Commit graph

942 commits

Author SHA1 Message Date
Bono de Visser
69b793a363 Make it easier to change AuthorizeEndpoint and Client
To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
2018-09-14 11:21:57 +02:00
Juan Ignacio Fiorentino
0effc32be2
Merge pull request #272 from q3aiml/response-type-natural-key
add natural key support to ResponseType
2018-08-20 18:13:28 -03:00
Andy Clayton
4e7116ca9e add natural key support to ResponseType
Have the option to use the more readable response type value rather than
the ResponseType id integer in fixtures and dumpdata output.

Prior to this change dumpdata represents response types like so:

    "response_types": [2]

And after this change when using `dumpdata --natural-foreign`:

    "response_types": [["code"]]
2018-08-20 10:49:00 -05:00
Juan Ignacio Fiorentino
436568a39b
Merge pull request #271 from q3aiml/client-multiple-response-types
support multiple response types per client
2018-08-17 14:34:33 -03:00
Andy Clayton
988b728fb2 update docs for multiple response types per client 2018-08-17 09:54:30 -05:00
Andy Clayton
64a8b935e6 document response_type_descriptions needs to be a list 2018-08-16 15:47:47 -05:00
Andy Clayton
036c4fc9b3 document non-obvious string check 2018-08-16 15:47:14 -05:00
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Juan Ignacio Fiorentino
b5e055205c Bump version v0.6.2. 2018-08-03 11:50:56 -03:00
Juan Ignacio Fiorentino
bf8a7b6853
Merge pull request #266 from q3aiml/accept-lowercase-bearer
Accept lowercase "bearer" in Authorization header
2018-08-02 16:02:45 -03:00
Andy Clayton
f1ed3328f8 Accept lowercase "bearer" in Authorization header
We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
2018-08-02 13:42:21 -05:00
Juan Ignacio Fiorentino
1c31acd525 Pin pytest version. 2018-07-31 14:56:41 -03:00
Juan Ignacio Fiorentino
d2695f76cf
Update changelog.rst 2018-07-31 14:08:08 -03:00
Juan Ignacio Fiorentino
88f91b9305
Merge pull request #265 from stdweird/no_zip_safe
setup.py: code is not zip_safe
2018-07-30 10:57:19 -03:00
stdweird
20d759ef98 setup.py: code is not zip_safe 2018-07-30 15:17:04 +02:00
Juan Ignacio Fiorentino
bf7f380033 Fix scopeclaims class. 2018-07-26 23:12:45 -03:00
Juan Ignacio Fiorentino
9a081cb05a
Update changelog.rst 2018-07-19 11:23:19 -03:00
Juan Ignacio Fiorentino
59581f50d9
Merge pull request #256 from q3aiml/client-credentials-introspection
support introspection on client credentials tokens
2018-07-19 11:18:35 -03:00
Juan Ignacio Fiorentino
5b23a08f82 Fix travis. 2018-07-12 15:28:14 -03:00
Juan Ignacio Fiorentino
cfcd504477 Add python versions travis. 2018-07-12 15:05:43 -03:00
Juan Ignacio Fiorentino
2e83393b65 Make tests run all once (now with docs). 2018-07-12 14:45:54 -03:00
Juan Ignacio Fiorentino
e7eaa52e50 Bump version v0.6.1. 2018-07-10 11:16:02 -03:00
Andy Clayton
9d5c2b39fa support introspection on client credentials tokens
The response can simply omit fields that require id_token as the only
required field is "active" according to RFC 7662. I think it would be
nice for introspection of client credentials tokens to be supported by
default without needing to override
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start.
2018-07-06 11:41:09 -05:00
Juan Ignacio Fiorentino
b087116818
Update changelog.rst 2018-07-05 18:39:43 -03:00
Juan Ignacio Fiorentino
d825061508 Fix: Token Model crashes in Django Admin when a token has been given to a Client using Client Credentials. 2018-07-05 18:37:01 -03:00
Juan Ignacio Fiorentino
6e442a5f35
Update changelog.rst 2018-07-04 16:27:57 -03:00
Juan Ignacio Fiorentino
bd49ada392
Merge pull request #254 from q3aiml/fix-token-introspection-response
Fix token introspection "aud" and "client_id" response
2018-07-04 16:27:12 -03:00
Andy Clayton
b1e994aa7e Fix token introspection "aud" and "client_id" response
Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.

The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.

From the spec https://tools.ietf.org/html/rfc7662:

   client_id
      OPTIONAL.  Client identifier for the OAuth 2.0 client that
      requested this token.

   aud
      OPTIONAL.  Service-specific string identifier or list of string
      identifiers representing the intended audience for this token, as
      defined in JWT [RFC7519].
2018-07-04 09:53:30 -05:00
Juan Ignacio Fiorentino
50733f8135
Update changelog.rst 2018-07-04 11:38:30 -03:00
Juan Ignacio Fiorentino
784456f4b1
Merge pull request #255 from q3aiml/fix-false-valued-settings
fix settings to support falsy valued overrides
2018-07-04 11:37:14 -03:00
Andy Clayton
6900e637ab add OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE test
Missing test exposed as part of 0750429 bug fix.
2018-07-03 15:15:12 -05:00
Andy Clayton
0750429992 fix settings to support falsy valued overrides
Up until recently there were settings with truthy defaults but with no
need to be set to a false value. That changed with
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE. Now there is a setting that
has both a true default and a meaningful false value, and without this
fix that setting cannot be changed making it not much of a setting at
all.
2018-07-03 13:17:10 -05:00
Juan Ignacio Fiorentino
72f123c0b5
Update changelog.rst 2018-07-02 14:23:05 -03:00
Juan Ignacio Fiorentino
055a007cda
Merge pull request #251 from q3aiml/userinfo-cors-preflight
example fix for userinfo CORS preflight request
2018-07-02 14:20:21 -03:00
Andy Clayton
0adb95d25f example fix for userinfo CORS preflight request
Example for
https://github.com/juanifioren/django-oidc-provider/issues/249. If this
approach seems acceptable I can add/update tests.
2018-06-19 15:59:28 -05:00
Juan Ignacio Fiorentino
f073c2ef51
Merge pull request #246 from meteozond/patch-1
Fix a little docstring typo
2018-06-04 10:55:11 -03:00
Juan Ignacio Fiorentino
2ed0d21f12
Merge branch 'develop' into patch-1 2018-06-04 10:54:55 -03:00
Alexander Klimenko
76c169e73e
fix little docstring typo 2018-06-04 10:56:31 +03:00
Juan Ignacio Fiorentino
dfcc3de01c
Merge pull request #245 from suutari-ai/remove-extra-scope-param-from-hook
Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK
2018-05-31 18:01:36 -03:00
Tuomas Suutari
c95497dbd9 Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK
There is no need to pass in the scope parameter separately, since the
scope is available via the token parameter already.
2018-05-31 10:23:58 +03:00
Juan Ignacio Fiorentino
122b5c19fd
Update installation.rst 2018-05-28 12:50:03 -03:00
Juan Ignacio Fiorentino
acc3cf588b
Update settings.rst 2018-05-28 12:38:53 -03:00
Juan Ignacio Fiorentino
ac509f7a82
Update changelog.rst 2018-05-24 12:29:35 -03:00
Juan Ignacio Fiorentino
c1c84d4961
Merge pull request #194 from suutari-ai/scope-for-idtoken-processor
Pass scope, token and request to OIDC_IDTOKEN_PROCESSING_HOOK.
2018-05-24 12:20:49 -03:00
Tuomas Suutari
7eb31574ee Document the new ID token processing hook parameters 2018-05-24 09:31:07 +03:00
Tuomas Suutari
b0a82aa4ab Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK
The ID token processing hook might need the token or request too, so
make them available.
2018-05-24 09:31:05 +03:00
Tuomas Suutari
93420461b4 Merge branch 'develop' of github.com:juanifioren/django-oidc-provider
* 'develop' of github.com:juanifioren/django-oidc-provider:
  Update changelog.rst
  include request in password grant authenticate call
  Update setup.py
  Update changelog.rst
  Update changelog.rst
  Adjust import order and method order in introspection tests
  Replace resource with client in docs.
  Update settings docs to add extra introspection setting
  Update README.md
  Update README.md
  Remove the Resource model
  Skip csrf protection on introspection endpoint
  Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662
  Test docs with tox.
  Remove Django 1.7 for travis.
  Drop support for Django 1.7.
  Move extract_client_auth to oauth2 utils.
  Remove duplicate link in docs.
  Bump version v0.6.0.
  Fix BaseCodeTokenModel and user attr.
  Update README.md
  Edit README and contribute doc.
  Edit changelog.
  Update changelog.rst
  Add protected_resource_view test using client_credentials.
  Fix docs.
  Improve docs.
  Client credentials implementation.
  Move changelog into docs.
  Update README.md
  Update CHANGELOG.md
  Fixed infinite callback loop in check-session iframe
  Fix PEP8. New migration.
  Update example project.
  Fix PEP8.
  Fix PEP8.
  PEP8 errors and urls.
  PEP8 models.
  Fix contribute docs.
  Fix tox for checking PEP8 all files.
  Update README.md
  Update README.md
  Simplify test suit.
  Update CHANGELOG.md
  Bump version 0.5.3.
  Update installation.rst
  Update CHANGELOG.md
  Fixed wrong Object in Template
  Update project to support Django 2.0
  Now passing along the token to create_id_token function.
  Made token and token_refresh endpoint return requested claims.
  Sphinx documentation fixes (#219)
  Use request.user.is_authenticated as a bool with recent Django (#216)
  Fixed client id retrieval when aud is a list of str. (#210)
  Add owner field to Client (#211)
  Update CHANGELOG
  removed tab char
  Add pep8 compliance and checker
  Bump version
  Update CHANGELOG.md
  Preparing v0.5.2 (#201)
  Fix Django 2.0 deprecation warnings (#185)
  Fix infinite login loop if "prompt=login" (#198)
  fixed typos
  Bump version
  Fix scope handling of token endpoint (#193)
  Fixes #192
  Use stored user consent for public clients too (#189)
  Redirect URIs must match exactly. (#191)
  Bug #187 prompt handling (#188)
  Don't pin exact versions in install_requires.
2018-05-24 00:16:26 +03:00
Juan Ignacio Fiorentino
58bd8ec62c
Update changelog.rst 2018-05-15 10:45:05 -03:00
Juan Ignacio Fiorentino
26f06293c5
Merge pull request #221 from q3aiml/auth-call-with-request
include request in password grant authenticate call
2018-05-15 10:43:54 -03:00
Andy Clayton
713d15297c include request in password grant authenticate call
An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
2018-05-12 09:18:56 -05:00