Commit graph

961 commits

Author SHA1 Message Date
Christian Bouvier
f743e23cc4 Token Introspection docs (#257)
Added a new doc page related to Token Introspection Endpoint.
The documentation includes some introduction with links to the related RFCs and examples.
2018-10-14 14:24:48 -03:00
Juan Ignacio Fiorentino
02a17e10d5
Update changelog.rst 2018-10-05 12:50:10 -03:00
Juan Ignacio Fiorentino
cf0c57ceea
Update changelog.rst 2018-10-05 12:48:43 -03:00
Juan Ignacio Fiorentino
4c7bddfd02
Merge pull request #292 from octobot-dev/increment-rsa-key-length
Enhancement: Increment RSA key size to 2048.
2018-10-05 12:46:54 -03:00
Christian Bouvier
4c63cc67e0 Enhancement: Increment RSA key size to 2048.
It seems like many lead institutions related with security are
recommending a minimum key length of 112-bits since 2013.
In order to achieve that, a RSA key size of 2048 (or more) is required.
2018-10-05 11:55:35 -03:00
Juan Ignacio Fiorentino
a7bbce3db2
Merge pull request #290 from octobot-dev/move-strip-prompt-login-to-utils
Enhancement: AuthorizeView's static method strip-prompt-login moved
2018-10-04 12:50:44 -03:00
Christian Bouvier
eb2f272a0b Enhancement: AuthorizeView's static method strip-prompt-login was moved to a new file oidc_provider/lib/utils/authorize.py in order to be more consistent with the implementation of other Views 2018-10-04 10:40:23 -03:00
Juan Ignacio Fiorentino
035e7a3674
Update changelog.rst 2018-10-03 16:23:25 -03:00
Juan Ignacio Fiorentino
1a0f068f2e
Merge pull request #289 from octobot-dev/fix-strip-prompt-login
Fix #283: bug in strip_prompt_login
2018-10-03 16:19:54 -03:00
Christian Bouvier
37e6df8306 Fix #283: bug in strip_prompt_login
AuthorizeView's static method strip_prompt_login fails to remove prompt login when other prompt values appear in the request.
2018-10-03 14:51:51 -03:00
Juan Ignacio Fiorentino
658eb594e9
Update changelog.rst 2018-09-29 13:33:38 -03:00
Juan Ignacio Fiorentino
76f6348142
Merge pull request #288 from impak-finance/issue-285
Fixed #285 -- Ensured standard and custom claims can be used at the same time when using the OIDC_IDTOKEN_INCLUDE_CLAIMS setting
2018-09-29 13:32:11 -03:00
Morgan Aubert
88aa190763
Fixed #285 -- Ensured standard and custom claims can be used at the same time when using the OIDC_IDTOKEN_INCLUDE_CLAIMS setting 2018-09-28 19:36:21 -04:00
Juan Ignacio Fiorentino
6997e19687
Merge pull request #260 from dcollinsn/django-2.1
Django 2.1
2018-09-14 16:34:15 -03:00
Juan Ignacio Fiorentino
458eb2e3ea
Merge pull request #279 from ByteInternet/make_authorization_endpoint_and_client_more_easily_adjustable
Make it easier to change AuthorizeEndpoint and Client
2018-09-14 10:10:12 -03:00
Juan Ignacio Fiorentino
db0acf3107
Merge pull request #277 from isms/fix-typo
Add missing space
2018-09-14 10:06:41 -03:00
Bono de Visser
69b793a363 Make it easier to change AuthorizeEndpoint and Client
To make it easier to change the AuthorizeEndpoint and Client we set them as class variables. Then people inheriting from the view are able to easily change them. In my personal case this helps with skipping consent more explicitly as defined in issue https://github.com/juanifioren/django-oidc-provider/issues/278
2018-09-14 11:21:57 +02:00
Isaac Slavitt
e36a2c96f8 Add missing space 2018-09-13 15:58:42 -04:00
Juan Ignacio Fiorentino
0effc32be2
Merge pull request #272 from q3aiml/response-type-natural-key
add natural key support to ResponseType
2018-08-20 18:13:28 -03:00
Andy Clayton
4e7116ca9e add natural key support to ResponseType
Have the option to use the more readable response type value rather than
the ResponseType id integer in fixtures and dumpdata output.

Prior to this change dumpdata represents response types like so:

    "response_types": [2]

And after this change when using `dumpdata --natural-foreign`:

    "response_types": [["code"]]
2018-08-20 10:49:00 -05:00
Juan Ignacio Fiorentino
436568a39b
Merge pull request #271 from q3aiml/client-multiple-response-types
support multiple response types per client
2018-08-17 14:34:33 -03:00
Andy Clayton
988b728fb2 update docs for multiple response types per client 2018-08-17 09:54:30 -05:00
Andy Clayton
64a8b935e6 document response_type_descriptions needs to be a list 2018-08-16 15:47:47 -05:00
Andy Clayton
036c4fc9b3 document non-obvious string check 2018-08-16 15:47:14 -05:00
Andy Clayton
36018d19ae support multiple response types per client
The Dynamic Client Registration spec specifies multiple response_types
and grant_types per client
(https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
Since grant_types can be inferred from response_types we should be able
to support both without needing to store grant_types.

This also helps with oidc-client-js which expects a client that supports
both "id_token" and "id_token token".
2018-08-16 11:38:46 -05:00
Juan Ignacio Fiorentino
b5e055205c Bump version v0.6.2. 2018-08-03 11:50:56 -03:00
Juan Ignacio Fiorentino
bf8a7b6853
Merge pull request #266 from q3aiml/accept-lowercase-bearer
Accept lowercase "bearer" in Authorization header
2018-08-02 16:02:45 -03:00
Andy Clayton
f1ed3328f8 Accept lowercase "bearer" in Authorization header
We ran into a client that blindly takes the value of token_type, which
is lowercase "bearer", and passes that back in the Authorization header.
In an earlier PR #99 there seemed to be some support for this change to
simply accept "bearer" in addition to "Bearer".
2018-08-02 13:42:21 -05:00
Dan Collins
85ca083532 Remove Python 3.4, since it is intermittently failing in travis 2018-08-01 14:13:11 -04:00
Dan Collins
972071e370 Add support for Django 2.1, drop support for Django < 1.11
Django 1.11 deprecated the django.contrib.auth.views.logout
function-based view, which django-oidc-provider relied on. This
patchset instead subclasses the new LogoutView.

LogoutView was introduced in Django 1.11. logout() was deprecated in
1.11 and removed in 2.1. Accordingly, this patch adds Django 2.1 to
CI and removes 1.8, 1.9, and 1.10.

Resolves #258
2018-08-01 14:13:11 -04:00
Juan Ignacio Fiorentino
1c31acd525 Pin pytest version. 2018-07-31 14:56:41 -03:00
Juan Ignacio Fiorentino
d2695f76cf
Update changelog.rst 2018-07-31 14:08:08 -03:00
Juan Ignacio Fiorentino
88f91b9305
Merge pull request #265 from stdweird/no_zip_safe
setup.py: code is not zip_safe
2018-07-30 10:57:19 -03:00
stdweird
20d759ef98 setup.py: code is not zip_safe 2018-07-30 15:17:04 +02:00
Juan Ignacio Fiorentino
bf7f380033 Fix scopeclaims class. 2018-07-26 23:12:45 -03:00
Juan Ignacio Fiorentino
9a081cb05a
Update changelog.rst 2018-07-19 11:23:19 -03:00
Juan Ignacio Fiorentino
59581f50d9
Merge pull request #256 from q3aiml/client-credentials-introspection
support introspection on client credentials tokens
2018-07-19 11:18:35 -03:00
Juan Ignacio Fiorentino
5b23a08f82 Fix travis. 2018-07-12 15:28:14 -03:00
Juan Ignacio Fiorentino
cfcd504477 Add python versions travis. 2018-07-12 15:05:43 -03:00
Juan Ignacio Fiorentino
2e83393b65 Make tests run all once (now with docs). 2018-07-12 14:45:54 -03:00
Juan Ignacio Fiorentino
e7eaa52e50 Bump version v0.6.1. 2018-07-10 11:16:02 -03:00
Andy Clayton
9d5c2b39fa support introspection on client credentials tokens
The response can simply omit fields that require id_token as the only
required field is "active" according to RFC 7662. I think it would be
nice for introspection of client credentials tokens to be supported by
default without needing to override
OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE, but this is a start.
2018-07-06 11:41:09 -05:00
Juan Ignacio Fiorentino
b087116818
Update changelog.rst 2018-07-05 18:39:43 -03:00
Juan Ignacio Fiorentino
d825061508 Fix: Token Model crashes in Django Admin when a token has been given to a Client using Client Credentials. 2018-07-05 18:37:01 -03:00
Juan Ignacio Fiorentino
6e442a5f35
Update changelog.rst 2018-07-04 16:27:57 -03:00
Juan Ignacio Fiorentino
bd49ada392
Merge pull request #254 from q3aiml/fix-token-introspection-response
Fix token introspection "aud" and "client_id" response
2018-07-04 16:27:12 -03:00
Andy Clayton
b1e994aa7e Fix token introspection "aud" and "client_id" response
Based on the OAuth 2.0 Token Introspection spec the "aud" field should
be based on the token. Previously "aud" was populated with the id of the
client making the introspection request which seems wrong. This changes
the endpoint to return the value from the token.

The "client_id" field is then changed to return the client id for the
client that originally requested the token rather than returning the
"aud" value from the token.

From the spec https://tools.ietf.org/html/rfc7662:

   client_id
      OPTIONAL.  Client identifier for the OAuth 2.0 client that
      requested this token.

   aud
      OPTIONAL.  Service-specific string identifier or list of string
      identifiers representing the intended audience for this token, as
      defined in JWT [RFC7519].
2018-07-04 09:53:30 -05:00
Juan Ignacio Fiorentino
50733f8135
Update changelog.rst 2018-07-04 11:38:30 -03:00
Juan Ignacio Fiorentino
784456f4b1
Merge pull request #255 from q3aiml/fix-false-valued-settings
fix settings to support falsy valued overrides
2018-07-04 11:37:14 -03:00
Andy Clayton
6900e637ab add OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE test
Missing test exposed as part of 0750429 bug fix.
2018-07-03 15:15:12 -05:00