Commit graph

73 commits

Author SHA1 Message Date
Christian Bouvier
eb2f272a0b Enhancement: AuthorizeView's static method strip-prompt-login was moved to a new file oidc_provider/lib/utils/authorize.py in order to be more consistent with the implementation of other Views 2018-10-04 10:40:23 -03:00
Christian Bouvier
37e6df8306 Fix #283: bug in strip_prompt_login
AuthorizeView's static method strip_prompt_login fails to remove prompt login when other prompt values appear in the request.
2018-10-03 14:51:51 -03:00
Juan Ignacio Fiorentino
6997e19687
Merge pull request #260 from dcollinsn/django-2.1
Django 2.1
2018-09-14 16:34:15 -03:00
Bono de Visser
69b793a363 Make it easier to change AuthorizeEndpoint and Client
To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
2018-09-14 11:21:57 +02:00
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Dan Collins
972071e370 Add support for Django 2.1, drop support for Django < 1.11
Django 1.11 deprecated the django.contrib.auth.views.logout
function-based view, which django-oidc-provider relied on. This
patchset instead subclasses the new LogoutView.

LogoutView was introduced in Django 1.11. logout() was deprecated in
1.11 and removed in 2.1. Accordingly, this patch adds Django 2.1 to
CI and removes 1.8, 1.9, and 1.10.

Resolves #258
2018-08-01 14:13:11 -04:00
Andy Clayton
0adb95d25f example fix for userinfo CORS preflight request
Example for
https://github.com/juanifioren/django-oidc-provider/issues/249. If this
approach seems acceptable I can add/update tests.
2018-06-19 15:59:28 -05:00
Maxim Daniline
8eeaf5cf33 Remove the Resource model 2018-04-23 14:59:56 +01:00
Maxim Daniline
00f3efa158 Skip csrf protection on introspection endpoint 2018-04-23 10:47:01 +01:00
Maxim Daniline
180aad9a36 Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-04-23 10:47:01 +01:00
Juan Ignacio Fiorentino
9dbdac6574 Fix PEP8. 2018-03-23 15:46:12 -03:00
Juan Ignacio Fiorentino
e66b374803 Merge branch 'v0.5.x' of https://github.com/juanifioren/django-oidc-provider into develop 2018-03-22 12:28:02 -03:00
Allisson Azevedo
795ac32257 Update project to support Django 2.0 2018-02-01 14:00:57 -03:00
Nicolas Iooss
43d990c04d Use request.user.is_authenticated as a bool with recent Django (#216)
Django 1.10 changed request.user.is_authenticated from a function to a
boolean and Django 2.0 dropped the backward compatibility. In order to
use django-oidc-provider with Django 2.0, AuthorizeView needs to handle
request.user.is_authenticated as a boolean.
2017-12-14 18:28:55 +01:00
Wojciech Bartosiak
8149f1f9ab Merge pull request #203 from psavoie/develop
Add pep8 compliance and checker
2017-08-23 15:29:49 +02:00
Philippe Savoie
5dcd6a10b0 Add pep8 compliance and checker 2017-08-22 11:53:52 -07:00
Wojciech Bartosiak
8e26248022 Preparing v0.5.2 (#201)
* Fix infinite login loop if "prompt=login" (#198)
* Fix Django 2.0 deprecation warnings (#185)
2017-08-22 17:33:13 +02:00
Dillon Dixon
04c03787af Fix Django 2.0 deprecation warnings (#185)
* explicit default foreign key delete operations

* first iteration of Django 2.0 deprecation fixes
2017-08-10 11:38:50 +02:00
Jan Brauer
f78e2be3c5 Fix infinite login loop if "prompt=login" (#198)
* Add test to expose issue #197

* Strip 'login' from prompt before redirecting

This fixes #197. Otherwise the user would have to login once,
then is immediately logged out and prompted to login again.

* Only remove 'login' if present

* Don't append an empty prompt parameter

* Inline variable
2017-07-19 10:52:10 +02:00
Tuomas Suutari
5165312d01 Use stored user consent for public clients too (#189)
When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public.  The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.

It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent).  See the following links
for more info and examples on how to renew the access token with SPAs:

https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens

https://damienbod.com/2017/06/02/

https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034
2017-07-07 13:18:36 +02:00
Wojciech Bartosiak
f07327a713 Bug #187 prompt handling (#188)
prompt parameter changed to list of strings not a simple string
2017-06-06 11:12:37 +02:00
Wojciech Bartosiak
a829726be8 Merge develop to v0.5.x (#179)
* Log create_uri_response exceptions to logger.exception

* Support grant type password - basics

* Add tests for Resource Owner Password Credentials Flow

* Password Grant -Response according to specification

* Better tests for errors, disable grant type password by default

* Add documentation for grant type password

* User authentication failure to return 403

* Add id_token to response

* skipping consent only works for confidential clients

* fix URI fragment

example not working URL `http://localhost:8100/#/auth/callback/`

* OIDC_POST_END_SESSION_HOOK + tests

* Explicit function naming

* Remove print statements

* No need for semicolons, this is Python

* Update CHANGELOG.md

* fixed logger message

* Improved `exp` value calculation

* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK

* added docs for OIDC_AFTER_END_SESSION_HOOK

*  Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.

* Adds a setting variable for custom template paths

* Updates documentation

* Fixed bad try/except/finally block

* Adds test for OIDC_TEMPLATES settings

* Determine value for op_browser_state from session_key or default

* Do not use cookie for browser_state. It may not yet be there

* Add docs on new setting

OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY

* Fix compatibility for older versions of Django

* solved merging typo for missing @property
2017-05-05 05:19:57 +02:00
kaveh
b164388e15 Adds per-client consent customization 2017-04-11 13:16:06 -07:00
Ignacio Fiorentino
5242f0841e Add initial signals logic. 2016-12-01 16:20:34 -03:00
Ignacio Fiorentino
e458542be2 Fix urls and names. 2016-11-01 12:15:48 -03:00
Ignacio Fiorentino
5d07111a18 Implementing end_session_endpoint feature with post_logout_redirect_uri. 2016-10-31 17:07:06 -03:00
Ignacio Fiorentino
50e5287b48 Initial Session Management version. 2016-10-28 15:25:52 -03:00
David Montano
99d7194ab1 Make Client available when using OIDC_EXTRA_SCOPE_CLAIMS
Now it's passed the Token to the ScopeClaims constructor so that it can make Client avaialble to implementors
2016-10-12 14:23:57 -05:00
Ignacio Fiorentino
6ed2c200a7 Update pyjwkest to version 1.3.0. 2016-10-03 12:54:54 -03:00
Ignacio Fiorentino
c14d2f055a Remove Params() object from endpoints classes. 2016-09-09 14:49:41 -03:00
Ignacio Fiorentino
68d982369e Add CORS fix to userinfo view. 2016-09-06 15:37:23 -03:00
Ignacio Fiorentino
a583648be2 Add Access-Control-Allow-Origin to ProviderInfoView. 2016-09-06 13:21:29 -03:00
Graham Ullrich
ba4faee6ef Fix global imports
Global imports ("from X import *") are discouraged in Python.
2016-08-11 16:05:13 -06:00
Graham Ullrich
e04d42fedf flake8 fixes 2016-08-08 11:54:40 -06:00
Ignacio Fiorentino
dc9ec1863e Change setting OIDC_USERINFO. 2016-07-07 12:50:27 -03:00
Ignacio Fiorentino
4cc7474c19 Add verbose name and description for scopes. 2016-06-16 17:18:39 -03:00
Ignacio Fiorentino
70c7d128c1 Refactoring views.py. 2016-06-01 12:09:40 -03:00
Ignacio Fiorentino
eea590e006 Modify scope claims class. 2016-05-30 13:28:07 -03:00
Si Feng
be5656bcf4 Make SITE_URL optional. 2016-05-25 14:58:58 -07:00
Ignacio Fiorentino
a0c7b3c0c4 Create migrations. Improve docs. 2016-04-25 17:33:52 -03:00
Ignacio Fiorentino
9f9df355a3 Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 14:55:30 -03:00
Ignacio Fiorentino
41dcb192bc Add support for the other values of the prompt param. 2016-04-13 18:38:38 -03:00
Ignacio Fiorentino
61f0c209af Refactoring prompt=none logic. 2016-04-13 17:19:37 -03:00
Ignacio Fiorentino
b05894bf6d Add prompt parameter to authorize view. 2016-04-12 18:19:16 -03:00
Ignacio Fiorentino
3f5992100a Not auto-approve requests for non-confidential clients. 2016-04-08 18:09:24 -03:00
Ignacio
b1b8247cb0 Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 11:45:35 -03:00
Juan Ignacio Fiorentino
f44b5a1114 Update provider info supporting HS256 id_token sign alg. 2016-03-22 20:48:30 -03:00
juanifioren
fb4e9bd8fe Fix openid scope in authorize view. 2016-02-18 16:03:46 -03:00
juanifioren
3da1ff4c85 Add StandardScopeClaims import. 2016-02-15 17:21:46 -03:00
juanifioren
6488386692 Remove wrong import. 2016-02-15 17:17:43 -03:00