Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.
The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.
From the spec https://tools.ietf.org/html/rfc7662:
client_id
OPTIONAL. Client identifier for the OAuth 2.0 client that
requested this token.
aud
OPTIONAL. Service-specific string identifier or list of string
identifiers representing the intended audience for this token, as
defined in JWT [RFC7519].
Up until recently there were settings with truthy defaults but with no
need to be set to a false value. That changed with
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE. Now there is a setting that
has both a true default and a meaningful false value, and without this
fix that setting cannot be changed making it not much of a setting at
all.
* 'develop' of github.com:juanifioren/django-oidc-provider:
Update changelog.rst
include request in password grant authenticate call
Update setup.py
Update changelog.rst
Update changelog.rst
Adjust import order and method order in introspection tests
Replace resource with client in docs.
Update settings docs to add extra introspection setting
Update README.md
Update README.md
Remove the Resource model
Skip csrf protection on introspection endpoint
Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662
Test docs with tox.
Remove Django 1.7 for travis.
Drop support for Django 1.7.
Move extract_client_auth to oauth2 utils.
Remove duplicate link in docs.
Bump version v0.6.0.
Fix BaseCodeTokenModel and user attr.
Update README.md
Edit README and contribute doc.
Edit changelog.
Update changelog.rst
Add protected_resource_view test using client_credentials.
Fix docs.
Improve docs.
Client credentials implementation.
Move changelog into docs.
Update README.md
Update CHANGELOG.md
Fixed infinite callback loop in check-session iframe
Fix PEP8. New migration.
Update example project.
Fix PEP8.
Fix PEP8.
PEP8 errors and urls.
PEP8 models.
Fix contribute docs.
Fix tox for checking PEP8 all files.
Update README.md
Update README.md
Simplify test suit.
Update CHANGELOG.md
Bump version 0.5.3.
Update installation.rst
Update CHANGELOG.md
Fixed wrong Object in Template
Update project to support Django 2.0
Now passing along the token to create_id_token function.
Made token and token_refresh endpoint return requested claims.
Sphinx documentation fixes (#219)
Use request.user.is_authenticated as a bool with recent Django (#216)
Fixed client id retrieval when aud is a list of str. (#210)
Add owner field to Client (#211)
Update CHANGELOG
removed tab char
Add pep8 compliance and checker
Bump version
Update CHANGELOG.md
Preparing v0.5.2 (#201)
Fix Django 2.0 deprecation warnings (#185)
Fix infinite login loop if "prompt=login" (#198)
fixed typos
Bump version
Fix scope handling of token endpoint (#193)
Fixes#192
Use stored user consent for public clients too (#189)
Redirect URIs must match exactly. (#191)
Bug #187 prompt handling (#188)
Don't pin exact versions in install_requires.
An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
* Add test to expose issue #197
* Strip 'login' from prompt before redirecting
This fixes#197. Otherwise the user would have to login once,
then is immediately logged out and prompted to login again.
* Only remove 'login' if present
* Don't append an empty prompt parameter
* Inline variable
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:
1. For "authorization_code" grant type the scope parameter in the token
request should not be respected but the scope should be taken from
the authorization code. It was not totally ignored, but rather the
scope parameter of the token request was used for the generated ID
token. This had two consequences:
* Spec conforming implementations of authorization code flow
didn't get correct ID tokens, since they usually don't pass
scope parameter with the token request.
* It's possible to get a broader scope for the ID token than what
is authorized by the user in the original authorization code
request.
2. For "refresh_token" grant type the scope parameter in the token
request should only allow narrowing down the scope. It wasn't
narrowed, but rather the original auth code scope was used for the
access token and the passed in scope parameter was used for the ID
token (again allowing unauthorized scopes in the ID token).
3. For "password" grant type the scope parameter in the token request
should be respected. The problem with this was that it wasn't
properly splitted when passed to ID token creation.
Fixes#186
The ID token processing hook might want to add claims to the ID token
conditionally based on the scope parameter. Therefore it would be very
useful to provide the scope parameter to the processing hook.
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:
1. For "authorization_code" grant type the scope parameter in the token
request should not be respected but the scope should be taken from
the authorization code. It was not totally ignored, but rather the
scope parameter of the token request was used for the generated ID
token. This had two consequences:
* Spec conforming implementations of authorization code flow
didn't get correct ID tokens, since they usually don't pass
scope parameter with the token request.
* It's possible to get a broader scope for the ID token than what
is authorized by the user in the original authorization code
request.
2. For "refresh_token" grant type the scope parameter in the token
request should only allow narrowing down the scope. It wasn't
narrowed, but rather the original auth code scope was used for the
access token and the passed in scope parameter was used for the ID
token (again allowing unauthorized scopes in the ID token).
3. For "password" grant type the scope parameter in the token request
should be respected. The problem with this was that it wasn't
properly splitted when passed to ID token creation.
Fixes#186
When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public. The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.
It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent). See the following links
for more info and examples on how to renew the access token with SPAs:
https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokenshttps://damienbod.com/2017/06/02/https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034
* Test redirect_uri construction
This was a test marked as TODO.
* Remove duplicate test
* Add tests to exactly match redirect URIs
* Redirect URIs must match exactly.
To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:
Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
* Log create_uri_response exceptions to logger.exception
* Support grant type password - basics
* Add tests for Resource Owner Password Credentials Flow
* Password Grant -Response according to specification
* Better tests for errors, disable grant type password by default
* Add documentation for grant type password
* User authentication failure to return 403
* Add id_token to response
* skipping consent only works for confidential clients
* fix URI fragment
example not working URL `http://localhost:8100/#/auth/callback/`
* OIDC_POST_END_SESSION_HOOK + tests
* Explicit function naming
* Remove print statements
* No need for semicolons, this is Python
* Update CHANGELOG.md
* fixed logger message
* Improved `exp` value calculation
* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK
* added docs for OIDC_AFTER_END_SESSION_HOOK
* Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.
* Adds a setting variable for custom template paths
* Updates documentation
* Fixed bad try/except/finally block
* Adds test for OIDC_TEMPLATES settings
* Determine value for op_browser_state from session_key or default
* Do not use cookie for browser_state. It may not yet be there
* Add docs on new setting
OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY
* Fix compatibility for older versions of Django
* solved merging typo for missing @property
Use `time.time()` rather than `timezone.now()` for generating the unix
timestamps. This avoids conversion between year-month-day-hh-mm-ss
formatted timestamp vs. unix timestamp and is therefore simpler and more
robust.
Add a test case for this too and amend test_token_endpoint, since it
used to mock timezone.now, but now it needs to mock time.time.