def __init__(self, *args, **kwargs): """Initialize settings.""" self.OIDC_OP_TOKEN_ENDPOINT = import_from_settings('OIDC_OP_TOKEN_ENDPOINT') self.OIDC_OP_USER_ENDPOINT = import_from_settings('OIDC_OP_USER_ENDPOINT') self.OIDC_RP_VERIFICATION_CLIENT_ID = ( import_from_settings('OIDC_RP_VERIFICATION_CLIENT_ID') ) self.OIDC_RP_VERIFICATION_CLIENT_SECRET = ( import_from_settings('OIDC_RP_VERIFICATION_CLIENT_SECRET') )
def verify_token(self, token, **kwargs): """Validate the token signature.""" nonce = kwargs.get('nonce') token = force_bytes(token) if self.OIDC_RP_SIGN_ALGO.startswith('RS'): if self.OIDC_RP_IDP_SIGN_KEY is not None: key = self.OIDC_RP_IDP_SIGN_KEY else: key = self.retrieve_matching_jwk(token) else: key = self.OIDC_RP_CLIENT_SECRET # Verify the token verified_token = self._verify_jws(token, key) # The 'verified_token' will always be a byte string since it's # the result of base64.urlsafe_b64decode(). # The payload is always the result of base64.urlsafe_b64decode(). # In Python 3 and 2, that's always a byte string. # In Python3.6, the json.loads() function can accept a byte string # as it will automagically decode it to a unicode string before # deserializing https://bugs.python.org/issue17909 verified_id = json.loads(verified_token.decode('utf-8')) token_nonce = verified_id.get('nonce') if import_from_settings('OIDC_USE_NONCE', True) and nonce != token_nonce: msg = 'JWT Nonce verification failed.' raise SuspiciousOperation(msg) return verified_id
def login_success(self): auth.login(self.request, self.user) # Figure out when this id_token will expire. This is ignored unless you're # using the RenewIDToken middleware. expiration_interval = import_from_settings('OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS', 60 * 15) self.request.session['oidc_id_token_expiration'] = time.time() + expiration_interval return HttpResponseRedirect(self.success_url)
def get_token(self, payload): """Return token object as a dictionary.""" response = requests.post( self.OIDC_OP_TOKEN_ENDPOINT, data=payload, verify=import_from_settings('OIDC_VERIFY_SSL', True)) response.raise_for_status() return response.json()
def get_userinfo(self, access_token, id_token, verified_id): """Return user details dictionary. The id_token and verified_id are not used in the default implementation, but may be used when overriding this method""" user_response = requests.get( self.OIDC_OP_USER_ENDPOINT, headers={ 'Authorization': 'Bearer {0}'.format(access_token) }, verify=import_from_settings('OIDC_VERIFY_SSL', True)) user_response.raise_for_status() return user_response.json()
def get(self, request): """OIDC client authentication initialization HTTP endpoint""" state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32)) redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next') reverse_url = import_from_settings('OIDC_AUTHENTICATION_CALLBACK_URL', 'oidc_authentication_callback') params = { 'response_type': 'code', 'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'), 'client_id': self.OIDC_RP_CLIENT_ID, 'redirect_uri': absolutify( request, reverse(reverse_url) ), 'state': state, } params.update(self.get_extra_params(request)) if import_from_settings('OIDC_USE_NONCE', True): nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32)) params.update({ 'nonce': nonce }) request.session['oidc_nonce'] = nonce request.session['oidc_state'] = state request.session['oidc_login_next'] = get_next_url(request, redirect_field_name) query = urlencode(params) redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query) return HttpResponseRedirect(redirect_url)
def get_or_create_user(self, access_token, id_token, verified_id): """Returns a User instance if 1 user is found. Creates a user if not found and configured to do so. Returns nothing if multiple users are matched.""" session = self.request.session if import_from_settings('OIDC_STORE_ACCESS_TOKEN', False): session['oidc_access_token'] = access_token if import_from_settings('OIDC_STORE_ID_TOKEN', False): session['oidc_id_token'] = id_token # get userinfo user_info = self.get_userinfo(access_token, id_token, verified_id) email = user_info.get('email') claims_verified = self.verify_claims(user_info) if not claims_verified: LOGGER.debug('Login failed: Claims verification for %s failed.', email) return None # email based filtering users = self.filter_users_by_claims(user_info) if len(users) == 1: return self.update_user(users[0], user_info) elif len(users) > 1: # In the rare case that two user accounts have the same email address, # log and bail. Randomly selecting one seems really wrong. LOGGER.warn('Multiple users with email address %s.', email) return None elif import_from_settings('OIDC_CREATE_USER', True): user = self.create_user(user_info) return user else: LOGGER.debug('Login failed: No user with email %s found, and ' 'OIDC_CREATE_USER is False', email) return None
def get(self, request): """OIDC client authentication initialization HTTP endpoint. This is based on the mozilla-django-oidc library """ state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32)) redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next') params = { 'response_type': 'code', 'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'), 'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID, 'redirect_uri': absolutify( request, nonprefixed_url('phonebook:verify_identity_callback') ), 'state': state, 'prompt': settings.OIDC_PROMPT } if import_from_settings('OIDC_USE_NONCE', True): nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32)) params.update({ 'nonce': nonce }) request.session['oidc_verify_nonce'] = nonce # Add parameter to disable silent authentication and the LDAP check for AUTO_VOUCH_DOMAINS # This will allow users to verify AUTO_VOUCH_DOMAINS as contact identities params['account_linking'] = settings.OIDC_ACCOUNT_LINKING request.session['oidc_verify_state'] = state request.session['oidc_login_next'] = get_next_url(request, redirect_field_name) query = urlencode(params) redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query) return HttpResponseRedirect(redirect_url)
def process_request(self, request): if not self.is_refreshable_url(request): LOGGER.debug('request is not refreshable') return expiration = request.session.get('oidc_id_token_expiration', 0) now = time.time() if expiration > now: # The id_token is still valid, so we don't have to do anything. LOGGER.debug('id token is still valid (%s > %s)', expiration, now) return LOGGER.debug('id token has expired') # The id_token has expired, so we have to re-authenticate silently. auth_url = import_from_settings('OIDC_OP_AUTHORIZATION_ENDPOINT') client_id = import_from_settings('OIDC_RP_CLIENT_ID') state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32)) # Build the parameters as if we were doing a real auth handoff, except # we also include prompt=none. params = { 'response_type': 'code', 'client_id': client_id, 'redirect_uri': absolutify( request, reverse('oidc_authentication_callback') ), 'state': state, 'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'), 'prompt': 'none', } if import_from_settings('OIDC_USE_NONCE', True): nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32)) params.update({ 'nonce': nonce }) request.session['oidc_nonce'] = nonce request.session['oidc_state'] = state request.session['oidc_login_next'] = request.get_full_path() query = urlencode(params) redirect_url = '{url}?{query}'.format(url=auth_url, query=query) if request.is_ajax(): # Almost all XHR request handling in client-side code struggles # with redirects since redirecting to a page where the user # is supposed to do something is extremely unlikely to work # in an XHR request. Make a special response for these kinds # of requests. # The use of 403 Forbidden is to match the fact that this # middleware doesn't really want the user in if they don't # refresh their session. response = JsonResponse({'refresh_url': redirect_url}, status=403) response['refresh_url'] = redirect_url return response return HttpResponseRedirect(redirect_url)
def logout(self, request, next_page): # https://stackoverflow.com/questions/46689034/logout-user-via-keycloak-rest-api-doesnt-work if request.session.get('_auth_user_backend', '') != 'desktop.auth.backend.OIDCBackend': return None session = request.session access_token = session.get('oidc_access_token', '') refresh_token = session.get('oidc_refresh_token', '') if access_token and refresh_token: oidc_logout_url = desktop.conf.OIDC.LOGOUT_REDIRECT_URL.get() client_id = import_from_settings('OIDC_RP_CLIENT_ID') client_secret = import_from_settings('OIDC_RP_CLIENT_SECRET') oidc_verify_ssl = import_from_settings('OIDC_VERIFY_SSL') form = { 'client_id': client_id, 'client_secret': client_secret, 'refresh_token': refresh_token, } headers = { 'Authorization': 'Bearer {0}'.format(access_token), 'Content-Type': 'application/x-www-form-urlencoded' } resp = requests.post(oidc_logout_url, data=form, headers=headers, verify=oidc_verify_ssl) if resp.status_code >= 200 and resp.status_code < 300: LOG.debug("OpenID Connect logout succeed!") delete_oidc_session_tokens(session) auth.logout(request) response = HttpResponseRedirect(next_page) response.delete_cookie(LOAD_BALANCER_COOKIE) return response else: LOG.error("OpenID Connect logout failed: %s" % resp.content) else: LOG.warn("OpenID Connect tokens are not available, logout skipped!") return None
def post(self, request): """Log out the user.""" logout_url = self.redirect_url if is_authenticated(request.user): # Check if a method exists to build the URL to log out the user # from the OP. logout_from_op = import_from_settings('OIDC_OP_LOGOUT_URL_METHOD', '') if logout_from_op: logout_url = import_string(logout_from_op)(request) # Log out the Django user if they were logged in. auth.logout(request) return HttpResponseRedirect(logout_url)
def __init__(self, *args, **kwargs): """Initialize settings.""" self.OIDC_OP_TOKEN_ENDPOINT = import_from_settings('OIDC_OP_TOKEN_ENDPOINT') self.OIDC_OP_USER_ENDPOINT = import_from_settings('OIDC_OP_USER_ENDPOINT') self.OIDC_OP_JWKS_ENDPOINT = import_from_settings('OIDC_OP_JWKS_ENDPOINT', None) self.OIDC_RP_CLIENT_ID = import_from_settings('OIDC_RP_CLIENT_ID') self.OIDC_RP_CLIENT_SECRET = import_from_settings('OIDC_RP_CLIENT_SECRET') self.OIDC_RP_SIGN_ALGO = import_from_settings('OIDC_RP_SIGN_ALGO', 'HS256') self.OIDC_RP_IDP_SIGN_KEY = import_from_settings('OIDC_RP_IDP_SIGN_KEY', None) if (self.OIDC_RP_SIGN_ALGO.startswith('RS') and (self.OIDC_RP_IDP_SIGN_KEY is None and self.OIDC_OP_JWKS_ENDPOINT is None)): msg = '{} alg requires OIDC_RP_IDP_SIGN_KEY or OIDC_OP_JWKS_ENDPOINT to be configured.' raise ImproperlyConfigured(msg.format(self.OIDC_RP_SIGN_ALGO)) self.UserModel = get_user_model()
def create_user(self, claims): """Return object for a newly created user account.""" # bluntly stolen from django-browserid # https://github.com/mozilla/django-browserid/blob/master/django_browserid/auth.py username_algo = import_from_settings('OIDC_USERNAME_ALGO', None) email = claims.get('email') if not email: return None if username_algo: if isinstance(username_algo, six.string_types): username_algo = import_string(username_algo) username = username_algo(email) else: username = default_username_algo(email) return self.UserModel.objects.create_user(username, email)
def create_user(self, claims): """Return object for a newly created user account.""" # Overriding lib's logic, use preferred_username from oidc as username username = claims.get(import_from_settings('OIDC_USERNAME_ATTRIBUTE', 'preferred_username'), '') email = claims.get('email', '') first_name = claims.get('given_name', '') last_name = claims.get('family_name', '') if not username: if not email: LOG.debug("OpenID Connect no username and email while creating new user") return None username = default_username_algo(email) return self.UserModel.objects.create_user(username=username, email=email, first_name=first_name, last_name=last_name, is_superuser=self.is_hue_superuser(claims))
def authenticate(self, **kwargs): self.request = kwargs.pop('request', None) if not self.request: return None state = self.request.GET.get('state') code = self.request.GET.get('code') nonce = kwargs.pop('nonce', None) if not code or not state: return None reverse_url = import_from_settings('OIDC_AUTHENTICATION_CALLBACK_URL', 'oidc_authentication_callback') token_payload = { 'client_id': self.OIDC_RP_CLIENT_ID, 'client_secret': self.OIDC_RP_CLIENT_SECRET, 'grant_type': 'authorization_code', 'code': code, 'redirect_uri': absolutify( self.request, reverse(reverse_url) ), } # Get the token token_info = self.get_token(token_payload) id_token = token_info.get('id_token') access_token = token_info.get('access_token') refresh_token = token_info.get('refresh_token') # Validate the token verified_id = self.verify_token(id_token, nonce=nonce) if verified_id: self.save_refresh_tokens(refresh_token) user = self.get_or_create_user(access_token, id_token, verified_id) user = rewrite_user(user) return user return None
def retrieve_matching_jwk(self, token): """Get the signing key by exploring the JWKS endpoint of the OP.""" response_jwks = requests.get( self.OIDC_OP_JWKS_ENDPOINT, verify=import_from_settings('OIDC_VERIFY_SSL', True) ) response_jwks.raise_for_status() jwks = response_jwks.json() # Compute the current header from the given token to find a match jws = JWS.from_compact(token) json_header = jws.signature.protected header = Header.json_loads(json_header) key = None for jwk in jwks['keys']: if jwk['alg'] == smart_text(header.alg) and jwk['kid'] == smart_text(header.kid): key = jwk if key is None: raise SuspiciousOperation('Could not find a valid JWKS.') return key
def exempt_urls(self): """Generate and return a set of url paths to exempt from SessionRefresh This takes the value of ``settings.OIDC_EXEMPT_URLS`` and appends three urls that mozilla-django-oidc uses. These values can be view names or absolute url paths. :returns: list of url paths (for example "/oidc/callback/") """ exempt_urls = list(import_from_settings('OIDC_EXEMPT_URLS', [])) exempt_urls.extend([ 'oidc_authentication_init', 'oidc_authentication_callback', 'oidc_logout', ]) return set([ url if url.startswith('/') else reverse(url) for url in exempt_urls ])
def save_refresh_tokens(self, refresh_token): session = self.request.session if import_from_settings('OIDC_STORE_REFRESH_TOKEN', False): session['oidc_refresh_token'] = refresh_token
def get_settings(attr, *args): return import_from_settings(attr, *args)
def test_attr_nonexisting_no_default_value(self): with self.assertRaises(ImproperlyConfigured): import_from_settings('EXAMPLE_VARIABLE')
def get_extra_params(self, request): return import_from_settings('OIDC_AUTH_REQUEST_EXTRA_PARAMS', {})
def failure_url(self): return import_from_settings('LOGIN_REDIRECT_URL_FAILURE', '/')
def provider_logout(request): return get_from_well_known( utils.import_from_settings('OIDC_OP_METADATA_ENDPOINT'), 'end_session_endpoint')
def save_refresh_tokens(self, refresh_token): session = self.request.session if import_from_settings('OIDC_STORE_REFRESH_TOKEN', False): session['oidc_refresh_token'] = refresh_token
def get_or_create_user(self, access_token, id_token, verified_id): user = super(OIDCBackend, self).get_or_create_user(access_token, id_token, verified_id) if not user and not import_from_settings('OIDC_CREATE_USER', True): # in this case, user is login from Keycloak, but not allow create self.logout(self.request, next_page=import_from_settings('LOGIN_REDIRECT_URL_FAILURE', '/')) return user
from django.conf.urls import url from django.utils.module_loading import import_string from mozilla_django_oidc import views from mozilla_django_oidc.utils import import_from_settings DEFAULT_CALLBACK_CLASS = 'mozilla_django_oidc.views.OIDCAuthenticationCallbackView' CALLBACK_CLASS_PATH = import_from_settings('OIDC_CALLBACK_CLASS', DEFAULT_CALLBACK_CLASS) OIDCCallbackClass = import_string(CALLBACK_CLASS_PATH) DEFAULT_AUTHENTICATE_CLASS = 'mozilla_django_oidc.views.OIDCAuthenticationRequestView' AUTHENTICATE_CLASS_PATH = import_from_settings( 'OIDC_AUTHENTICATE_CLASS', DEFAULT_AUTHENTICATE_CLASS ) OIDCAuthenticateClass = import_string(AUTHENTICATE_CLASS_PATH) urlpatterns = [ url(r'^callback/$', OIDCCallbackClass.as_view(), name='oidc_authentication_callback'), url(r'^authenticate/$', OIDCAuthenticateClass.as_view(), name='oidc_authentication_init'), url(r'^logout/$', views.OIDCLogoutView.as_view(), name='oidc_logout'), ]
def authenticate(self, **kwargs): """Authenticates a user based on the OIDC code flow.""" self.request = kwargs.pop('request', None) if not self.request: return None state = self.request.GET.get('state') code = self.request.GET.get('code') nonce = kwargs.pop('nonce', None) session = self.request.session if not code or not state: raise SuspiciousOperation('Code or state not found.') token_payload = { 'client_id': self.OIDC_RP_CLIENT_ID, 'client_secret': self.OIDC_RP_CLIENT_SECRET, 'grant_type': 'authorization_code', 'code': code, 'redirect_uri': absolutify(self.request, reverse('oidc_authentication_callback')), } # Get the token response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT, data=token_payload, verify=import_from_settings( 'OIDC_VERIFY_SSL', True)) response.raise_for_status() # Validate the token token_response = response.json() id_token = token_response.get('id_token') if self.verify_token(id_token, nonce=nonce): access_token = token_response.get('access_token') if import_from_settings('OIDC_STORE_ACCESS_TOKEN', False): session['oidc_access_token'] = access_token if import_from_settings('OIDC_STORE_ID_TOKEN', False): session['oidc_id_token'] = id_token user_response = requests.get( self.OIDC_OP_USER_ENDPOINT, headers={'Authorization': 'Bearer {0}'.format(access_token)}, verify=import_from_settings('OIDC_VERIFY_SSL', True)) user_response.raise_for_status() user_info = user_response.json() email = user_info.get('email') claims_verified = self.verify_claims(user_info) if not claims_verified: LOGGER.debug( 'Login failed: Claims verification for %s failed.', email) return None # email based filtering users = self.filter_users_by_claims(user_info) if len(users) == 1: return self.update_user(users[0], user_info) elif len(users) > 1: # In the rare case that two user accounts have the same email address, # log and bail. Randomly selecting one seems really wrong. LOGGER.warn('Multiple users with email address %s.', email) return None elif import_from_settings('OIDC_CREATE_USER', True): user = self.create_user(user_info) return user else: LOGGER.debug( 'Login failed: No user with email %s found, and ' 'OIDC_CREATE_USER is False', email) return None return None
def get_or_create_user(self, access_token, id_token, verified_id): user = super(OIDCBackend, self).get_or_create_user(access_token, id_token, verified_id) if not user and not import_from_settings('OIDC_CREATE_USER', True): # in this case, user is login from Keycloak, but not allow create self.logout(self.request, next_page=import_from_settings('LOGIN_REDIRECT_URL_FAILURE', '/')) return user
def filter_users_by_claims(self, claims): username = claims.get(import_from_settings('OIDC_USERNAME_ATTRIBUTE', 'preferred_username')) if not username: return self.UserModel.objects.none() return self.UserModel.objects.filter(username__iexact=username)
def get_extra_params(self, request): return import_from_settings('OIDC_AUTH_REQUEST_EXTRA_PARAMS', {})
def test_attr_nonexisting_default_value(self): s = import_from_settings('EXAMPLE_VARIABLE', 'example_default') self.assertEqual(s, 'example_default')
def __init__(self, *args, **kwargs): """Override the init method to dynamically pass a different client_id.""" self.OIDC_RP_VERIFICATION_CLIENT_ID = ( import_from_settings('OIDC_RP_VERIFICATION_CLIENT_ID') ) super(VerifyIdentityView, self).__init__(*args, **kwargs)
def filter_users_by_claims(self, claims): username = claims.get(import_from_settings('OIDC_USERNAME_ATTRIBUTE', 'preferred_username')) if not username: return self.UserModel.objects.none() return self.UserModel.objects.filter(username__iexact=username)
def get(self, request): """Callback handler for OIDC authorization code flow. This is based on the mozilla-django-oidc library. This callback is used to verify the identity added by the user. Users are already logged in and we do not care about authentication. The JWT token is used to prove the identity of the user. """ profile = request.user.userprofile # This is a difference nonce than the one used to login! nonce = request.session.get('oidc_verify_nonce') if nonce: # Make sure that nonce is not used twice del request.session['oidc_verify_nonce'] # Check for all possible errors and display a message to the user. errors = [ 'code' not in request.GET, 'state' not in request.GET, 'oidc_verify_state' not in request.session, request.GET['state'] != request.session['oidc_verify_state'] ] if any(errors): msg = 'Something went wrong, account verification failed.' messages.error(request, msg) return redirect('phonebook:profile_edit') token_payload = { 'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID, 'client_secret': self.OIDC_RP_VERIFICATION_CLIENT_SECRET, 'grant_type': 'authorization_code', 'code': request.GET['code'], 'redirect_uri': absolutify( self.request, nonprefixed_url('phonebook:verify_identity_callback') ), } response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT, data=token_payload, verify=import_from_settings('OIDC_VERIFY_SSL', True)) response.raise_for_status() token_response = response.json() id_token = token_response.get('id_token') # Verify JWT jws = JWS.from_compact(force_bytes(id_token)) jwk = JWK.load(smart_bytes(self.OIDC_RP_VERIFICATION_CLIENT_SECRET)) verified_token = None if jws.verify(jwk): verified_token = jws.payload # Create the new Identity Profile. if verified_token: user_info = json.loads(verified_token) email = user_info['email'] if not user_info.get('email_verified'): msg = 'Account verification failed: Email is not verified.' messages.error(request, msg) return redirect('phonebook:profile_edit') user_q = { 'auth0_user_id': user_info['sub'], 'email': email } # If we are linking GitHub we need to save # the username too. if 'github|' in user_info['sub']: user_q['username'] = user_info['nickname'] # Check that the identity doesn't exist in another Identity profile # or in another mozillians profile error_msg = '' if IdpProfile.objects.filter(**user_q).exists(): error_msg = 'Account verification failed: Identity already exists.' elif User.objects.filter(email__iexact=email).exclude(pk=profile.user.pk).exists(): error_msg = 'The email in this identity is used by another user.' if error_msg: messages.error(request, error_msg) next_url = self.request.session.get('oidc_login_next', None) return HttpResponseRedirect(next_url or reverse('phonebook:profile_edit')) # Save the new identity to the IdpProfile user_q['profile'] = profile idp, created = IdpProfile.objects.get_or_create(**user_q) current_idp = get_object_or_none(IdpProfile, profile=profile, primary=True) # The new identity is stronger than the one currently used. Let's swap append_msg = '' # We need to check for equality too in the case a user updates the primary email in # the same identity (matching auth0_user_id). If there is an addition of the same type # we are not swapping login identities if ((current_idp and current_idp.type < idp.type) or (current_idp and current_idp.auth0_user_id == idp.auth0_user_id) or (not current_idp and created and idp.type >= IdpProfile.PROVIDER_GITHUB)): IdpProfile.objects.filter(profile=profile).exclude(pk=idp.pk).update(primary=False) idp.primary = True idp.save() # Also update the primary email of the user update_email_in_basket(profile.user.email, idp.email) User.objects.filter(pk=profile.user.id).update(email=idp.email) append_msg = ' You need to use this identity the next time you will login.' send_userprofile_to_cis.delay(profile.pk) if created: msg = 'Account successfully verified.' if append_msg: msg += append_msg messages.success(request, msg) else: msg = 'Account verification failed: Identity already exists.' messages.error(request, msg) next_url = self.request.session.get('oidc_login_next', None) return HttpResponseRedirect(next_url or reverse('phonebook:profile_edit'))
from django.conf.urls import url from django.utils.module_loading import import_string from mozilla_django_oidc import views from mozilla_django_oidc.utils import import_from_settings DEFAULT_CALLBACK_CLASS = 'mozilla_django_oidc.views.OIDCAuthenticationCallbackView' CALLBACK_CLASS_PATH = import_from_settings('OIDC_CALLBACK_CLASS', DEFAULT_CALLBACK_CLASS) OIDCCallbackClass = import_string(CALLBACK_CLASS_PATH) DEFAULT_AUTHENTICATE_CLASS = 'mozilla_django_oidc.views.OIDCAuthenticationRequestView' AUTHENTICATE_CLASS_PATH = import_from_settings('OIDC_AUTHENTICATE_CLASS', DEFAULT_AUTHENTICATE_CLASS) OIDCAuthenticateClass = import_string(AUTHENTICATE_CLASS_PATH) urlpatterns = [ url(r'^callback/$', OIDCCallbackClass.as_view(), name='oidc_authentication_callback'), url(r'^authenticate/$', OIDCAuthenticateClass.as_view(), name='oidc_authentication_init'), url(r'^logout/$', views.OIDCLogoutView.as_view(), name='oidc_logout'), ]
def __init__(self, *args, **kwargs): super(OIDCAuthenticationRequestView, self).__init__(*args, **kwargs) self.OIDC_OP_AUTH_ENDPOINT = get_from_well_known( utils.import_from_settings('OIDC_OP_METADATA_ENDPOINT'), 'authorization_endpoint')
def success_url(self): next_url = self.request.session.get('oidc_login_next', None) return next_url or import_from_settings('LOGIN_REDIRECT_URL', '/')
def failure_url(self): return import_from_settings('LOGIN_REDIRECT_URL_FAILURE', '/')
def success_url(self): # Pull the next url from the session or settings--we don't need to # sanitize here because it should already have been sanitized. next_url = self.request.session.get('oidc_login_next', None) return next_url or import_from_settings('LOGIN_REDIRECT_URL', '/')
def success_url(self): # Pull the next url from the session or settings--we don't need to # sanitize here because it should already have been sanitized. next_url = self.request.session.get('oidc_login_next', None) return next_url or import_from_settings('LOGIN_REDIRECT_URL', '/')
from django.conf.urls import url from django.utils.module_loading import import_string from mozilla_django_oidc import views from mozilla_django_oidc.utils import import_from_settings DEFAULT_CALLBACK_CLASS = 'mozilla_django_oidc.views.OIDCAuthenticationCallbackView' CALLBACK_CLASS_PATH = import_from_settings('OIDC_CALLBACK_CLASS', DEFAULT_CALLBACK_CLASS) OIDCCallbackClass = import_string(CALLBACK_CLASS_PATH) urlpatterns = [ url(r'^callback/$', OIDCCallbackClass.as_view(), name='oidc_authentication_callback'), url(r'^authenticate/$', views.OIDCAuthenticationRequestView.as_view(), name='oidc_authentication_init'), url(r'^logout/$', views.OIDCLogoutView.as_view(), name='oidc_logout'), ]
def __init__(self, *args, **kwargs): """Override the init method to dynamically pass a different client_id.""" self.OIDC_RP_VERIFICATION_CLIENT_ID = ( import_from_settings('OIDC_RP_VERIFICATION_CLIENT_ID')) super(VerifyIdentityView, self).__init__(*args, **kwargs)
def redirect_url(self): """Return the logout url defined in settings.""" return import_from_settings('LOGOUT_REDIRECT_URL', '/')
def get(self, request): """Callback handler for OIDC authorization code flow. This is based on the mozilla-django-oidc library. This callback is used to verify the identity added by the user. Users are already logged in and we do not care about authentication. The JWT token is used to prove the identity of the user. """ profile = request.user.userprofile # This is a difference nonce than the one used to login! nonce = request.session.get('oidc_verify_nonce') if nonce: # Make sure that nonce is not used twice del request.session['oidc_verify_nonce'] # Check for all possible errors and display a message to the user. errors = [ 'code' not in request.GET, 'state' not in request.GET, 'oidc_verify_state' not in request.session, not request.GET.get('state') or request.GET['state'] != request.session['oidc_verify_state'] ] if any(errors): msg = 'Something went wrong, account verification failed.' messages.error(request, msg) return redirect('phonebook:profile_edit') token_payload = { 'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID, 'client_secret': self.OIDC_RP_VERIFICATION_CLIENT_SECRET, 'grant_type': 'authorization_code', 'code': request.GET['code'], 'redirect_uri': absolutify(self.request, nonprefixed_url('phonebook:verify_identity_callback')), } response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT, data=token_payload, verify=import_from_settings( 'OIDC_VERIFY_SSL', True)) response.raise_for_status() token_response = response.json() id_token = token_response.get('id_token') # Verify JWT jws = JWS.from_compact(force_bytes(id_token)) jwk = JWK.load(smart_bytes(self.OIDC_RP_VERIFICATION_CLIENT_SECRET)) verified_token = None if jws.verify(jwk): verified_token = jws.payload # Create the new Identity Profile. if verified_token: user_info = json.loads(verified_token) email = user_info['email'] verification_user_id = user_info.get(ORIGINAL_CONNECTION_USER_ID) msg = '' if not user_info.get('email_verified'): msg = 'Account verification failed: Email is not verified.' if not verification_user_id: msg = 'Account verification failed: Could not get original user id' if msg: messages.error(request, msg) return redirect('phonebook:profile_edit') user_q = {'auth0_user_id': verification_user_id, 'email': email} # If we are linking GitHub we need to save # the username too. if 'github|' in verification_user_id: user_q['username'] = user_info['nickname'] # Check that the identity doesn't exist in another Identity profile # or in another mozillians profile error_msg = '' if IdpProfile.objects.filter(**user_q).exists(): error_msg = 'Account verification failed: Identity already exists.' elif User.objects.filter(email__iexact=email).exclude( pk=profile.user.pk).exists(): error_msg = 'The email in this identity is used by another user.' if error_msg: messages.error(request, error_msg) next_url = self.request.session.get('oidc_login_next', None) return HttpResponseRedirect( next_url or reverse('phonebook:profile_edit')) # Save the new identity to the IdpProfile user_q['profile'] = profile idp, created = IdpProfile.objects.get_or_create(**user_q) current_idp = get_object_or_none(IdpProfile, profile=profile, primary=True) # The new identity is stronger than the one currently used. Let's swap append_msg = '' # We need to check for equality too in the case a user updates the primary email in # the same identity (matching auth0_user_id). If there is an addition of the same type # we are not swapping login identities if ((current_idp and current_idp.type < idp.type) or (current_idp and current_idp.auth0_user_id == idp.auth0_user_id) or (not current_idp and created and idp.type >= IdpProfile.PROVIDER_GITHUB)): IdpProfile.objects.filter(profile=profile).exclude( pk=idp.pk).update(primary=False) idp.primary = True idp.save() # Also update the primary email of the user update_email_in_basket(profile.user.email, idp.email) User.objects.filter(pk=profile.user.id).update(email=idp.email) append_msg = ' You need to use this identity the next time you will login.' send_userprofile_to_cis.delay(profile.pk) if created: msg = 'Account successfully verified.' if append_msg: msg += append_msg messages.success(request, msg) else: msg = 'Account verification failed: Identity already exists.' messages.error(request, msg) next_url = self.request.session.get('oidc_login_next', None) return HttpResponseRedirect(next_url or reverse('phonebook:profile_edit'))
def __init__(self, *args, **kwargs): super(OIDCAuthenticationRequestView, self).__init__(*args, **kwargs) self.OIDC_OP_AUTH_ENDPOINT = import_from_settings('OIDC_OP_AUTHORIZATION_ENDPOINT') self.OIDC_RP_CLIENT_ID = import_from_settings('OIDC_RP_CLIENT_ID')
def process_request(self, request): site = request.site if not hasattr(site, "oidcsettings"): raise RuntimeError( "Site {} has no settings configured.".format(site)) if not self.is_refreshable_url(request): return expiration = request.session.get('oidc_id_token_expiration', 0) now = time.time() if expiration > now: # The id_token is still valid, so we don't have to do anything. return # The id_token has expired, so we have to re-authenticate silently. auth_url = import_from_settings('OIDC_OP_AUTHORIZATION_ENDPOINT') client_id = site.oidcsettings.oidc_rp_client_id state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32)) # Build the parameters as if we were doing a real auth handoff, except # we also include prompt=none. params = { 'response_type': 'code', 'client_id': client_id, 'redirect_uri': absolutify(request, reverse('oidc_authentication_callback')), 'state': state, 'scope': site.oidcsettings.oidc_rp_scopes, 'prompt': 'none', } if import_from_settings('OIDC_USE_NONCE', True): nonce = get_random_string( import_from_settings('OIDC_NONCE_SIZE', 32)) params.update({'nonce': nonce}) request.session['oidc_nonce'] = nonce request.session['oidc_state'] = state request.session['oidc_login_next'] = request.get_full_path() query = urlencode(params) redirect_url = '{url}?{query}'.format(url=auth_url, query=query) if request.is_ajax(): # Almost all XHR request handling in client-side code struggles # with redirects since redirecting to a page where the user # is supposed to do something is extremely unlikely to work # in an XHR request. Make a special response for these kinds # of requests. # The use of 403 Forbidden is to match the fact that this # middleware doesn't really want the user in if they don't # refresh their session. response = JsonResponse({'refresh_url': redirect_url}, status=403) response['refresh_url'] = redirect_url return response return HttpResponseRedirect(redirect_url)
def redirect_url(self): """Return the logout url defined in settings.""" return import_from_settings('LOGOUT_REDIRECT_URL', '/')
def __init__(self, *args, **kwargs): super(OIDCAuthenticationRequestView, self).__init__(*args, **kwargs) self.OIDC_OP_AUTH_ENDPOINT = import_from_settings('OIDC_OP_AUTHORIZATION_ENDPOINT') self.OIDC_RP_CLIENT_ID = import_from_settings('OIDC_RP_CLIENT_ID')