It seems like there are multi ways to achieve that, all of them highliting
the importance of maintain a single source of truth for the version number.
More info: https://packaging.python.org/guides/single-sourcing-package-version/.
This PR includes one possible approach, open to discussion.
It seems like many lead institutions related with security are
recommending a minimum key length of 112-bits since 2013.
In order to achieve that, a RSA key size of 2048 (or more) is required.
To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
Have the option to use the more readable response type value rather than
the ResponseType id integer in fixtures and dumpdata output.
Prior to this change dumpdata represents response types like so:
"response_types": [2]
And after this change when using `dumpdata --natural-foreign`:
"response_types": [["code"]]
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.
This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
Django 1.11 deprecated the django.contrib.auth.views.logout
function-based view, which django-oidc-provider relied on. This
patchset instead subclasses the new LogoutView.
LogoutView was introduced in Django 1.11. logout() was deprecated in
1.11 and removed in 2.1. Accordingly, this patch adds Django 2.1 to
CI and removes 1.8, 1.9, and 1.10.
Resolves#258
The response can simply omit fields that require id_token as the only
required field is "active" according to RFC 7662. I think it would be
nice for introspection of client credentials tokens to be supported by
default without needing to override
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start.
Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.
The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.
From the spec https://tools.ietf.org/html/rfc7662:
client_id
OPTIONAL. Client identifier for the OAuth 2.0 client that
requested this token.
aud
OPTIONAL. Service-specific string identifier or list of string
identifiers representing the intended audience for this token, as
defined in JWT [RFC7519].