Improve docs.

This commit is contained in:
Juan Ignacio Fiorentino 2018-04-08 18:28:38 -03:00
parent dbed87aa78
commit 5dcb62d35c
3 changed files with 155 additions and 289 deletions


@ -8,486 +8,318 @@ All notable changes to this project will be documented in this file.
Unreleased Unreleased
========== ==========
**Added** * Added: OAuth2 grant_type client_credentials support.
* Added: pep8 compliance and checker.
* Add pep8 compliance and checker. * Changed: Test suit now uses pytest.
* Fixed: Infinite callback loop in the check-session iframe.
**Changed**
* Test suit now uses pytest.
**Fixed**
* Infinite callback loop in the check-session iframe.
0.5.3 0.5.3
===== =====
*2018-03-09* *2018-03-09*
**Fixed** * Fixed: Update project to support Django 2.0
* Update project to support Django 2.0
0.5.2 0.5.2
===== =====
*2017-08-22* *2017-08-22*
**Fixed** * Fixed: infinite login loop if "prompt=login" (#198)
* Fixed: Django 2.0 deprecation warnings (#185)
* Fix infinite login loop if "prompt=login" (#198)
* Fix Django 2.0 deprecation warnings (#185)
0.5.1 0.5.1
===== =====
*2017-07-11* *2017-07-11*
**Changed** * Changed: Documentation template changed to `Read The Docs`.
* Fixed: `install_requires` has not longer pinned versions.
* Documentation template changed to `Read The Docs`. * Fixed: Removed infinity loop during authorization stage when `prompt=login` has been send.
* Fixed: Changed `prompt` handling as set of options instead of regular string.
**Fixed** * Fixed: Redirect URI must match exactly with given in query parameter.
* Fixed: Stored user consent are useful for public clients too.
* `install_requires` has not longer pinned versions. * Fixed: documentation for custom scopes handling.
* Removed infinity loop during authorization stage when `prompt=login` has been send. * Fixed: Scopes during refresh and code exchange are being taken from authorization request and not from query parameters.
* Changed `prompt` handling as set of options instead of regular string.
* Redirect URI must match exactly with given in query parameter.
* Stored user consent are useful for public clients too.
* Fixed documentation for custom scopes handling.
* Scopes during refresh and code exchange are being taken from authorization request and not from query parameters.
0.5.0 0.5.0
===== =====
*2017-05-18* *2017-05-18*
**Added** * Added: signals when user accept/decline the authorization page.
* Added: `OIDC_AFTER_END_SESSION_HOOK` setting for additional business logic.
* Signals when user accept/decline the authorization page. * Added: feature granttype password.
* `OIDC_AFTER_END_SESSION_HOOK` setting for additional business logic. * Added: require_consent and reuse_consent are added to Client model.
* Feature granttype password. * Changed: OIDC_SKIP_CONSENT_ALWAYS and OIDC_SKIP_CONSENT_ENABLE are removed from settings.
* require_consent and reuse_consent are added to Client model. * Fixed: timestamps with unixtime (instead of django timezone).
* Fixed: field refresh_token cannot be primary key if null.
**Changed** * Fixed: `create_uri_exceptions` are now being logged at `Exception` level not `DEBUG`.
* OIDC_SKIP_CONSENT_ALWAYS and OIDC_SKIP_CONSENT_ENABLE are removed from settings.
**Fixed**
* Timestamps with unixtime (instead of django timezone).
* Field refresh_token cannot be primary key if null.
* `create_uri_exceptions` are now being logged at `Exception` level not `DEBUG`.
0.4.4 0.4.4
===== =====
*2016-11-29* *2016-11-29*
**Fixed** * Fixed: Bug in Session Management middleware when using Python 3.
* Fixed: Translations handling.
* Bug in Session Management middleware when using Python 3.
* Translations handling.
0.4.3 0.4.3
===== =====
*2016-11-02* *2016-11-02*
**Added** * Added: Session Management 1.0 support.
* Added: post_logout_redirect_uris into admin.
* Session Management 1.0 support. * Changed: Package url names.
* post_logout_redirect_uris into admin. * Changed: Rename /logout/ url to /end-session/.
* Fixed: bug when trying authorize with response_type id_token without openid scope.
**Changed**
* Package url names.
* Rename /logout/ url to /end-session/.
**Fixed**
* Bug when trying authorize with response_type id_token without openid scope.
0.4.2 0.4.2
===== =====
*2016-10-13* *2016-10-13*
**Added** * Added: support for client redirect URIs with query strings.
* Fixed: bug when generating secret_key value using admin.
* Support for client redirect URIs with query strings. * Changed: client is available to OIDC_EXTRA_SCOPE_CLAIMS implementations via `self.client`.
* Changed: the constructor signature for `ScopeClaims` has changed, it now is called with the `Token` as its single argument.
**Fixed**
* Bug when generating secret_key value using admin.
**Changed**
* Client is available to OIDC_EXTRA_SCOPE_CLAIMS implementations via `self.client`.
* The constructor signature for `ScopeClaims` has changed, it now is called with the `Token` as its single argument.
0.4.1 0.4.1
===== =====
*2016-10-03* *2016-10-03*
**Changed** * Changed: update pyjwkest to version 1.3.0.
* Changed: use Cryptodome instead of Crypto lib.
* Update pyjwkest to version 1.3.0.
* Use Cryptodome instead of Crypto lib.
0.4.0 0.4.0
===== =====
*2016-09-12* *2016-09-12*
**Added** * Added: support for Hybrid Flow.
* Added: new attributes for Clients: Website url, logo, contact email, terms url.
* Support for Hybrid Flow. * Added: polish translations.
* New attributes for Clients: Website url, logo, contact email, terms url. * Added: examples section in documentation.
* Polish translations. * Fixed: CORS in discovery and userinfo endpoint.
* Examples section in documentation. * Fixed: client type public bug when created using the admin.
* Fixed: missing OIDC_TOKEN_EXPIRE setting on implicit flow.
**Fixed**
* CORS in discovery and userinfo endpoint.
* Client type public bug when created using the admin.
* Missing OIDC_TOKEN_EXPIRE setting on implicit flow.
0.3.7 0.3.7
===== =====
*2016-08-31* *2016-08-31*
**Added** * Added: support for Django 1.10.
* Added: initial translation files (ES, FR).
* Support for Django 1.10. * Added: support for at_hash parameter.
* Initial translation files (ES, FR). * Fixed: empty address dict in userinfo response.
* Support for at_hash parameter.
**Fixed**
* Empty address dict in userinfo response.
0.3.6 0.3.6
===== =====
*2016-07-07* *2016-07-07*
**Changed** * Changed: OIDC_USERINFO setting.
* OIDC_USERINFO setting.
0.3.5 0.3.5
===== =====
*2016-06-21* *2016-06-21*
**Added** * Added: field date_given in UserConsent model.
* Added: verbose names to all model fields.
* Field date_given in UserConsent model. * Added: customize scopes names and descriptions on authorize template.
* Verbose names to all model fields. * Changed: OIDC_EXTRA_SCOPE_CLAIMS setting.
* Customize scopes names and descriptions on authorize template.
**Changed**
* OIDC_EXTRA_SCOPE_CLAIMS setting.
0.3.4 0.3.4
===== =====
*2016-06-10* *2016-06-10*
**Changed** * Changed: Make SITE_URL setting optional.
* Fixed: Missing migration.
* Make SITE_URL setting optional.
**Fixed**
* Missing migration.
0.3.3 0.3.3
===== =====
*2016-05-03* *2016-05-03*
**Fixed** * Fixed: Important bug with PKCE and form submit in Auth Request.
* Important bug with PKCE and form submit in Auth Request.
0.3.2 0.3.2
===== =====
*2016-04-26* *2016-04-26*
**Added** * Added: choose type of client on creation.
* Added: implement Proof Key for Code Exchange by OAuth Public Clients.
* Choose type of client on creation. * Added: support for prompt parameter.
* Implement Proof Key for Code Exchange by OAuth Public Clients. * Added: support for different client JWT tokens algorithm.
* Support for prompt parameter. * Fixed: not auto-approve requests for non-confidential clients (publics).
* Support for different client JWT tokens algorithm.
**Fixed**
* Not auto-approve requests for non-confidential clients (publics).
0.3.1 0.3.1
===== =====
*2016-03-09* *2016-03-09*
**Fixed** * Fixed: response_type was not being validated (OpenID request).
* response_type was not being validated (OpenID request).
0.3.0 0.3.0
===== =====
*2016-02-23* *2016-02-23*
**Added** * Added: support OAuth2 requests.
* Added: decorator for protecting views with OAuth2.
* Support OAuth2 requests. * Added: setting OIDC_IDTOKEN_PROCESSING_HOOK.
* Decorator for protecting views with OAuth2.
* Setting OIDC_IDTOKEN_PROCESSING_HOOK.
0.2.5 0.2.5
===== =====
*2016-02-03* *2016-02-03*
**Added** * Added: Setting OIDC_SKIP_CONSENT_ALWAYS.
* Changed: Removing OIDC_RSA_KEY_FOLDER setting. Moving RSA Keys to the database.
* Setting OIDC_SKIP_CONSENT_ALWAYS. * Changed: Update pyjwkest to version 1.1.0.
* Fixed: Nonce parameter missing on the decide form.
**Changed** * Fixed: Set Allow-Origin header to jwks endpoint.
* Removing OIDC_RSA_KEY_FOLDER setting. Moving RSA Keys to the database.
* Update pyjwkest to version 1.1.0.
**Fixed**
* Nonce parameter missing on the decide form.
* Set Allow-Origin header to jwks endpoint.
0.2.4 0.2.4
===== =====
*2016-01-20* *2016-01-20*
**Added** * Added: Auto-generation of client ID and SECRET using the admin.
* Added: Validate nonce parameter when using Implicit Flow.
* Auto-generation of client ID and SECRET using the admin. * Fixed: generating RSA key by ignoring value of OIDC_RSA_KEY_FOLDER.
* Validate nonce parameter when using Implicit Flow. * Fixed: make OIDC_AFTER_USERLOGIN_HOOK and OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function.
* Fixed: problem with a function that generate urls for the /.well-known/openid-configuration/ endpoint.
**Fixed**
* Fixed generating RSA key by ignoring value of OIDC_RSA_KEY_FOLDER.
* Make OIDC_AFTER_USERLOGIN_HOOK and OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function.
* Problem with a function that generate urls for the /.well-known/openid-configuration/ endpoint.
0.2.3 0.2.3
===== =====
*2016-01-06* *2016-01-06*
**Added** * Added: Make user and client unique on UserConsent model.
* Added: Support for URL's without end slash.
* Make user and client unique on UserConsent model. * Changed: Upgrade pyjwkest to version 1.0.8.
* Support for URL's without end slash. * Fixed: String format error in models.
* Fixed: Redirect to non http urls fail (for Mobile Apps).
**Changed**
* Upgrade pyjwkest to version 1.0.8.
**Fixed**
* String format error in models.
* Redirect to non http urls fail (for Mobile Apps).
0.2.1 0.2.1
===== =====
*2015-10-21* *2015-10-21*
**Added** * Added: refresh token flow.
* Changed: upgrade pyjwkest to version >= 1.0.6.
* Refresh token flow. * Fixed: Unicode error in Client model.
* Fixed: Bug in creatersakey command (when using Python 3).
**Changed** * Fixed: Bug when updating pyjwkest version.
* Upgrade pyjwkest to version >= 1.0.6.
**Fixed**
* Unicode error in Client model.
* Bug in creatersakey command (when using Python 3).
* Bug when updating pyjwkest version.
0.2.0 0.2.0
===== =====
*2015-09-25* *2015-09-25*
**Changed** * Changed: UserInfo model was removed. Now you can add your own model using OIDC_USERINFO setting.
* Fixed: ID token does NOT contain kid.
* UserInfo model was removed. Now you can add your own model using OIDC_USERINFO setting.
**Fixed**
* ID token does NOT contain kid.
0.1.2 0.1.2
===== =====
*2015-08-04* *2015-08-04*
**Added** * Added: add token_endpoint_auth_methods_supported to discovery.
* Fixed: missing commands folder in setup file.
* Add token_endpoint_auth_methods_supported to discovery.
**Fixed**
* Missing commands folder in setup file.
0.1.1 0.1.1
===== =====
*2015-07-31* *2015-07-31*
**Added** * Added: sending access_token as query string parameter in UserInfo Endpoint.
* Added: support HTTP Basic client authentication.
* Sending access_token as query string parameter in UserInfo Endpoint. * Changed: use models setting instead of User.
* Support HTTP Basic client authentication. * Fixed: in python 2: "aud" and "nonce" parameters didn't appear in id_token.
**Changed**
* Use models setting instead of User.
**Fixed**
* In python 2: "aud" and "nonce" parameters didn't appear in id_token.
0.1.0 0.1.0
===== =====
*2015-07-17* *2015-07-17*
**Added** * Added: now id tokens are signed/encrypted with RS256.
* Added: command for easily generate random RSA key.
* Now id tokens are signed/encrypted with RS256. * Added: jwks uri to discovery endpoint.
* Command for easily generate random RSA key. * Added: id_token_signing_alg_values_supported to discovery endpoint.
* Jwks uri to discovery endpoint. * Fixed: nonce support for both Code and Implicit flow.
* id_token_signing_alg_values_supported to discovery endpoint.
**Fixed**
* Nonce support for both Code and Implicit flow.
0.0.7 0.0.7
===== =====
*2015-07-06* *2015-07-06*
**Added** ****
* Support for Python 3. * Added: support for Python 3.
* Way of remember user consent and skipt it (OIDC_SKIP_CONSENT_ENABLE). * Added: way of remember user consent and skipt it (OIDC_SKIP_CONSENT_ENABLE).
* Setting OIDC_SKIP_CONSENT_EXPIRE. * Added: setting OIDC_SKIP_CONSENT_EXPIRE.
* Changed: now OIDC_EXTRA_SCOPE_CLAIMS must be a string, to be lazy imported.
**Changed**
* Now OIDC_EXTRA_SCOPE_CLAIMS must be a string, to be lazy imported.
0.0.6 0.0.6
===== =====
*2015-06-16* *2015-06-16*
**Added** * Added: better naming for models in the admin.
* Changed: now tests run without the need of a project configured.
* Better naming for models in the admin. * Fixed: error when returning address_formatted claim.
**Changed**
* Now tests run without the need of a project configured.
**Fixed**
* Error when returning address_formatted claim.
0.0.5 0.0.5
===== =====
*2015-05-09* *2015-05-09*
**Added** * Added: support for Django 1.8.
* Fixed: validation of scope in UserInfo endpoint.
* Support for Django 1.8.
**Fixed**
* Validation of scope in UserInfo endpoint.
0.0.4 0.0.4
===== =====
*2015-04-22* *2015-04-22*
**Added** * Added: initial migrations.
* Fixed: important bug with id_token when using implicit flow.
* Initial migrations. * Fixed: validate Code expiration in Auth Code Flow.
* Fixed: validate Access Token expiration in UserInfo endpoint.
**Fixed**
* Important bug with id_token when using implicit flow.
* Validate Code expiration in Auth Code Flow.
* Validate Access Token expiration in UserInfo endpoint.
0.0.3 0.0.3
===== =====
*2015-04-15* *2015-04-15*
**Added** * Added: normalize gender field in UserInfo.
* Changed: make address_formatted a property inside UserInfo.
* Normalize gender field in UserInfo. * Fixed: important bug in claims response.
**Changed**
* Make address_formatted a property inside UserInfo.
**Fixed**
* Important bug in claims response.
0.0.2 0.0.2
===== =====
*2015-03-26* *2015-03-26*
**Added** * Added: setting OIDC_AFTER_USERLOGIN_HOOK.
* Fixed: tests failing because an incorrect tag in one template.
* Setting OIDC_AFTER_USERLOGIN_HOOK.
**Fixed**
* Tests failing because an incorrect tag in one template.
0.0.1 0.0.1
===== =====
*2015-03-13* *2015-03-13*
**Added** * Added: provider Configuration Information endpoint.
* Added: setting OIDC_IDTOKEN_SUB_GENERATOR.
* Provider Configuration Information endpoint. * Changed: now use setup in OIDC_EXTRA_SCOPE_CLAIMS setting.
* Setting OIDC_IDTOKEN_SUB_GENERATOR.
**Changed**
* Now use setup in OIDC_EXTRA_SCOPE_CLAIMS setting.
0.0.0 0.0.0
===== =====
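Review bot: the 0.0.7 block on the new side still carries an empty bold marker (`****`) where the old `**Added**` heading sat; in reStructuredText that renders as literal asterisks or triggers an inline-markup warning, so drop it. While the per-version `**Added**`/`**Changed**`/`**Fixed**` sub-headings are being flattened into prefixed bullets, the same pass should fix the typos that survived or were introduced: `Test suit now uses pytest` (suite), `has not longer pinned versions` (no longer has), `has been send` (sent), `infinity loop` (infinite), `skipt it` (skip). The version list also jumps from 0.2.3 to 0.2.1; if 0.2.2 was never published, a one-line entry saying so stops readers hunting for it.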


@ -24,7 +24,7 @@ Use `tox <https://pypi.python.org/pypi/tox>`_ for running tests in each of the e
# Run single test file on specific environment. # Run single test file on specific environment.
$ tox -e py35-django20 tests/cases/test_authorize_endpoint.py $ tox -e py35-django20 tests/cases/test_authorize_endpoint.py
We also use `travis <https://travis-ci.org/juanifioren/django-oidc-provider/>`_ to automatically test every commit to the project, We also use `travis <https://travis-ci.org/juanifioren/django-oidc-provider/>`_ to automatically test every commit to the project.
Improve Documentation Improve Documentation
===================== =====================


@ -17,7 +17,7 @@ Here we are going to protect a view with a scope called ``testscope``::
@require_http_methods(['GET']) @require_http_methods(['GET'])
@protected_resource_view(['testscope']) @protected_resource_view(['read_books'])
def protected_api(request, *args, **kwargs): def protected_api(request, *args, **kwargs):
dic = { dic = {
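Review bot: the decorator's required scope changes from `testscope` to `read_books`, but the sentence introducing the snippet (visible in the hunk header: `Here we are going to protect a view with a scope called ``testscope``) still says `testscope`, so the prose and the code now disagree. Either rename the scope in that sentence as well or keep `testscope` in the decorator; if the intent is to tie this resource server example to the new Client Credentials section further down, which grants `read_books`, say so in that sentence so readers see why this view checks that particular scope.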
@ -25,3 +25,37 @@ Here we are going to protect a view with a scope called ``testscope``::
} }
return JsonResponse(dic, status=200) return JsonResponse(dic, status=200)
Client Credentials Grant
========================
The client can request an access token using only its client credentials (ID and SECRET) when the client is requesting access to the protected resources under its control, that have been previously arranged with the authorization server using the ``client.scope`` field.
.. note::
You can use Django admin to manually set the client scope or programmatically::
client.scope = ['read_books', 'add_books']
client.save()
This is how the request should look like::
POST /token HTTP/1.1
Host: localhost:8000
Authorization: Basic eWZ3a3c0cWxtaHY0cToyVWE0QjVzRlhmZ3pNeXR5d1FqT01jNUsxYmpWeXhXeXRySVdsTmpQbld3\
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
A successful access token response will like this::
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
"token_type" : "Bearer",
"access_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzY3AiOlsib3BlbmlkIiw...",
"expires_in" : 3600,
"scope" : "read_books add_books"
}
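Review bot: the sample `Authorization: Basic ...` line ends with a stray backslash; inside an RST literal block it is printed verbatim, so anyone copying the request sends a malformed header. Remove it and either keep the header on one line or mark the value as shortened. The sample access token is also inconsistent with its own response: the visible payload prefix `eyJzY3AiOlsib3BlbmlkIiw` decodes to `{"scp":["openid",`, which contradicts `"scope" : "read_books add_books"` in the same body and makes no sense for a grant that has no end user; regenerate the sample from a token actually issued for `read_books add_books`. The section should also state which clients may use this grant: the text says the client authenticates with ID and SECRET, which a public client does not have, so say explicitly that public clients are rejected, and note that a token from this grant is not tied to a user so operators know not to expect it to work against userinfo. Two wording fixes: `This is how the request should look like` should read `This is what the request should look like`, and `A successful access token response will like this` is missing `look`. Finally, the admonition tells readers to set the scope in the admin but not what format that field expects, while the code assigns a Python list and the response serialises it space-separated; document the admin format next to the programmatic example.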