Commit graph

25 commits

Author SHA1 Message Date
Christian Bouvier
eb2f272a0b Enhancement: AuthorizeView's static method strip-prompt-login was moved to a new file oidc_provider/lib/utils/authorize.py in order to be more consistent with the implementation of other Views 2018-10-04 10:40:23 -03:00
Christian Bouvier
37e6df8306 Fix #283: bug in strip_prompt_login
AuthorizeView's static method strip_prompt_login fails to remove prompt login when other prompt values appear in the request.
2018-10-03 14:51:51 -03:00
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Andy Clayton
f1ed3328f8 Accept lowercase "bearer" in Authorization header
We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
2018-08-02 13:42:21 -05:00
Juan Ignacio Fiorentino
bf7f380033 Fix scopeclaims class. 2018-07-26 23:12:45 -03:00
Juan Ignacio Fiorentino
59581f50d9
Merge pull request #256 from q3aiml/client-credentials-introspection
support introspection on client credentials tokens
2018-07-19 11:18:35 -03:00
Andy Clayton
9d5c2b39fa support introspection on client credentials tokens
The response can simply omit fields that require id_token as the only
required field is "active" according to RFC 7662. I think it would be
nice for introspection of client credentials tokens to be supported by
default without needing to override
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start.
2018-07-06 11:41:09 -05:00
Juan Ignacio Fiorentino
d825061508 Fix: Token Model crashes in Django Admin when a token has been given to a Client using Client Credentials. 2018-07-05 18:37:01 -03:00
Andy Clayton
b1e994aa7e Fix token introspection "aud" and "client_id" response
Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.

The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.

From the spec https://tools.ietf.org/html/rfc7662:

   client_id
      OPTIONAL.  Client identifier for the OAuth 2.0 client that
      requested this token.

   aud
      OPTIONAL.  Service-specific string identifier or list of string
      identifiers representing the intended audience for this token, as
      defined in JWT [RFC7519].
2018-07-04 09:53:30 -05:00
Andy Clayton
6900e637ab add OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE test
Missing test exposed as part of 0750429 bug fix.
2018-07-03 15:15:12 -05:00
Andy Clayton
0750429992 fix settings to support falsy valued overrides
Up until recently there were settings with truthy defaults but with no
need to be set to a false value. That changed with
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE. Now there is a setting that
has both a true default and a meaningful false value, and without this
fix that setting cannot be changed making it not much of a setting at
all.
2018-07-03 13:17:10 -05:00
Tuomas Suutari
c95497dbd9 Remove scope param from OIDC_IDTOKEN_PROCESSING_HOOK
There is no need to pass in the scope parameter separately, since the
scope is available via the token parameter already.
2018-05-31 10:23:58 +03:00
Tuomas Suutari
b0a82aa4ab Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK
The ID token processing hook might need the token or request too, so
make them available.
2018-05-24 09:31:05 +03:00
Tuomas Suutari
93420461b4 Merge branch 'develop' of github.com:juanifioren/django-oidc-provider
* 'develop' of github.com:juanifioren/django-oidc-provider:
  Update changelog.rst
  include request in password grant authenticate call
  Update setup.py
  Update changelog.rst
  Update changelog.rst
  Adjust import order and method order in introspection tests
  Replace resource with client in docs.
  Update settings docs to add extra introspection setting
  Update README.md
  Update README.md
  Remove the Resource model
  Skip csrf protection on introspection endpoint
  Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662
  Test docs with tox.
  Remove Django 1.7 for travis.
  Drop support for Django 1.7.
  Move extract_client_auth to oauth2 utils.
  Remove duplicate link in docs.
  Bump version v0.6.0.
  Fix BaseCodeTokenModel and user attr.
  Update README.md
  Edit README and contribute doc.
  Edit changelog.
  Update changelog.rst
  Add protected_resource_view test using client_credentials.
  Fix docs.
  Improve docs.
  Client credentials implementation.
  Move changelog into docs.
  Update README.md
  Update CHANGELOG.md
  Fixed infinite callback loop in check-session iframe
  Fix PEP8. New migration.
  Update example project.
  Fix PEP8.
  Fix PEP8.
  PEP8 errors and urls.
  PEP8 models.
  Fix contribute docs.
  Fix tox for checking PEP8 all files.
  Update README.md
  Update README.md
  Simplify test suit.
  Update CHANGELOG.md
  Bump version 0.5.3.
  Update installation.rst
  Update CHANGELOG.md
  Fixed wrong Object in Template
  Update project to support Django 2.0
  Now passing along the token to create_id_token function.
  Made token and token_refresh endpoint return requested claims.
  Sphinx documentation fixes (#219)
  Use request.user.is_authenticated as a bool with recent Django (#216)
  Fixed client id retrieval when aud is a list of str. (#210)
  Add owner field to Client (#211)
  Update CHANGELOG
  removed tab char
  Add pep8 compliance and checker
  Bump version
  Update CHANGELOG.md
  Preparing v0.5.2 (#201)
  Fix Django 2.0 deprecation warnings (#185)
  Fix infinite login loop if "prompt=login" (#198)
  fixed typos
  Bump version
  Fix scope handling of token endpoint (#193)
  Fixes #192
  Use stored user consent for public clients too (#189)
  Redirect URIs must match exactly. (#191)
  Bug #187 prompt handling (#188)
  Don't pin exact versions in install_requires.
2018-05-24 00:16:26 +03:00
Andy Clayton
713d15297c include request in password grant authenticate call
An an example this can be used to help implement measures against brute
force attacks and to alert on or mitigate other untrusted authentication
attempts.
2018-05-12 09:18:56 -05:00
Maxim Daniline
eed58197bd Adjust import order and method order in introspection tests 2018-04-26 10:12:52 +01:00
Maxim Daniline
8eeaf5cf33 Remove the Resource model 2018-04-23 14:59:56 +01:00
Juan Ignacio Fiorentino
56ad376518 Merge branch 'feature/token_retun_claims' of https://github.com/dhrp/django-oidc-provider into dhrp-feature/token_retun_claims 2018-04-10 18:41:38 -03:00
Juan Ignacio Fiorentino
ac7bd336a8 Add protected_resource_view test using client_credentials. 2018-04-09 20:20:33 -03:00
Juan Ignacio Fiorentino
dbed87aa78 Client credentials implementation. 2018-04-08 17:43:24 -03:00
Juan Ignacio Fiorentino
582587f337 Fix PEP8. New migration. 2018-03-27 17:15:06 -03:00
Juan Ignacio Fiorentino
8545ada615 Fix PEP8. 2018-03-23 16:53:23 -03:00
Juan Ignacio Fiorentino
9dbdac6574 Fix PEP8. 2018-03-23 15:46:12 -03:00
Juan Ignacio Fiorentino
e66b374803 Merge branch 'v0.5.x' of https://github.com/juanifioren/django-oidc-provider into develop 2018-03-22 12:28:02 -03:00
Juan Ignacio Fiorentino
d519e49acb Simplify test suit. 2018-03-22 11:45:56 -03:00