django-oidc-provider/oidc_provider/lib/utils/token.py

from datetime import timedelta
import time
import uuid

from Cryptodome.PublicKey.RSA import importKey
from django.utils import timezone
from jwkest.jwk import RSAKey as jwk_RSAKey
from jwkest.jwk import SYMKey
from jwkest.jws import JWS

from oidc_provider.lib.utils.common import get_issuer
from oidc_provider.models import (
    Code,
    RSAKey,
    Token,
)
from oidc_provider import settings


def create_id_token(user, aud, nonce, at_hash=None, request=None, scope=[]):
    """
    Creates the id_token dictionary.
    See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken

    Return a dic.
    """
    sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)

    expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')

    # Convert datetimes into timestamps.
    now = timezone.now()
    iat_time = int(time.mktime(now.timetuple()))
    exp_time = int(time.mktime((now + timedelta(seconds=expires_in)).timetuple()))
    user_auth_time = user.last_login or user.date_joined
    auth_time = int(time.mktime(user_auth_time.timetuple()))

    dic = {
        'iss': get_issuer(request=request),
        'sub': sub,
        'aud': str(aud),
        'exp': exp_time,
        'iat': iat_time,
        'auth_time': auth_time,
    }

    if nonce:
        dic['nonce'] = str(nonce)

    if at_hash:
        dic['at_hash'] = at_hash

    if ('email' in scope) and getattr(user, 'email', None):
        dic['email'] = user.email

    processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')

    if isinstance(processing_hook, (list, tuple)):
        for hook in processing_hook:
            dic = settings.import_from_str(hook)(dic, user=user)
    else:
        dic = settings.import_from_str(processing_hook)(dic, user=user)

    return dic


def encode_id_token(payload, client):
    """
    Represent the ID Token as a JSON Web Token (JWT).

    Return a hash.
    """
    alg = client.jwt_alg
    if alg == 'RS256':
        keys = []
        for rsakey in RSAKey.objects.all():
            keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))

        if not keys:
            raise Exception('You must add at least one RSA Key.')
    elif alg == 'HS256':
        keys = [SYMKey(key=client.client_secret, alg=alg)]
    else:
        raise Exception('Unsupported key algorithm.')

    _jws = JWS(payload, alg=alg)

    return _jws.sign_compact(keys)


def create_token(user, client, scope, id_token_dic=None):
    """
    Create and populate a Token object.

    Return a Token object.
    """
    token = Token()
    token.user = user
    token.client = client
    token.access_token = uuid.uuid4().hex

    if id_token_dic is not None:
        token.id_token = id_token_dic

    token.refresh_token = uuid.uuid4().hex
    token.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_TOKEN_EXPIRE'))
    token.scope = scope

    return token


def create_code(user, client, scope, nonce, is_authentication,
                code_challenge=None, code_challenge_method=None):
    """
    Create and populate a Code object.

    Return a Code object.
    """
    code = Code()
    code.user = user
    code.client = client

    code.code = uuid.uuid4().hex

    if code_challenge and code_challenge_method:
        code.code_challenge = code_challenge
        code.code_challenge_method = code_challenge_method

    code.expires_at = timezone.now() + timedelta(
        seconds=settings.get('OIDC_CODE_EXPIRE'))
    code.scope = scope
    code.nonce = nonce
    code.is_authentication = is_authentication

    return code
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from datetime import timedelta`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`import time`
			`import uuid`

Update pyjwkest to version 1.3.0. 2016-10-03 15:54:54 +00:00			`from Cryptodome.PublicKey.RSA import importKey`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`from django.utils import timezone`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from jwkest.jwk import RSAKey as jwk_RSAKey`
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`from jwkest.jwk import SYMKey`
Use pyjwkest in encode_id_token function. 2015-07-27 14:33:28 +00:00			`from jwkest.jws import JWS`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`from oidc_provider.lib.utils.common import get_issuer`
Fix global imports Global imports ("from X import *") are discouraged in Python. 2016-08-11 22:05:13 +00:00			`from oidc_provider.models import (`
			`Code,`
			`RSAKey,`
			`Token,`
			`)`
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider import settings`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00

Refactoring create_id_token function. 2016-09-09 16:10:12 +00:00			`def create_id_token(user, aud, nonce, at_hash=None, request=None, scope=[]):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00			`Creates the id_token dictionary.`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken`

			`Return a dic.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 18:17:22 +00:00			`sub = settings.get('OIDC_IDTOKEN_SUB_GENERATOR', import_str=True)(user=user)`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`expires_in = settings.get('OIDC_IDTOKEN_EXPIRE')`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`# Convert datetimes into timestamps.`
Modify create_id_token function for supporting nonce. 2015-07-15 19:18:34 +00:00			`now = timezone.now()`
Convert times to int Make iat_time, exp_time, auth_time an integer, not a float. The spec does not explicitly forbit float times, but some clients don't accept this (mod_auth_openidc), and `timetuple()` has second precision anyway so we don't loose any information. 2015-07-15 10:06:02 +00:00			`iat_time = int(time.mktime(now.timetuple()))`
			`exp_time = int(time.mktime((now + timedelta(seconds=expires_in)).timetuple()))`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`user_auth_time = user.last_login or user.date_joined`
Convert times to int Make iat_time, exp_time, auth_time an integer, not a float. The spec does not explicitly forbit float times, but some clients don't accept this (mod_auth_openidc), and `timetuple()` has second precision anyway so we don't loose any information. 2015-07-15 10:06:02 +00:00			`auth_time = int(time.mktime(user_auth_time.timetuple()))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`dic = {`
Make `SITE_URL` optional. 2016-05-25 21:58:58 +00:00			`'iss': get_issuer(request=request),`
Add custom SUB generator for ID TOKEN. 2015-03-02 20:37:54 +00:00			`'sub': sub,`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`'aud': str(aud),`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`'exp': exp_time,`
			`'iat': iat_time,`
Refactoring for create_id_token function. 2015-04-29 21:55:48 +00:00			`'auth_time': auth_time,`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`}`

Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`if nonce:`
Convert "aud" to str in create_id_token function. 2015-07-27 18:50:02 +00:00			`dic['nonce'] = str(nonce)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if at_hash:`
			`dic['at_hash'] = at_hash`

Refactoring create_id_token function. 2016-09-09 16:10:12 +00:00			`if ('email' in scope) and getattr(user, 'email', None):`
Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 14:43:28 +00:00			`dic['email'] = user.email`

str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00			`processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')`

			`if isinstance(processing_hook, (list, tuple)):`
			`for hook in processing_hook:`
			`dic = settings.import_from_str(hook)(dic, user=user)`
			`else:`
			`dic = settings.import_from_str(processing_hook)(dic, user=user)`
Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`return dic`

Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`def encode_id_token(payload, client):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Represent the ID Token as a JSON Web Token (JWT).`

			`Return a hash.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`alg = client.jwt_alg`
			`if alg == 'RS256':`
			`keys = []`
			`for rsakey in RSAKey.objects.all():`
			`keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))`

			`if not keys:`
			`raise Exception('You must add at least one RSA Key.')`
			`elif alg == 'HS256':`
			`keys = [SYMKey(key=client.client_secret, alg=alg)]`
			`else:`
			`raise Exception('Unsupported key algorithm.')`
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00
Add HS256 support for JWS. 2016-03-22 19:17:56 +00:00			`_jws = JWS(payload, alg=alg)`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00
Upgrade pyjwkest to version > 1.0.3 There have been some issues in Python 3 where elements of the id_token were left when encoding the token. Cause was incorrect encoding logic in pyjwkest. Version 1.0.3 has improved encoding handling. 2015-09-30 15:31:49 +00:00			`return _jws.sign_compact(keys)`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`def create_token(user, client, scope, id_token_dic=None):`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`Create and populate a Token object.`

			`Return a Token object.`
Pull request PEP8 compliant from nicchub:master. 2015-01-28 18:19:36 +00:00			`"""`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token = Token()`
			`token.user = user`
			`token.client = client`
			`token.access_token = uuid.uuid4().hex`

Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00			`if id_token_dic is not None:`
			`token.id_token = id_token_dic`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00
			`token.refresh_token = uuid.uuid4().hex`
A few changes in settings. Add more variables to it. 2015-01-28 20:00:04 +00:00			`token.expires_at = timezone.now() + timedelta(`
Change "DOP" with "OIDC" in settings. 2015-02-26 19:14:36 +00:00			`seconds=settings.get('OIDC_TOKEN_EXPIRE'))`
Add Implicit flow support. 2015-01-08 20:55:24 +00:00			`token.scope = scope`

Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`return token`


First intent to implement PKCE. 2016-04-06 21:03:30 +00:00			`def create_code(user, client, scope, nonce, is_authentication,`
			`code_challenge=None, code_challenge_method=None):`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`"""`
			`Create and populate a Code object.`

			`Return a Code object.`
			`"""`
			`code = Code()`
			`code.user = user`
			`code.client = client`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.code = uuid.uuid4().hex`
Added at_hash when access token is present This is required by response type "id_token token", but can be used by other flows if they choose. 2016-08-05 19:11:01 +00:00
Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 19:18:47 +00:00			`if code_challenge and code_challenge_method:`
			`code.code_challenge = code_challenge`
			`code.code_challenge_method = code_challenge_method`
First intent to implement PKCE. 2016-04-06 21:03:30 +00:00
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00			`code.expires_at = timezone.now() + timedelta(`
			`seconds=settings.get('OIDC_CODE_EXPIRE'))`
			`code.scope = scope`
Add nonce to Code model. Modify create_code function. 2015-07-15 19:23:36 +00:00			`code.nonce = nonce`
Refactoring supporting OAuth2 flow. 2016-02-16 20:33:12 +00:00			`code.is_authentication = is_authentication`
Move Grant Code creation logic into a functon. 2015-03-12 15:40:36 +00:00
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`return code`