Commit graph

346 commits

Author SHA1 Message Date
Nicolas Iooss
43d990c04d Use request.user.is_authenticated as a bool with recent Django (#216)
Django 1.10 changed request.user.is_authenticated from a function to a
boolean and Django 2.0 dropped the backward compatibility. In order to
use django-oidc-provider with Django 2.0, AuthorizeView needs to handle
request.user.is_authenticated as a boolean.
2017-12-14 18:28:55 +01:00
Antoine Nguyen
65c6cc6fec Fixed client id retrieval when aud is a list of str. (#210)
* Fixed client id retrievel when aud is a list of str.

* Split tests.
2017-11-09 12:05:20 +01:00
Monte Hellawell
6beb186540 Add owner field to Client (#211)
* Add owner field to Client

* Add related_name to client owner
2017-11-09 11:57:22 +01:00
Wojciech Bartosiak
8149f1f9ab Merge pull request #203 from psavoie/develop
Add pep8 compliance and checker
2017-08-23 15:29:49 +02:00
Philippe Savoie
5dcd6a10b0 Add pep8 compliance and checker 2017-08-22 11:53:52 -07:00
Wojciech Bartosiak
8e26248022 Preparing v0.5.2 (#201)
* Fix infinite login loop if "prompt=login" (#198)
* Fix Django 2.0 deprecation warnings (#185)
2017-08-22 17:33:13 +02:00
Dillon Dixon
04c03787af Fix Django 2.0 deprecation warnings (#185)
* explicit default foreign key delete operations

* first iteration of Django 2.0 deprecation fixes
2017-08-10 11:38:50 +02:00
Jan Brauer
f78e2be3c5 Fix infinite login loop if "prompt=login" (#198)
* Add test to expose issue #197

* Strip 'login' from prompt before redirecting

This fixes #197. Otherwise the user would have to login once,
then is immediately logged out and prompted to login again.

* Only remove 'login' if present

* Don't append an empty prompt parameter

* Inline variable
2017-07-19 10:52:10 +02:00
Tuomas Suutari
ea340993b1 Fix scope handling of token endpoint (#193)
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-10 17:48:12 +02:00
Tuomas Suutari
eb682f23ff Pass scope to OIDC_IDTOKEN_PROCESSING_HOOK
The ID token processing hook might want to add claims to the ID token
conditionally based on the scope parameter.  Therefore it would be very
useful to provide the scope parameter to the processing hook.
2017-07-07 22:56:35 +03:00
Tuomas Suutari
6199a9a17e Fix scope handling of token endpoint
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-07 22:17:09 +03:00
Tuomas Suutari
5165312d01 Use stored user consent for public clients too (#189)
When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public.  The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.

It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent).  See the following links
for more info and examples on how to renew the access token with SPAs:

https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens

https://damienbod.com/2017/06/02/

https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034
2017-07-07 13:18:36 +02:00
Jan Brauer
1215c27d7e Redirect URIs must match exactly. (#191)
* Test redirect_uri construction

This was a test marked as TODO.

* Remove duplicate test

* Add tests to exactly match redirect URIs

* Redirect URIs must match exactly.

To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:

Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
2017-07-07 09:07:21 +02:00
Wojciech Bartosiak
f07327a713 Bug #187 prompt handling (#188)
prompt parameter changed to list of strings not a simple string
2017-06-06 11:12:37 +02:00
Wojciech Bartosiak
a829726be8 Merge develop to v0.5.x (#179)
* Log create_uri_response exceptions to logger.exception

* Support grant type password - basics

* Add tests for Resource Owner Password Credentials Flow

* Password Grant -Response according to specification

* Better tests for errors, disable grant type password by default

* Add documentation for grant type password

* User authentication failure to return 403

* Add id_token to response

* skipping consent only works for confidential clients

* fix URI fragment

example not working URL `http://localhost:8100/#/auth/callback/`

* OIDC_POST_END_SESSION_HOOK + tests

* Explicit function naming

* Remove print statements

* No need for semicolons, this is Python

* Update CHANGELOG.md

* fixed logger message

* Improved `exp` value calculation

* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK

* added docs for OIDC_AFTER_END_SESSION_HOOK

*  Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.

* Adds a setting variable for custom template paths

* Updates documentation

* Fixed bad try/except/finally block

* Adds test for OIDC_TEMPLATES settings

* Determine value for op_browser_state from session_key or default

* Do not use cookie for browser_state. It may not yet be there

* Add docs on new setting

OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY

* Fix compatibility for older versions of Django

* solved merging typo for missing @property
2017-05-05 05:19:57 +02:00
kaveh
b164388e15 Adds per-client consent customization 2017-04-11 13:16:06 -07:00
Ignacio Fiorentino
40009944af Merge branch 'develop' of https://github.com/juanifioren/django-oidc-provider into develop 2016-12-12 16:46:30 -03:00
Ignacio Fiorentino
66a3497a1c Fix refresh_token cannot be primary key if null. 2016-12-12 16:46:21 -03:00
Juan Ignacio Fiorentino
c5d0a99b55 Merge pull request #145 from suutari-ai/use-time-time
Use time.time to generate the timestamps.
2016-12-12 14:32:45 -03:00
Tuomas Suutari
65538b0f7d utils.token: Use time.time to generate the timestamps
Use `time.time()` rather than `timezone.now()` for generating the unix
timestamps.  This avoids conversion between year-month-day-hh-mm-ss
formatted timestamp vs. unix timestamp and is therefore simpler and more
robust.

Add a test case for this too and amend test_token_endpoint, since it
used to mock timezone.now, but now it needs to mock time.time.
2016-12-07 14:22:20 +02:00
Tuomas Suutari
5e3876f0c6 Revert "Fix timestamps computing in tokens"
This reverts commit 975eb0163f.
2016-12-07 14:22:20 +02:00
Ignacio Fiorentino
5242f0841e Add initial signals logic. 2016-12-01 16:20:34 -03:00
Brice Gelineau
975eb0163f Fix timestamps computing in tokens
The timestamp of timezone-aware datetimes was offset by the value of their timezone.
2016-11-30 15:23:11 +01:00
Brice Gelineau
8666990f69 Fix translations handling
Fix a missing _lazy.
Fix locale inclusion in the sdist package.
Fix French locale compiling.
2016-11-24 13:09:19 +01:00
hpool
acc5b408d1 Fix a bug that the value of STANDARD_CLAIMS is updated 2016-11-09 19:31:37 +09:00
hpool
155b4598b0 Add test for STANDARD_CLAIMS values 2016-11-09 19:20:27 +09:00
Ignacio Fiorentino
53166fb9ea Fix TypeError Unicode when using hashlib. 2016-11-04 15:56:51 -03:00
Ignacio Fiorentino
8a4103edca Fix bug in Python 3 using Session Management middleware. 2016-11-04 15:40:35 -03:00
Ignacio Fiorentino
59db79b65c Fix tests for end session endpoint. 2016-11-01 16:01:03 -03:00
Ignacio Fiorentino
e458542be2 Fix urls and names. 2016-11-01 12:15:48 -03:00
Ignacio Fiorentino
f8e0f2dc2c Re-generate migrations with Python 3. 2016-11-01 12:00:13 -03:00
Ignacio Fiorentino
5d07111a18 Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 17:07:06 -03:00
Ignacio Fiorentino
ecba16ed36 Fix bug with id_token without openid scope. 2016-10-31 16:37:51 -03:00
Ignacio Fiorentino
9bdec5da7c Add post_logout_redirect_uris for Client model. 2016-10-31 16:36:58 -03:00
Ignacio Fiorentino
50e5287b48 Initial Session Management version. 2016-10-28 15:25:52 -03:00
Ignacio Fiorentino
4d2bdb9a97 Generate bigger secret with sha224. 2016-10-26 17:04:12 -03:00
Ignacio Fiorentino
3711d6c5ab Fallback user claims (email, first_name, etc). 2016-10-26 16:46:14 -03:00
David Montano
99d7194ab1 Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS
Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors
2016-10-12 14:23:57 -05:00
Ignacio Fiorentino
2cedde5e3f Remove spaces. 2016-10-11 13:18:06 -03:00
Ignacio Fiorentino
38e37e7c47 Merge branch 'v0.4.x' of https://github.com/wojtek-fliposports/django-oidc-provider into wojtek-fliposports-v0.4.x 2016-10-11 11:52:31 -03:00
Wojciech Bartosiak
2bf2ffa275 added migrations for client secret 2016-10-05 17:58:39 +02:00
Wojciech Bartosiak
d174d4e629 fix for generating client secret 2016-10-05 17:37:49 +02:00
Ignacio Fiorentino
74b5390daa Merge branch 'redirect_uri_query' of https://github.com/jerrykan/django-oidc-provider into jerrykan-redirect_uri_query 2016-10-05 12:33:05 -03:00
Wojciech Bartosiak
59312bf811 redirect URI clean up moved to utils module 2016-10-04 19:32:54 +02:00
Ignacio Fiorentino
6ed2c200a7 Update pyjwkest to version 1.3.0. 2016-10-03 12:54:54 -03:00
yasserisa
1c3bd7579b FIX id_token, field iss set to type str 2016-09-21 10:20:03 -03:00
Ignacio Fiorentino
4971449684 Create migration again. 2016-09-12 11:09:21 -03:00
Ignacio Fiorentino
1973ce1108 Add more attr to Client object. 2016-09-09 15:57:25 -03:00
Ignacio Fiorentino
c14d2f055a Remove Params() object from endpoints classes. 2016-09-09 14:49:41 -03:00
Ignacio Fiorentino
8a63c83514 Refactoring create_id_token function. 2016-09-09 13:10:12 -03:00
Ignacio Fiorentino
5836774f6b Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 11:43:28 -03:00
Ignacio Fiorentino
439774aeeb Add test for Hybrid flow. Plus refactoring. 2016-09-08 17:15:25 -03:00
Ignacio Fiorentino
f8dbfa5c04 Add Hybrid flow login in view and models. 2016-09-08 16:21:48 -03:00
Ignacio Fiorentino
d7b06ee3b4 Fix bug when creating first time client public. 2016-09-07 12:30:20 -03:00
Ignacio Fiorentino
68d982369e Add CORS fix to userinfo view. 2016-09-06 15:37:23 -03:00
Ignacio Fiorentino
a583648be2 Add Access-Control-Allow-Origin to ProviderInfoView. 2016-09-06 13:21:29 -03:00
Wojciech Bartosiak
9e6928c6a9 Polish translation 2016-09-06 13:15:40 +02:00
Florent Jouatte
2872d2e10b #113: tiny improvement 2016-08-17 12:24:00 +02:00
Florent Jouatte
2c1d582475 #113: omit claim when empty 2016-08-17 12:13:33 +02:00
Ignacio Fiorentino
d35f16eeae Merge branch 'fix-import-all' of https://github.com/grahamu/django-oidc-provider into grahamu-fix-import-all 2016-08-12 12:02:48 -03:00
Graham Ullrich
ba4faee6ef Fix global imports
Global imports ("from X import *") are discouraged in Python.
2016-08-11 16:05:13 -06:00
Ignacio Fiorentino
2214ec0d70 Add missing migration. 2016-08-11 16:56:02 -03:00
Ignacio Fiorentino
988cad073e Add new test for migrations. 2016-08-11 16:43:30 -03:00
Graham Ullrich
b8d1d63c28 Improve tox.ini envlist layout, simplified commands.
Remove tests/app/settings.py in favor of settings in setup.py.
Change MANIFEST.in to include README.md (which exists) instead of README.rst (which does not exist).
Update .travis.yml to use tox instead of `python django_admin.py`, include Django v1.10 in the mix.
2016-08-11 11:13:23 -06:00
Ignacio Fiorentino
6151a6cfb9 Merge branch 'fix-id-token-at-hash' of https://github.com/brosner/django-oidc-provider into brosner-fix-id-token-at-hash 2016-08-10 18:13:33 -03:00
Graham Ullrich
e822252b6e Use original test files 2016-08-08 12:20:47 -06:00
Graham Ullrich
e04d42fedf flake8 fixes 2016-08-08 11:54:40 -06:00
Graham Ullrich
ffddb69f80 Add tests for at_hash
Ensure at_hash is present in id_token when warranted.
2016-08-08 11:24:07 -06:00
Arkadiy Korotaev
8cbf5c3304 Cleanup urls.py - remove unused and wildcard import 2016-08-08 09:58:36 +04:00
Brian Rosner
afc3a60ee7
Added at_hash when access token is present
This is required by response type "id_token token", but can be
used by other flows if they choose.
2016-08-05 14:00:00 -06:00
Ignacio Fiorentino
2573a60092 Fix test app urls and templates loaders in settings. 2016-08-04 13:35:27 -03:00
Graham Ullrich
ddb62a383b Remove unused import
Update mock requirement.
2016-08-03 23:44:17 -06:00
Florent Jouatte
f4c27ed28d tiny translation 2016-07-29 09:07:25 +02:00
Florent Jouatte
c29514ca64 add french translation (not over) 2016-07-28 10:55:06 +02:00
Ignacio Fiorentino
b70007e4a9 Add ES and FR initial translations. 2016-07-26 17:19:33 -03:00
Ignacio Fiorentino
dc9ec1863e Change setting OIDC_USERINFO. 2016-07-07 12:50:27 -03:00
Ignacio Fiorentino
4cc7474c19 Add verbose name and description for scopes. 2016-06-16 17:18:39 -03:00
Ignacio Fiorentino
739b6ef381 Provide doc for user consent model. 2016-06-13 13:26:33 -03:00
Ignacio Fiorentino
5255719700 Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 12:15:10 -03:00
Ignacio Fiorentino
41f23afa31 Add missing migration. 2016-06-10 10:57:31 -03:00
Ignacio Fiorentino
70c7d128c1 Refactoring views.py. 2016-06-01 12:09:40 -03:00
Ignacio Fiorentino
21e8e89d35 Edit default setting. 2016-05-30 14:26:25 -03:00
Ignacio Fiorentino
eea590e006 Modify scope claims class. 2016-05-30 13:28:07 -03:00
Si Feng
86a921aba7 Fix typo 2016-05-25 15:21:27 -07:00
Si Feng
be5656bcf4 Make SITE_URL optional. 2016-05-25 14:58:58 -07:00
Ignacio Fiorentino
497f2f3a68 Bump version v0.3.3. 2016-05-03 12:17:22 -03:00
Ignacio Fiorentino
a0c7b3c0c4 Create migrations. Improve docs. 2016-04-25 17:33:52 -03:00
Ignacio Fiorentino
9f9df355a3 Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 14:55:30 -03:00
Ignacio Fiorentino
b8f442184c Remove migration. 2016-04-25 14:51:00 -03:00
Ignacio Fiorentino
8320394a67 Refactoring variables. 2016-04-14 17:45:30 -03:00
Ignacio Fiorentino
bc6a083571 Refactoring tests. 2016-04-14 16:22:38 -03:00
Ignacio Fiorentino
41dcb192bc Add support for the other values of the prompt param. 2016-04-13 18:38:38 -03:00
Ignacio Fiorentino
61f0c209af Refactoring prompt=none logic. 2016-04-13 17:19:37 -03:00
John Kristensen
2f54e53766 Ensure client redirect URIs with query strings work
In some cases a client will provide a redirect URI with a query string.
In these cases the client redirect URI should still still match a
registered redirect URI and not result in a failure.
2016-04-13 22:29:21 +10:00
Ignacio Fiorentino
b05894bf6d Add prompt parameter to authorize view. 2016-04-12 18:19:16 -03:00
Ignacio Fiorentino
3f5992100a Not auto-approve requests for non-confidential clients. 2016-04-08 18:09:24 -03:00
Ignacio Fiorentino
e97c32acd1 Fix encoding problem when using Py34. 2016-04-08 13:22:05 -03:00
Ignacio Fiorentino
559f90c5a6 Remove pdb. 2016-04-07 16:36:42 -03:00
Ignacio Fiorentino
e495d6c41d Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 16:18:47 -03:00
Ignacio
b1b8247cb0 Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 11:45:35 -03:00