Skip to main content

OAuth PAS Plugin, OAuth 1.0 provider for Plone.

Project description


This module provides OAuth support for Zope/Plone, with the option to be extensible through the Zope Component Architecture to allow the addition of more feature-rich components. Features core to OAuth are fully supported, this includes the full OAuth authentication workflow, client (consumer) management for site managers and access token management for resource owners. Scope restriction is also supported; site managers can define content types and subpaths that are available for client usage using scope profiles, and clients can specify a list of them to better inform the resource owners of what will be accessed under their access rights.

While the test coverage is fairly complete and demonstrates that access permissions and scope restriction function as intended, the author does not currently endorse the usage of this package in a mission critical environment where absolute security is required, as there are no audits have been done on this package by security experts. Otherwise, please ensure that your users are aware of who the trusted third-party clients are and that your site’s privacy and security policies are updated to fully inform your users of risks that may be associated with the usage of OAuth with this package.



This package requires Plone 4.1 or later.

Installing with buildout

You can install pmr2.oauth using buildout by adding an entry for this package in both eggs and zcml sections.




eggs =

zcml =

Run buildout, then restart the Zope/Plone instance. This package must also be activated using the Add-ons panel under Site Setup within the Plone instance where OAuth based authorization is to be used.

Further information and usage instructions

If the add-on is correctly installed and activated, an index of views made available as part of this add-on can be found at ${portal_url}/@@pmr2-oauth.

If you are upgrading from a previously installed version of this add-on, please refer to docs/UPGRADE.rst for some important information.

For more detailed information, please refer to the doctest file at pmr2/oauth/README.rst.


This add-on was created as part of the Physiome Model Repository in order to enable it to provide secured web-service access using a well supported, industry-standard authorization method for third-party clients.


0.6.1 - 2017-01-13

  • Ensure the tests work with plone.protect>=3, and bumped dependencies.

0.6.0 - 2015-08-21

  • Usability enhancements; reworded the user facing form and added a user action for easier linkage to their approved applications.
  • Updated dependency to oauthlib>=1.0.2.

0.5.1 - 2013-11-22

  • Bug Fix: Corrected the handling of application/x-www-form-urlencoded for the signature verification. [PMR/pmr2.oauth#4]

0.5 - 2013-10-24

  • Updated the supported oauthlib to 0.6.0
  • The design has been refactored to rely on the token endpoint classes for the validation.
  • Support OAuth requests encoded using URL query strings.
  • Addition of new content types into portal should no longer result in z3c.form-3.0.0 breaking on <NO_VALUE>.
  • Updated a large amounts of text and even an internal management endpoint to be more clear and reflective of the terminology used in RFC 5849.
  • More usability fixes. The entire management interface should now be easily accessible through the Site Setup menu, and also the inner management pages should link back to the main OAuth management page.

0.4.5 - 2013-07-09

  • Removed deprecated imports from*.

0.4.4 - 2013-04-04

  • URL encoding/decoding workaround to ensure the query parameters are being processed correctly.
  • Bug fix: Deleting a client (consumer) no longer prevents user from managing their list of issued tokens.
  • Depends on oauthlib 0.4.0

0.4.3 - 2013-02-01

  • Pin the minimum supported oauthlib version to 0.3.5 to maintain consistency of the require_callback parameter.

0.4.2 - 2013-01-31

  • Security Fix: Correctly apply CSRF protection to all forms.
  • Denying a non-existent token will no longer show a stack trace.

Note: 0.4.1 was aborted due to incomplete fix.

0.4 - 2013-01-22

Major architectural changes

  • Removal of python-oauth2 and use oauthlib. Significant changes to the PAS OAuthPlugin, including the removal of all private methods, replacement of the OAuthUtility with an adapter, with nearly all authentication and verification functions moved into this adapter, which extends the oauthlib server class.
  • Scope manager completely redefined to accept any identifiers, which can be client (consumer), temporary or access keys. Specific implementations can then make use of this change.
  • Default scope manager no longer manages permitted URIs based directly on regex, but views and subpaths within specific content types.
  • Consumer keys now randomly generated. For identification purposes the title and domain fields are introduced. Domain field serves an additional purpose for verification of callbacks by the default callback manager.

New features

  • Introduction of callback manager. This manages permitted targets for callbacks, so that resource owners will not be redirected to untrusted hosts especially for oob clients.
  • Default scope manager provides the concept of scope profiles, which are concise representations of access that will be granted by the resource owner to clients.
  • Base classes for extending/replacing provided functionalities.
  • An index of all valid endpoints (views) made available by this add-on.

Bugs (and maybe fixes)

  • The missing permissions.zcml is now included. (noted by ngi644)
  • Translations are not included with this release as there were too many new and modified text.

0.3a - 2012-11-23

  • Scope manager now permit POST requests.
  • Corrected the scope verification to be based on the resolved internal script URL.
  • Corrected the signature verification method to use the actual URL, not the internal script URL.
  • Workaround the adherence to legacy part of the spec in python-oauth2.

Note: This is a special release for development of PMR2-0.7 (or Release 7), as this package now depends on some packages not yet released. This release is made regardless as it is needed for demonstration purposes.

0.2 - 2012-10-16

  • Completing i18n coverage and added Italian support. [giacomos]
  • Added intermediate form class to eliminate the need to define wrapper classes for compatibility between Plone and z3c.form.

0.1 - 2011-10-20

  • Provide the core functionality of OAuth into Zope/Plone, through the use of custom forms and the Pluggable Authentication System.
  • Contain just the basic storage for all associated data types, but extensibility is allowed.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for pmr2.oauth, version 0.6.1
Filename, size File type Python version Upload date Hashes
Filename, size pmr2.oauth-0.6.1.tar.gz (72.2 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page