kumi/django-oidc-provider
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge branch 'develop' into patch-1

Browse source
This commit is contained in:
Juan Ignacio Fiorentino 2018-06-04 10:54:55 -03:00 committed by GitHub
parent 76c169e73e dfcc3de01c
commit 2ed0d21f12
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 497 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
.travis.yml
View file

@ -5,7 +5,6 @@ python:
- "3.5"
- "3.6"
env:
- DJANGO=1.7
- DJANGO=1.8
- DJANGO=1.9
- DJANGO=1.10
@ -15,10 +14,6 @@ matrix:
exclude:
- python: "2.7"
env: DJANGO=2.0
- python: "3.5"
env: DJANGO=1.7
- python: "3.6"
env: DJANGO=1.7
install:
- pip install tox coveralls
script:

4
README.md
View file

@ -1,4 +1,4 @@
# Django OIDC Provider
# Django OpenID Connect Provider
[![Python Versions](https://img.shields.io/pypi/pyversions/django-oidc-provider.svg)](https://pypi.python.org/pypi/django-oidc-provider)
[![PyPI Versions](https://img.shields.io/pypi/v/django-oidc-provider.svg)](https://pypi.python.org/pypi/django-oidc-provider)
@ -11,7 +11,7 @@ OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, whic
## About the package
`django-oidc-provider` can help you providing out of the box all the endpoints, data and logic needed to add OpenID Connect capabilities to your Django projects.
`django-oidc-provider` can help you providing out of the box all the endpoints, data and logic needed to add OpenID Connect (and OAuth2) capabilities to your Django projects.
Support for Python 3 and 2. Also latest versions of django.

1
docs/index.rst
View file

@ -39,7 +39,6 @@ Contents:
sections/signals
sections/examples
sections/contribute
sections/contribute
sections/changelog
..

5
docs/sections/changelog.rst
View file

@ -8,6 +8,11 @@ All notable changes to this project will be documented in this file.
Unreleased
==========
* Added: token instrospection endpoint support (RFC7662).
* Added: request in password grant authenticate call.
* Changed: dropping support for Django versions before 1.8.
* Changed: pass token and request to OIDC_IDTOKEN_PROCESSING_HOOK.
0.6.0
=====

4
docs/sections/installation.rst
View file

@ -7,12 +7,12 @@ Requirements
============
* Python: ``2.7`` ``3.4`` ``3.5`` ``3.6``
* Django: ``1.7`` ``1.8`` ``1.9`` ``1.10`` ``1.11`` ``2.0``
* Django: ``1.8`` ``1.9`` ``1.10`` ``1.11`` ``2.0``
Quick Installation
==================
If you want to get started fast see our ``/example_project`` folder in your local installation. Or look at it `on github <https://github.com/juanifioren/django-oidc-provider/tree/v0.5.x/example_project>`_.
If you want to get started fast see our ``/example`` folder in your local installation. Or look at it `on github <https://github.com/juanifioren/django-oidc-provider/tree/master/example>`_.
Install the package using pip::

55
docs/sections/settings.rst
View file

@ -64,6 +64,13 @@ Used to add extra scopes specific for your app. OpenID Connect RP's will use sco
Read more about how to implement it in :ref:`scopesclaims` section.
OIDC_IDTOKEN_INCLUDE_CLAIMS
==============================
OPTIONAL. ``bool``. If enabled, id_token will include standard claims of the user (email, first name, etc.).
Default is ``False``.
OIDC_IDTOKEN_EXPIRE
===================
@ -81,12 +88,27 @@ Here you can add extra dictionary values specific for your app into id_token.
The ``list`` or ``tuple`` is useful when you want to set multiple hooks, i.e. one for permissions and second for some special field.
The function receives a ``id_token`` dictionary and ``user`` instance
and returns it with additional fields.
The hook function receives following arguments:
* ``id_token``: the ID token dictionary which contains at least the
basic claims (``iss``, ``sub``, ``aud``, ``exp``, ``iat``,
``auth_time``), but may also contain other claims. If several
processing hooks are configured, then the claims of the previous hook
are also present in the passed dictionary.
* ``user``: User object of the authenticating user,
* ``token``: the Token object created for the authentication request, and
* ``request``: Django request object of the authentication request.
The hook function should return the modified ID token as dictionary.
.. note::
It is a good idea to add ``**kwargs`` to the hook function argument
list so that the hook function will work even if new arguments are
added to the hook function call signature.
Default is::
def default_idtoken_processing_hook(id_token, user):
def default_idtoken_processing_hook(id_token, user, token, request, **kwargs):
return id_token
@ -103,12 +125,31 @@ Default is::
return str(user.id)
OIDC_IDTOKEN_INCLUDE_CLAIMS
==============================
OIDC_INTROSPECTION_PROCESSING_HOOK
==================================
OPTIONAL. ``bool``. If enabled, id_token will include standard claims of the user (email, first name, etc.).
OPTIONAL. ``str`` or ``(list, tuple)``.
Default is ``False``.
A string with the location of your function hook or ``list`` or ``tuple`` with hook functions.
Here you can add extra dictionary values specific to your valid response value for token introspection.
The function receives an ``introspection_response`` dictionary, a ``client`` instance and an ``id_token`` dictionary.
Default is::
def default_introspection_processing_hook(introspection_response, client, id_token):
return introspection_response
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE
==========================================
OPTIONAL ``bool``
A flag which toggles whether the audience is matched against the client resource scope when calling the introspection endpoint.
Default is ``True``.
OIDC_SESSION_MANAGEMENT_ENABLE
==============================

98
oidc_provider/lib/endpoints/introspection.py Normal file
View file

@ -0,0 +1,98 @@
import logging
from django.http import JsonResponse
from oidc_provider.lib.errors import TokenIntrospectionError
from oidc_provider.lib.utils.common import run_processing_hook
from oidc_provider.lib.utils.oauth2 import extract_client_auth
from oidc_provider.models import Token, Client
from oidc_provider import settings
logger = logging.getLogger(__name__)
INTROSPECTION_SCOPE = 'token_introspection'
class TokenIntrospectionEndpoint(object):
def __init__(self, request):
self.request = request
self.params = {}
self.id_token = None
self.client = None
self._extract_params()
def _extract_params(self):
# Introspection only supports POST requests
self.params['token'] = self.request.POST.get('token')
client_id, client_secret = extract_client_auth(self.request)
self.params['client_id'] = client_id
self.params['client_secret'] = client_secret
def validate_params(self):
if not (self.params['client_id'] and self.params['client_secret']):
logger.debug('[Introspection] No client credentials provided')
raise TokenIntrospectionError()
if not self.params['token']:
logger.debug('[Introspection] No token provided')
raise TokenIntrospectionError()
try:
token = Token.objects.get(access_token=self.params['token'])
except Token.DoesNotExist:
logger.debug('[Introspection] Token does not exist: %s', self.params['token'])
raise TokenIntrospectionError()
if token.has_expired():
logger.debug('[Introspection] Token is not valid: %s', self.params['token'])
raise TokenIntrospectionError()
if not token.id_token:
logger.debug('[Introspection] Token not an authentication token: %s',
self.params['token'])
raise TokenIntrospectionError()
self.id_token = token.id_token
audience = self.id_token.get('aud')
if not audience:
logger.debug('[Introspection] No audience found for token: %s', self.params['token'])
raise TokenIntrospectionError()
try:
self.client = Client.objects.get(
client_id=self.params['client_id'],
client_secret=self.params['client_secret'])
except Client.DoesNotExist:
logger.debug('[Introspection] No valid client for id: %s',
self.params['client_id'])
raise TokenIntrospectionError()
if INTROSPECTION_SCOPE not in self.client.scope:
logger.debug('[Introspection] Client %s does not have introspection scope',
self.params['client_id'])
raise TokenIntrospectionError()
if settings.get('OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE') \
and audience not in self.client.scope:
logger.debug('[Introspection] Client %s does not audience scope %s',
self.params['client_id'], audience)
raise TokenIntrospectionError()
def create_response_dic(self):
response_dic = dict((k, self.id_token[k]) for k in ('sub', 'exp', 'iat', 'iss'))
response_dic['active'] = True
response_dic['client_id'] = self.id_token.get('aud')
response_dic['aud'] = self.client.client_id
response_dic = run_processing_hook(response_dic,
'OIDC_INTROSPECTION_PROCESSING_HOOK',
client=self.client,
id_token=self.id_token)
return response_dic
@classmethod
def response(cls, dic, status=200):
"""
Create and return a response object.
"""
response = JsonResponse(dic, status=status)
response['Cache-Control'] = 'no-store'
response['Pragma'] = 'no-cache'
return response

38
oidc_provider/lib/endpoints/token.py
View file

@ -1,7 +1,7 @@
from base64 import b64decode, urlsafe_b64encode
import inspect
from base64 import urlsafe_b64encode
import hashlib
import logging
import re
from django.contrib.auth import authenticate
from django.http import JsonResponse
@ -10,6 +10,7 @@ from oidc_provider.lib.errors import (
TokenError,
UserAuthError,
)
from oidc_provider.lib.utils.oauth2 import extract_client_auth
from oidc_provider.lib.utils.token import (
create_id_token,
create_token,
@ -26,6 +27,7 @@ logger = logging.getLogger(__name__)
class TokenEndpoint(object):
def __init__(self, request):
self.request = request
self.params = {}
@ -33,7 +35,7 @@ class TokenEndpoint(object):
self._extract_params()
def _extract_params(self):
client_id, client_secret = self._extract_client_auth()
client_id, client_secret = extract_client_auth(self.request)
self.params['client_id'] = client_id
self.params['client_secret'] = client_secret
@ -49,29 +51,6 @@ class TokenEndpoint(object):
self.params['username'] = self.request.POST.get('username', '')
self.params['password'] = self.request.POST.get('password', '')
def _extract_client_auth(self):
"""
Get client credentials using HTTP Basic Authentication method.
Or try getting parameters via POST.
See: http://tools.ietf.org/html/rfc6750#section-2.1
Return a string.
"""
auth_header = self.request.META.get('HTTP_AUTHORIZATION', '')
if re.compile('^Basic\s{1}.+$').match(auth_header):
b64_user_pass = auth_header.split()[1]
try:
user_pass = b64decode(b64_user_pass).decode('utf-8').split(':')
client_id, client_secret = tuple(user_pass)
except Exception:
client_id = client_secret = ''
else:
client_id = self.request.POST.get('client_id', '')
client_secret = self.request.POST.get('client_secret', '')
return (client_id, client_secret)
def validate_params(self):
try:
self.client = Client.objects.get(client_id=self.params['client_id'])
@ -118,7 +97,14 @@ class TokenEndpoint(object):
if not settings.get('OIDC_GRANT_TYPE_PASSWORD_ENABLE'):
raise TokenError('unsupported_grant_type')
auth_args = (self.request,)
try:
inspect.getcallargs(authenticate, *auth_args)
except TypeError:
auth_args = ()
user = authenticate(
*auth_args,
username=self.params['username'],
password=self.params['password']
)

9
oidc_provider/lib/errors.py
View file

@ -32,6 +32,15 @@ class UserAuthError(Exception):
}
class TokenIntrospectionError(Exception):
"""
Specific to the introspection endpoint. This error will be converted
to an "active: false" response, as per the spec.
See https://tools.ietf.org/html/rfc7662
"""
pass
class AuthorizeError(Exception):
_errors = {

34
oidc_provider/lib/utils/common.py
View file

@ -107,7 +107,8 @@ def default_after_end_session_hook(
return None
def default_idtoken_processing_hook(id_token, user):
def default_idtoken_processing_hook(
id_token, user, token, request, **kwargs):
"""
Hook to perform some additional actions to `id_token` dictionary just before serialization.
@ -117,12 +118,29 @@ def default_idtoken_processing_hook(id_token, user):
:param user: user for whom id_token is generated
:type user: User
:param token: the Token object created for the authentication request
:type token: oidc_provider.models.Token
:param request: the request initiating this ID token processing
:type request: django.http.HttpRequest
:return: custom modified dictionary of values for `id_token`
:rtype dict
:rtype: dict
"""
return id_token
def default_introspection_processing_hook(introspection_response, client, id_token):
"""
Hook to customise the returned data from the token introspection endpoint
:param introspection_response:
:param client:
:param id_token:
:return:
"""
return introspection_response
def get_browser_state_or_default(request):
"""
Determine value to use as session state.
@ -130,3 +148,15 @@ def get_browser_state_or_default(request):
key = (request.session.session_key or
settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY'))
return sha224(key.encode('utf-8')).hexdigest()
def run_processing_hook(subject, hook_settings_name, **kwargs):
processing_hooks = settings.get(hook_settings_name)
if not isinstance(processing_hooks, (list, tuple)):
processing_hooks = [processing_hooks]
for hook_string in processing_hooks:
hook = settings.import_from_str(hook_string)
subject = hook(subject, **kwargs)
return subject

25
oidc_provider/lib/utils/oauth2.py
View file

@ -1,3 +1,4 @@
from base64 import b64decode
import logging
import re
@ -28,6 +29,30 @@ def extract_access_token(request):
return access_token
def extract_client_auth(request):
"""
Get client credentials using HTTP Basic Authentication method.
Or try getting parameters via POST.
See: http://tools.ietf.org/html/rfc6750#section-2.1
Return a tuple `(client_id, client_secret)`.
"""
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
if re.compile('^Basic\s{1}.+$').match(auth_header):
b64_user_pass = auth_header.split()[1]
try:
user_pass = b64decode(b64_user_pass).decode('utf-8').split(':')
client_id, client_secret = tuple(user_pass)
except Exception:
client_id = client_secret = ''
else:
client_id = request.POST.get('client_id', '')
client_secret = request.POST.get('client_secret', '')
return (client_id, client_secret)
def protected_resource_view(scopes=None):
"""
View decorator. The client accesses protected resources by presenting the

12
oidc_provider/lib/utils/token.py
View file

@ -9,7 +9,7 @@ from jwkest.jwk import SYMKey
from jwkest.jws import JWS
from jwkest.jwt import JWT
from oidc_provider.lib.utils.common import get_issuer
from oidc_provider.lib.utils.common import get_issuer, run_processing_hook
from oidc_provider.lib.claims import StandardScopeClaims
from oidc_provider.models import (
Code,
@ -62,13 +62,9 @@ def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=
claims = StandardScopeClaims(token).create_response_dic()
dic.update(claims)
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
if isinstance(processing_hook, (list, tuple)):
for hook in processing_hook:
dic = settings.import_from_str(hook)(dic, user=user)
else:
dic = settings.import_from_str(processing_hook)(dic, user=user)
dic = run_processing_hook(
dic, 'OIDC_IDTOKEN_PROCESSING_HOOK',
user=user, token=token, request=request)
return dic

16
oidc_provider/settings.py
View file

@ -129,6 +129,22 @@ class DefaultSettings(object):
"""
return 'oidc_provider.lib.utils.common.default_idtoken_processing_hook'
@property
def OIDC_INTROSPECTION_PROCESSING_HOOK(self):
"""
OPTIONAL. A string with the location of your function.
Used to update the response for a valid introspection token request.
"""
return 'oidc_provider.lib.utils.common.default_introspection_processing_hook'
@property
def OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE(self):
"""
OPTIONAL: A boolean to specify whether or not to verify that the introspection
resource has the requesting client id as one of its scopes.
"""
return True
@property
def OIDC_GRANT_TYPE_PASSWORD_ENABLE(self):
"""

39
oidc_provider/tests/app/utils.py
View file

@ -1,5 +1,9 @@
import random
import string
import django
from django.contrib.auth.backends import ModelBackend
try:
from urlparse import parse_qs, urlsplit
except ImportError:
@ -109,7 +113,7 @@ def fake_sub_generator(user):
return user.email
def fake_idtoken_processing_hook(id_token, user):
def fake_idtoken_processing_hook(id_token, user, **kwargs):
"""
Fake function for inserting some keys into token. Testing OIDC_IDTOKEN_PROCESSING_HOOK.
"""
@ -118,7 +122,7 @@ def fake_idtoken_processing_hook(id_token, user):
return id_token
def fake_idtoken_processing_hook2(id_token, user):
def fake_idtoken_processing_hook2(id_token, user, **kwargs):
"""
Fake function for inserting some keys into token.
Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param
@ -126,3 +130,34 @@ def fake_idtoken_processing_hook2(id_token, user):
id_token['test_idtoken_processing_hook2'] = FAKE_RANDOM_STRING
id_token['test_idtoken_processing_hook_user_email2'] = user.email
return id_token
def fake_idtoken_processing_hook3(id_token, user, token, **kwargs):
"""
Fake function for checking scope is passed to processing hook.
"""
id_token['scope_of_token_passed_to_processing_hook'] = token.scope
return id_token
def fake_idtoken_processing_hook4(id_token, user, **kwargs):
"""
Fake function for checking kwargs passed to processing hook.
"""
id_token['kwargs_passed_to_processing_hook'] = {
key: repr(value)
for (key, value) in kwargs.items()
}
return id_token
def fake_introspection_processing_hook(response_dict, client, id_token):
response_dict['test_introspection_processing_hook'] = FAKE_RANDOM_STRING
return response_dict
class TestAuthBackend:
def authenticate(self, *args, **kwargs):
if django.VERSION[0] >= 2 or (django.VERSION[0] == 1 and django.VERSION[1] >= 11):
assert len(args) > 0 and args[0]
return ModelBackend().authenticate(*args, **kwargs)

116
oidc_provider/tests/cases/test_introspection_endpoint.py Normal file
View file

@ -0,0 +1,116 @@
import time
import random
from mock import patch
try:
from urllib.parse import urlencode
except ImportError:
from urllib import urlencode
from django.utils.encoding import force_text
from django.core.management import call_command
from django.test import TestCase, RequestFactory, override_settings
from django.utils import timezone
try:
from django.urls import reverse
except ImportError:
from django.core.urlresolvers import reverse
from oidc_provider.tests.app.utils import (
create_fake_user,
create_fake_client,
create_fake_token,
FAKE_RANDOM_STRING)
from oidc_provider.lib.utils.token import create_id_token
from oidc_provider.views import TokenIntrospectionView
class IntrospectionTestCase(TestCase):
def setUp(self):
call_command('creatersakey')
self.factory = RequestFactory()
self.user = create_fake_user()
self.client = create_fake_client(response_type='id_token token')
self.resource = create_fake_client(response_type='id_token token')
self.resource.scope = ['token_introspection', self.client.client_id]
self.resource.save()
self.token = create_fake_token(self.user, self.client.scope, self.client)
self.token.access_token = str(random.randint(1, 999999)).zfill(6)
self.now = time.time()
with patch('oidc_provider.lib.utils.token.time.time') as time_func:
time_func.return_value = self.now
self.token.id_token = create_id_token(self.token, self.user, self.client.client_id)
self.token.save()
def _assert_inactive(self, response):
self.assertEqual(response.status_code, 200)
self.assertJSONEqual(force_text(response.content), {'active': False})
def _make_request(self, **kwargs):
url = reverse('oidc_provider:token-introspection')
data = {
'client_id': kwargs.get('client_id', self.resource.client_id),
'client_secret': kwargs.get('client_secret', self.resource.client_secret),
'token': kwargs.get('access_token', self.token.access_token),
}
request = self.factory.post(url, data=urlencode(data),
content_type='application/x-www-form-urlencoded')
return TokenIntrospectionView.as_view()(request)
def test_no_client_params_returns_inactive(self):
response = self._make_request(client_id='')
self._assert_inactive(response)
def test_no_client_secret_returns_inactive(self):
response = self._make_request(client_secret='')
self._assert_inactive(response)
def test_invalid_client_returns_inactive(self):
response = self._make_request(client_id='invalid')
self._assert_inactive(response)
def test_token_not_found_returns_inactive(self):
response = self._make_request(access_token='invalid')
self._assert_inactive(response)
def test_scope_no_audience_returns_inactive(self):
self.resource.scope = ['token_introspection']
self.resource.save()
response = self._make_request()
self._assert_inactive(response)
def test_token_expired_returns_inactive(self):
self.token.expires_at = timezone.now() - timezone.timedelta(seconds=60)
self.token.save()
response = self._make_request()
self._assert_inactive(response)
def test_valid_request_returns_default_properties(self):
response = self._make_request()
self.assertEqual(response.status_code, 200)
self.assertJSONEqual(force_text(response.content), {
'active': True,
'aud': self.resource.client_id,
'client_id': self.client.client_id,
'sub': str(self.user.pk),
'iat': int(self.now),
'exp': int(self.now + 600),
'iss': 'http://localhost:8000/openid',
})
@override_settings(OIDC_INTROSPECTION_PROCESSING_HOOK='oidc_provider.tests.app.utils.fake_introspection_processing_hook') # NOQA
def test_custom_introspection_hook_called_on_valid_request(self):
response = self._make_request()
self.assertEqual(response.status_code, 200)
self.assertJSONEqual(force_text(response.content), {
'active': True,
'aud': self.resource.client_id,
'client_id': self.client.client_id,
'sub': str(self.user.pk),
'iat': int(self.now),
'exp': int(self.now + 600),
'iss': 'http://localhost:8000/openid',
'test_introspection_processing_hook': FAKE_RANDOM_STRING
})

52
oidc_provider/tests/cases/test_token_endpoint.py
View file

@ -3,6 +3,7 @@ import time
import uuid
from base64 import b64encode
try:
from urllib.parse import urlencode
except ImportError:
@ -256,6 +257,17 @@ class TokenTestCase(TestCase):
else:
self.assertNotIn(claim, userinfo)
@override_settings(OIDC_GRANT_TYPE_PASSWORD_ENABLE=True,
AUTHENTICATION_BACKENDS=("oidc_provider.tests.app.utils.TestAuthBackend",))
def test_password_grant_passes_request_to_backend(self):
response = self._post_request(
post_data=self._password_grant_post_data(),
extras=self._password_grant_auth_header()
)
response_dict = json.loads(response.content.decode('utf-8'))
self.assertIn('access_token', response_dict)
@override_settings(OIDC_TOKEN_EXPIRE=720)
def test_authorization_code(self):
"""
@ -716,6 +728,46 @@ class TokenTestCase(TestCase):
self.assertEqual(id_token.get('test_idtoken_processing_hook2'), FAKE_RANDOM_STRING)
self.assertEqual(id_token.get('test_idtoken_processing_hook_user_email2'), self.user.email)
@override_settings(
OIDC_IDTOKEN_PROCESSING_HOOK=(
'oidc_provider.tests.app.utils.fake_idtoken_processing_hook3'))
def test_additional_idtoken_processing_hook_scope_available(self):
"""
Test scope is available in OIDC_IDTOKEN_PROCESSING_HOOK.
"""
id_token = self._request_id_token_with_scope(
['openid', 'email', 'profile', 'dummy'])
self.assertEqual(
id_token.get('scope_of_token_passed_to_processing_hook'),
['openid', 'email', 'profile', 'dummy'])
@override_settings(
OIDC_IDTOKEN_PROCESSING_HOOK=(
'oidc_provider.tests.app.utils.fake_idtoken_processing_hook4'))
def test_additional_idtoken_processing_hook_kwargs(self):
"""
Test correct kwargs are passed to OIDC_IDTOKEN_PROCESSING_HOOK.
"""
id_token = self._request_id_token_with_scope(['openid', 'profile'])
kwargs_passed = id_token.get('kwargs_passed_to_processing_hook')
assert kwargs_passed
self.assertEqual(kwargs_passed.get('token'),
'<Token: Some Client - johndoe@example.com>')
self.assertEqual(kwargs_passed.get('request'),
"<WSGIRequest: POST '/openid/token'>")
self.assertEqual(set(kwargs_passed.keys()), {'token', 'request'})
def _request_id_token_with_scope(self, scope):
code = self._create_code(scope)
post_data = self._auth_code_post_data(code=code.code)
response = self._post_request(post_data)
response_dic = json.loads(response.content.decode('utf-8'))
id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()
return id_token
def test_pkce_parameters(self):
"""
Test Proof Key for Code Exchange by OAuth Public Clients.

1
oidc_provider/urls.py
View file

@ -17,6 +17,7 @@ urlpatterns = [
url(r'^end-session/?$', views.EndSessionView.as_view(), name='end-session'),
url(r'^\.well-known/openid-configuration/?$', views.ProviderInfoView.as_view(),
name='provider-info'),
url(r'^introspect/?$', views.TokenIntrospectionView.as_view(), name='token-introspection'),
url(r'^jwks/?$', views.JwksView.as_view(), name='jwks'),
]

28
oidc_provider/views.py
View file

@ -1,5 +1,8 @@
import logging
from django.views.decorators.csrf import csrf_exempt
from oidc_provider.lib.endpoints.introspection import TokenIntrospectionEndpoint
try:
from urllib import urlencode
from urlparse import urlsplit, parse_qs, urlunsplit
@ -34,7 +37,8 @@ from oidc_provider.lib.errors import (
ClientIdError,
RedirectUriError,
TokenError,
UserAuthError)
UserAuthError,
TokenIntrospectionError)
from oidc_provider.lib.utils.common import (
redirect,
get_site_url,
@ -50,6 +54,7 @@ from oidc_provider.models import (
from oidc_provider import settings
from oidc_provider import signals
logger = logging.getLogger(__name__)
OIDC_TEMPLATES = settings.get('OIDC_TEMPLATES')
@ -230,10 +235,10 @@ class TokenView(View):
@protected_resource_view(['openid'])
def userinfo(request, *args, **kwargs):
"""
Create a diccionary with all the requested claims about the End-User.
Create a dictionary with all the requested claims about the End-User.
See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
Return a diccionary.
Return a dictionary.
"""
token = kwargs['token']
@ -267,6 +272,7 @@ class ProviderInfoView(View):
dic['token_endpoint'] = site_url + reverse('oidc_provider:token')
dic['userinfo_endpoint'] = site_url + reverse('oidc_provider:userinfo')
dic['end_session_endpoint'] = site_url + reverse('oidc_provider:end-session')
dic['introspection_endpoint'] = site_url + reverse('oidc_provider:token-introspection')
types_supported = [x[0] for x in RESPONSE_TYPE_CHOICES]
dic['response_types_supported'] = types_supported
@ -356,3 +362,19 @@ class CheckSessionIframeView(View):
def get(self, request, *args, **kwargs):
return render(request, 'oidc_provider/check_session_iframe.html', kwargs)
class TokenIntrospectionView(View):
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
return super(TokenIntrospectionView, self).dispatch(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
introspection = TokenIntrospectionEndpoint(request)
try:
introspection.validate_params()
dic = introspection.create_response_dic()
return TokenIntrospectionEndpoint.response(dic)
except TokenIntrospectionError:
return TokenIntrospectionEndpoint.response({'active': False})

1
setup.py
View file

@ -20,6 +20,7 @@ setup(
author='Juan Ignacio Fiorentino',
author_email='juanifioren@gmail.com',
classifiers=[
'Development Status :: 5 - Production/Stable',
'Environment :: Web Environment',
'Framework :: Django',
'Intended Audience :: Developers',

15
tox.ini
View file

@ -1,7 +1,7 @@
[tox]
envlist=
py27-django{17,18,19,110,111},
py34-django{17,18,19,110,111,20},
py27-django{18,19,110,111},
py34-django{18,19,110,111,20},
py35-django{18,19,110,111,20},
py36-django{18,19,110,111,20},
@ -15,7 +15,6 @@ deps =
pytest-django
pytest-flake8
pytest-cov
django17: django>=1.7,<1.8
django18: django>=1.8,<1.9
django19: django>=1.9,<1.10
django110: django>=1.10,<1.11
@ -25,6 +24,16 @@ deps =
commands =
pytest --flake8 --cov=oidc_provider {posargs}
[testenv:docs]
basepython = python2.7
changedir = docs
deps =
sphinx
sphinx_rtd_theme
commands =
mkdir -p _static/
sphinx-build -v -W -b html -d {envtmpdir}/doctrees -D html_static_path="_static" . {envtmpdir}/html
[pytest]
DJANGO_SETTINGS_MODULE = oidc_provider.tests.settings
python_files = test_*.py