def get(self, request):
"""OIDC client authentication initialization HTTP endpoint.
This is based on the mozilla-django-oidc library
"""
state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
params = {
'response_type': 'code',
'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'),
'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
'redirect_uri': absolutify(
request,
nonprefixed_url('phonebook:verify_identity_callback')
),
'state': state,
}
if import_from_settings('OIDC_USE_NONCE', True):
nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
params.update({
'nonce': nonce
})
request.session['oidc_verify_nonce'] = nonce
# Add parameter to disable silent authentication
params['tried_silent_auth'] = settings.OIDC_TRIED_SILENT_AUTH
request.session['oidc_verify_state'] = state
request.session['oidc_login_next'] = get_next_url(request, redirect_field_name)
query = urlencode(params)
redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query)
return HttpResponseRedirect(redirect_url)
def get(self, request):
"""OIDC client authentication initialization HTTP endpoint.
This is based on the mozilla-django-oidc library
"""
state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME',
'next')
params = {
'response_type':
'code',
'scope':
import_from_settings('OIDC_RP_SCOPES', 'openid email profile'),
'client_id':
self.OIDC_RP_VERIFICATION_CLIENT_ID,
'redirect_uri':
absolutify(request,
nonprefixed_url('phonebook:verify_identity_callback')),
'state':
state,
'prompt':
settings.OIDC_PROMPT
}
if import_from_settings('OIDC_USE_NONCE', True):
nonce = get_random_string(
import_from_settings('OIDC_NONCE_SIZE', 32))
params.update({'nonce': nonce})
request.session['oidc_verify_nonce'] = nonce
# Add parameter to disable silent authentication and the LDAP check for AUTO_VOUCH_DOMAINS
# This will allow users to verify AUTO_VOUCH_DOMAINS as contact identities
params['account_linking'] = settings.OIDC_ACCOUNT_LINKING
request.session['oidc_verify_state'] = state
request.session['oidc_login_next'] = get_next_url(
request, redirect_field_name)
query = urlencode(params)
redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT,
query=query)
return HttpResponseRedirect(redirect_url)
def get(self, request):
"""OIDC client authentication initialization HTTP endpoint.
This is based on the mozilla-django-oidc library
"""
state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
params = {
'response_type': 'code',
'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'),
'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
'redirect_uri': absolutify(
request,
nonprefixed_url('phonebook:verify_identity_callback')
),
'state': state,
'prompt': settings.OIDC_PROMPT
}
if import_from_settings('OIDC_USE_NONCE', True):
nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
params.update({
'nonce': nonce
})
request.session['oidc_verify_nonce'] = nonce
# Add parameter to disable silent authentication and the LDAP check for AUTO_VOUCH_DOMAINS
# This will allow users to verify AUTO_VOUCH_DOMAINS as contact identities
params['account_linking'] = settings.OIDC_ACCOUNT_LINKING
request.session['oidc_verify_state'] = state
request.session['oidc_login_next'] = get_next_url(request, redirect_field_name)
query = urlencode(params)
redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query)
return HttpResponseRedirect(redirect_url)
def get(self, request):
"""Callback handler for OIDC authorization code flow.
This is based on the mozilla-django-oidc library.
This callback is used to verify the identity added by the user.
Users are already logged in and we do not care about authentication.
The JWT token is used to prove the identity of the user.
"""
profile = request.user.userprofile
# This is a difference nonce than the one used to login!
nonce = request.session.get('oidc_verify_nonce')
if nonce:
# Make sure that nonce is not used twice
del request.session['oidc_verify_nonce']
# Check for all possible errors and display a message to the user.
errors = [
'code' not in request.GET, 'state' not in request.GET,
'oidc_verify_state' not in request.session,
request.GET['state'] != request.session['oidc_verify_state']
]
if any(errors):
msg = 'Something went wrong, account verification failed.'
messages.error(request, msg)
return redirect('phonebook:profile_edit')
token_payload = {
'client_id':
self.OIDC_RP_VERIFICATION_CLIENT_ID,
'client_secret':
self.OIDC_RP_VERIFICATION_CLIENT_SECRET,
'grant_type':
'authorization_code',
'code':
request.GET['code'],
'redirect_uri':
absolutify(self.request,
nonprefixed_url('phonebook:verify_identity_callback')),
}
response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT,
data=token_payload,
verify=import_from_settings(
'OIDC_VERIFY_SSL', True))
response.raise_for_status()
token_response = response.json()
id_token = token_response.get('id_token')
# Verify JWT
jws = JWS.from_compact(force_bytes(id_token))
jwk = JWK.load(smart_bytes(self.OIDC_RP_VERIFICATION_CLIENT_SECRET))
verified_token = None
if jws.verify(jwk):
verified_token = jws.payload
# Create the new Identity Profile.
if verified_token:
user_info = json.loads(verified_token)
email = user_info['email']
if not user_info.get('email_verified'):
msg = 'Account verification failed: Email is not verified.'
messages.error(request, msg)
return redirect('phonebook:profile_edit')
user_q = {'auth0_user_id': user_info['sub'], 'email': email}
# If we are linking GitHub we need to save
# the username too.
if 'github|' in user_info['sub']:
user_q['username'] = user_info['nickname']
# Check that the identity doesn't exist in another Identity profile
# or in another mozillians profile
error_msg = ''
if IdpProfile.objects.filter(**user_q).exists():
error_msg = 'Account verification failed: Identity already exists.'
elif User.objects.filter(email__iexact=email).exclude(
pk=profile.user.pk).exists():
error_msg = 'The email in this identity is used by another user.'
if error_msg:
messages.error(request, error_msg)
next_url = self.request.session.get('oidc_login_next', None)
return HttpResponseRedirect(
next_url or reverse('phonebook:profile_edit'))
# Save the new identity to the IdpProfile
user_q['profile'] = profile
idp, created = IdpProfile.objects.get_or_create(**user_q)
current_idp = get_object_or_none(IdpProfile,
profile=profile,
primary=True)
# The new identity is stronger than the one currently used. Let's swap
append_msg = ''
# We need to check for equality too in the case a user updates the primary email in
# the same identity (matching auth0_user_id). If there is an addition of the same type
# we are not swapping login identities
if ((current_idp and current_idp.type < idp.type)
or (current_idp
and current_idp.auth0_user_id == idp.auth0_user_id)
or (not current_idp and created
and idp.type >= IdpProfile.PROVIDER_GITHUB)):
IdpProfile.objects.filter(profile=profile).exclude(
pk=idp.pk).update(primary=False)
idp.primary = True
idp.save()
# Also update the primary email of the user
update_email_in_basket(profile.user.email, idp.email)
User.objects.filter(pk=profile.user.id).update(email=idp.email)
append_msg = ' You need to use this identity the next time you will login.'
send_userprofile_to_cis.delay(profile.pk)
if created:
msg = 'Account successfully verified.'
if append_msg:
msg += append_msg
messages.success(request, msg)
else:
msg = 'Account verification failed: Identity already exists.'
messages.error(request, msg)
next_url = self.request.session.get('oidc_login_next', None)
return HttpResponseRedirect(next_url
or reverse('phonebook:profile_edit'))
def get(self, request):
"""Callback handler for OIDC authorization code flow.
This is based on the mozilla-django-oidc library.
This callback is used to verify the identity added by the user.
Users are already logged in and we do not care about authentication.
The JWT token is used to prove the identity of the user.
"""
profile = request.user.userprofile
# This is a difference nonce than the one used to login!
nonce = request.session.get('oidc_verify_nonce')
if nonce:
# Make sure that nonce is not used twice
del request.session['oidc_verify_nonce']
# Check for all possible errors and display a message to the user.
errors = [
'code' not in request.GET,
'state' not in request.GET,
'oidc_verify_state' not in request.session,
request.GET['state'] != request.session['oidc_verify_state']
]
if any(errors):
msg = 'Something went wrong, account verification failed.'
messages.error(request, msg)
return redirect('phonebook:profile_edit')
token_payload = {
'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
'client_secret': self.OIDC_RP_VERIFICATION_CLIENT_SECRET,
'grant_type': 'authorization_code',
'code': request.GET['code'],
'redirect_uri': absolutify(
self.request,
nonprefixed_url('phonebook:verify_identity_callback')
),
}
response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT,
data=token_payload,
verify=import_from_settings('OIDC_VERIFY_SSL', True))
response.raise_for_status()
token_response = response.json()
id_token = token_response.get('id_token')
# Verify JWT
jws = JWS.from_compact(force_bytes(id_token))
jwk = JWK.load(smart_bytes(self.OIDC_RP_VERIFICATION_CLIENT_SECRET))
verified_token = None
if jws.verify(jwk):
verified_token = jws.payload
# Create the new Identity Profile.
if verified_token:
user_info = json.loads(verified_token)
email = user_info['email']
if not user_info.get('email_verified'):
msg = 'Account verification failed: Email is not verified.'
messages.error(request, msg)
return redirect('phonebook:profile_edit')
user_q = {
'auth0_user_id': user_info['sub'],
'email': email
}
# If we are linking GitHub we need to save
# the username too.
if 'github|' in user_info['sub']:
user_q['username'] = user_info['nickname']
# Check that the identity doesn't exist in another Identity profile
# or in another mozillians profile
error_msg = ''
if IdpProfile.objects.filter(**user_q).exists():
error_msg = 'Account verification failed: Identity already exists.'
elif User.objects.filter(email__iexact=email).exclude(pk=profile.user.pk).exists():
error_msg = 'The email in this identity is used by another user.'
if error_msg:
messages.error(request, error_msg)
next_url = self.request.session.get('oidc_login_next', None)
return HttpResponseRedirect(next_url or reverse('phonebook:profile_edit'))
# Save the new identity to the IdpProfile
user_q['profile'] = profile
idp, created = IdpProfile.objects.get_or_create(**user_q)
current_idp = get_object_or_none(IdpProfile, profile=profile, primary=True)
# The new identity is stronger than the one currently used. Let's swap
append_msg = ''
# We need to check for equality too in the case a user updates the primary email in
# the same identity (matching auth0_user_id). If there is an addition of the same type
# we are not swapping login identities
if ((current_idp and current_idp.type < idp.type) or
(current_idp and current_idp.auth0_user_id == idp.auth0_user_id) or
(not current_idp and created and idp.type >= IdpProfile.PROVIDER_GITHUB)):
IdpProfile.objects.filter(profile=profile).exclude(pk=idp.pk).update(primary=False)
idp.primary = True
idp.save()
# Also update the primary email of the user
update_email_in_basket(profile.user.email, idp.email)
User.objects.filter(pk=profile.user.id).update(email=idp.email)
append_msg = ' You need to use this identity the next time you will login.'
send_userprofile_to_cis.delay(profile.pk)
if created:
msg = 'Account successfully verified.'
if append_msg:
msg += append_msg
messages.success(request, msg)
else:
msg = 'Account verification failed: Identity already exists.'
messages.error(request, msg)
next_url = self.request.session.get('oidc_login_next', None)
return HttpResponseRedirect(next_url or reverse('phonebook:profile_edit'))
