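def is_local_redirect(request, target):
    """Return True when *target* can be redirected to without leaving this host.

    Accepts a relative path or an absolute http(s) URL whose network
    location equals ``request.get_host()``. Rejects empty values,
    backslashes (browsers treat them as slashes, so ``/\\evil`` becomes a
    host switch), protocol-relative forms (``//host``, ``///host``), a
    scheme without a host (``http:evil``) and non-http(s) schemes.
    """
    from urllib.parse import urlsplit
    if not target or '\\' in target or target.startswith('///'):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ('http', 'https'):
        return False
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc and parts.netloc != request.get_host():
        return False
    return True


def callback(request):
    """Finish the OAuth2 authorization-code flow and sign the user in.

    Exchanges the code in the query string for a token (oauthlib checks the
    provider-supplied ``state`` against the one kept in the session), resolves
    the user through the configured ``GET_USER`` callable, stores token and
    user in the session and redirects to the ``next`` location that
    ``login`` embedded in the state.

    Returns a redirect to ``login`` when no state is in the session or the
    provider rejects the state/grant; otherwise a redirect to ``next``, or
    to ``/admin`` when ``next`` is empty or does not stay on this host.
    """
    if 'oauth_state' not in request.session:
        return HttpResponseRedirect(request.build_absolute_uri(reverse(oauthadmin.views.login)))
    # NOTE(review): login() stores base64 *bytes* here; that only round-trips
    # with a session serializer that accepts bytes — confirm SESSION_SERIALIZER.
    raw_state = request.session['oauth_state']
    redirect_uri = request.build_absolute_uri(reverse(oauthadmin.views.callback))
    oauth = OAuth2Session(
        app_setting('CLIENT_ID'),
        state=raw_state.decode('utf-8'),
        redirect_uri=redirect_uri,
    )
    try:
        token = oauth.fetch_token(
            app_setting('TOKEN_URL'),
            client_secret=app_setting('CLIENT_SECRET'),
            authorization_response=app_setting('AUTH_URL') + "?" + request.GET.urlencode()
        )
    except (MismatchingStateError, InvalidGrantError):
        return HttpResponseRedirect(request.build_absolute_uri(reverse(oauthadmin.views.login)))

    user = import_by_path(app_setting('GET_USER'))(token)

    # The state is single-use: drop it so a replayed callback cannot reuse it.
    del request.session['oauth_state']
    # Privilege changes here (anonymous -> authenticated): rotate the session
    # key so a session id handed to the browser before login cannot be fixated.
    request.session.cycle_key()
    request.session['last_verified_at'] = int(time())
    request.session['oauth_token'] = token
    request.session['user'] = user

    next_url = json.loads(base64.b64decode(raw_state).decode('utf-8'))['next']
    # ``next`` originates from the login query string; only follow it when it
    # stays on this host, otherwise fall back to the admin index.
    if not is_local_redirect(request, next_url):
        next_url = '/admin'

    return redirect(request.build_absolute_uri(next_url))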
def login(request):
    """Start the OAuth2 authorization-code flow.

    This view is either reached through the login URL (when this app's
    urls are included) or called directly by the Django admin site from
    any URL. The location to return to afterwards travels in the OAuth2
    ``state`` parameter, base64-encoded together with a random token, and
    the final state is mirrored into the session for ``callback`` to
    compare against.
    """
    reached_via_login_url = request.path == reverse(oauthadmin.views.login)
    if reached_via_login_url:
        # Explicit login URL: honour ?next=... from the query string.
        # NOTE(review): the value is not validated here; it must be checked
        # against this host before it is used as a redirect target.
        destination = request.GET.get('next')
    else:
        # Admin called this view directly (pre-1.7 admin does not redirect
        # to the login URL), so come back to the page that was requested.
        destination = request.get_full_path()

    callback_uri = request.build_absolute_uri(
        reverse(oauthadmin.views.callback))
    random_part = generate_token()
    payload = {"state": random_part, "next": destination}
    encoded_state = base64.b64encode(json.dumps(payload).encode('utf-8'))
    session = OAuth2Session(
        client_id=app_setting('CLIENT_ID'),
        redirect_uri=callback_uri,
        scope=["default"],
        state=encoded_state,
    )
    authorization_url, final_state = session.authorization_url(app_setting('AUTH_URL'))

    request.session['oauth_state'] = final_state

    return redirect(authorization_url)
def login(request):
    """Begin the OAuth2 authorization-code flow and redirect to the provider.

    The post-login destination is taken from ``?next=`` when the login URL
    itself was requested, and from the current path when the Django admin
    site called this view directly. It is packed with a random token into
    the base64 ``state`` value; the state returned by oauthlib is stored in
    the session so ``callback`` can verify it.
    """
    if request.path != reverse(oauthadmin.views.login):
        # Direct call from the admin site (pre-1.7 admin does not redirect
        # to the login URL): return to the page that was being requested.
        return_to = request.get_full_path()
    else:
        # Reached through the login URL: take the destination from the
        # query string. NOTE(review): not validated here; callback must
        # check it stays on this host before redirecting.
        return_to = request.GET.get('next')

    callback_uri = request.build_absolute_uri(reverse(oauthadmin.views.callback))
    nonce = generate_token()
    packed_state = base64.b64encode(
        json.dumps({"state": nonce, "next": return_to}).encode('utf-8'))
    provider = OAuth2Session(
        client_id=app_setting('CLIENT_ID'),
        redirect_uri=callback_uri,
        scope=["default"],
        state=packed_state,
    )
    auth_url, issued_state = provider.authorization_url(app_setting('AUTH_URL'))

    request.session['oauth_state'] = issued_state

    return redirect(auth_url)
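def logout(request):
    """Revoke the provider-side tokens and destroy the local session.

    The local session is destroyed even when the revocation request to the
    provider raises (network error, expired token): a failed remote call
    must not leave the browser session authenticated. The error itself
    still propagates after the session has been cleared.

    Returns a redirect to the site root.
    """
    if 'oauth_token' in request.session:
        oauth = OAuth2Session(app_setting('CLIENT_ID'), token=request.session['oauth_token'])
        try:
            # Best-effort revocation; the response status is not inspected.
            oauth.get(app_setting('BASE_URL') + 'destroy_tokens')
        finally:
            destroy_session(request)

    return redirect(request.build_absolute_uri('/'))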
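def logout(request):
    """Ask the provider to destroy its tokens, then drop the local session.

    ``destroy_session`` runs in a ``finally`` so the local session is gone
    even when the provider call fails; otherwise a provider outage would
    leave the user signed in locally. Any exception from the call is
    re-raised after the session has been destroyed.

    Returns a redirect to the site root.
    """
    if 'oauth_token' in request.session:
        oauth = OAuth2Session(app_setting('CLIENT_ID'), token=request.session['oauth_token'])
        try:
            # Best-effort revocation; the response status is not inspected.
            oauth.get(app_setting('BASE_URL') + 'destroy_tokens')
        finally:
            destroy_session(request)

    return redirect(request.build_absolute_uri('/'))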
    def process_request(self, request):
        """Populate ``request.user`` from the user object kept in the session.

        If the request has a session containing ``user``, that object becomes
        ``request.user`` (and ``request._cached_user``); when both the
        ``PING_INTERVAL`` and ``PING`` settings are set, the periodic
        re-verification hook is run. Otherwise ``request.user`` is an
        ``AnonymousUser``.

        NOTE(review): nothing here re-reads the user from the database, so
        account changes made after login only reach this request through the
        PING hook or a fresh login; also, storing a whole user object in the
        session relies on a serializer that can round-trip it — confirm
        SESSION_SERIALIZER.
        """
        has_session_user = hasattr(request, 'session') and 'user' in request.session
        if not has_session_user:
            from django.contrib.auth.models import AnonymousUser
            request.user = AnonymousUser()
            return

        request.user = request.session['user']
        request._cached_user = request.session['user']

        if app_setting('PING_INTERVAL') and app_setting('PING'):
            ping_hook = import_by_path(app_setting('PING'))
            _verify_ping_interval(request, app_setting('PING_INTERVAL'), ping_hook)
def logout_redirect(request):
    """Redirect the browser to the provider's logout endpoint.

    The query string carries the client id, the absolute URL of the local
    ``logout`` view as both ``logout_uri`` and ``redirect_uri``,
    ``response_type=code`` and the ``openid`` scope. No ``state``
    parameter is sent.
    """
    params = QueryDict(mutable=True)
    params['client_id'] = app_setting('CLIENT_ID')
    params['logout_uri'] = request.build_absolute_uri(
        reverse(oauthadmin.views.logout))
    # NOTE(review): redirect_uri is quote_plus()-encoded here and then
    # percent-encoded again by urlencode() below, unlike logout_uri just
    # above; confirm the provider really expects the double encoding.
    params['redirect_uri'] = quote_plus(
        request.build_absolute_uri(reverse(oauthadmin.views.logout)))
    params['response_type'] = 'code'
    params['scope'] = 'openid'

    logout_url = app_setting('BASE_URL') + 'logout?' + params.urlencode()
    return redirect(logout_url)
    def process_request(self, request):
        """Attach the session-stored user (or ``AnonymousUser``) to the request.

        With a session that holds ``user``, the stored object is assigned to
        ``request.user`` and ``request._cached_user``, and the configured
        ``PING`` hook is run through ``_verify_ping_interval`` whenever both
        ``PING_INTERVAL`` and ``PING`` are set. Without one,
        ``request.user`` becomes an ``AnonymousUser``.

        NOTE(review): the session copy of the user is trusted as-is (no
        database re-read here), and keeping a whole user object in the
        session relies on a serializer that can round-trip it — confirm
        SESSION_SERIALIZER.
        """
        session_has_user = hasattr(request, 'session') and 'user' in request.session
        if not session_has_user:
            from django.contrib.auth.models import AnonymousUser
            request.user = AnonymousUser()
            return

        request.user = request.session['user']
        request._cached_user = request.session['user']

        if app_setting('PING_INTERVAL') and app_setting('PING'):
            _verify_ping_interval(
                request,
                app_setting('PING_INTERVAL'),
                import_by_path(app_setting('PING')),
            )
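def apply_groups(user):
    """Add *user* to every group named in the ``GROUPS`` setting.

    Names that do not exist in the database are skipped, but each one is
    logged as a warning so a misspelt or missing group is visible to
    operators instead of silently leaving the user without it.
    """
    import logging
    log = logging.getLogger(__name__)
    for group_name in app_setting('GROUPS'):
        try:
            group = Group.objects.get(name=group_name)
        except Group.DoesNotExist:
            log.warning("apply_groups: group %r does not exist; skipping", group_name)
            continue
        group.user_set.add(user)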
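def is_local_redirect(request, target):
    """Return True when *target* can be redirected to without leaving this host.

    Accepts a relative path or an absolute http(s) URL whose network
    location equals ``request.get_host()``. Rejects empty values,
    backslashes (browsers treat them as slashes, so ``/\\evil`` becomes a
    host switch), protocol-relative forms (``//host``, ``///host``), a
    scheme without a host (``http:evil``) and non-http(s) schemes.
    """
    from urllib.parse import urlsplit
    if not target or '\\' in target or target.startswith('///'):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ('http', 'https'):
        return False
    if parts.scheme and not parts.netloc:
        return False
    if parts.netloc and parts.netloc != request.get_host():
        return False
    return True


def callback(request):
    """Complete the authorization-code flow and sign the user in.

    Exchanges the code in the query string for a token (oauthlib compares
    the provider-supplied ``state`` with the session one), resolves the
    user via the configured ``GET_USER`` callable, stores token and user in
    the session and redirects to the ``next`` location ``login`` packed
    into the state.

    Returns a redirect to ``login`` when no state is in the session or the
    provider rejects the state/grant; otherwise a redirect to ``next``, or
    to ``DEFAULT_NEXT_URL`` when ``next`` is empty or leaves this host.
    """
    if 'oauth_state' not in request.session:
        return HttpResponseRedirect(
            request.build_absolute_uri(reverse(oauthadmin.views.login)))
    # NOTE(review): login() stores base64 *bytes* here; that only round-trips
    # with a session serializer that accepts bytes — confirm SESSION_SERIALIZER.
    raw_state = request.session['oauth_state']
    redirect_uri = request.build_absolute_uri(
        reverse(oauthadmin.views.callback))
    oauth = OAuth2Session(
        app_setting('CLIENT_ID'),
        state=raw_state.decode('utf-8'),
        redirect_uri=redirect_uri,
    )
    try:
        token = oauth.fetch_token(
            app_setting('TOKEN_URL'),
            client_secret=app_setting('CLIENT_SECRET'),
            authorization_response=app_setting('AUTH_URL') + "?" +
            request.GET.urlencode())
    except (MismatchingStateError, InvalidGrantError):
        return HttpResponseRedirect(
            request.build_absolute_uri(reverse(oauthadmin.views.login)))

    user = import_by_path(app_setting('GET_USER'))(token)

    # The state is single-use: drop it so a replayed callback cannot reuse it.
    del request.session['oauth_state']
    # Privilege changes here (anonymous -> authenticated): rotate the session
    # key so a session id handed to the browser before login cannot be fixated.
    request.session.cycle_key()
    request.session['last_verified_at'] = int(time())
    request.session['oauth_token'] = token
    request.session['user'] = user

    next_url = json.loads(
        base64.b64decode(raw_state).decode('utf-8'))['next']
    # ``next`` originates from the login query string; only follow it when it
    # stays on this host, otherwise use the configured default.
    if not is_local_redirect(request, next_url):
        next_url = app_setting('DEFAULT_NEXT_URL')

    return redirect(request.build_absolute_uri(next_url))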
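def default_get_user(token):
    """Resolve (creating on first login) the Django user for an OAuth token.

    Fetches the userinfo document for *token*, looks the user up by the
    configured primary-key attribute and synchronises the profile fields and
    the superuser flag from the provider on every login — not only on
    creation — so a role removed upstream also revokes superuser here. A
    user created here gets an unusable password so the account can only be
    entered through the OAuth provider.

    Raises KeyError when a configured attribute is missing from userinfo.
    """
    # This import needs to be deferred
    from django.contrib.auth.models import User
    ui = userinfo(token)

    pk = ui[app_setting('USER_PK_ATTRIBUTE')]
    roles = ui[app_setting('USER_ROLES_ATTRIBUTE')]

    try:
        user = User.objects.get(username=pk)
    except User.DoesNotExist:
        user = User(username=pk)
        user.is_staff = True
        # SSO-provisioned account: never leave a password login possible.
        user.set_unusable_password()

    # The provider is authoritative for the admin role; evaluating it on each
    # login instead of freezing the first-login value keeps revocation working.
    user.is_superuser = app_setting('ADMIN_ROLE_NAME') in roles
    user.email = ui[app_setting('USER_EMAIL_ATTRIBUTE')]
    user.first_name = ui[app_setting('USER_FIRST_NAME_ATTRIBUTE')]
    user.last_name = ui[app_setting('USER_LAST_NAME_ATTRIBUTE')]

    user.save()
    return user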
def logout_redirect(request):
    """Send the browser to the provider's logout page.

    ``next`` carries the absolute URL of the local ``logout`` view so the
    provider can return here once its own session is cleared.
    """
    base_url = app_setting('BASE_URL')
    return_to = request.build_absolute_uri(reverse(oauthadmin.views.logout))
    provider_logout = base_url + 'logout?next=' + quote_plus(return_to)
    return redirect(provider_logout)
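def userinfo(token):
    """Fetch the provider's userinfo document for *token* and return it as JSON.

    The HTTP status is checked before the body is parsed: an error response
    (expired token, provider outage) must raise rather than be decoded and
    treated as identity claims. Raises ``requests.HTTPError`` (from
    ``raise_for_status``) for a 4xx/5xx status.
    """
    oauth = OAuth2Session(app_setting('CLIENT_ID'), token=token)
    resp = oauth.request('GET', app_setting('USERINFO'))
    resp.raise_for_status()

    return resp.json()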
def logout_redirect(request):
    """Redirect to the provider's logout endpoint, returning here afterwards.

    The local ``logout`` view's absolute URL is passed as the ``next``
    query parameter.
    """
    local_logout = reverse(oauthadmin.views.logout)
    encoded_return = quote_plus(request.build_absolute_uri(local_logout))
    return redirect(app_setting('BASE_URL') + 'logout?next=' + encoded_return)