From 64609c0e33b3c33233f605013b0e7b7b83bf4287 Mon Sep 17 00:00:00 2001
From: Adam Charnock
Date: Sat, 14 Sep 2013 14:16:03 +0100
Subject: [PATCH] Not sending a refresh_token to public clients requesting password_grants

---
 provider/oauth2/tests.py | 2 ++
 provider/views.py | 27 ++++++++++++++++++++-------
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/provider/oauth2/tests.py b/provider/oauth2/tests.py
index 34e0b92..daafce4 100644
--- a/provider/oauth2/tests.py
+++ b/provider/oauth2/tests.py
@@ -348,6 +348,7 @@ class AccessTokenTest(BaseOAuth2TestCase):
         })
         self.assertEqual(200, response.status_code, response.content)
+        self.assertNotIn('refresh_token', json.loads(response.content))
     def test_password_grant_confidential(self):
         c = self.get_client()
@@ -363,6 +364,7 @@ class AccessTokenTest(BaseOAuth2TestCase):
         })
         self.assertEqual(200, response.status_code, response.content)
+        self.assertTrue(json.loads(response.content)['refresh_token'])
     def test_password_grant_confidential_no_secret(self):
         c = self.get_client()
diff --git a/provider/views.py b/provider/views.py
index a774d4d..780f5fd 100644
--- a/provider/views.py
+++ b/provider/views.py
@@ -4,6 +4,7 @@ from django.http import HttpResponse
 from django.http import HttpResponseRedirect, QueryDict
 from django.utils.translation import ugettext as _
 from django.views.generic.base import TemplateView
+from django.core.exceptions import ObjectDoesNotExist
 from . import constants, scope
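Review bot: The added `self.assertNotIn('refresh_token', json.loads(response.content))` in the `@@ -348` hunk checks only the serialised JSON, which cannot distinguish a refresh token that was never issued for the public client from one that was created and merely dropped by the response builder (which now swallows the missing-object case). A companion check that no refresh-token row exists for the returned access token — and, in the `@@ -363` hunk, that one does exist for the confidential client — would pin the behaviour the commit title describes rather than the shape of the response. The enclosing test method starts outside the hunk, so its name is not visible here. Binding `body = json.loads(response.content)` once per test would also keep the two assertions on each response readable.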
@@ -447,13 +448,23 @@ class AccessToken(OAuthView, Mixin):
         Returns a successful response after creating the access token
         as defined in :rfc:`5.1`.
         """
+
+        response_data = {
+            'access_token': access_token.token,
+            'expires_in': access_token.get_expire_delta(),
+            'scope': ' '.join(scope.names(access_token.scope)),
+        }
+
+        # Not all access_tokens are given a refresh_token
+        # (for example, public clients doing password auth)
+        try:
+            rt = access_token.refresh_token
+            response_data['refresh_token'] = rt.token
+        except ObjectDoesNotExist:
+            pass
+
         return HttpResponse(
-            json.dumps({
-                'access_token': access_token.token,
-                'expires_in': access_token.get_expire_delta(),
-                'refresh_token': access_token.refresh_token.token,
-                'scope': ' '.join(scope.names(access_token.scope)),
-            }), mimetype='application/json'
+            json.dumps(response_data), mimetype='application/json'
         )
     def authorization_code(self, request, data, client):
@@ -502,7 +513,9 @@ class AccessToken(OAuthView, Mixin):
             at = self.get_access_token(request, user, scope, client)
         else:
             at = self.create_access_token(request, user, scope, client)
-        rt = self.create_refresh_token(request, user, scope, at, client)
+        # Public clients don't get refresh tokens
+        if client.client_type != 1:
+            rt = self.create_refresh_token(request, user, scope, at, client)
         return self.access_token_response(at)
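Review bot: The `except ObjectDoesNotExist: pass` added to `access_token_response` applies to every grant type that reaches this method, not only to public-client password grants, so a confidential client whose refresh token was never created (or was later deleted) now receives a 200 without `refresh_token` where the old code raised, and that omission is indistinguishable from the intended public-client case. Keeping the `try` to the single attribute access and making the omission explicit would narrow the change, e.g. `except ObjectDoesNotExist: rt = None` followed by `if rt is not None: response_data['refresh_token'] = rt.token`, with a log line when the client is not public so an unexpected omission is visible in operations. The method's signature is outside the hunk.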
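Review bot: `client.client_type != 1` in the `@@ -502` hunk hardcodes the public client type as a bare integer; the module already imports `constants` (visible in the first views.py hunk), so if that module names the client types, comparing against the named value instead of `1` keeps the check readable and robust to renumbering. The `rt` assigned under the new `if` is never read in the visible lines, so `self.create_refresh_token(request, user, scope, at, client)` can be called for its side effect alone. The guard covers only this grant path; the method's header is outside the hunk, and the hunk's trailing context appears to be cut off in this view.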