3 I think your solution is ok. There is no such built-in logic checking.