Commit graph

857 commits

Author SHA1 Message Date
Juan Ignacio Fiorentino
b405bf7119 Update README.md 2018-03-28 14:28:54 -03:00
Juan Ignacio Fiorentino
b2128751db Update CHANGELOG.md 2018-03-28 12:42:48 -03:00
Juan Ignacio Fiorentino
3bb0d5d51a Merge pull request #237 from impak-finance/fix-check-session-iframe-infinit-cb
Fixed infinite callback loop in the check-session iframe
2018-03-28 12:00:52 -03:00
Morgan Aubert
bdb2fdb8f5 Fixed infinite callback loop in check-session iframe
This commit fixes the JS callback defined in the check-session iframe which can produce infinite callback loops if the received message doesn't come from the relying party. In that case another message is posted to the source of the message (which can be the OP itself) thus resulting in an infinite loop because "error" messages are continuously generated by the callback function.
2018-03-28 10:34:01 -04:00
Juan Ignacio Fiorentino
582587f337 Fix PEP8. New migration. 2018-03-27 17:15:06 -03:00
Juan Ignacio Fiorentino
e85b47bf11 Merge branch 'master' of https://github.com/juanifioren/django-oidc-provider into develop 2018-03-26 17:59:59 -03:00
Juan Ignacio Fiorentino
b803f8917d Update example project. 2018-03-23 17:06:44 -03:00
Juan Ignacio Fiorentino
8545ada615 Fix PEP8. 2018-03-23 16:53:23 -03:00
Juan Ignacio Fiorentino
9dbdac6574 Fix PEP8. 2018-03-23 15:46:12 -03:00
Juan Ignacio Fiorentino
748ac231ca PEP8 errors and urls. 2018-03-22 17:53:31 -03:00
Juan Ignacio Fiorentino
7ec3a763d6 PEP8 models. 2018-03-22 17:36:20 -03:00
Juan Ignacio Fiorentino
2a34a93da7 Fix contribute docs. 2018-03-22 16:52:08 -03:00
Juan Ignacio Fiorentino
5b57605daa Fix tox for checking PEP8 all files. 2018-03-22 16:48:54 -03:00
Juan Ignacio Fiorentino
d830908759 Update README.md 2018-03-22 13:50:54 -03:00
Juan Ignacio Fiorentino
c0fbad2cfd Update README.md 2018-03-22 12:53:23 -03:00
Juan Ignacio Fiorentino
e66b374803 Merge branch 'v0.5.x' of https://github.com/juanifioren/django-oidc-provider into develop 2018-03-22 12:28:02 -03:00
Juan Ignacio Fiorentino
c8fd9a72fb Merge branch 'v0.5.x' of https://github.com/juanifioren/django-oidc-provider into v0.5.x 2018-03-22 11:46:24 -03:00
Juan Ignacio Fiorentino
d519e49acb Simplify test suit. 2018-03-22 11:45:56 -03:00
Juan Ignacio Fiorentino
baee747c0d Update CHANGELOG.md 2018-03-09 17:05:22 -03:00
Juan Ignacio Fiorentino
b32fa6c17c Bump version 0.5.3. 2018-03-09 17:03:25 -03:00
Juan Ignacio Fiorentino
4f0afe27d3 Update installation.rst 2018-02-19 23:43:26 -03:00
Juan Ignacio Fiorentino
72388bb117 Update CHANGELOG.md 2018-02-19 23:41:38 -03:00
Juan Ignacio Fiorentino
33dc30ab0e Merge pull request #229 from olist/v0.5.x
Update project to support Django 2.0
2018-02-19 23:40:06 -03:00
Juan Ignacio Fiorentino
0e50f82087 Merge pull request #233 from YannikG/patch-1
Fixed wrong Object in Template
2018-02-19 23:36:41 -03:00
Yannik Gartmann
baa53d0c88 Fixed wrong Object in Template
See >> https://github.com/juanifioren/django-oidc-provider/blob/v0.5.x/oidc_provider/views.py#L129
2018-02-19 16:31:30 +01:00
Allisson Azevedo
795ac32257 Update project to support Django 2.0 2018-02-01 14:00:57 -03:00
Reinout van Rees
bb218dbc56 Sphinx documentation fixes (#219)
* Small wording change + fix in example template code

* Added note about UserConsent not being in the admin

* Mostly spelling corrections and phrasing changes

* Moved template context explanation from the settings to the templates page

* Changed wording

* Changed wording
2017-12-14 18:30:46 +01:00
Nicolas Iooss
43d990c04d Use request.user.is_authenticated as a bool with recent Django (#216)
Django 1.10 changed request.user.is_authenticated from a function to a
boolean and Django 2.0 dropped the backward compatibility. In order to
use django-oidc-provider with Django 2.0, AuthorizeView needs to handle
request.user.is_authenticated as a boolean.
2017-12-14 18:28:55 +01:00
Antoine Nguyen
65c6cc6fec Fixed client id retrieval when aud is a list of str. (#210)
* Fixed client id retrieval when aud is a list of str.

* Split tests.
2017-11-09 12:05:20 +01:00
Monte Hellawell
6beb186540 Add owner field to Client (#211)
* Add owner field to Client

* Add related_name to client owner
2017-11-09 11:57:22 +01:00
Wojciech Bartosiak
bc3a4a2b9f Update CHANGELOG 2017-08-23 15:30:47 +02:00
Wojciech Bartosiak
8149f1f9ab Merge pull request #203 from psavoie/develop
Add pep8 compliance and checker
2017-08-23 15:29:49 +02:00
Wojciech Bartosiak
9678505a72 Merge pull request #206 from juanifioren/develop_and_0.5.x_merge
Develop and 0.5.x merge
2017-08-23 15:28:21 +02:00
Wojciech Bartosiak
6bb42a1731 removed tab char 2017-08-23 14:01:32 +02:00
Wojciech Bartosiak
b6739fa8d3 Merge pull request #205 from juanifioren/develop
Develop
2017-08-23 14:00:31 +02:00
Philippe Savoie
5dcd6a10b0 Add pep8 compliance and checker 2017-08-22 11:53:52 -07:00
Wojciech Bartosiak
f052f694c9 Bump version 2017-08-22 17:36:54 +02:00
Wojciech Bartosiak
0e4ba169df Update CHANGELOG.md 2017-08-22 17:36:18 +02:00
Wojciech Bartosiak
8e26248022 Preparing v0.5.2 (#201)
* Fix infinite login loop if "prompt=login" (#198)
* Fix Django 2.0 deprecation warnings (#185)
2017-08-22 17:33:13 +02:00
Dillon Dixon
04c03787af Fix Django 2.0 deprecation warnings (#185)
* explicit default foreign key delete operations

* first iteration of Django 2.0 deprecation fixes
2017-08-10 11:38:50 +02:00
Jan Brauer
f78e2be3c5 Fix infinite login loop if "prompt=login" (#198)
* Add test to expose issue #197

* Strip 'login' from prompt before redirecting

This fixes #197. Otherwise the user would have to login once,
then is immediately logged out and prompted to login again.

* Only remove 'login' if present

* Don't append an empty prompt parameter

* Inline variable
2017-07-19 10:52:10 +02:00
Wojciech Bartosiak
2e1efc41ed fixed typos 2017-07-11 16:44:24 +02:00
Juan Ignacio Fiorentino
faf64e4e38 Merge pull request #196 from wojtek-fliposports/v0.5.x
Added changelog and bump version
2017-07-11 10:18:43 -03:00
Wojciech Bartosiak
7407e2c5b0 Bump version 2017-07-11 07:35:52 +02:00
Wojciech Bartosiak
45717a82f2 Merge pull request #4 from juanifioren/v0.5.x
Fetch latest changes
2017-07-11 07:35:08 +02:00
Juan Ignacio Fiorentino
34fe4f2728 Merge pull request #195 from juanifioren/develop
prepare 0.5.1 version
2017-07-10 17:04:58 -03:00
Tuomas Suutari
ea340993b1 Fix scope handling of token endpoint (#193)
The token endpoint handled the scope parameter incorrectly for all of
the three handled grant types:

 1. For "authorization_code" grant type the scope parameter in the token
    request should not be respected but the scope should be taken from
    the authorization code.  It was not totally ignored, but rather the
    scope parameter of the token request was used for the generated ID
    token.  This had two consequences:

      * Spec conforming implementations of authorization code flow
        didn't get correct ID tokens, since they usually don't pass
        scope parameter with the token request.

      * It's possible to get a broader scope for the ID token than what
        is authorized by the user in the original authorization code
        request.

 2. For "refresh_token" grant type the scope parameter in the token
    request should only allow narrowing down the scope.  It wasn't
    narrowed, but rather the original auth code scope was used for the
    access token and the passed in scope parameter was used for the ID
    token (again allowing unauthorized scopes in the ID token).

 3. For "password" grant type the scope parameter in the token request
    should be respected.  The problem with this was that it wasn't
    properly split when passed to ID token creation.

Fixes #186
2017-07-10 17:48:12 +02:00
Wojciech Bartosiak
eed581399e Fixes #192 2017-07-07 17:47:11 +02:00
Tuomas Suutari
5165312d01 Use stored user consent for public clients too (#189)
When using Implicit Flow, it should be OK to use the stored user consent
even if the client is public.  The redirect uri checks should make sure
that the stored consent of another client cannot be misused to get a
consent to a site that is not related to the client.

It is also important to support this, since public clients using
Implicit Flow do not have a refresh token to update their access tokens,
so only way to keep their login session open is by issuing authorization
requests from an iframe with the "prompt=none" parameter (which does not
work without the previously stored consent).  See the following links
for more info and examples on how to renew the access token with SPAs:

https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens

https://damienbod.com/2017/06/02/

https://github.com/IdentityServer/IdentityServer3/issues/719#issuecomment-230145034
2017-07-07 13:18:36 +02:00
Jan Brauer
1215c27d7e Redirect URIs must match exactly. (#191)
* Test redirect_uri construction

This was a test marked as TODO.

* Remove duplicate test

* Add tests to exactly match redirect URIs

* Redirect URIs must match exactly.

To quote from the specification at
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest:

Redirection URI to which the response will be sent. This URI MUST
exactly match one of the Redirection URI values for the Client
pre-registered at the OpenID Provider, with the matching performed as
described in Section 6.2.1 of [RFC3986] (Simple String Comparison).
2017-07-07 09:07:21 +02:00