django-oidc-provider/oidc_provider/lib/utils/token.py

from datetime import timedelta
import time
import uuid

from Cryptodome.PublicKey.RSA import importKey
from django.utils import dateformat, timezone
from jwkest.jwk import RSAKey as jwk_RSAKey
from jwkest.jwk import SYMKey
from jwkest.jws import JWS
from jwkest.jwt import JWT

from oidc_provider.lib.utils.common import get_issuer, run_processing_hook
from oidc_provider.lib.claims import StandardScopeClaims
from oidc_provider.models import (
    Code,
    RSAKey,
    Token,
)
from oidc_provider import settings


def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=None):
    """
    Creates the id_token dictionary.
    See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
    Return a dic.
    """
    if scope is None:
        scope = []
    sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)

    expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')

    # Convert datetimes into timestamps.
    now = int(time.time())
    iat_time = now
    exp_time = int(now + expires_in)
    user_auth_time = user.last_login or user.date_joined
    auth_time = int(dateformat.format(user_auth_time, 'U'))

    dic = {
        'iss': get_issuer(request=request),
        'sub': sub,
        'aud': str(aud),
        'exp': exp_time,
        'iat': iat_time,
        'auth_time': auth_time,
    }

    if nonce:
        dic['nonce'] = str(nonce)

    if at_hash:
        dic['at_hash'] = at_hash

    # Inlude (or not) user standard claims in the id_token.
    if settings.get('OIDC_IDTOKEN_INCLUDE_CLAIMS'):
        if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
            custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)
            claims = custom_claims.create_response_dic()
        else:
            claims = StandardScopeClaims(token).create_response_dic()
        dic.update(claims)

    dic = run_processing_hook(dic, 'OIDC_IDTOKEN_PROCESSING_HOOK', user=user)

    return dic


def encode_id_token(payload, client):
    """
    Represent the ID Token as a JSON Web Token (JWT).
    Return a hash.
    """
    keys = get_client_alg_keys(client)
    _jws = JWS(payload, alg=client.jwt_alg)
    return _jws.sign_compact(keys)


def decode_id_token(token, client):
    """
    Represent the ID Token as a JSON Web Token (JWT).
    Return a hash.
    """
    keys = get_client_alg_keys(client)
    return JWS().verify_compact(token, keys=keys)


def client_id_from_id_token(id_token):
    """
    Extracts the client id from a JSON Web Token (JWT).
    Returns a string or None.
    """
    payload = JWT().unpack(id_token).payload()
    aud = payload.get('aud', None)
    if aud is None:
        return None
    if isinstance(aud, list):
        return aud[0]
    return aud


def create_token(user, client, scope, id_token_dic=None):
    """
    Create and populate a Token object.
    Return a Token object.
    """
    token = Token()
    token.user = user
    token.client = client
    token.access_token = uuid.uuid4().hex

    if id_token_dic is not None:
        token.id_token = id_token_dic

    token.refresh_token = uuid.uuid4().hex
    token.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_TOKEN_EXPIRE'))
    token.scope = scope

    return token


def create_code(user, client, scope, nonce, is_authentication,
                code_challenge=None, code_challenge_method=None):
    """
    Create and populate a Code object.
    Return a Code object.
    """
    code = Code()
    code.user = user
    code.client = client

    code.code = uuid.uuid4().hex

    if code_challenge and code_challenge_method:
        code.code_challenge = code_challenge
        code.code_challenge_method = code_challenge_method

    code.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_CODE_EXPIRE'))
    code.scope = scope
    code.nonce = nonce
    code.is_authentication = is_authentication

    return code


def get_client_alg_keys(client):
    """
    Takes a client and returns the set of keys associated with it.
    Returns a list of keys.
    """
    if client.jwt_alg == 'RS256':
        keys = []
        for rsakey in RSAKey.objects.all():
            keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))
        if not keys:
            raise Exception('You must add at least one RSA Key.')
    elif client.jwt_alg == 'HS256':
        keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]
    else:
        raise Exception('Unsupported key algorithm.')

    return keys
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from datetime import timedelta`
Revert "Fix timestamps computing in tokens" This reverts commit 975eb0163fce63d47f4556accc4f0e6ba79b9811. 2016-12-07 11:15:47 +00:00			`import time`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`import uuid`

Update pyjwkest to version 1.3.0. 2016-10-03 15:54:54 +00:00			`from Cryptodome.PublicKey.RSA import importKey`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`from django.utils import dateformat, timezone`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from jwkest.jwk import RSAKey as jwk_RSAKey`
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`from jwkest.jwk import SYMKey`
Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`from jwkest.jws import JWS`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`from jwkest.jwt import JWT`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00
Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-02-05 15:29:08 +00:00			`from oidc_provider.lib.utils.common import get_issuer, run_processing_hook`
Made token and token_refresh endpoint return requested claims. 2017-12-14 17:03:15 +00:00			`from oidc_provider.lib.claims import StandardScopeClaims`
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`from oidc_provider.models import (`
			`Code,`
			`RSAKey,`
			`Token,`
			`)`
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider import settings`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00

Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 21:41:38 +00:00			`def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=None):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00			`Creates the id_token dictionary.`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken`
			`Return a dic.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00			`if scope is None:`
			`scope = []`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`# Convert datetimes into timestamps.`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`now = int(time.time())`
			`iat_time = now`
			`exp_time = int(now + expires_in)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`user_auth_time = user.last_login or user.date_joined`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`auth_time = int(dateformat.format(user_auth_time, 'U'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`dic = {`
Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`'iss': get_issuer(request=request),`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`'sub': sub,`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`'aud': str(aud),`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`'exp': exp_time,`
			`'iat': iat_time,`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`'auth_time': auth_time,`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`}`

Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`if nonce:`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`dic['nonce'] = str(nonce)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if at_hash:`
			`dic['at_hash'] = at_hash`

Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 21:41:38 +00:00			`# Inlude (or not) user standard claims in the id_token.`
			`if settings.get('OIDC_IDTOKEN_INCLUDE_CLAIMS'):`
			`if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):`
			`custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)`
			`claims = custom_claims.create_response_dic()`
			`else:`
			`claims = StandardScopeClaims(token).create_response_dic()`
			`dic.update(claims)`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00
Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-02-05 15:29:08 +00:00			`dic = run_processing_hook(dic, 'OIDC_IDTOKEN_PROCESSING_HOOK', user=user)`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`return dic`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`def encode_id_token(payload, client):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Represent the ID Token as a JSON Web Token (JWT).`
			`Return a hash.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`keys = get_client_alg_keys(client)`
			`_jws = JWS(payload, alg=client.jwt_alg)`
Upgrade pyjwkest to version > 1.0.3 There have been some issues in Python 3 where elements of the id_token were left when encoding the token. Cause was incorrect encoding logic in pyjwkest. Version 1.0.3 has improved encoding handling. 2015-09-30 15:31:49 +00:00			`return _jws.sign_compact(keys)`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def decode_id_token(token, client):`
			`"""`
			`Represent the ID Token as a JSON Web Token (JWT).`
			`Return a hash.`
			`"""`
			`keys = get_client_alg_keys(client)`
			`return JWS().verify_compact(token, keys=keys)`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def client_id_from_id_token(id_token):`
			`"""`
			`Extracts the client id from a JSON Web Token (JWT).`
			`Returns a string or None.`
			`"""`
			`payload = JWT().unpack(id_token).payload()`
Fixed client id retrieval when aud is a list of str. (#210) * Fixed client id retrievel when aud is a list of str. * Split tests. 2017-11-09 11:05:20 +00:00			`aud = payload.get('aud', None)`
			`if aud is None:`
			`return None`
			`if isinstance(aud, list):`
			`return aud[0]`
			`return aud`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`def create_token(user, client, scope, id_token_dic=None):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Create and populate a Token object.`
			`Return a Token object.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token = Token()`
			`token.user = user`
			`token.client = client`
			`token.access_token = uuid.uuid4().hex`

Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if id_token_dic is not None:`
			`token.id_token = id_token_dic`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`token.refresh_token = uuid.uuid4().hex`
A few changes in settings. Add more variables to it. 2015-01-28 20:00:04 +00:00			`token.expires_at = timezone.now() + timedelta(`
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`seconds=settings.get('OIDC_TOKEN_EXPIRE'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token.scope = scope`

Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`return token`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00			`def create_code(user, client, scope, nonce, is_authentication,`
			`code_challenge=None, code_challenge_method=None):`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`"""`
			`Create and populate a Code object.`
			`Return a Code object.`
			`"""`
			`code = Code()`
			`code.user = user`
			`code.client = client`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.code = uuid.uuid4().hex`
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00
Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 19:18:47 +00:00			`if code_challenge and code_challenge_method:`
			`code.code_challenge = code_challenge`
			`code.code_challenge_method = code_challenge_method`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.expires_at = timezone.now() + timedelta(`
			`seconds=settings.get('OIDC_CODE_EXPIRE'))`
			`code.scope = scope`
Add nonce to Code model. Modify create_code function. 2015-07-15 19:23:36 +00:00			`code.nonce = nonce`
Refactoring supporting OAuth2 flow. 2016-02-16 20:33:12 +00:00			`code.is_authentication = is_authentication`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`return code`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def get_client_alg_keys(client):`
			`"""`
			`Takes a client and returns the set of keys associated with it.`
			`Returns a list of keys.`
			`"""`
			`if client.jwt_alg == 'RS256':`
			`keys = []`
			`for rsakey in RSAKey.objects.all():`
			`keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))`
			`if not keys:`
			`raise Exception('You must add at least one RSA Key.')`
			`elif client.jwt_alg == 'HS256':`
			`keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]`
			`else:`
			`raise Exception('Unsupported key algorithm.')`

			`return keys`