django-oidc-provider/oidc_provider/views.py

import logging
try:
    from urllib import urlencode
    from urlparse import urlsplit, parse_qs, urlunsplit
except ImportError:
    from urllib.parse import urlsplit, parse_qs, urlunsplit, urlencode

from Cryptodome.PublicKey import RSA
from django.contrib.auth.views import (
    redirect_to_login,
    logout,
)
from django.core.urlresolvers import reverse
from django.http import JsonResponse
from django.shortcuts import render
from django.template.loader import render_to_string
from django.utils.decorators import method_decorator
from django.views.decorators.clickjacking import xframe_options_exempt
from django.views.decorators.http import require_http_methods
from django.views.generic import View
from jwkest import long_to_base64

from oidc_provider.lib.claims import StandardScopeClaims
from oidc_provider.lib.endpoints.authorize import AuthorizeEndpoint
from oidc_provider.lib.endpoints.token import TokenEndpoint
from oidc_provider.lib.errors import (
    AuthorizeError,
    ClientIdError,
    RedirectUriError,
    TokenError,
)
from oidc_provider.lib.utils.common import (
    redirect,
    get_site_url,
    get_issuer,
)
from oidc_provider.lib.utils.oauth2 import protected_resource_view
from oidc_provider.lib.utils.token import client_id_from_id_token
from oidc_provider.models import (
    Client,
    RESPONSE_TYPE_CHOICES,
    RSAKey,
)
from oidc_provider import settings


logger = logging.getLogger(__name__)


class AuthorizeView(View):

    def get(self, request, *args, **kwargs):

        authorize = AuthorizeEndpoint(request)

        try:
            authorize.validate_params()

            if request.user.is_authenticated():
                # Check if there's a hook setted.
                hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK', import_str=True)(
                    request=request, user=request.user,
                    client=authorize.client)
                if hook_resp:
                    return hook_resp

                if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public') \
                and not (authorize.params['prompt'] == 'consent'):
                    return redirect(authorize.create_response_uri())

                if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
                    # Check if user previously give consent.
                    if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \
                    and not (authorize.params['prompt'] == 'consent'):
                        return redirect(authorize.create_response_uri())

                if authorize.params['prompt'] == 'none':
                    raise AuthorizeError(authorize.params['redirect_uri'], 'interaction_required', authorize.grant_type)

                if authorize.params['prompt'] == 'login':
                    return redirect_to_login(request.get_full_path())

                if authorize.params['prompt'] == 'select_account':
                    # TODO: see how we can support multiple accounts for the end-user.
                    raise AuthorizeError(authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)

                # Generate hidden inputs for the form.
                context = {
                    'params': authorize.params,
                }
                hidden_inputs = render_to_string('oidc_provider/hidden_inputs.html', context)

                # Remove `openid` from scope list
                # since we don't need to print it.
                if 'openid' in authorize.params['scope']:
                    authorize.params['scope'].remove('openid')

                context = {
                    'client': authorize.client,
                    'hidden_inputs': hidden_inputs,
                    'params': authorize.params,
                    'scopes': authorize.get_scopes_information(),
                }

                return render(request, 'oidc_provider/authorize.html', context)
            else:
                if authorize.params['prompt'] == 'none':
                    raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)

                return redirect_to_login(request.get_full_path())

        except (ClientIdError, RedirectUriError) as error:
            context = {
                'error': error.error,
                'description': error.description,
            }

            return render(request, 'oidc_provider/error.html', context)

        except (AuthorizeError) as error:
            uri = error.create_uri(
                authorize.params['redirect_uri'],
                authorize.params['state'])

            return redirect(uri)

    def post(self, request, *args, **kwargs):
        authorize = AuthorizeEndpoint(request)

        try:
            authorize.validate_params()

            if not request.POST.get('allow'):
                raise AuthorizeError(authorize.params['redirect_uri'],
                                     'access_denied',
                                     authorize.grant_type)

            # Save the user consent given to the client.
            authorize.set_client_user_consent()

            uri = authorize.create_response_uri()

            return redirect(uri)

        except (AuthorizeError) as error:
            uri = error.create_uri(
                authorize.params['redirect_uri'],
                authorize.params['state'])

            return redirect(uri)


class TokenView(View):

    def post(self, request, *args, **kwargs):
        token = TokenEndpoint(request)

        try:
            token.validate_params()

            dic = token.create_response_dic()

            return TokenEndpoint.response(dic)

        except (TokenError) as error:
            return TokenEndpoint.response(error.create_dict(), status=400)


@require_http_methods(['GET', 'POST'])
@protected_resource_view(['openid'])
def userinfo(request, *args, **kwargs):
    """
    Create a diccionary with all the requested claims about the End-User.
    See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

    Return a diccionary.
    """
    token = kwargs['token']

    dic = {
        'sub': token.id_token.get('sub'),
    }

    standard_claims = StandardScopeClaims(token)
    dic.update(standard_claims.create_response_dic())

    if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
        extra_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)
        dic.update(extra_claims.create_response_dic())

    response = JsonResponse(dic, status=200)
    response['Access-Control-Allow-Origin'] = '*'
    response['Cache-Control'] = 'no-store'
    response['Pragma'] = 'no-cache'

    return response


class ProviderInfoView(View):

    def get(self, request, *args, **kwargs):
        dic = dict()

        site_url = get_site_url(request=request)
        dic['issuer'] = get_issuer(site_url=site_url, request=request)

        dic['authorization_endpoint'] = site_url + reverse('oidc_provider:authorize')
        dic['token_endpoint'] = site_url + reverse('oidc_provider:token')
        dic['userinfo_endpoint'] = site_url + reverse('oidc_provider:userinfo')
        dic['end_session_endpoint'] = site_url + reverse('oidc_provider:end-session')

        types_supported = [x[0] for x in RESPONSE_TYPE_CHOICES]
        dic['response_types_supported'] = types_supported

        dic['jwks_uri'] = site_url + reverse('oidc_provider:jwks')

        dic['id_token_signing_alg_values_supported'] = ['HS256', 'RS256']

        # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
        dic['subject_types_supported'] = ['public']

        dic['token_endpoint_auth_methods_supported'] = ['client_secret_post',
                                                        'client_secret_basic']

        if settings.get('OIDC_SESSION_MANAGEMENT_ENABLE'):
            dic['check_session_iframe'] = site_url + reverse('oidc_provider:check-session-iframe')

        response = JsonResponse(dic)
        response['Access-Control-Allow-Origin'] = '*'

        return response


class JwksView(View):

    def get(self, request, *args, **kwargs):
        dic = dict(keys=[])

        for rsakey in RSAKey.objects.all():
            public_key = RSA.importKey(rsakey.key).publickey()
            dic['keys'].append({
                'kty': 'RSA',
                'alg': 'RS256',
                'use': 'sig',
                'kid': rsakey.kid,
                'n': long_to_base64(public_key.n),
                'e': long_to_base64(public_key.e),
            })

        response = JsonResponse(dic)
        response['Access-Control-Allow-Origin'] = '*'

        return response


class EndSessionView(View):

    def get(self, request, *args, **kwargs):
        id_token_hint = request.GET.get('id_token_hint', '')
        post_logout_redirect_uri = request.GET.get('post_logout_redirect_uri', '')
        state = request.GET.get('state', '')

        next_page = settings.get('LOGIN_URL')

        if id_token_hint:
            client_id = client_id_from_id_token(id_token_hint)
            try:
                client = Client.objects.get(client_id=client_id)
                if post_logout_redirect_uri in client.post_logout_redirect_uris:
                    if state:
                        uri = urlsplit(post_logout_redirect_uri)
                        query_params = parse_qs(uri.query)
                        query_params['state'] = state
                        uri = uri._replace(query=urlencode(query_params, doseq=True))
                        next_page = urlunsplit(uri)
                    else:
                        next_page = post_logout_redirect_uri
            except Client.DoesNotExist:
                pass

        return logout(request, next_page=next_page)


class CheckSessionIframeView(View):

    @method_decorator(xframe_options_exempt)
    def dispatch(self, request, *args, **kwargs):
        return super(CheckSessionIframeView, self).dispatch(request, *args, **kwargs)

    def get(self, request, *args, **kwargs):
        return render(request, 'oidc_provider/check_session_iframe.html', kwargs)
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`import logging`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`try:`
			`from urllib import urlencode`
			`from urlparse import urlsplit, parse_qs, urlunsplit`
			`except ImportError:`
			`from urllib.parse import urlsplit, parse_qs, urlunsplit, urlencode`
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00
Update pyjwkest to version 1.3.0. 2016-10-03 15:54:54 +00:00			`from Cryptodome.PublicKey import RSA`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`from django.contrib.auth.views import (`
			`redirect_to_login,`
			`logout,`
			`)`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00			`from django.core.urlresolvers import reverse`
Replace django redirect with custom HttpResponse object. 2015-11-12 20:12:18 +00:00			`from django.http import JsonResponse`
Initial commit. 2014-12-19 15:27:43 +00:00			`from django.shortcuts import render`
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00			`from django.template.loader import render_to_string`
Initial Session Management version. 2016-10-28 18:25:52 +00:00			`from django.utils.decorators import method_decorator`
			`from django.views.decorators.clickjacking import xframe_options_exempt`
Initial commit. 2014-12-19 15:27:43 +00:00			`from django.views.decorators.http import require_http_methods`
			`from django.views.generic import View`
Add Jwks view to views.py. 2015-07-13 20:34:43 +00:00			`from jwkest import long_to_base64`
Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00
Add StandardScopeClaims import. 2016-02-15 20:21:46 +00:00			`from oidc_provider.lib.claims import StandardScopeClaims`
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`from oidc_provider.lib.endpoints.authorize import AuthorizeEndpoint`
			`from oidc_provider.lib.endpoints.token import TokenEndpoint`
			`from oidc_provider.lib.errors import (`
			`AuthorizeError,`
			`ClientIdError,`
			`RedirectUriError,`
			`TokenError,`
			`)`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`from oidc_provider.lib.utils.common import (`
			`redirect,`
			`get_site_url,`
			`get_issuer,`
			`)`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`from oidc_provider.lib.utils.oauth2 import protected_resource_view`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`from oidc_provider.lib.utils.token import client_id_from_id_token`
			`from oidc_provider.models import (`
			`Client,`
			`RESPONSE_TYPE_CHOICES,`
			`RSAKey,`
			`)`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`from oidc_provider import settings`
Initial commit. 2014-12-19 15:27:43 +00:00

Refactoring error logging. 2015-06-19 20:46:00 +00:00			`logger = logging.getLogger(__name__)`


Initial commit. 2014-12-19 15:27:43 +00:00			`class AuthorizeView(View):`

			`def get(self, request, args, *kwargs):`

			`authorize = AuthorizeEndpoint(request)`

			`try:`
			`authorize.validate_params()`

			`if request.user.is_authenticated():`
Add OIDC_AFTER_USERLOGIN_HOOK setting. 2015-03-19 17:04:32 +00:00			`# Check if there's a hook setted.`
Make OIDC_AFTER_USERLOGIN_HOOK to be lazy imported by string. 2016-01-19 20:37:32 +00:00			`hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK', import_str=True)(`
Add OIDC_AFTER_USERLOGIN_HOOK setting. 2015-03-19 17:04:32 +00:00			`request=request, user=request.user,`
			`client=authorize.client)`
			`if hook_resp:`
			`return hook_resp`
Refactoring. Add views for client creation. 2015-01-12 22:13:48 +00:00
Add support for the other values of the prompt param. 2016-04-13 21:38:38 +00:00			`if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public') \`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`and not (authorize.params['prompt'] == 'consent'):`
Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`return redirect(authorize.create_response_uri())`

Rename setting. 2015-06-24 15:40:00 +00:00			`if settings.get('OIDC_SKIP_CONSENT_ENABLE'):`
Add user consent logic to authorize endpoint. 2015-06-22 21:42:42 +00:00			`# Check if user previously give consent.`
Add support for the other values of the prompt param. 2016-04-13 21:38:38 +00:00			`if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`and not (authorize.params['prompt'] == 'consent'):`
Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`return redirect(authorize.create_response_uri())`
Add user consent logic to authorize endpoint. 2015-06-22 21:42:42 +00:00
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`if authorize.params['prompt'] == 'none':`
			`raise AuthorizeError(authorize.params['redirect_uri'], 'interaction_required', authorize.grant_type)`
Refactoring views.py. 2016-06-01 15:09:40 +00:00
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`if authorize.params['prompt'] == 'login':`
Refactoring views.py. 2016-06-01 15:09:40 +00:00			`return redirect_to_login(request.get_full_path())`

Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`if authorize.params['prompt'] == 'select_account':`
Refactoring views.py. 2016-06-01 15:09:40 +00:00			`# TODO: see how we can support multiple accounts for the end-user.`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`raise AuthorizeError(authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)`
Refactoring views.py. 2016-06-01 15:09:40 +00:00
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00			`# Generate hidden inputs for the form.`
Changes login redirect in authorize view. 2015-01-19 18:25:16 +00:00			`context = {`
Initial commit. 2014-12-19 15:27:43 +00:00			`'params': authorize.params,`
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00			`}`
Refactoring views.py. 2016-06-01 15:09:40 +00:00			`hidden_inputs = render_to_string('oidc_provider/hidden_inputs.html', context)`
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00
Add OIDC_AFTER_USERLOGIN_HOOK setting. 2015-03-19 17:04:32 +00:00			# Remove `openid` from scope list
			`# since we don't need to print it.`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`if 'openid' in authorize.params['scope']:`
			`authorize.params['scope'].remove('openid')`
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00
			`context = {`
Initial commit. 2014-12-19 15:27:43 +00:00			`'client': authorize.client,`
Clean authorize template. Separate hidden inputs. 2015-01-29 17:03:17 +00:00			`'hidden_inputs': hidden_inputs,`
			`'params': authorize.params,`
Add verbose name and description for scopes. 2016-06-16 20:18:39 +00:00			`'scopes': authorize.get_scopes_information(),`
Initial commit. 2014-12-19 15:27:43 +00:00			`}`

Change name of the package. 2015-02-18 18:07:22 +00:00			`return render(request, 'oidc_provider/authorize.html', context)`
Initial commit. 2014-12-19 15:27:43 +00:00			`else:`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`if authorize.params['prompt'] == 'none':`
			`raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)`
Refactoring prompt=none logic. 2016-04-13 20:19:37 +00:00
			`return redirect_to_login(request.get_full_path())`
Initial commit. 2014-12-19 15:27:43 +00:00
			`except (ClientIdError, RedirectUriError) as error:`
Changes login redirect in authorize view. 2015-01-19 18:25:16 +00:00			`context = {`
Add custom template errors. (ClientID and RedirectURI) 2015-01-09 17:59:23 +00:00			`'error': error.error,`
			`'description': error.description,`
			`}`

Change name of the package. 2015-02-18 18:07:22 +00:00			`return render(request, 'oidc_provider/error.html', context)`
Initial commit. 2014-12-19 15:27:43 +00:00
			`except (AuthorizeError) as error:`
Refactoring. Add views for client creation. 2015-01-12 22:13:48 +00:00			`uri = error.create_uri(`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`authorize.params['redirect_uri'],`
			`authorize.params['state'])`
Initial commit. 2014-12-19 15:27:43 +00:00
Replace django redirect with custom HttpResponse object. 2015-11-12 20:12:18 +00:00			`return redirect(uri)`
Initial commit. 2014-12-19 15:27:43 +00:00
			`def post(self, request, args, *kwargs):`
			`authorize = AuthorizeEndpoint(request)`

Move allow logic to authorize view. 2015-06-15 19:04:44 +00:00			`try:`
Move validate_params function to views (on POST authorize). 2015-06-15 20:34:36 +00:00			`authorize.validate_params()`
Refactoring views.py. 2016-06-01 15:09:40 +00:00
Refactoring prompt=none logic. 2016-04-13 20:19:37 +00:00			`if not request.POST.get('allow'):`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`raise AuthorizeError(authorize.params['redirect_uri'],`
Move allow logic to authorize view. 2015-06-15 19:04:44 +00:00			`'access_denied',`
			`authorize.grant_type)`

Add user consent logic to authorize endpoint. 2015-06-22 21:42:42 +00:00			`# Save the user consent given to the client.`
			`authorize.set_client_user_consent()`
Initial commit. 2014-12-19 15:27:43 +00:00
Add user consent logic to authorize endpoint. 2015-06-22 21:42:42 +00:00			`uri = authorize.create_response_uri()`
Replace django redirect with custom HttpResponse object. 2015-11-12 20:12:18 +00:00
			`return redirect(uri)`
Initial commit. 2014-12-19 15:27:43 +00:00
			`except (AuthorizeError) as error:`
Add custom scope claims feature. 2015-01-30 20:20:36 +00:00			`uri = error.create_uri(`
Remove Params() object from endpoints classes. 2016-09-09 17:49:41 +00:00			`authorize.params['redirect_uri'],`
			`authorize.params['state'])`
Initial commit. 2014-12-19 15:27:43 +00:00
Replace django redirect with custom HttpResponse object. 2015-11-12 20:12:18 +00:00			`return redirect(uri)`
Initial commit. 2014-12-19 15:27:43 +00:00
Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`class TokenView(View):`

			`def post(self, request, args, *kwargs):`
			`token = TokenEndpoint(request)`

			`try:`
			`token.validate_params()`

			`dic = token.create_response_dic()`

			`return TokenEndpoint.response(dic)`

			`except (TokenError) as error:`
			`return TokenEndpoint.response(error.create_dict(), status=400)`

Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00
Initial commit. 2014-12-19 15:27:43 +00:00			`@require_http_methods(['GET', 'POST'])`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`@protected_resource_view(['openid'])`
			`def userinfo(request, args, *kwargs):`
			`"""`
			`Create a diccionary with all the requested claims about the End-User.`
			`See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse`
Initial commit. 2014-12-19 15:27:43 +00:00
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`Return a diccionary.`
			`"""`
			`token = kwargs['token']`
Initial commit. 2014-12-19 15:27:43 +00:00
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`dic = {`
			`'sub': token.id_token.get('sub'),`
			`}`
Initial commit. 2014-12-19 15:27:43 +00:00
Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors 2016-10-12 19:23:57 +00:00			`standard_claims = StandardScopeClaims(token)`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`dic.update(standard_claims.create_response_dic())`

Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):`
Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors 2016-10-12 19:23:57 +00:00			`extra_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)`
Change setting OIDC_USERINFO. 2016-07-07 15:50:27 +00:00			`dic.update(extra_claims.create_response_dic())`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00
			`response = JsonResponse(dic, status=200)`
Add CORS fix to userinfo view. 2016-09-06 18:37:23 +00:00			`response['Access-Control-Allow-Origin'] = '*'`
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`response['Cache-Control'] = 'no-store'`
			`response['Pragma'] = 'no-cache'`
Modify scope claims class. 2016-05-30 16:28:07 +00:00
Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 20:13:19 +00:00			`return response`
Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00

			`class ProviderInfoView(View):`

			`def get(self, request, args, *kwargs):`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00			`dic = dict()`
Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00
Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`site_url = get_site_url(request=request)`
			`dic['issuer'] = get_issuer(site_url=site_url, request=request)`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00
Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`dic['authorization_endpoint'] = site_url + reverse('oidc_provider:authorize')`
			`dic['token_endpoint'] = site_url + reverse('oidc_provider:token')`
			`dic['userinfo_endpoint'] = site_url + reverse('oidc_provider:userinfo')`
Fix urls and names. 2016-11-01 15:15:48 +00:00			`dic['end_session_endpoint'] = site_url + reverse('oidc_provider:end-session')`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00
Create migrations. Improve docs. 2016-04-25 20:33:52 +00:00			`types_supported = [x[0] for x in RESPONSE_TYPE_CHOICES]`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00			`dic['response_types_supported'] = types_supported`

Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`dic['jwks_uri'] = site_url + reverse('oidc_provider:jwks')`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00
Update provider info supporting HS256 id_token sign alg. 2016-03-22 23:48:30 +00:00			`dic['id_token_signing_alg_values_supported'] = ['HS256', 'RS256']`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00
			`# See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes`
			`dic['subject_types_supported'] = ['public']`
Add Provider Configuration Information endpoint. 2015-03-04 19:24:41 +00:00
flake8 fixes 2016-08-08 17:54:40 +00:00			`dic['token_endpoint_auth_methods_supported'] = ['client_secret_post',`
			`'client_secret_basic']`
Add token_endpoint_auth_methods_supported to discovery. 2015-07-31 17:59:33 +00:00
Initial Session Management version. 2016-10-28 18:25:52 +00:00			`if settings.get('OIDC_SESSION_MANAGEMENT_ENABLE'):`
			`dic['check_session_iframe'] = site_url + reverse('oidc_provider:check-session-iframe')`

Add Access-Control-Allow-Origin to ProviderInfoView. 2016-09-06 16:21:29 +00:00			`response = JsonResponse(dic)`
			`response['Access-Control-Allow-Origin'] = '*'`

			`return response`
Add Jwks view to views.py. 2015-07-13 20:34:43 +00:00

			`class JwksView(View):`

			`def get(self, request, args, *kwargs):`
			`dic = dict(keys=[])`

Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`for rsakey in RSAKey.objects.all():`
flake8 fixes 2016-08-08 17:54:40 +00:00			`public_key = RSA.importKey(rsakey.key).publickey()`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`dic['keys'].append({`
			`'kty': 'RSA',`
			`'alg': 'RS256',`
			`'use': 'sig',`
			`'kid': rsakey.kid,`
			`'n': long_to_base64(public_key.n),`
			`'e': long_to_base64(public_key.e),`
			`})`
Add Jwks view to views.py. 2015-07-13 20:34:43 +00:00
Add "Allow-Origin" header to jwks endpoint. 2016-01-20 20:08:47 +00:00			`response = JsonResponse(dic)`
			`response['Access-Control-Allow-Origin'] = '*'`

			`return response`
Add logout view to enable minimal session mgmt This implements a very small part of the OIDC session management as described in http://openid.net/specs/openid-connect-session-1_0-17.html#rfc.section.5. It does not implement the full session management (using iframes) and does not implement the registration and verification of logout redirect uri's. 2015-07-24 09:36:45 +00:00

Fix urls and names. 2016-11-01 15:15:48 +00:00			`class EndSessionView(View):`
Refactoring in discovery. 2015-07-31 17:19:53 +00:00
Add logout view to enable minimal session mgmt This implements a very small part of the OIDC session management as described in http://openid.net/specs/openid-connect-session-1_0-17.html#rfc.section.5. It does not implement the full session management (using iframes) and does not implement the registration and verification of logout redirect uri's. 2015-07-24 09:36:45 +00:00			`def get(self, request, args, *kwargs):`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`id_token_hint = request.GET.get('id_token_hint', '')`
			`post_logout_redirect_uri = request.GET.get('post_logout_redirect_uri', '')`
			`state = request.GET.get('state', '')`

			`next_page = settings.get('LOGIN_URL')`

			`if id_token_hint:`
			`client_id = client_id_from_id_token(id_token_hint)`
			`try:`
			`client = Client.objects.get(client_id=client_id)`
			`if post_logout_redirect_uri in client.post_logout_redirect_uris:`
			`if state:`
			`uri = urlsplit(post_logout_redirect_uri)`
			`query_params = parse_qs(uri.query)`
			`query_params['state'] = state`
			`uri = uri._replace(query=urlencode(query_params, doseq=True))`
			`next_page = urlunsplit(uri)`
			`else:`
			`next_page = post_logout_redirect_uri`
			`except Client.DoesNotExist:`
			`pass`

			`return logout(request, next_page=next_page)`
Initial Session Management version. 2016-10-28 18:25:52 +00:00

			`class CheckSessionIframeView(View):`

			`@method_decorator(xframe_options_exempt)`
			`def dispatch(self, request, args, *kwargs):`
			`return super(CheckSessionIframeView, self).dispatch(request, args, *kwargs)`

			`def get(self, request, args, *kwargs):`
			`return render(request, 'oidc_provider/check_session_iframe.html', kwargs)`