Commit graph

42 commits

Author SHA1 Message Date
Tuomas Suutari
ea340993b1 Fix scope handling of token endpoint (#193)
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-10 17:48:12 +02:00
Jan Brauer
1215c27d7e Redirect URIs must match exactly. (#191)
* Test redirect_uri construction

This was a test marked as TODO.

* Remove duplicate test

* Add tests to exactly match redirect URIs

* Redirect URIs must match exactly.

To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:

Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
2017-07-07 09:07:21 +02:00
Wojciech Bartosiak
a829726be8 Merge develop to v0.5.x (#179)
* Log create_uri_response exceptions to logger.exception

* Support grant type password - basics

* Add tests for Resource Owner Password Credentials Flow

* Password Grant -Response according to specification

* Better tests for errors, disable grant type password by default

* Add documentation for grant type password

* User authentication failure to return 403

* Add id_token to response

* skipping consent only works for confidential clients

* fix URI fragment

example not working URL `http://localhost:8100/#/auth/callback/`

* OIDC_POST_END_SESSION_HOOK + tests

* Explicit function naming

* Remove print statements

* No need for semicolons, this is Python

* Update CHANGELOG.md

* fixed logger message

* Improved `exp` value calculation

* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK

* added docs for OIDC_AFTER_END_SESSION_HOOK

*  Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.

* Adds a setting variable for custom template paths

* Updates documentation

* Fixed bad try/except/finally block

* Adds test for OIDC_TEMPLATES settings

* Determine value for op_browser_state from session_key or default

* Do not use cookie for browser_state. It may not yet be there

* Add docs on new setting

OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY

* Fix compatibility for older versions of Django

* solved merging typo for missing @property
2017-05-05 05:19:57 +02:00
Tuomas Suutari
65538b0f7d utils.token: Use time.time to generate the timestamps
Use `time.time()` rather than `timezone.now()` for generating the unix
timestamps.  This avoids conversion between year-month-day-hh-mm-ss
formatted timestamp vs. unix timestamp and is therefore simpler and more
robust.

Add a test case for this too and amend test_token_endpoint, since it
used to mock timezone.now, but now it needs to mock time.time.
2016-12-07 14:22:20 +02:00
Ignacio Fiorentino
38e37e7c47 Merge branch 'v0.4.x' of https://github.com/wojtek-fliposports/django-oidc-provider into wojtek-fliposports-v0.4.x 2016-10-11 11:52:31 -03:00
Ignacio Fiorentino
74b5390daa Merge branch 'redirect_uri_query' of https://github.com/jerrykan/django-oidc-provider into jerrykan-redirect_uri_query 2016-10-05 12:33:05 -03:00
Wojciech Bartosiak
59312bf811 redirect URI clean up moved to utils module 2016-10-04 19:32:54 +02:00
Ignacio Fiorentino
8a63c83514 Refactoring create_id_token function. 2016-09-09 13:10:12 -03:00
Graham Ullrich
ba4faee6ef Fix global imports
Global imports ("from X import *") are discouraged in Python.
2016-08-11 16:05:13 -06:00
Graham Ullrich
e822252b6e Use original test files 2016-08-08 12:20:47 -06:00
Ignacio Fiorentino
bc6a083571 Refactoring tests. 2016-04-14 16:22:38 -03:00
John Kristensen
2f54e53766 Ensure client redirect URIs with query strings work
In some cases a client will provide a redirect URI with a query string.
In these cases the client redirect URI should still still match a
registered redirect URI and not result in a failure.
2016-04-13 22:29:21 +10:00
Ignacio Fiorentino
559f90c5a6 Remove pdb. 2016-04-07 16:36:42 -03:00
Ignacio Fiorentino
e495d6c41d Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 16:18:47 -03:00
Wojciech Bartosiak
7cb5b4d54e str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00
Ignacio
a4d5f89536 Merge branch 'v0.2.x' of https://github.com/juanifioren/django-oidc-provider into v0.3.x
Conflicts:
	oidc_provider/lib/utils/common.py
	oidc_provider/lib/utils/token.py
2016-02-25 10:10:07 -03:00
Wojciech Bartosiak
56ffd92ee8 added 'user' into default_idtoken_processing_hook 2016-02-17 22:30:10 +00:00
juanifioren
25a59c8344 Refactoring supporting OAuth2 flow. 2016-02-16 17:33:12 -03:00
juanifioren
782befd6ec Rename setting. 2016-02-12 14:51:43 -03:00
Wojciech Bartosiak
7a357001b6 Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00
juanifioren
998ea5fcd1 Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 17:52:24 -03:00
juanifioren
ccd9836edb Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 15:17:22 -03:00
Ignacio
153730e5f9 Fix posible bug with pyjwkest==1.0.8. Revert to version 1.0.6. 2015-12-03 13:29:57 -03:00
juanifioren
121f7f22cb Fix in tests when using JWS.verify_compact. Need allow_none set to True. 2015-12-01 14:42:39 -03:00
Maarten van Schaik
f4dfa7303f Forget old token when a refresh token is used 2015-09-30 16:46:33 +02:00
Maarten van Schaik
8d672cc1ba Add support for refresh_token to token endpoint 2015-09-30 14:55:48 +02:00
juanifioren
83c21cec40 Add tests for HTTP Basic Client auth. 2015-07-30 15:49:48 -03:00
juanifioren
401a35f68f Encode id_token in tests. 2015-07-27 15:51:19 -03:00
Ignacio
064b36d615 Fix tests with pyjwkest package. 2015-07-27 11:35:05 -03:00
juanifioren
162416bfae Add missing encode in test. 2015-07-23 16:28:20 -03:00
juanifioren
01bf1ee5e6 In python 3 use "int" instead of "long". 2015-07-23 16:22:42 -03:00
juanifioren
9b3ba5652f Add idtoken_sign_validation test. 2015-07-22 18:22:46 -03:00
juanifioren
a08dbdb7d2 Merge branch 'master' of https://github.com/juanifioren/django-oidc-provider into v0.1.0-dev
Conflicts:
	example_project/.gitignore
2015-07-17 11:32:14 -03:00
juanifioren
91ae9ba9ff Add one test for request not containing nonce parameter. 2015-07-16 15:58:33 -03:00
juanifioren
882def8124 Fix tests for using nonce parameter. 2015-07-16 15:04:33 -03:00
juanifioren
211f942eec Fix imports in tests. 2015-07-14 14:52:48 -03:00
Maarten van Schaik
a4fcf956c2 Add nonce in id_token when included in auth request
http://openid.net/specs/openid-connect-core-1_0.html#IDToken

If present in the Authentication Request, Authorization Servers MUST
include a nonce Claim in the ID Token with the Claim Value being the
nonce value sent in the Authentication Request.

This patch adds the nonce to the id_token.
2015-07-10 14:44:26 +02:00
juanifioren
27110b65e4 Use decode with utf-8 encoding. 2015-07-01 17:20:16 -03:00
juanifioren
447d026a41 Add urllib and change iteritems() with items(). 2015-07-01 16:43:35 -03:00
juanifioren
e2a0f8ec60 Add urllib compatibility. 2015-07-01 12:53:41 -03:00
juanifioren
06fb967bf8 Add import for reverse function in tests. 2015-05-07 15:47:00 -03:00
juanifioren
1ec93d480f Add test_token_endpoint. 2015-03-12 12:43:21 -03:00