Commit graph

40 commits

Author SHA1 Message Date
Andy Clayton
036c4fc9b3 document non-obvious string check 2018-08-16 15:47:14 -05:00
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Tuomas Suutari
c95497dbd9 Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK
There is no need to pass in the scope parameter separately, since the
scope is available via the token parameter already.
2018-05-31 10:23:58 +03:00
Tuomas Suutari
b0a82aa4ab Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK
The ID token processing hook might need the token or request too, so
make them available.
2018-05-24 09:31:05 +03:00
Tuomas Suutari
93420461b4 Merge branch 'develop' of github.com:juanifioren/django-oidc-provider
* 'develop' of github.com:juanifioren/django-oidc-provider:
  Update changelog.rst
  include request in password grant authenticate call
  Update setup.py
  Update changelog.rst
  Update changelog.rst
  Adjust import order and method order in introspection tests
  Replace resource with client in docs.
  Update settings docs to add extra introspection setting
  Update README.md
  Update README.md
  Remove the Resource model
  Skip csrf protection on introspection endpoint
  Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662
  Test docs with tox.
  Remove Django 1.7 for travis.
  Drop support for Django 1.7.
  Move extract_client_auth to oauth2 utils.
  Remove duplicate link in docs.
  Bump version v0.6.0.
  Fix BaseCodeTokenModel and user attr.
  Update README.md
  Edit README and contribute doc.
  Edit changelog.
  Update changelog.rst
  Add protected_resource_view test using client_credentials.
  Fix docs.
  Improve docs.
  Client credentials implementation.
  Move changelog into docs.
  Update README.md
  Update CHANGELOG.md
  Fixed infinite callback loop in check-session iframe
  Fix PEP8. New migration.
  Update example project.
  Fix PEP8.
  Fix PEP8.
  PEP8 errors and urls.
  PEP8 models.
  Fix contribute docs.
  Fix tox for checking PEP8 all files.
  Update README.md
  Update README.md
  Simplify test suit.
  Update CHANGELOG.md
  Bump version 0.5.3.
  Update installation.rst
  Update CHANGELOG.md
  Fixed wrong Object in Template
  Update project to support Django 2.0
  Now passing along the token to create_id_token function.
  Made token and token_refresh endpoint return requested claims.
  Sphinx documentation fixes (#219)
  Use request.user.is_authenticated as a bool with recent Django (#216)
  Fixed client id retrieval when aud is a list of str. (#210)
  Add owner field to Client (#211)
  Update CHANGELOG
  removed tab char
  Add pep8 compliance and checker
  Bump version
  Update CHANGELOG.md
  Preparing v0.5.2 (#201)
  Fix Django 2.0 deprecation warnings (#185)
  Fix infinite login loop if "prompt=login" (#198)
  fixed typos
  Bump version
  Fix scope handling of token endpoint (#193)
  Fixes #192
  Use stored user consent for public clients too (#189)
  Redirect URIs must match exactly. (#191)
  Bug #187 prompt handling (#188)
  Don't pin exact versions in install_requires.
2018-05-24 00:16:26 +03:00
Andy Clayton
713d15297c include request in password grant authenticate call
An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
2018-05-12 09:18:56 -05:00
Maxim Daniline
8eeaf5cf33 Remove the Resource model 2018-04-23 14:59:56 +01:00
Maxim Daniline
180aad9a36 Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-04-23 10:47:01 +01:00
Juan Ignacio Fiorentino
56ad376518 Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 18:41:38 -03:00
Juan Ignacio Fiorentino
9dbdac6574 Fix PEP8. 2018-03-23 15:46:12 -03:00
Allisson Azevedo
795ac32257 Update project to support Django 2.0 2018-02-01 14:00:57 -03:00
dhrp
8c736b8b08 Made token and token_refresh endpoint return requested claims. 2017-12-14 23:33:05 +01:00
Tuomas Suutari
ea340993b1 Fix scope handling of token endpoint (#193)
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-10 17:48:12 +02:00
Tuomas Suutari
eb682f23ff Pass scope to OIDC_IDTOKEN_PROCESSING_HOOK
The ID token processing hook might want to add claims to the ID token
conditionally based on the scope parameter.  Therefore it would be very
useful to provide the scope parameter to the processing hook.
2017-07-07 22:56:35 +03:00
Tuomas Suutari
6199a9a17e Fix scope handling of token endpoint
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-07 22:17:09 +03:00
kaveh
b164388e15 Adds per-client consent customization 2017-04-11 13:16:06 -07:00
Ignacio Fiorentino
59db79b65c Fix tests for end session endpoint. 2016-11-01 16:01:03 -03:00
David Montano
99d7194ab1 Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS
Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors
2016-10-12 14:23:57 -05:00
Ignacio Fiorentino
439774aeeb Add test for Hybrid flow. Plus refactoring. 2016-09-08 17:15:25 -03:00
Graham Ullrich
ba4faee6ef Fix global imports
Global imports ("from X import *") are discouraged in Python.
2016-08-11 16:05:13 -06:00
Graham Ullrich
b8d1d63c28 Improve tox.ini envlist layout, simplified commands.
Remove tests/app/settings.py in favor of settings in setup.py.
Change MANIFEST.in to include README.md (which exists) instead of README.rst (which does not exist).
Update .travis.yml to use tox instead of `python django_admin.py`, include Django v1.10 in the mix.
2016-08-11 11:13:23 -06:00
Ignacio Fiorentino
2573a60092 Fix test app urls and templates loaders in settings. 2016-08-04 13:35:27 -03:00
Ignacio Fiorentino
dc9ec1863e Change setting OIDC_USERINFO. 2016-07-07 12:50:27 -03:00
Ignacio Fiorentino
5255719700 Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 12:15:10 -03:00
Ignacio Fiorentino
bc6a083571 Refactoring tests. 2016-04-14 16:22:38 -03:00
Ignacio Fiorentino
3f5992100a Not auto-approve requests for non-confidential clients. 2016-04-08 18:09:24 -03:00
Ignacio Fiorentino
e495d6c41d Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 16:18:47 -03:00
Ignacio
b1b8247cb0 Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 11:45:35 -03:00
Wojciech Bartosiak
7cb5b4d54e str or list or tuple for OIDC_ID_TOKEN_PROCESSING_HOOK 2016-03-01 17:54:57 +00:00
Wojciech Bartosiak
509100f8ad added 'user' into default_idtoken_processing_hook 2016-02-17 22:28:08 +00:00
juanifioren
782befd6ec Rename setting. 2016-02-12 14:51:43 -03:00
Wojciech Bartosiak
7a357001b6 Added OIDC_ID_TOKEN_PROCESSING_HOOK functionality 2016-02-12 16:02:35 +00:00
juanifioren
32555eb660 Remove old OIDC_RSA_KEY_FOLDER setting from example project and tests. 2016-01-25 18:01:54 -03:00
juanifioren
998ea5fcd1 Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 17:52:24 -03:00
juanifioren
73ece1bf64 Make OIDC_AFTER_USERLOGIN_HOOK to be lazy imported by string. 2016-01-19 17:37:32 -03:00
juanifioren
ccd9836edb Make OIDC_IDTOKEN_SUB_GENERATOR to be lazy imported by the location of the function. 2016-01-12 15:17:22 -03:00
juanifioren
18b492d1db Add tests for userinfo claims. 2015-08-11 15:59:57 -03:00
juanifioren
a08dbdb7d2 Merge branch 'master' of https://github.com/juanifioren/django-oidc-provider into v0.1.0-dev
Conflicts:
	example_project/.gitignore
2015-07-17 11:32:14 -03:00
juanifioren
80f89889bb Add example key file for tests. 2015-07-14 15:01:32 -03:00
juanifioren
051c29a262 Refactoring tests. 2015-07-14 13:27:46 -03:00