Commit graph

93 commits

Author SHA1 Message Date
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Andy Clayton
9d5c2b39fa support introspection on client credentials tokens
The response can simply omit fields that require id_token as the only
required field is "active" according to RFC 7662. I think it would be
nice for introspection of client credentials tokens to be supported by
default without needing to override
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start.
2018-07-06 11:41:09 -05:00
Andy Clayton
b1e994aa7e Fix token introspection "aud" and "client_id" response
Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.

The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.

From the spec https://tools.ietf.org/html/rfc7662:

   client_id
      OPTIONAL.  Client identifier for the OAuth 2.0 client that
      requested this token.

   aud
      OPTIONAL.  Service-specific string identifier or list of string
      identifiers representing the intended audience for this token, as
      defined in JWT [RFC7519].
2018-07-04 09:53:30 -05:00
Andy Clayton
713d15297c include request in password grant authenticate call
An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
2018-05-12 09:18:56 -05:00
Maxim Daniline
8eeaf5cf33 Remove the Resource model 2018-04-23 14:59:56 +01:00
Maxim Daniline
180aad9a36 Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662 2018-04-23 10:47:01 +01:00
Juan Ignacio Fiorentino
21a64b262c Move extract_client_auth to oauth2 utils. 2018-04-20 12:00:38 -03:00
Juan Ignacio Fiorentino
56ad376518 Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 18:41:38 -03:00
Juan Ignacio Fiorentino
dbed87aa78 Client credentials implementation. 2018-04-08 17:43:24 -03:00
Juan Ignacio Fiorentino
582587f337 Fix PEP8. New migration. 2018-03-27 17:15:06 -03:00
Juan Ignacio Fiorentino
9dbdac6574 Fix PEP8. 2018-03-23 15:46:12 -03:00
dhrp
900cc9e5df Now passing along the token to create_id_token function. 2017-12-15 09:29:49 +01:00
Philippe Savoie
5dcd6a10b0 Add pep8 compliance and checker 2017-08-22 11:53:52 -07:00
Tuomas Suutari
ea340993b1 Fix scope handling of token endpoint (#193)
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly splitted when passed to ID token creation.

Fixes #186
2017-07-10 17:48:12 +02:00
Jan Brauer
1215c27d7e Redirect URIs must match exactly. (#191)
* Test redirect_uri construction

This was a test marked as TODO.

* Remove duplicate test

* Add tests to exactly match redirect URIs

* Redirect URIs must match exactly.

To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:

Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
2017-07-07 09:07:21 +02:00
Wojciech Bartosiak
f07327a713 Bug #187 prompt handling (#188)
prompt parameter changed to list of strings not a simple string
2017-06-06 11:12:37 +02:00
Wojciech Bartosiak
a829726be8 Merge develop to v0.5.x (#179)
* Log create_uri_response exceptions to logger.exception

* Support grant type password - basics

* Add tests for Resource Owner Password Credentials Flow

* Password Grant -Response according to specification

* Better tests for errors, disable grant type password by default

* Add documentation for grant type password

* User authentication failure to return 403

* Add id_token to response

* skipping consent only works for confidential clients

* fix URI fragment

example not working URL `http://localhost:8100/#/auth/callback/`

* OIDC_POST_END_SESSION_HOOK + tests

* Explicit function naming

* Remove print statements

* No need for semicolons, this is Python

* Update CHANGELOG.md

* fixed logger message

* Improved `exp` value calculation

* rename OIDC_POST_END_SESSION_HOOK to OIDC_AFTER_END_SESSION_HOOK

* added docs for OIDC_AFTER_END_SESSION_HOOK

*  Replaces `LOGIN_URL` with `OIDC_LOGIN_URL`
so users can use a different login path for their oidc requests.

* Adds a setting variable for custom template paths

* Updates documentation

* Fixed bad try/except/finally block

* Adds test for OIDC_TEMPLATES settings

* Determine value for op_browser_state from session_key or default

* Do not use cookie for browser_state. It may not yet be there

* Add docs on new setting

OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY

* Fix compatibility for older versions of Django

* solved merging typo for missing @property
2017-05-05 05:19:57 +02:00
Ignacio Fiorentino
53166fb9ea Fix TypeError Unicode when using hashlib. 2016-11-04 15:56:51 -03:00
Ignacio Fiorentino
ecba16ed36 Fix bug with id_token without openid scope. 2016-10-31 16:37:51 -03:00
Ignacio Fiorentino
50e5287b48 Initial Session Management version. 2016-10-28 15:25:52 -03:00
Ignacio Fiorentino
38e37e7c47 Merge branch 'v0.4.x' of https://github.com/wojtek-fliposports/django-oidc-provider into wojtek-fliposports-v0.4.x 2016-10-11 11:52:31 -03:00
Ignacio Fiorentino
74b5390daa Merge branch 'redirect_uri_query' of https://github.com/jerrykan/django-oidc-provider into jerrykan-redirect_uri_query 2016-10-05 12:33:05 -03:00
Wojciech Bartosiak
59312bf811 redirect URI clean up moved to utils module 2016-10-04 19:32:54 +02:00
Ignacio Fiorentino
c14d2f055a Remove Params() object from endpoints classes. 2016-09-09 14:49:41 -03:00
Ignacio Fiorentino
8a63c83514 Refactoring create_id_token function. 2016-09-09 13:10:12 -03:00
Ignacio Fiorentino
5836774f6b Add user email into id_token. Fix missing OIDC_TOKEN_EXPIRE setting. 2016-09-09 11:43:28 -03:00
Ignacio Fiorentino
f8dbfa5c04 Add Hybrid flow login in view and models. 2016-09-08 16:21:48 -03:00
Graham Ullrich
ba4faee6ef Fix global imports
Global imports ("from X import *") are discouraged in Python.
2016-08-11 16:05:13 -06:00
Graham Ullrich
ffddb69f80 Add tests for at_hash
Ensure at_hash is present in id_token when warranted.
2016-08-08 11:24:07 -06:00
Brian Rosner
afc3a60ee7
Added at_hash when access token is present
This is required by response type "id_token token", but can be
used by other flows if they choose.
2016-08-05 14:00:00 -06:00
Ignacio Fiorentino
dc9ec1863e Change setting OIDC_USERINFO. 2016-07-07 12:50:27 -03:00
Ignacio Fiorentino
4cc7474c19 Add verbose name and description for scopes. 2016-06-16 17:18:39 -03:00
Ignacio Fiorentino
5255719700 Add date_given to UserConsent model. Add verbose names in models. 2016-06-13 12:15:10 -03:00
Si Feng
be5656bcf4 Make SITE_URL optional. 2016-05-25 14:58:58 -07:00
Ignacio Fiorentino
497f2f3a68 Bump version v0.3.3. 2016-05-03 12:17:22 -03:00
Ignacio Fiorentino
9f9df355a3 Merge branch 'v0.3.x' of https://github.com/juanifioren/django-oidc-provider into feature-jwtalg 2016-04-25 14:55:30 -03:00
Ignacio Fiorentino
61f0c209af Refactoring prompt=none logic. 2016-04-13 17:19:37 -03:00
John Kristensen
2f54e53766 Ensure client redirect URIs with query strings work
In some cases a client will provide a redirect URI with a query string.
In these cases the client redirect URI should still still match a
registered redirect URI and not result in a failure.
2016-04-13 22:29:21 +10:00
Ignacio Fiorentino
b05894bf6d Add prompt parameter to authorize view. 2016-04-12 18:19:16 -03:00
Ignacio Fiorentino
e97c32acd1 Fix encoding problem when using Py34. 2016-04-08 13:22:05 -03:00
Ignacio Fiorentino
e495d6c41d Remplace AES encryption with database. For saving PKCE parameters. 2016-04-07 16:18:47 -03:00
Ignacio
b1b8247cb0 Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 11:45:35 -03:00
Ignacio Fiorentino
6e8af74f76 First intent to implement PKCE. 2016-04-06 18:03:30 -03:00
Ignacio Fiorentino
dff76cd1ea Add HS256 support for JWS. 2016-03-22 16:17:56 -03:00
Nick Mohoric
f8dce31fa2 Changed logging from error to debug 2016-03-17 14:31:41 -04:00
Wojciech Bartosiak
08033bb9ad Fix missing verification of response type for client 2016-03-08 13:21:55 +00:00
juanifioren
25a59c8344 Refactoring supporting OAuth2 flow. 2016-02-16 17:33:12 -03:00
juanifioren
8eb0877d89 Refactoring userinfo endpoint. Create decorator "oauth2.protected_resource_view". 2016-02-15 17:13:19 -03:00
juanifioren
c6534db693 Add nonce validation for Implicit Flow. 2016-01-19 16:05:34 -03:00
Maarten van Schaik
f4dfa7303f Forget old token when a refresh token is used 2015-09-30 16:46:33 +02:00