django-oidc-provider/oidc_provider/lib/utils/token.py

from datetime import timedelta
import time
import uuid

from Crypto.PublicKey.RSA import importKey
from django.utils import timezone
from hashlib import md5
from jwkest.jwk import RSAKey as jwk_RSAKey
from jwkest.jws import JWS

from oidc_provider.lib.utils.common import get_issuer
from oidc_provider.models import *
from oidc_provider import settings


def create_id_token(user, aud, nonce):
    """
    Receives a user object and aud (audience).
    Then creates the id_token dictionary.
    See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken

    Return a dic.
    """
    sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)

    expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')

    # Convert datetimes into timestamps.
    now = timezone.now()
    iat_time = int(time.mktime(now.timetuple()))
    exp_time = int(time.mktime((now + timedelta(seconds=expires_in)).timetuple()))
    user_auth_time = user.last_login or user.date_joined
    auth_time = int(time.mktime(user_auth_time.timetuple()))

    dic = {
        'iss': get_issuer(),
        'sub': sub,
        'aud': str(aud),
        'exp': exp_time,
        'iat': iat_time,
        'auth_time': auth_time,
    }

    if nonce:
        dic['nonce'] = str(nonce)

    dic = settings.get('OIDC_ID_TOKEN_PROCESSING_HOOK', import_str=True)(dic)

    return dic


def encode_id_token(payload):
    """
    Represent the ID Token as a JSON Web Token (JWT).

    Return a hash.
    """
    keys = []

    for rsakey in RSAKey.objects.all():
        keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))

    if not keys:
        raise Exception('You must add at least one RSA Key.')
    
    _jws = JWS(payload, alg='RS256')

    return _jws.sign_compact(keys)


def create_token(user, client, id_token_dic, scope):
    """
    Create and populate a Token object.

    Return a Token object.
    """
    token = Token()
    token.user = user
    token.client = client
    token.access_token = uuid.uuid4().hex

    token.id_token = id_token_dic

    token.refresh_token = uuid.uuid4().hex
    token.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_TOKEN_EXPIRE'))
    token.scope = scope

    return token


def create_code(user, client, scope, nonce):
    """
    Create and populate a Code object.

    Return a Code object.
    """
    code = Code()
    code.user = user
    code.client = client
    code.code = uuid.uuid4().hex
    code.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_CODE_EXPIRE'))
    code.scope = scope
    code.nonce = nonce

    return code
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from datetime import timedelta`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`import time`
			`import uuid`

Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`from Crypto.PublicKey.RSA import importKey`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from django.utils import timezone`
Fxed: ID token does not contain kid #42 2015-08-12 03:50:05 +00:00			`from hashlib import md5`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from jwkest.jwk import RSAKey as jwk_RSAKey`
Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`from jwkest.jws import JWS`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from oidc_provider.lib.utils.common import get_issuer`
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider.models import *`
			`from oidc_provider import settings`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00

Modify create_id_token function for supporting nonce. 2015-07-15 19:18:34 +00:00			`def create_id_token(user, aud, nonce):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`Receives a user object and aud (audience).`
			`Then creates the id_token dictionary.`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken`

			`Return a dic.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`# Convert datetimes into timestamps.`
Modify create_id_token function for supporting nonce. 2015-07-15 19:18:34 +00:00			`now = timezone.now()`
Convert times to int Make iat_time, exp_time, auth_time an integer, not a float. The spec does not explicitly forbit float times, but some clients don't accept this (mod_auth_openidc), and `timetuple()` has second precision anyway so we don't loose any information. 2015-07-15 10:06:02 +00:00			`iat_time = int(time.mktime(now.timetuple()))`
			`exp_time = int(time.mktime((now + timedelta(seconds=expires_in)).timetuple()))`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`user_auth_time = user.last_login or user.date_joined`
Convert times to int Make iat_time, exp_time, auth_time an integer, not a float. The spec does not explicitly forbit float times, but some clients don't accept this (mod_auth_openidc), and `timetuple()` has second precision anyway so we don't loose any information. 2015-07-15 10:06:02 +00:00			`auth_time = int(time.mktime(user_auth_time.timetuple()))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`dic = {`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`'iss': get_issuer(),`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`'sub': sub,`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`'aud': str(aud),`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`'exp': exp_time,`
			`'iat': iat_time,`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`'auth_time': auth_time,`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`}`

Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`if nonce:`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`dic['nonce'] = str(nonce)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00			`dic = settings.get('OIDC_ID_TOKEN_PROCESSING_HOOK', import_str=True)(dic)`

Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`return dic`

Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`def encode_id_token(payload):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Represent the ID Token as a JSON Web Token (JWT).`

			`Return a hash.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`keys = []`

			`for rsakey in RSAKey.objects.all():`
			`keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))`

			`if not keys:`
			`raise Exception('You must add at least one RSA Key.')`

Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`_jws = JWS(payload, alg='RS256')`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00
Upgrade pyjwkest to version > 1.0.3 There have been some issues in Python 3 where elements of the id_token were left when encoding the token. Cause was incorrect encoding logic in pyjwkest. Version 1.0.3 has improved encoding handling. 2015-09-30 15:31:49 +00:00			`return _jws.sign_compact(keys)`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`def create_token(user, client, id_token_dic, scope):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Create and populate a Token object.`

			`Return a Token object.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token = Token()`
			`token.user = user`
			`token.client = client`
			`token.access_token = uuid.uuid4().hex`

			`token.id_token = id_token_dic`

			`token.refresh_token = uuid.uuid4().hex`
A few changes in settings. Add more variables to it. 2015-01-28 20:00:04 +00:00			`token.expires_at = timezone.now() + timedelta(`
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`seconds=settings.get('OIDC_TOKEN_EXPIRE'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token.scope = scope`

Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`return token`


Add nonce to Code model. Modify create_code function. 2015-07-15 19:23:36 +00:00			`def create_code(user, client, scope, nonce):`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`"""`
			`Create and populate a Code object.`

			`Return a Code object.`
			`"""`
			`code = Code()`
			`code.user = user`
			`code.client = client`
			`code.code = uuid.uuid4().hex`
			`code.expires_at = timezone.now() + timedelta(`
			`seconds=settings.get('OIDC_CODE_EXPIRE'))`
			`code.scope = scope`
Add nonce to Code model. Modify create_code function. 2015-07-15 19:23:36 +00:00			`code.nonce = nonce`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`return code`