include request in password grant authenticate call

An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
This commit is contained in:
Andy Clayton 2017-11-22 11:40:58 -06:00
parent f132e041d5
commit 713d15297c
3 changed files with 31 additions and 0 deletions

View file

@ -1,3 +1,4 @@
import inspect
from base64 import urlsafe_b64encode
import hashlib
import logging
@ -96,7 +97,14 @@ class TokenEndpoint(object):
if not settings.get('OIDC_GRANT_TYPE_PASSWORD_ENABLE'):
raise TokenError('unsupported_grant_type')
auth_args = (self.request,)
try:
inspect.getcallargs(authenticate, *auth_args)
except TypeError:
auth_args = ()
user = authenticate(
*auth_args,
username=self.params['username'],
password=self.params['password']
)

View file

@ -1,5 +1,9 @@
import random
import string
import django
from django.contrib.auth.backends import ModelBackend
try:
from urlparse import parse_qs, urlsplit
except ImportError:
@ -131,3 +135,10 @@ def fake_idtoken_processing_hook2(id_token, user):
def fake_introspection_processing_hook(response_dict, client, id_token):
response_dict['test_introspection_processing_hook'] = FAKE_RANDOM_STRING
return response_dict
class TestAuthBackend:
def authenticate(self, *args, **kwargs):
if django.VERSION[0] >= 2 or (django.VERSION[0] == 1 and django.VERSION[1] >= 11):
assert len(args) > 0 and args[0]
return ModelBackend().authenticate(*args, **kwargs)

View file

@ -3,6 +3,7 @@ import time
import uuid
from base64 import b64encode
try:
from urllib.parse import urlencode
except ImportError:
@ -256,6 +257,17 @@ class TokenTestCase(TestCase):
else:
self.assertNotIn(claim, userinfo)
@override_settings(OIDC_GRANT_TYPE_PASSWORD_ENABLE=True,
AUTHENTICATION_BACKENDS=("oidc_provider.tests.app.utils.TestAuthBackend",))
def test_password_grant_passes_request_to_backend(self):
response = self._post_request(
post_data=self._password_grant_post_data(),
extras=self._password_grant_auth_header()
)
response_dict = json.loads(response.content.decode('utf-8'))
self.assertIn('access_token', response_dict)
@override_settings(OIDC_TOKEN_EXPIRE=720)
def test_authorization_code(self):
"""