To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.
This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
Django 1.11 deprecated the django.contrib.auth.views.logout
function-based view, which django-oidc-provider relied on. This
patchset instead subclasses the new LogoutView.
LogoutView was introduced in Django 1.11. logout() was deprecated in
1.11 and removed in 2.1. Accordingly, this patch adds Django 2.1 to
CI and removes 1.8, 1.9, and 1.10.
Resolves#258
Django 1.10 changed request.user.is_authenticated from a function to a
boolean and Django 2.0 dropped the backward compatibility. In order to
use django-oidc-provider with Django 2.0, AuthorizeView needs to handle
request.user.is_authenticated as a boolean.
* Add test to expose issue #197
* Strip 'login' from prompt before redirecting
This fixes#197. Otherwise the user would have to login once,
then is immediately logged out and prompted to login again.
* Only remove 'login' if present
* Don't append an empty prompt parameter
* Inline variable
When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public. The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.
It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent). See the following links
for more info and examples on how to renew the access token with SPAs:
https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokenshttps://damienbod.com/2017/06/02/https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034
* Log create_uri_response exceptions to logger.exception
* Support grant type password - basics
* Add tests for Resource Owner Password Credentials Flow
* Password Grant -Response according to specification
* Better tests for errors, disable grant type password by default
* Add documentation for grant type password
* User authentication failure to return 403
* Add id_token to response
* skipping consent only works for confidential clients
* fix URI fragment
example not working URL `http://localhost:8100/#/auth/callback/`
* OIDC_POST_END_SESSION_HOOK + tests
* Explicit function naming
* Remove print statements
* No need for semicolons, this is Python
* Update CHANGELOG.md
* fixed logger message
* Improved `exp` value calculation
* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK
* added docs for OIDC_AFTER_END_SESSION_HOOK
* Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.
* Adds a setting variable for custom template paths
* Updates documentation
* Fixed bad try/except/finally block
* Adds test for OIDC_TEMPLATES settings
* Determine value for op_browser_state from session_key or default
* Do not use cookie for browser_state. It may not yet be there
* Add docs on new setting
OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY
* Fix compatibility for older versions of Django
* solved merging typo for missing @property