diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 93821ef..7147041 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -36,6 +36,11 @@ Then run :
```
pip install pip-tools
-pip-compile requirements.in # freeze package versions
-pip-compile requirements-test.in
+pip-compile --output-file=requirements.txt pyproject.toml # freeze package versions
+pip-compile --output-file=requirements-test.txt requirements-test.in
+```
+
+FIXME: possible alternative for tests requirements would be:
+```
+python -m piptools compile --extra test -o requirements-test.txt pyproject.toml
```
diff --git a/django_pyoidc/VERSION b/django_pyoidc/VERSION
index 1750564..5a5831a 100644
--- a/django_pyoidc/VERSION
+++ b/django_pyoidc/VERSION
@@ -1 +1 @@
-0.0.6
+0.0.7
diff --git a/django_pyoidc/__init__.py b/django_pyoidc/__init__.py
index b6caaf1..25497cb 100644
--- a/django_pyoidc/__init__.py
+++ b/django_pyoidc/__init__.py
@@ -1,23 +1,75 @@
from typing import Dict
from django.contrib.auth import get_user_model
+from django.core.exceptions import SuspiciousOperation
+from django_pyoidc.exceptions import ClaimNotFoundError
+from django_pyoidc.utils import extract_claim_from_tokens
-def get_user_by_email(userinfo_token: Dict[str, str], id_token_claims: Dict):
+
+def get_user_by_email(tokens: Dict):
User = get_user_model()
- username = ""
+ username = None
+ preferred_username = None
+ email = None
+ client_host = None
+ client_address = None
+ client_id = None
+ django_username = None
+
+ try:
+ email = extract_claim_from_tokens("email", tokens)
+ except ClaimNotFoundError:
+ pass
+
+ try:
+ preferred_username = extract_claim_from_tokens("preferred_username", tokens)
+ except ClaimNotFoundError:
+ pass
- if "preferred_username" in id_token_claims:
- username = id_token_claims["preferred_username"]
- elif "preferred_username" in userinfo_token:
- username = userinfo_token["preferred_username"]
+ try:
+ username = extract_claim_from_tokens("username", tokens)
+ except ClaimNotFoundError:
+ pass
+
+ if preferred_username is None:
+ if username is None:
+ if email:
+ django_username = email
+ else:
+ raise SuspiciousOperation(
+ "Cannot extract username or email from available OIDC tokens."
+ )
+ else:
+ django_username = username
else:
- username = userinfo_token["email"]
+ django_username = preferred_username
+
+ # Currently client Credential logins in Keycloak adds these mappers in access tokens.
+ # we can use that to detect M2M accounts.
+ # TODO: check if any other mapper can/should be used for other providers
+ try:
+ client_host = extract_claim_from_tokens("clientHost", tokens)
+ except ClaimNotFoundError:
+ pass
+ try:
+ client_address = extract_claim_from_tokens("clientAddress", tokens)
+ except ClaimNotFoundError:
+ pass
+
+ if email is None and client_host is not None and client_address is not None:
+ # that's a M2M connexion in grant=client_credential mode
+ try:
+ client_id = extract_claim_from_tokens("client_id", tokens)
+ except ClaimNotFoundError:
+ client_id = django_username
+ # Build a fake email for the service accounts
+ email = f"{client_id}@localhost.lan"
user, created = User.objects.get_or_create(
- email=userinfo_token["email"],
- username=username,
+ email=email,
+ username=django_username,
)
user.backend = "django.contrib.auth.backends.ModelBackend"
return user
diff --git a/django_pyoidc/client.py b/django_pyoidc/client.py
new file mode 100644
index 0000000..56cb604
--- /dev/null
+++ b/django_pyoidc/client.py
@@ -0,0 +1,59 @@
+import logging
+
+# import oic
+from oic.extension.client import Client as ClientExtension
+from oic.oic.consumer import Consumer
+from oic.utils.authn.client import CLIENT_AUTHN_METHOD
+
+from django_pyoidc.session import OIDCCacheSessionBackendForDjango
+from django_pyoidc.utils import OIDCCacheBackendForDjango, get_setting_for_sso_op
+
+logger = logging.getLogger(__name__)
+
+
+class OIDCClient:
+ def __init__(self, op_name, session_id=None):
+ self._op_name = op_name
+
+ self.session_cache_backend = OIDCCacheSessionBackendForDjango(self._op_name)
+ self.general_cache_backend = OIDCCacheBackendForDjango(self._op_name)
+
+ consumer_config = {
+ # "debug": True,
+ "response_type": "code"
+ }
+
+ client_config = {
+ "client_id": get_setting_for_sso_op(op_name, "OIDC_CLIENT_ID"),
+ "client_authn_method": CLIENT_AUTHN_METHOD,
+ }
+
+ self.consumer = Consumer(
+ session_db=self.session_cache_backend,
+ consumer_config=consumer_config,
+ client_config=client_config,
+ )
+ # used in token introspection
+ self.client_extension = ClientExtension(**client_config)
+
+ provider_info_uri = get_setting_for_sso_op(
+ op_name, "OIDC_PROVIDER_DISCOVERY_URI"
+ )
+ client_secret = get_setting_for_sso_op(op_name, "OIDC_CLIENT_SECRET")
+ self.client_extension.client_secret = client_secret
+
+ if session_id:
+ self.consumer.restore(session_id)
+ else:
+
+ cache_key = self.general_cache_backend.generate_hashed_cache_key(
+ provider_info_uri
+ )
+ try:
+ config = self.general_cache_backend[cache_key]
+ except KeyError:
+ config = self.consumer.provider_config(provider_info_uri)
+ # shared microcache for provider config
+ # FIXME: Setting for duration
+ self.general_cache_backend.set(cache_key, config, 60)
+ self.consumer.client_secret = client_secret
diff --git a/django_pyoidc/drf/authentication.py b/django_pyoidc/drf/authentication.py
new file mode 100644
index 0000000..6470166
--- /dev/null
+++ b/django_pyoidc/drf/authentication.py
@@ -0,0 +1,126 @@
+import logging
+
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
+from rest_framework import exceptions
+from rest_framework.authentication import BaseAuthentication
+
+from django_pyoidc.client import OIDCClient
+from django_pyoidc.engine import OIDCEngine
+from django_pyoidc.utils import (
+ OIDCCacheBackendForDjango,
+ check_audience,
+ get_setting_for_sso_op,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class OIDCBearerAuthentication(BaseAuthentication):
+ def __init__(self, *args, **kwargs):
+ super(OIDCBearerAuthentication, self).__init__(*args, **kwargs)
+ self.op_name = self.extract_drf_opname()
+ self.general_cache_backend = OIDCCacheBackendForDjango(self.op_name)
+ self.client = OIDCClient(self.op_name)
+ self.engine = OIDCEngine(self.op_name)
+
+ def extract_drf_opname(self):
+ """
+ Given a list of opnames and setting in DJANGO_PYOIDC conf, extract the one having USED_BY_REST_FRAMEWORK=True.
+ """
+ op = None
+ found = False
+ for op_name, configs in settings.DJANGO_PYOIDC.items():
+ if (
+ "USED_BY_REST_FRAMEWORK" in configs
+ and configs["USED_BY_REST_FRAMEWORK"]
+ ):
+ if found:
+ raise RuntimeError(
+ "Several DJANGO_PYOIDC sections are declared as USED_BY_REST_FRAMEWORK, only one should be used."
+ )
+ found = True
+ op = op_name
+ if found:
+ return op
+ else:
+ raise RuntimeError(
+ "No DJANGO_PYOIDC sections are declared with USED_BY_REST_FRAMEWORK configuration option."
+ )
+
+ def extract_access_token(self, request) -> str:
+ val = request.headers.get("Authorization")
+ if not val:
+ msg = "Request missing the authorization header."
+ raise RuntimeError(msg)
+ val = val.strip()
+ bearer_name, access_token_jwt = val.split(maxsplit=1)
+ requested_bearer_name = get_setting_for_sso_op(
+ self.op_name, "OIDC_API_BEARER_NAME", "Bearer"
+ )
+ if not bearer_name.lower() == requested_bearer_name.lower():
+ msg = f"Bad authorization header, invalid Keyword for the bearer, expecting {requested_bearer_name}."
+ raise RuntimeError(msg)
+ return access_token_jwt
+
+ def authenticate(self, request):
+ """
+ Returns two-tuple of (user, token) if authentication succeeds,
+ or None otherwise.
+ """
+ try:
+ user = None
+ access_token_claims = None
+
+ # Extract the access token from an HTTP Authorization Bearer header
+ try:
+ access_token_jwt = self.extract_access_token(request)
+ except RuntimeError as e:
+ logger.error(e)
+ # we return None, and not an Error.
+ # API auth failed, but maybe anon access is allowed
+ return None
+
+ # This introspection of the token is made by the SSO server
+ # so it is quite slow, but there's a cache added based on the token expiration
+ access_token_claims = self.engine.introspect_access_token(
+ access_token_jwt, client=self.client
+ )
+ logger.debug(access_token_claims)
+ if not access_token_claims.get("active"):
+ msg = "Inactive access token."
+ raise exceptions.AuthenticationFailed(msg)
+
+ # FIXME: add an option to request userinfo here, but that may be quite slow
+
+ if access_token_claims:
+ logger.debug("Request has valid access token.")
+
+ # FIXME: Add a setting to disable
+ client_id = get_setting_for_sso_op(self.op_name, "OIDC_CLIENT_ID")
+ if not check_audience(client_id, access_token_claims):
+ raise PermissionDenied(
+ f"Invalid result for acces token audiences check for {client_id}."
+ )
+
+ logger.debug("Let application load user via user hook.")
+ user = self.engine.call_get_user_function(
+ tokens={
+ "access_token_jwt": access_token_jwt,
+ "access_token_claims": access_token_claims,
+ }
+ )
+
+ if not user:
+ logger.error(
+ "OIDC Bearer Authentication process failure. Cannot set active authenticated user."
+ )
+ return None
+
+ except PermissionDenied as exp:
+ raise exp
+ except Exception as exp:
+ logger.exception(exp)
+ return None
+
+ return (user, access_token_claims)
diff --git a/django_pyoidc/engine.py b/django_pyoidc/engine.py
new file mode 100644
index 0000000..78138bc
--- /dev/null
+++ b/django_pyoidc/engine.py
@@ -0,0 +1,78 @@
+import datetime
+import logging
+
+from django_pyoidc import get_user_by_email
+from django_pyoidc.client import OIDCClient
+from django_pyoidc.utils import (
+ OIDCCacheBackendForDjango,
+ get_setting_for_sso_op,
+ import_object,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class OIDCEngine:
+ def __init__(self, op_name: str):
+ self.op_name = op_name
+ self.general_cache_backend = OIDCCacheBackendForDjango(self.op_name)
+
+ def call_function(self, setting_name, *args, **kwargs):
+ function_path = get_setting_for_sso_op(self.op_name, setting_name)
+ if function_path:
+ func = import_object(function_path, "")
+ return func(*args, **kwargs)
+
+ def call_get_user_function(self, tokens={}):
+ if get_setting_for_sso_op(self.op_name, "HOOK_GET_USER"):
+ logger.debug("OIDC, Calling user hook on get_user")
+ return self.call_function("HOOK_GET_USER", tokens)
+ else:
+ return get_user_by_email(tokens)
+
+ def introspect_access_token(self, access_token_jwt: str, client: OIDCClient):
+ """
+ Perform a cached intropesction call to extract claims from encoded jwt of the access_token
+ """
+ # FIXME: allow a non-cached mode by global settings
+ access_token_claims = None
+
+ # FIXME: in what case could we not have an access token available?
+ # should we raise an error then?
+ if access_token_jwt is not None:
+ cache_key = self.general_cache_backend.generate_hashed_cache_key(
+ access_token_jwt
+ )
+ try:
+ access_token_claims = self.general_cache_backend["cache_key"]
+ except KeyError:
+ # CACHE MISS
+
+ # RFC 7662: token introspection: ask SSO to validate and render the jwt as json
+ # this means a slow web call
+ request_args = {
+ "token": access_token_jwt,
+ "token_type_hint": "access_token",
+ }
+ client_auth_method = client.consumer.registration_response.get(
+ "introspection_endpoint_auth_method", "client_secret_basic"
+ )
+ introspection = client.client_extension.do_token_introspection(
+ request_args=request_args,
+ authn_method=client_auth_method,
+ endpoint=client.consumer.introspection_endpoint,
+ )
+ access_token_claims = introspection.to_dict()
+
+ # store it in cache
+ current = datetime.datetime.now().strftime("%s")
+ if "exp" not in access_token_claims:
+ raise RuntimeError("No expiry set on the access token.")
+ access_token_expiry = access_token_claims["exp"]
+ exp = int(access_token_expiry) - int(current)
+ logger.debug(
+ f"Token expiry: {exp} - current is {current} "
+ f"and expiry is set to {access_token_expiry} in the token"
+ )
+ self.general_cache_backend.set(cache_key, access_token_claims, exp)
+ return access_token_claims
diff --git a/django_pyoidc/exceptions.py b/django_pyoidc/exceptions.py
new file mode 100644
index 0000000..fc9ec8d
--- /dev/null
+++ b/django_pyoidc/exceptions.py
@@ -0,0 +1,6 @@
+class InvalidSIDException(Exception):
+ pass
+
+
+class ClaimNotFoundError(Exception):
+ pass
diff --git a/django_pyoidc/utils.py b/django_pyoidc/utils.py
index 9be9a9c..d5ad963 100644
--- a/django_pyoidc/utils.py
+++ b/django_pyoidc/utils.py
@@ -1,10 +1,13 @@
import hashlib
import logging
-from typing import Dict, Union
+from importlib import import_module
+from typing import Any, Dict, Union
from django.conf import settings
from django.core.cache import BaseCache, caches
+from django_pyoidc.exceptions import ClaimNotFoundError
+
logger = logging.getLogger(__name__)
@@ -19,6 +22,57 @@ def get_settings_for_sso_op(op_name: str):
return settings.DJANGO_PYOIDC[op_name]
+def import_object(path, def_name):
+ try:
+ mod, cls = path.split(":", 1)
+ except ValueError:
+ mod = path
+ cls = def_name
+
+ return getattr(import_module(mod), cls)
+
+
+def extract_claim_from_tokens(claim: str, tokens: dict) -> Any:
+ """Given a dictionnary of tokens claims, extract the given claim.
+
+ This function will seek in "info_token_claims", then "id_token_claims"
+ and finally "access_token_claims".
+ If the claim is not found a ClaimNotFoundError exception is raised.
+ """
+ if "info_token_claims" in tokens and claim in tokens["info_token_claims"]:
+ value = tokens["info_token_claims"][claim]
+ elif "id_token_claims" in tokens and claim in tokens["id_token_claims"]:
+ value = tokens["id_token_claims"][claim]
+ elif "access_token_claims" and claim in tokens["access_token_claims"]:
+ value = tokens["access_token_claims"][claim]
+ else:
+ raise ClaimNotFoundError(f"{claim} not found in available OIDC tokens.")
+ return value
+
+
+def check_audience(client_id: str, access_token_claims: dict) -> bool:
+ """Verify that the current client_id is present in 'aud' claim.
+
+ Audences are stored in 'aud' claim.
+ Audiences of an access token is a list of client_id where this token is allowed.
+ When receiving an access token in 'API' bearer mode checking that your client_id
+ is in the audience is a must.
+ Access tokens received in 'full' mode, when this Django is the OIDC client
+ managing the redirections to the SSO server may not always contain the client_id
+ in 'aud'. This is the case for Keycloak for example, where the 'aud' would only
+ contain 'others' client_id where this token can be used, and not the one generating it.
+ Audience in userinfo and id tokens are different beasts.
+ """
+ if "aud" not in access_token_claims:
+ return False
+ if client_id not in access_token_claims["aud"]:
+ logger.error(
+ f"{client_id} not found in access_token_claims['aud']: {access_token_claims['aud']}"
+ )
+ return False
+ return True
+
+
class OIDCCacheBackendForDjango:
"""Implement General cache for OIDC using django cache"""
diff --git a/django_pyoidc/views.py b/django_pyoidc/views.py
index 8bbfc14..8dbc8b4 100644
--- a/django_pyoidc/views.py
+++ b/django_pyoidc/views.py
@@ -1,4 +1,3 @@
-import datetime
import logging
from importlib import import_module
@@ -14,86 +13,18 @@
from django.views.decorators.csrf import csrf_exempt
from jwt import JWT
from jwt.exceptions import JWTDecodeError
-from oic.extension.client import Client as ClientExtension
-from oic.oic.consumer import Consumer
-from oic.utils.authn.client import CLIENT_AUTHN_METHOD
-from django_pyoidc import get_user_by_email
+from django_pyoidc.client import OIDCClient
+from django_pyoidc.engine import OIDCEngine
+from django_pyoidc.exceptions import InvalidSIDException
from django_pyoidc.models import OIDCSession
-from django_pyoidc.session import OIDCCacheSessionBackendForDjango
-from django_pyoidc.utils import (
- OIDCCacheBackendForDjango,
- get_setting_for_sso_op,
- get_settings_for_sso_op,
-)
+from django_pyoidc.utils import get_setting_for_sso_op, import_object
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
logger = logging.getLogger(__name__)
-class InvalidSIDException(Exception):
- pass
-
-
-def _import_object(path, def_name):
- try:
- mod, cls = path.split(":", 1)
- except ValueError:
- mod = path
- cls = def_name
-
- return getattr(import_module(mod), cls)
-
-
-class OIDClient:
- def __init__(self, op_name, session_id=None):
- self._op_name = op_name
-
- self.session_cache_backend = OIDCCacheSessionBackendForDjango(self._op_name)
- self.general_cache_backend = OIDCCacheBackendForDjango(self._op_name)
-
- consumer_config = {
- # "debug": True,
- "response_type": "code"
- }
-
- client_config = {
- "client_id": get_setting_for_sso_op(op_name, "OIDC_CLIENT_ID"),
- "client_authn_method": CLIENT_AUTHN_METHOD,
- }
-
- self.consumer = Consumer(
- session_db=self.session_cache_backend,
- consumer_config=consumer_config,
- client_config=client_config,
- )
- # used in token introspection
- self.client_extension = ClientExtension(**client_config)
-
- provider_info_uri = get_setting_for_sso_op(
- op_name, "OIDC_PROVIDER_DISCOVERY_URI"
- )
- client_secret = get_setting_for_sso_op(op_name, "OIDC_CLIENT_SECRET")
- self.client_extension.client_secret = client_secret
-
- if session_id:
- self.consumer.restore(session_id)
- else:
-
- cache_key = self.general_cache_backend.generate_hashed_cache_key(
- provider_info_uri
- )
- try:
- config = self.general_cache_backend[cache_key]
- except KeyError:
- config = self.consumer.provider_config(provider_info_uri)
- # shared microcache for provider config
- # FIXME: Setting for duration
- self.general_cache_backend.set(cache_key, config, 60)
- self.consumer.client_secret = client_secret
-
-
class OIDCMixin:
op_name = None
@@ -111,18 +42,9 @@ def get_setting(self, name, default=None):
def call_function(self, setting_name, *args, **kwargs):
function_path = get_setting_for_sso_op(self.op_name, setting_name)
if function_path:
- func = _import_object(function_path, "")
+ func = import_object(function_path, "")
return func(*args, **kwargs)
- def call_get_user_function(self, tokens={}):
- if "HOOK_GET_USER" in get_settings_for_sso_op(self.op_name):
- logger.debug("OIDC, Calling user hook on get_user")
- return self.call_function("HOOK_GET_USER", tokens)
- else:
- return get_user_by_email(
- tokens["info_token_claims"], tokens["id_token_claims"]
- )
-
def call_callback_function(self, request, user):
logger.debug("OIDC, Calling user hook on login")
self.call_function("HOOK_USER_LOGIN", request, user)
@@ -145,7 +67,7 @@ def get_next_url(self, request, redirect_field_name):
Adapted from https://github.com/mozilla/mozilla-django-oidc/blob/71e4af8283a10aa51234de705d34cd298e927f97/mozilla_django_oidc/views.py#L132
"""
next_url = request.GET.get(redirect_field_name)
- print(f"{next_url=}")
+ # print(f"{next_url=}")
if next_url:
is_safe = url_has_allowed_host_and_scheme(
next_url,
@@ -179,9 +101,9 @@ class OIDCLoginView(OIDCView):
def get(self, request, *args, **kwargs):
super().get(request, *args, **kwargs)
- client = OIDClient(self.op_name)
- client.consumer.consumer_config["authz_page"] = str(
- self.get_setting("OIDC_CALLBACK_PATH")
+ client = OIDCClient(self.op_name)
+ client.consumer.consumer_config["authz_page"] = self.get_setting(
+ "OIDC_CALLBACK_PATH"
)
redirect_uri = self.get_next_url(request, "next")
@@ -264,7 +186,7 @@ def post(self, request):
if sid:
try:
- client = OIDClient(self.op_name, session_id=sid)
+ client = OIDCClient(self.op_name, session_id=sid)
except Exception as e: # FIXME : Finer exception handling (KeyError,ParseError,CommunicationError)
logger.error("OIDC Logout call error when loading OIDC state: ")
logger.exception(e)
@@ -316,7 +238,7 @@ class OIDCBackChannelLogoutView(OIDCView):
http_method_names = ["post"]
- def logout_sessions_by_sid(self, client: OIDClient, sid: str, body):
+ def logout_sessions_by_sid(self, client: OIDCClient, sid: str, body):
validated_sid = client.consumer.backchannel_logout(
request_args={"logout_token": body}
)
@@ -326,7 +248,7 @@ def logout_sessions_by_sid(self, client: OIDClient, sid: str, body):
for session in sessions:
self._logout_session(session)
- def logout_sessions_by_sub(self, client: OIDClient, sub: str, body):
+ def logout_sessions_by_sub(self, client: OIDCClient, sub: str, body):
sessions = OIDCSession.objects.filter(sub=sub)
for session in sessions:
client.consumer.backchannel_logout(request_args={"logout_token": body})
@@ -350,10 +272,10 @@ def post(self, request):
sub = decoded.get("sub")
if sub:
# Authorization server wants to kill all sessions
- client = OIDClient(self.op_name)
+ client = OIDCClient(self.op_name)
self.logout_sessions_by_sub(client, sub, body)
elif sid:
- client = OIDClient(self.op_name, session_id=sid)
+ client = OIDCClient(self.op_name, session_id=sid)
try:
self.logout_sessions_by_sid(client, sid, body)
except InvalidSIDException as e:
@@ -385,7 +307,7 @@ class OIDCCallbackView(OIDCView):
def __init__(self, **kwargs):
super().__init__(**kwargs)
- self.general_cache_backend = OIDCCacheBackendForDjango(self.op_name)
+ self.engine = OIDCEngine(self.op_name)
def success_url(self, request):
# Pull the next url from the session or settings --we don't need to
@@ -408,54 +330,13 @@ def _introspect_access_token(self, access_token_jwt):
"""
Perform a cached intropesction call to extract claims from encoded jwt of the access_token
"""
- # FIXME: allow a non-cached mode by global settings
- access_token_claims = None
-
- # FIXME: in what case could we not have an access token available?
- # should we raise an error then?
- if access_token_jwt is not None:
- cache_key = self.general_cache_backend.generate_hashed_cache_key(
- access_token_jwt
- )
- try:
- access_token_claims = self.general_cache_backend["cache_key"]
- except KeyError:
- # CACHE MISS
-
- # RFC 7662: token introspection: ask SSO to validate and render the jwt as json
- # this means a slow web call
- request_args = {
- "token": access_token_jwt,
- "token_type_hint": "access_token",
- }
- client_auth_method = self.client.consumer.registration_response.get(
- "introspection_endpoint_auth_method", "client_secret_basic"
- )
- introspection = self.client.client_extension.do_token_introspection(
- request_args=request_args,
- authn_method=client_auth_method,
- endpoint=self.client.consumer.introspection_endpoint,
- )
- access_token_claims = introspection.to_dict()
-
- # store it in cache
- current = datetime.datetime.now().strftime("%s")
- if "exp" not in access_token_claims:
- raise RuntimeError("No expiry set on the access token.")
- access_token_expiry = access_token_claims["exp"]
- print("**********************")
- print(current)
- print(access_token_expiry)
- exp = int(access_token_expiry) - int(current)
- print(exp)
- self.general_cache_backend.set(cache_key, access_token_claims, exp)
- return access_token_claims
+ return
def get(self, request, *args, **kwargs):
super().get(request, *args, **kwargs)
try:
if "oidc_sid" in request.session:
- self.client = OIDClient(
+ self.client = OIDCClient(
self.op_name, session_id=request.session["oidc_sid"]
)
@@ -495,8 +376,8 @@ def get(self, request, *args, **kwargs):
tokens["access_token"] if "access_token" in tokens else None
)
- access_token_claims = self._introspect_access_token(
- access_token_jwt
+ access_token_claims = self.engine.introspect_access_token(
+ access_token_jwt, self.client
)
id_token_claims = (
@@ -508,7 +389,7 @@ def get(self, request, *args, **kwargs):
userinfo_claims = userinfo.to_dict()
# Call user hook
- user = self.call_get_user_function(
+ user = self.engine.call_get_user_function(
tokens={
"info_token_claims": userinfo_claims,
"access_token_jwt": access_token_jwt,
diff --git a/pyproject.toml b/pyproject.toml
index 8f02377..21c747b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,7 +13,7 @@ classifiers=["Topic :: Utilities",
"Intended Audience :: Developers",
"Environment :: Web Environment",
"Framework :: Django",
- "Development Status :: 5 - Production/Stable",
+ "Development Status :: 3 - Alpha",
"Programming Language :: Python :: 3 :: Only",
"Programming Language :: Python :: 3.8",
"Programming Language :: Python :: 3.9",
diff --git a/requirements-test.in b/requirements-test.in
index d1e700c..0f67c9e 100644
--- a/requirements-test.in
+++ b/requirements-test.in
@@ -6,4 +6,6 @@ sphinx-rtd-theme
sphinx-autobuild
isort
pre-commit
-selenium
+selenium>4.10.0
+djangorestframework>=3.15
+django-cors-headers
\ No newline at end of file
diff --git a/requirements-test.txt b/requirements-test.txt
index 0c73ee5..0e1b47f 100644
--- a/requirements-test.txt
+++ b/requirements-test.txt
@@ -1,15 +1,16 @@
#
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
# pip-compile --output-file=requirements-test.txt requirements-test.in
#
-alabaster==0.7.16
+alabaster==0.7.13
# via sphinx
-anyio==4.3.0
+asgiref==3.8.1
# via
- # starlette
- # watchfiles
+ # -c requirements.txt
+ # django
+ # django-cors-headers
attrs==23.2.0
# via
# outcome
@@ -27,28 +28,36 @@ charset-normalizer==3.3.2
# via
# -c requirements.txt
# requests
-click==8.1.7
- # via uvicorn
colorama==0.4.6
# via sphinx-autobuild
distlib==0.3.8
# via virtualenv
+django==4.2.13
+ # via
+ # -c requirements.txt
+ # django-cors-headers
+ # djangorestframework
+django-cors-headers==4.3.1
+ # via -r requirements-test.in
+djangorestframework==3.15.1
+ # via -r requirements-test.in
docutils==0.19
# via
# sphinx
# sphinx-rtd-theme
+exceptiongroup==1.2.1
+ # via
+ # trio
+ # trio-websocket
filelock==3.14.0
# via virtualenv
h11==0.14.0
- # via
- # uvicorn
- # wsproto
+ # via wsproto
identify==2.5.36
# via pre-commit
idna==3.7
# via
# -c requirements.txt
- # anyio
# requests
# trio
imagesize==1.4.1
@@ -57,6 +66,8 @@ isort==5.13.2
# via -r requirements-test.in
jinja2==3.1.4
# via sphinx
+livereload==2.6.3
+ # via sphinx-autobuild
markupsafe==2.1.5
# via
# -c requirements.txt
@@ -69,7 +80,7 @@ packaging==24.0
# via sphinx
platformdirs==4.2.2
# via virtualenv
-pre-commit==3.7.1
+pre-commit==3.5.0
# via -r requirements-test.in
psycopg2==2.9.9
# via -r requirements-test.in
@@ -87,10 +98,12 @@ requests==2.32.1
# sphinx
selenium==4.21.0
# via -r requirements-test.in
-sniffio==1.3.1
+six==1.16.0
# via
- # anyio
- # trio
+ # -c requirements.txt
+ # livereload
+sniffio==1.3.1
+ # via trio
snowballstemmer==2.2.0
# via sphinx
sortedcontainers==2.4.0
@@ -101,26 +114,30 @@ sphinx==6.2.1
# sphinx-autobuild
# sphinx-rtd-theme
# sphinxcontrib-jquery
-sphinx-autobuild==2024.4.16
+sphinx-autobuild==2021.3.14
# via -r requirements-test.in
sphinx-rtd-theme==2.0.0
# via -r requirements-test.in
-sphinxcontrib-applehelp==1.0.8
+sphinxcontrib-applehelp==1.0.4
# via sphinx
-sphinxcontrib-devhelp==1.0.6
+sphinxcontrib-devhelp==1.0.2
# via sphinx
-sphinxcontrib-htmlhelp==2.0.5
+sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jquery==4.1
# via sphinx-rtd-theme
sphinxcontrib-jsmath==1.0.1
# via sphinx
-sphinxcontrib-qthelp==1.0.7
+sphinxcontrib-qthelp==1.0.3
# via sphinx
-sphinxcontrib-serializinghtml==1.1.10
+sphinxcontrib-serializinghtml==1.1.5
# via sphinx
-starlette==0.37.2
- # via sphinx-autobuild
+sqlparse==0.5.0
+ # via
+ # -c requirements.txt
+ # django
+tornado==6.4
+ # via livereload
trio==0.25.1
# via
# selenium
@@ -130,20 +147,15 @@ trio-websocket==0.11.1
typing-extensions==4.11.0
# via
# -c requirements.txt
+ # asgiref
# selenium
urllib3[socks]==2.2.1
# via
# -c requirements.txt
# requests
# selenium
-uvicorn==0.29.0
- # via sphinx-autobuild
virtualenv==20.26.2
# via pre-commit
-watchfiles==0.21.0
- # via sphinx-autobuild
-websockets==12.0
- # via sphinx-autobuild
wsproto==1.2.0
# via trio-websocket
diff --git a/requirements.txt b/requirements.txt
index a6da609..324c87d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
#
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.10
# by the following command:
#
# pip-compile --output-file=requirements.txt pyproject.toml
@@ -20,7 +20,7 @@ cryptography==42.0.7
# oic
defusedxml==0.7.1
# via oic
-django==5.0.6
+django==4.2.13
# via django-pyoidc (pyproject.toml)
future==1.0.0
# via pyjwkest
@@ -62,6 +62,7 @@ sqlparse==0.5.0
# via django
typing-extensions==4.11.0
# via
+ # asgiref
# pydantic
# pydantic-core
urllib3==2.2.1
diff --git a/tests/e2e/front_test_app/Dockerfile b/tests/e2e/front_test_app/Dockerfile
new file mode 100644
index 0000000..d5fbd86
--- /dev/null
+++ b/tests/e2e/front_test_app/Dockerfile
@@ -0,0 +1,9 @@
+FROM php:7.2-apache
+
+RUN sed -i 's/Listen 80/Listen 9999/' /etc/apache2/ports.conf
+RUN cat /etc/apache2/ports.conf
+RUN chmod 777 /var/run/apache2
+
+COPY *.js /var/www/html/
+COPY *.php /var/www/html/
+COPY *.css /var/www/html/
\ No newline at end of file
diff --git a/tests/e2e/front_test_app/README.md b/tests/e2e/front_test_app/README.md
new file mode 100644
index 0000000..debc575
--- /dev/null
+++ b/tests/e2e/front_test_app/README.md
@@ -0,0 +1,7 @@
+# Very simpel front app using OIDC
+
+Inspired by the Keycloak demo project (Apache2 License):
+
+* https://github.com/keycloak/keycloak-demo/tree/master/demo-app
+
+Used to test OIDC front interaction with our Django backend in API mode.
diff --git a/tests/e2e/front_test_app/app.js b/tests/e2e/front_test_app/app.js
new file mode 100644
index 0000000..359b5cd
--- /dev/null
+++ b/tests/e2e/front_test_app/app.js
@@ -0,0 +1,70 @@
+var keycloak = new Keycloak({
+ realm: 'realm1',
+ clientId: 'app1-front'
+});
+
+window.onload = async function () {
+ try {
+ var authenticated = await keycloak.init({
+ onLoad: 'check-sso',
+ checkLoginIframe: false
+ })
+ } catch (error) {
+ var output = document.getElementById('message');
+ output.innerHTML = 'Failed to initialize connexion with Keycloak SSO';
+ }
+ console.log(authenticated);
+ if (authenticated) {
+ userAuthenticated();
+ } else {
+ userNotAuthenticated();
+ }
+ document.getElementById('wrapper').style.display = 'block';
+}
+
+function userNotAuthenticated() {
+ document.getElementById('anon').style.display = 'block';
+ document.getElementById('authenticated').style.display = 'none';
+}
+
+function userAuthenticated() {
+ document.getElementById('anon').style.display = 'none';
+ document.getElementById('authenticated').style.display = 'block';
+ document.getElementById('message').innerHTML = 'User: ' + keycloak.tokenParsed['preferred_username'];
+ document.getElementById('debug').innerHTML = JSON.stringify(keycloak.tokenParsed);
+}
+
+async function request(endpoint) {
+ var req = new XMLHttpRequest();
+ var output = document.getElementById('message');
+ req.open('GET', backendUrl + '/' + endpoint, true);
+ req.setRequestHeader('Accept', 'application/json');
+
+ if (keycloak.authenticated) {
+ try {
+ success = await keycloak.updateToken(30)
+ output.innerHTML = 'Sending request with Bearer';
+ req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
+ } catch (error) {
+ output.innerHTML = 'Failed to refresh user token';
+ };
+ }
+
+ req.onreadystatechange = function () {
+ if (req.readyState == 4) {
+ if (req.status == 200) {
+ output.innerHTML = 'Message: ' + JSON.stringify(req.responseText);
+ } else if (req.status == 403) {
+ output.innerHTML = 'Request Forbidden';
+ } else if (req.status == 0) {
+ output.innerHTML = 'Request failed';
+ } else {
+ output.innerHTML = '' + req.status + ' ' + req.statusText + '';
+ }
+ }
+ };
+
+ req.send();
+}
+
+keycloak.onAuthLogout = userNotAuthenticated;
diff --git a/tests/e2e/front_test_app/index.php b/tests/e2e/front_test_app/index.php
new file mode 100644
index 0000000..c481938
--- /dev/null
+++ b/tests/e2e/front_test_app/index.php
@@ -0,0 +1,42 @@
+
+
+
+
+ Keycloak Front App Example
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+