django-oidc-provider/oidc_provider/lib/utils/token.py

from datetime import timedelta
import time
import uuid

from Cryptodome.PublicKey.RSA import importKey
from django.utils import dateformat, timezone
from jwkest.jwk import RSAKey as jwk_RSAKey
from jwkest.jwk import SYMKey
from jwkest.jws import JWS
from jwkest.jwt import JWT

from oidc_provider.lib.utils.common import get_issuer, run_processing_hook
from oidc_provider.lib.claims import StandardScopeClaims
from oidc_provider.models import (
    Code,
    RSAKey,
    Token,
)
from oidc_provider import settings


def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=None):
    """
    Creates the id_token dictionary.
    See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
    Return a dic.
    """
    if scope is None:
        scope = []
    sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)

    expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')

    # Convert datetimes into timestamps.
    now = int(time.time())
    iat_time = now
    exp_time = int(now + expires_in)
    user_auth_time = user.last_login or user.date_joined
    auth_time = int(dateformat.format(user_auth_time, 'U'))

    dic = {
        'iss': get_issuer(request=request),
        'sub': sub,
        'aud': str(aud),
        'exp': exp_time,
        'iat': iat_time,
        'auth_time': auth_time,
    }

    if nonce:
        dic['nonce'] = str(nonce)

    if at_hash:
        dic['at_hash'] = at_hash

    # Inlude (or not) user standard claims in the id_token.
    if settings.get('OIDC_IDTOKEN_INCLUDE_CLAIMS'):
        if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
            custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)
            claims = custom_claims.create_response_dic()
        else:
            claims = StandardScopeClaims(token).create_response_dic()
        dic.update(claims)

    dic = run_processing_hook(
        dic, 'OIDC_IDTOKEN_PROCESSING_HOOK',
        user=user, token=token, request=request)

    return dic


def encode_id_token(payload, client):
    """
    Represent the ID Token as a JSON Web Token (JWT).
    Return a hash.
    """
    keys = get_client_alg_keys(client)
    _jws = JWS(payload, alg=client.jwt_alg)
    return _jws.sign_compact(keys)


def decode_id_token(token, client):
    """
    Represent the ID Token as a JSON Web Token (JWT).
    Return a hash.
    """
    keys = get_client_alg_keys(client)
    return JWS().verify_compact(token, keys=keys)


def client_id_from_id_token(id_token):
    """
    Extracts the client id from a JSON Web Token (JWT).
    Returns a string or None.
    """
    payload = JWT().unpack(id_token).payload()
    aud = payload.get('aud', None)
    if aud is None:
        return None
    if isinstance(aud, list):
        return aud[0]
    return aud


def create_token(user, client, scope, id_token_dic=None):
    """
    Create and populate a Token object.
    Return a Token object.
    """
    token = Token()
    token.user = user
    token.client = client
    token.access_token = uuid.uuid4().hex

    if id_token_dic is not None:
        token.id_token = id_token_dic

    token.refresh_token = uuid.uuid4().hex
    token.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_TOKEN_EXPIRE'))
    token.scope = scope

    return token


def create_code(user, client, scope, nonce, is_authentication,
                code_challenge=None, code_challenge_method=None):
    """
    Create and populate a Code object.
    Return a Code object.
    """
    code = Code()
    code.user = user
    code.client = client

    code.code = uuid.uuid4().hex

    if code_challenge and code_challenge_method:
        code.code_challenge = code_challenge
        code.code_challenge_method = code_challenge_method

    code.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_CODE_EXPIRE'))
    code.scope = scope
    code.nonce = nonce
    code.is_authentication = is_authentication

    return code


def get_client_alg_keys(client):
    """
    Takes a client and returns the set of keys associated with it.
    Returns a list of keys.
    """
    if client.jwt_alg == 'RS256':
        keys = []
        for rsakey in RSAKey.objects.all():
            keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))
        if not keys:
            raise Exception('You must add at least one RSA Key.')
    elif client.jwt_alg == 'HS256':
        keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]
    else:
        raise Exception('Unsupported key algorithm.')

    return keys
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from datetime import timedelta`
Revert "Fix timestamps computing in tokens" This reverts commit 975eb0163fce63d47f4556accc4f0e6ba79b9811. 2016-12-07 11:15:47 +00:00			`import time`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`import uuid`

Update pyjwkest to version 1.3.0. 2016-10-03 15:54:54 +00:00			`from Cryptodome.PublicKey.RSA import importKey`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`from django.utils import dateformat, timezone`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from jwkest.jwk import RSAKey as jwk_RSAKey`
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`from jwkest.jwk import SYMKey`
Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`from jwkest.jws import JWS`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`from jwkest.jwt import JWT`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00
Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-02-05 15:29:08 +00:00			`from oidc_provider.lib.utils.common import get_issuer, run_processing_hook`
Made token and token_refresh endpoint return requested claims. 2017-12-14 17:03:15 +00:00			`from oidc_provider.lib.claims import StandardScopeClaims`
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`from oidc_provider.models import (`
			`Code,`
			`RSAKey,`
			`Token,`
			`)`
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider import settings`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00

Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 21:41:38 +00:00			`def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=None):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00			`Creates the id_token dictionary.`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken`
			`Return a dic.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00			`if scope is None:`
			`scope = []`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`# Convert datetimes into timestamps.`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`now = int(time.time())`
			`iat_time = now`
			`exp_time = int(now + expires_in)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`user_auth_time = user.last_login or user.date_joined`
utils.token: Use time.time to generate the timestamps Use `time.time()` rather than `timezone.now()` for generating the unix timestamps. This avoids conversion between year-month-day-hh-mm-ss formatted timestamp vs. unix timestamp and is therefore simpler and more robust. Add a test case for this too and amend test_token_endpoint, since it used to mock timezone.now, but now it needs to mock time.time. 2016-12-07 12:14:37 +00:00			`auth_time = int(dateformat.format(user_auth_time, 'U'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`dic = {`
Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`'iss': get_issuer(request=request),`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`'sub': sub,`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`'aud': str(aud),`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`'exp': exp_time,`
			`'iat': iat_time,`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`'auth_time': auth_time,`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`}`

Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`if nonce:`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`dic['nonce'] = str(nonce)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if at_hash:`
			`dic['at_hash'] = at_hash`

Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 21:41:38 +00:00			`# Inlude (or not) user standard claims in the id_token.`
			`if settings.get('OIDC_IDTOKEN_INCLUDE_CLAIMS'):`
			`if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):`
			`custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token)`
			`claims = custom_claims.create_response_dic()`
			`else:`
			`claims = StandardScopeClaims(token).create_response_dic()`
			`dic.update(claims)`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00
Merge branch 'develop' of github.com:juanifioren/django-oidc-provider * 'develop' of github.com:juanifioren/django-oidc-provider: Update changelog.rst include request in password grant authenticate call Update setup.py Update changelog.rst Update changelog.rst Adjust import order and method order in introspection tests Replace resource with client in docs. Update settings docs to add extra introspection setting Update README.md Update README.md Remove the Resource model Skip csrf protection on introspection endpoint Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 Test docs with tox. Remove Django 1.7 for travis. Drop support for Django 1.7. Move extract_client_auth to oauth2 utils. Remove duplicate link in docs. Bump version v0.6.0. Fix BaseCodeTokenModel and user attr. Update README.md Edit README and contribute doc. Edit changelog. Update changelog.rst Add protected_resource_view test using client_credentials. Fix docs. Improve docs. Client credentials implementation. Move changelog into docs. Update README.md Update CHANGELOG.md Fixed infinite callback loop in check-session iframe Fix PEP8. New migration. Update example project. Fix PEP8. Fix PEP8. PEP8 errors and urls. PEP8 models. Fix contribute docs. Fix tox for checking PEP8 all files. Update README.md Update README.md Simplify test suit. Update CHANGELOG.md Bump version 0.5.3. Update installation.rst Update CHANGELOG.md Fixed wrong Object in Template Update project to support Django 2.0 Now passing along the token to create_id_token function. Made token and token_refresh endpoint return requested claims. Sphinx documentation fixes (#219) Use request.user.is_authenticated as a bool with recent Django (#216) Fixed client id retrieval when aud is a list of str. (#210) Add owner field to Client (#211) Update CHANGELOG removed tab char Add pep8 compliance and checker Bump version Update CHANGELOG.md Preparing v0.5.2 (#201) Fix Django 2.0 deprecation warnings (#185) Fix infinite login loop if "prompt=login" (#198) fixed typos Bump version Fix scope handling of token endpoint (#193) Fixes #192 Use stored user consent for public clients too (#189) Redirect URIs must match exactly. (#191) Bug #187 prompt handling (#188) Don't pin exact versions in install_requires. 2018-05-23 21:16:26 +00:00			`dic = run_processing_hook(`
			`dic, 'OIDC_IDTOKEN_PROCESSING_HOOK',`
Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK There is no need to pass in the scope parameter separately, since the scope is available via the token parameter already. 2018-05-31 07:23:58 +00:00			`user=user, token=token, request=request)`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`return dic`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`def encode_id_token(payload, client):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Represent the ID Token as a JSON Web Token (JWT).`
			`Return a hash.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`keys = get_client_alg_keys(client)`
			`_jws = JWS(payload, alg=client.jwt_alg)`
Upgrade pyjwkest to version > 1.0.3 There have been some issues in Python 3 where elements of the id_token were left when encoding the token. Cause was incorrect encoding logic in pyjwkest. Version 1.0.3 has improved encoding handling. 2015-09-30 15:31:49 +00:00			`return _jws.sign_compact(keys)`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def decode_id_token(token, client):`
			`"""`
			`Represent the ID Token as a JSON Web Token (JWT).`
			`Return a hash.`
			`"""`
			`keys = get_client_alg_keys(client)`
			`return JWS().verify_compact(token, keys=keys)`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def client_id_from_id_token(id_token):`
			`"""`
			`Extracts the client id from a JSON Web Token (JWT).`
			`Returns a string or None.`
			`"""`
			`payload = JWT().unpack(id_token).payload()`
Fixed client id retrieval when aud is a list of str. (#210) * Fixed client id retrievel when aud is a list of str. * Split tests. 2017-11-09 11:05:20 +00:00			`aud = payload.get('aud', None)`
			`if aud is None:`
			`return None`
			`if isinstance(aud, list):`
			`return aud[0]`
			`return aud`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00

Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`def create_token(user, client, scope, id_token_dic=None):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Create and populate a Token object.`
			`Return a Token object.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token = Token()`
			`token.user = user`
			`token.client = client`
			`token.access_token = uuid.uuid4().hex`

Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if id_token_dic is not None:`
			`token.id_token = id_token_dic`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`token.refresh_token = uuid.uuid4().hex`
A few changes in settings. Add more variables to it. 2015-01-28 20:00:04 +00:00			`token.expires_at = timezone.now() + timedelta(`
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`seconds=settings.get('OIDC_TOKEN_EXPIRE'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token.scope = scope`

Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`return token`

Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00			`def create_code(user, client, scope, nonce, is_authentication,`
			`code_challenge=None, code_challenge_method=None):`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`"""`
			`Create and populate a Code object.`
			`Return a Code object.`
			`"""`
			`code = Code()`
			`code.user = user`
			`code.client = client`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.code = uuid.uuid4().hex`
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00
Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 19:18:47 +00:00			`if code_challenge and code_challenge_method:`
			`code.code_challenge = code_challenge`
			`code.code_challenge_method = code_challenge_method`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.expires_at = timezone.now() + timedelta(`
			`seconds=settings.get('OIDC_CODE_EXPIRE'))`
			`code.scope = scope`
Add nonce to Code model. Modify create_code function. 2015-07-15 19:23:36 +00:00			`code.nonce = nonce`
Refactoring supporting OAuth2 flow. 2016-02-16 20:33:12 +00:00			`code.is_authentication = is_authentication`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`return code`
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00
Add pep8 compliance and checker 2017-08-08 22:41:42 +00:00
Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 20:07:06 +00:00			`def get_client_alg_keys(client):`
			`"""`
			`Takes a client and returns the set of keys associated with it.`
			`Returns a list of keys.`
			`"""`
			`if client.jwt_alg == 'RS256':`
			`keys = []`
			`for rsakey in RSAKey.objects.all():`
			`keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))`
			`if not keys:`
			`raise Exception('You must add at least one RSA Key.')`
			`elif client.jwt_alg == 'HS256':`
			`keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]`
			`else:`
			`raise Exception('Unsupported key algorithm.')`

			`return keys`