def get_redirect_url(self):
provider_name = self.request.GET.get('provider', None)
if provider_name is None:
raise ValidationError('No provider specified')
badgr_app = BadgrApp.objects.get_current(request=self.request)
if badgr_app is not None:
set_session_badgr_app(self.request, badgr_app)
else:
raise ValidationError('Unable to save BadgrApp in session')
self.request.session['source'] = self.request.GET.get('source', None)
try:
if 'saml2' in provider_name:
redirect_url = reverse('saml2login', args=[provider_name])
else:
redirect_url = reverse('{}_login'.format(provider_name))
except (
NoReverseMatch,
TypeError,
):
raise ValidationError('No {} provider found'.format(provider_name))
authcode = self.request.GET.get('authCode', None)
if authcode is not None:
set_session_authcode(self.request, authcode)
return set_url_query_params(redirect_url,
process=AuthProcess.CONNECT)
else:
return redirect_url
def get_redirect_url(self):
provider_name = self.request.GET.get('provider', None)
if provider_name is None:
raise ValidationError('No provider specified')
badgr_app = BadgrApp.objects.get_current(request=self.request)
if badgr_app is not None:
set_session_badgr_app(self.request, badgr_app)
else:
raise ValidationError('Unable to save BadgrApp in session')
try:
redirect_url = reverse('{}_login'.format(
self.request.GET.get('provider')))
except NoReverseMatch:
raise ValidationError('No {} provider found'.format(provider_name))
auth_token = self.request.GET.get('authToken', None)
if auth_token is not None:
get_verified_user(
auth_token
) # Raises AuthenticationFailed if auth token is invalid
set_session_auth_token(self.request, auth_token)
return set_url_query_params(redirect_url,
process=AuthProcess.CONNECT)
else:
return redirect_url
def get_context_data(self, **kwargs):
context_data = super(LoginLti, self).get_context_data(**kwargs)
context_data['ltitest'] = 'yes lti test'
badgr_app = kwargs['tenant'].badgr_app
context_data['login_url'] = self.get_login_url()
context_data['login_image'] = self.get_login_image()
if badgr_app is not None:
set_session_badgr_app(self.request, badgr_app)
else:
print('badgr app is none in lti_view')
# check login
try:
ltibadgetennant = LtiBadgeUserTennant.objects.get(
lti_tennant=kwargs['tenant'],
lti_user_id=self.request.POST['user_id'],
staff=self.staff)
# login_user(self.request, ltibadgetennant.badge_user)
except Exception as e:
pass
context_data['after_login'] = self.get_after_login(badgr_app)
context_data['check_login'] = self.get_check_login_url(badgr_app)
return context_data
def login(self, request, user):
"""
Preserve badgr_app session data across Django login() boundary
"""
badgr_app = get_session_badgr_app(request)
ret = super(BadgrAccountAdapter, self).login(request, user)
set_session_badgr_app(request, badgr_app)
return ret
def login(self, request, user):
"""
Preserve badgr_app session data across Django login() boundary
"""
badgr_app = get_session_badgr_app(request)
ret = super(BadgrAccountAdapter, self).login(request, user)
set_session_badgr_app(request, badgr_app)
return ret
def test_add_samlaccount_to_existing_user_with_varying_email(self):
email = '*****@*****.**'
t_user = self.setup_user(
email=email, token_scope='rw:profile rw:issuer rw:backpack')
preflight_response = self.client.get(
reverse('v2_api_user_socialaccount_connect') +
'?provider={}'.format(self.config.slug))
self.assertEqual(preflight_response.status_code, 200)
location = urlparse(preflight_response.data['result']['url'])
authcode = parse_qs(location.query)['authCode'][0]
location = '?'.join([location.path, location.query])
# the location now includes an auth code
self.client.logout()
response = self.client.get(location)
self.assertEqual(response.status_code, 302)
location = response._headers['location'][1]
response = self.client.get(location)
self.assertEqual(response.status_code, 302)
# Can auto provision again
rf = RequestFactory()
fake_request = rf.post(
reverse('assertion_consumer_service',
kwargs={'idp_name': self.config.slug}),
{'saml_assertion': 'very fake'})
email2 = '*****@*****.**'
resp = auto_provision(fake_request, [email2], t_user.first_name,
t_user.last_name, self.config)
self.assertEqual(resp.status_code, 302)
fake_request.session = dict()
set_session_authcode(fake_request, authcode)
set_session_badgr_app(fake_request, self.badgr_app)
fake_request.session['idp_name'] = self.config.slug
resp = self.client.get(resp.url)
self.assertEqual(resp.status_code, 302)
self.assertIn("authToken", resp.url)
self.assertIn(self.badgr_app.ui_login_redirect, resp.url)
Saml2Account.objects.get(
user=t_user) # There is a Saml account associated with the user.
CachedEmailAddress.objects.get(email=email2,
user=t_user,
verified=True,
primary=False) # User has the email.
email3 = '*****@*****.**'
resp = auto_provision(fake_request, [email2, email3],
t_user.first_name, t_user.last_name, self.config)
CachedEmailAddress.objects.get(email=email3,
user=t_user,
verified=True,
primary=False) # User has new email.
def login(self, request, user):
"""
Preserve badgr_app session data across Django login() boundary
"""
badgr_app = get_session_badgr_app(request)
if badgr_app is None:
url = request.build_absolute_uri()
print(('Badgr app is none in login {}'.format(url)))
ret = super(BadgrAccountAdapter, self).login(request, user)
set_session_badgr_app(request, badgr_app)
return ret
def get(self, *args, **kwargs):
user = BadgeUser.objects.get(pk=kwargs['id'])
social_account = user.get_social_account()
get_adapter(self.request).logout(self.request)
sociallogin = SocialLogin(account=social_account, email_addresses=[email for email in user.email_items])
sociallogin.user = user
badgr_app = BadgrApp.objects.filter(pk=user.badgrapp_id).first()
if not badgr_app:
badgr_app = BadgrApp.objects.all().first()
set_session_badgr_app(self.request, badgr_app)
ret = perform_login(self.request, sociallogin.user,
email_verification=app_settings.EMAIL_VERIFICATION,
redirect_url=sociallogin.get_redirect_url(self.request),
signal_kwargs={"sociallogin": sociallogin})
return ret
def login(self, request, user):
"""
Guard against unverified users and preserve badgr_app session data
across Django login() boundary.
"""
badgr_app = BadgrApp.objects.get_current(request)
if not user.verified and badgr_app.ui_login_redirect != badgr_app.ui_signup_success_redirect:
# The usual case if a user gets here without a verified recipient
# identifier is a new sign-up with an unverified email. If that's
# the case, we just sent them a confirmation.
# This is for UI clients that do not have the ability to function without a verified user identifier
raise ImmediateHttpResponse(
self.respond_email_verification_sent(request, user))
ret = super(BadgrAccountAdapter, self).login(request, user)
set_session_badgr_app(request, badgr_app)
return ret
def get_redirect_url(self):
provider_name = self.request.GET.get('provider', None)
if provider_name is None:
raise ValidationError('No provider specified')
badgr_app = BadgrApp.objects.get_current(request=self.request)
if badgr_app is not None:
set_session_badgr_app(self.request, badgr_app)
else:
raise ValidationError('Unable to save BadgrApp in session')
try:
redirect_url = reverse('{}_login'.format(self.request.GET.get('provider')))
except NoReverseMatch:
raise ValidationError('No {} provider found'.format(provider_name))
authcode = self.request.GET.get('authCode', None)
if authcode is not None:
set_session_authcode(self.request, authcode)
return set_url_query_params(redirect_url, process=AuthProcess.CONNECT)
else:
validate_name = self.request.GET.get('validateName', "false").lower() == "true"
return set_url_query_params(redirect_url, validateName=validate_name)
def get_redirect_url(self):
provider_name = self.request.GET.get('provider', None)
if provider_name is None:
raise ValidationError('No provider specified')
badgr_app = BadgrApp.objects.get_current(request=self.request)
if badgr_app is not None:
set_session_badgr_app(self.request, badgr_app)
else:
raise ValidationError('Unable to save BadgrApp in session')
try:
redirect_url = reverse('{}_login'.format(self.request.GET.get('provider')))
except NoReverseMatch:
raise ValidationError('No {} provider found'.format(provider_name))
authcode = self.request.GET.get('authCode', None)
if authcode is not None:
set_session_authcode(self.request, authcode)
return set_url_query_params(redirect_url, process=AuthProcess.CONNECT)
else:
return redirect_url
def callback(request):
"""
Callback page, after user returns from "Where are you from" page.
Steps:
1. Exchange callback Token for id token
2. Decode id_token with the user info in the claims
3. Complete social login and return to frontend
Retrieved information:
- email: required, if not available will fail request
- sub: required, string, user code
- given_name: optional, string
- family_name: optional, string
- schac_home_organization: required
:return: Either renders authentication error, or completes the social login
"""
# extract the state of the redirect
if request.user.is_authenticated:
get_account_adapter(request).logout(request) # logging in while being authenticated breaks the login procedure
process, auth_token, badgr_app_pk, lti_data, lti_user_id, lti_roles, referer = json.loads(request.GET.get('state'))
code = request.GET.get('code', None)
if code is None:
error = 'Server error: No userToken found in callback'
return render_authentication_error(request, SurfConextProvider.id, error=error)
# 1. Exchange callback Token for id token
_current_app = SocialApp.objects.get_current(provider='surf_conext')
payload = {
"grant_type": "authorization_code",
"redirect_uri": f"{settings.HTTP_ORIGIN}/account/openid/login/callback/",
"code": code,
"scope": "openid",
"client_id": _current_app.client_id,
"client_secret": _current_app.secret,
}
headers = {'Content-Type': "application/x-www-form-urlencoded",
'Cache-Control': "no-cache"
}
response = requests.post(f"{settings.SURFCONEXT_DOMAIN_URL}/token", data=urllib.parse.urlencode(payload),
headers=headers)
if response.status_code != 200:
error = 'Server error: Token endpoint error (http %s) try alternative login methods' % response.status_code
return render_authentication_error(request, SurfConextProvider.id, error=error)
data = response.json()
id_token = data.get('id_token', None)
if id_token is None:
error = 'Server error: No id_token token, try alternative login methods.'
return render_authentication_error(request, SurfConextProvider.id, error=error)
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
set_session_badgr_app(request, BadgrApp.objects.get(pk=badgr_app.pk))
payload = jwt.get_unverified_claims(id_token)
for attr in ['sub', 'email', 'schac_home_organization']:
if attr not in payload:
error = f"Sorry, your account does not have a {attr} attribute. Login with SURFconext and then try again"
logger.error(error)
return render_authentication_error(request, SurfConextProvider.id, error)
# 3. Complete social login and return to frontend
provider = SurfConextProvider(request)
login = provider.sociallogin_from_response(request, payload)
# connect process in which OpenID connects with, either login or connect, if you connect then login user with token
login.state = {'process': process}
# login for connect because socialLogin can only connect to request.user
if process == 'connect' and request.user.is_anonymous and auth_token:
request.user = get_verified_user(auth_token=auth_token)
ret = complete_social_login(request, login)
new_url = ret.url+'&role=teacher'
ret = HttpResponseRedirect(new_url)
if not request.user.is_anonymous: # the social login succeeded
institution_identifier = payload['schac_home_organization']
try:
institution = Institution.objects.get(identifier=institution_identifier)
# the institution exists
if request.user.invited: # this user has been invited in the past
provisions = request.user.match_provisionments()
for provision in provisions:
provision.perform_provisioning()
else: # user has not been invited, check for invitations
request.user.institution = institution
request.user.is_teacher = True
request.user.invited = True
try:
provisionment = request.user.match_provisionments().get() # get the initial provisioning for the first login, there can only be one
request.user.save()
provisionment.match_user(request.user)
provisionment.perform_provisioning()
except (UserProvisionment.DoesNotExist, BadgrValidationError): # there is no provisionment
extra_context = {}
if institution and institution.cached_staff():
cached_staff = institution.cached_staff()
admins = list(filter(lambda u: u.may_administrate_users, cached_staff))
if len(admins) > 0:
extra_context["admin_email"] = admins[0].user.email
error = 'Sorry, you can not register without an invite.'
extra_context["code"] = AuthErrorCode.REGISTER_WITHOUT_INVITE
if request.user.date_joined.today().date() == datetime.datetime.today().date(): # extra protection before deletion
request.user.delete()
return render_authentication_error(request, SurfConextProvider.id, error,
extra_context=extra_context)
except Institution.DoesNotExist: # no institution yet, and therefore also first login ever
error = 'Sorry, your institution has not been created yet.'
return render_authentication_error(request, SurfConextProvider.id, error,
extra_context={"code": AuthErrorCode.REGISTER_WITHOUT_INVITE})
request.user.accept_general_terms()
lti_data = request.session.get('lti_data', None)
if lti_data is not None and 'lti_user_id' in lti_data:
if not request.user.is_anonymous:
tenant = LTITenant.objects.get(client_key=lti_data['lti_tenant'])
badgeuser_tennant, _ = LtiBadgeUserTennant.objects.get_or_create(lti_user_id=lti_data['lti_user_id'],
badge_user=request.user,
lti_tennant=tenant,
staff=True)
user_current_context_id, _ = UserCurrentContextId.objects.get_or_create(badge_user=request.user)
user_current_context_id.context_id = lti_data['lti_context_id']
user_current_context_id.save()
request.session['lti_user_id'] = lti_user_id
request.session['lti_roles'] = lti_roles
# override the response with a redirect to staff dashboard if the login came from there
if referer == 'staff':
return HttpResponseRedirect(reverse('admin:index'))
return ret
def after_terms_agreement(request, **kwargs):
access_token = kwargs.get('access_token', None)
if not access_token:
error = 'Sorry, we could not find you SURFconext credentials.'
return render_authentication_error(request, SurfConextProvider.id,
error)
headers = {'Authorization': 'bearer %s' % access_token}
badgr_app_pk, login_type, process, auth_token, lti_context_id, lti_user_id, lti_roles, referer = json.loads(
kwargs['state'])
try:
badgr_app_pk = int(badgr_app_pk)
except:
badgr_app_pk = settings.BADGR_APP_ID
set_session_badgr_app(request, BadgrApp.objects.get(pk=badgr_app_pk))
lti_data = request.session.get('lti_data', None)
url = settings.SURFCONEXT_DOMAIN_URL + '/userinfo'
response = requests.get(url, headers=headers)
if response.status_code != 200:
error = 'Server error: User info endpoint error (http %s). Try alternative login methods' % response.status_code
return render_authentication_error(request,
SurfConextProvider.id,
error=error)
# retrieved data in fields and ensure that email & sud are in extra_data
extra_data = response.json()
if 'email' not in extra_data or 'sub' not in extra_data:
error = 'Sorry, your account has no email attached from SURFconext, try another login method.'
return render_authentication_error(request, SurfConextProvider.id,
error)
if "schac_home_organization" not in extra_data:
error = 'Sorry, your account has no home organization attached from SURFconext, try another login method.'
return render_authentication_error(request, SurfConextProvider.id,
error)
if 'family_name' in extra_data:
extra_data['family_name'] = ''
if 'given_name' in extra_data:
extra_data['given_name'] = ''
# 3. Complete social login and return to frontend
provider = SurfConextProvider(request)
login = provider.sociallogin_from_response(request, extra_data)
# Reset the badgr app id after login as django overturns it
# connect process in which OpenID connects with, either login or connect, if you connect then login user with token
login.state = {'process': process}
# login for connect because socialLogin can only connect to request.user
if process == 'connect' and request.user.is_anonymous() and auth_token:
request.user = get_verified_user(auth_token=auth_token)
ret = complete_social_login(request, login)
if not request.user.is_anonymous(): # the social login succeeded
institution_name = extra_data['schac_home_organization']
institution, created = Institution.objects.get_or_create(
name=institution_name)
request.user.institution = institution
request.user.save()
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
resign = True
check_agreed_term_and_conditions(request.user, badgr_app, resign=resign)
if lti_data is not None and 'lti_user_id' in lti_data:
if not request.user.is_anonymous():
tenant = LTITenant.objects.get(client_key=lti_data['lti_tenant'])
badgeuser_tennant, _ = LtiBadgeUserTennant.objects.get_or_create(
lti_user_id=lti_data['lti_user_id'],
badge_user=request.user,
lti_tennant=tenant,
staff=True)
user_current_context_id, _ = UserCurrentContextId.objects.get_or_create(
badge_user=request.user)
user_current_context_id.context_id = lti_data['lti_context_id']
user_current_context_id.save()
request.session['lti_user_id'] = lti_user_id
request.session['lti_roles'] = lti_roles
if not request.user.is_authenticated:
print(request.__dict__)
a = 1
# override the response with a redirect to staff dashboard if the login came from there
if referer == 'staff':
return HttpResponseRedirect(reverse('admin:index'))
else:
return ret
def after_terms_agreement(request, **kwargs):
'''
this is the second part of the callback, after consent has been given, or is user already exists
'''
badgr_app_pk, login_type, lti_context_id, lti_user_id, lti_roles, referer = json.loads(
kwargs['state'])
lti_data = request.session.get('lti_data', None)
try:
badgr_app_pk = int(badgr_app_pk)
except:
badgr_app_pk = settings.BADGR_APP_ID
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
set_session_badgr_app(request, badgr_app)
id_token = kwargs.get('id_token', None)
if not id_token:
error = 'Sorry, we could not find your eduID credentials.'
return render_authentication_error(request, EduIDProvider.id, error)
payload = jwt.get_unverified_claims(id_token)
logger.info(
f"Using payload attribute {settings.EDUID_IDENTIFIER} for unique identifier"
)
social_account = get_social_account(payload[settings.EDUID_IDENTIFIER])
if not social_account: # user does not exist
# Fail fast if not all required attribbutes are there
for attr in [
settings.EDUID_IDENTIFIER, 'email', 'family_name', 'given_name'
]:
if attr not in payload:
error = f"Sorry, your eduID account does not have a {attr} attribute. Login to eduID and then try again"
logger.error(error)
return render_authentication_error(request, EduIDProvider.id,
error)
else: # user already exists
update_user_params(social_account.user, payload)
# 3. Complete social login
provider = EduIDProvider(request)
login = provider.sociallogin_from_response(request, payload)
ret = complete_social_login(request, login)
new_url = ret.url + '&role=student'
ret = HttpResponseRedirect(new_url)
set_session_badgr_app(request, badgr_app)
request.user.accept_general_terms()
logger.info(f"payload from surfconext {json.dumps(payload)}")
if "acr" in payload and payload[
"acr"] == "https://eduid.nl/trust/validate-names":
request.user.validated_name = f"{payload['given_name']} {payload['family_name']}"
logger.info(
f"Stored validated name {payload['given_name']} {payload['family_name']}"
)
access_token = kwargs.get('access_token', None)
headers = {
"Accept": "application/json, application/json;charset=UTF-8",
"Authorization": f"Bearer {access_token}"
}
response = requests.get(
f"{settings.EDUID_API_BASE_URL}/myconext/api/eduid/eppn",
headers=headers)
if response.status_code != 200:
error = f"Server error: eduID eppn endpoint error ({response.status_code})"
logger.debug(error)
return render_authentication_error(request,
EduIDProvider.id,
error=error)
eppn_json = response.json()
request.user.clear_affiliations()
for info in eppn_json:
request.user.add_affiliations([{
'eppn':
info["eppn"],
'schac_home':
info["schac_home_organization"]
}])
logger.info(
f"Stored affiliations {info['eppn']} {info['schac_home_organization']}"
)
request.user.save()
# create lti_connection
if lti_data is not None and 'lti_user_id' in lti_data:
if not request.user.is_anonymous:
tenant = LTITenant.objects.get(client_key=lti_data['lti_tenant'])
badgeuser_tennant, _ = LtiBadgeUserTennant.objects.get_or_create(
lti_user_id=lti_data['lti_user_id'],
badge_user=request.user,
lti_tennant=tenant,
staff=False)
user_current_context_id, _ = UserCurrentContextId.objects.get_or_create(
badge_user=request.user)
user_current_context_id.context_id = lti_data['lti_context_id']
user_current_context_id.save()
request.session['lti_user_id'] = lti_user_id
request.session['lti_roles'] = lti_roles
if not social_account:
# Create an eduIDBadge
create_edu_id_badge_instance(login)
return ret
def after_terms_agreement(request, **kwargs):
'''
this is the second part of the callback, after consent has been given, or is user already exists
'''
badgr_app_pk, login_type, lti_context_id, lti_user_id, lti_roles, referer = json.loads(
kwargs['state'])
lti_data = request.session.get('lti_data', None)
try:
badgr_app_pk = int(badgr_app_pk)
except:
badgr_app_pk = settings.BADGR_APP_ID
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
set_session_badgr_app(request, badgr_app)
id_token = kwargs.get('id_token', None)
if not id_token:
error = 'Sorry, we could not find your eduID credentials.'
return render_authentication_error(request, EduIDProvider.id, error)
payload = jwt.get_unverified_claims(id_token)
social_account = get_social_account(payload['sub'])
if not social_account: # user does not exist
# ensure that email & names are in extra_data
if 'email' not in payload:
error = 'Sorry, your eduID account does not have your institution mail. Login to eduID and link your institution account, then try again.'
logger.error(error)
return render_authentication_error(request, EduIDProvider.id,
error)
if 'family_name' not in payload:
error = 'Sorry, your eduID account has no family_name attached from SURFconext. Login to eduID and link your institution account, then try again.'
logger.error(error)
return render_authentication_error(request, EduIDProvider.id,
error)
if 'given_name' not in payload:
error = 'Sorry, your eduID account has no first_name attached from SURFconext. Login to eduID and link your institution account, then try again.'
logger.error(error)
return render_authentication_error(request, EduIDProvider.id,
error)
else: # user already exists
update_user_params(social_account.user, payload)
# 3. Complete social login
provider = EduIDProvider(request)
login = provider.sociallogin_from_response(request, payload)
ret = complete_social_login(request, login)
new_url = ret.url + '&role=student'
ret = HttpResponseRedirect(new_url)
set_session_badgr_app(request, badgr_app)
request.user.accept_general_terms()
logger.info(f"payload from surfconext {json.dumps(payload)}")
if "acr" in payload and payload[
"acr"] == "https://eduid.nl/trust/validate-names":
request.user.validated_name = f"{payload['given_name']} {payload['family_name']}"
request.user.save()
logger.info(
f"Stored validated name {payload['given_name']} {payload['family_name']}"
)
# create lti_connection
if lti_data is not None and 'lti_user_id' in lti_data:
if not request.user.is_anonymous:
tenant = LTITenant.objects.get(client_key=lti_data['lti_tenant'])
badgeuser_tennant, _ = LtiBadgeUserTennant.objects.get_or_create(
lti_user_id=lti_data['lti_user_id'],
badge_user=request.user,
lti_tennant=tenant,
staff=False)
user_current_context_id, _ = UserCurrentContextId.objects.get_or_create(
badge_user=request.user)
user_current_context_id.context_id = lti_data['lti_context_id']
user_current_context_id.save()
request.session['lti_user_id'] = lti_user_id
request.session['lti_roles'] = lti_roles
if not social_account:
# Create an eduIDBadge
create_edu_id_badge_instance(login)
return ret
def callback(request):
"""
Callback page, after user returns from "Where are you from" page.
Due to limited scope support (without tokenized user information) the OpenID workflow is extended.
Steps:
1. Exchange callback Token for access token
2. Retrieve user information with the access token
3. Complete social login and return to frontend
Retrieved information:
- email: Obligated, if not available will fail request
- sub: optional, string, user code
- given_name: optional, string
- family_name: optional, string
- edu_person_targeted_id: optional
- schac_home_organization: optional
:return: Either renders authentication error, or completes the social login
"""
# extract the state of the redirect
if request.user.is_authenticated:
get_account_adapter(request).logout(
request
) # logging in while being authenticated breaks the login procedure
process, auth_token, badgr_app_pk, lti_data, lti_user_id, lti_roles, referer = json.loads(
request.GET.get('state'))
if badgr_app_pk is None:
print('none here')
# check if code is given
code = request.GET.get('code', None)
if code is None:
error = 'Server error: No userToken found in callback'
return render_authentication_error(request,
SurfConextProvider.id,
error=error)
# 1. Exchange callback Token for access token
_current_app = SocialApp.objects.get_current(provider='surf_conext')
data = {
'redirect_uri':
'%s/account/openid/login/callback/' % settings.HTTP_ORIGIN,
'client_id': _current_app.client_id,
'client_secret': _current_app.secret,
'scope': 'openid',
'grant_type': 'authorization_code',
'code': code
}
url = settings.SURFCONEXT_DOMAIN_URL + '/token?%s' % (
urllib.parse.urlencode(data))
response = requests.post(url)
if response.status_code != 200:
error = 'Server error: Token endpoint error (http %s) try alternative login methods' % response.status_code
return render_authentication_error(request,
SurfConextProvider.id,
error=error)
data = response.json()
access_token = data.get('access_token', None)
if access_token is None:
error = 'Server error: No access token, try alternative login methods.'
return render_authentication_error(request,
SurfConextProvider.id,
error=error)
# 2. Retrieve user information with the access token
headers = {'Authorization': 'bearer %s' % data['access_token']}
url = settings.SURFCONEXT_DOMAIN_URL + '/userinfo'
response = requests.get(url, headers=headers)
if response.status_code != 200:
error = 'Server error: User info endpoint error (http %s). Try alternative login methods' % response.status_code
return render_authentication_error(request,
SurfConextProvider.id,
error=error)
# retrieved data in fields and ensure that email & sud are in extra_data
extra_data = response.json()
keyword_arguments = {
'access_token':
access_token,
'state':
json.dumps([
badgr_app_pk, 'surf_conext', process, auth_token, lti_data,
lti_user_id, lti_roles, referer
]),
'after_terms_agreement_url_name':
'surf_conext_terms_accepted_callback'
}
if not get_social_account(extra_data['sub']):
return HttpResponseRedirect(
reverse('accept_terms', kwargs=keyword_arguments))
social_account = get_social_account(extra_data['sub'])
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
set_session_badgr_app(request, BadgrApp.objects.get(pk=badgr_app.pk))
if 'edu_person_affiliations' in extra_data:
if not ('employee' in extra_data['edu_person_affiliations']
or 'faculty' in extra_data['edu_person_affiliations']):
error = 'Must be employee or faculty member to login. If You are a student, please login with EduID'
return render_authentication_error(request, SurfConextProvider.id,
error)
if not check_agreed_term_and_conditions(social_account.user, badgr_app):
return HttpResponseRedirect(
reverse('accept_terms_resign', kwargs=keyword_arguments))
return after_terms_agreement(request, **keyword_arguments)
def after_terms_agreement(request, **kwargs):
'''
this is the second part of the callback, after consent has been given, or is user already exists
'''
badgr_app_pk, login_type, lti_context_id, lti_user_id, lti_roles, referer = json.loads(
kwargs['state'])
lti_data = request.session.get('lti_data', None)
badgr_app = BadgrApp.objects.get(pk=badgr_app_pk)
set_session_badgr_app(request, badgr_app)
access_token = kwargs.get('access_token', None)
if not access_token:
error = 'Sorry, we could not find your eduID credentials.'
return render_authentication_error(request, EduIDProvider.id, error)
headers = {"Authorization": "Bearer " + access_token}
response = requests.get("{}/userinfo".format(settings.EDUID_PROVIDER_URL),
headers=headers)
if response.status_code != 200:
error = 'Server error: User info endpoint error (http %s). Try alternative login methods' % response.status_code
logger.debug(error)
return render_authentication_error(request,
EduIDProvider.id,
error=error)
userinfo_json = response.json()
if 'sub' not in userinfo_json:
error = 'Sorry, your eduID account has no identifier.'
logger.debug(error)
return render_authentication_error(request, EduIDProvider.id, error)
social_account = get_social_account(userinfo_json['sub'])
if not social_account: # user does not exist
# ensure that email & names are in extra_data
if 'email' not in userinfo_json:
error = 'Sorry, your eduID account does not have your institution mail. Login to eduID and link your institution account, then try again.'
logger.debug(error)
return render_authentication_error(request, EduIDProvider.id,
error)
if 'family_name' not in userinfo_json:
error = 'Sorry, your eduID account has no family_name attached from SURFconext. Login to eduID and link your institution account, then try again.'
logger.debug(error)
return render_authentication_error(request, EduIDProvider.id,
error)
if 'given_name' not in userinfo_json:
error = 'Sorry, your eduID account has no first_name attached from SURFconext. Login to eduID and link your institution account, then try again.'
logger.debug(error)
return render_authentication_error(request, EduIDProvider.id,
error)
else: # user already exists
update_user_params(social_account.user, userinfo_json)
# 3. Complete social login
provider = EduIDProvider(request)
login = provider.sociallogin_from_response(request, userinfo_json)
ret = complete_social_login(request, login)
set_session_badgr_app(request, badgr_app)
resign = True
check_agreed_term_and_conditions(request.user, badgr_app, resign=resign)
#create lti_connection
if lti_data is not None and 'lti_user_id' in lti_data:
if not request.user.is_anonymous():
tenant = LTITenant.objects.get(client_key=lti_data['lti_tenant'])
badgeuser_tennant, _ = LtiBadgeUserTennant.objects.get_or_create(
lti_user_id=lti_data['lti_user_id'],
badge_user=request.user,
lti_tennant=tenant,
staff=False)
user_current_context_id, _ = UserCurrentContextId.objects.get_or_create(
badge_user=request.user)
user_current_context_id.context_id = lti_data['lti_context_id']
user_current_context_id.save()
request.session['lti_user_id'] = lti_user_id
request.session['lti_roles'] = lti_roles
# 4. Return the user to where she came from (ie the referer: public enrollment or main page)
if 'public' in referer:
if 'badges' in referer:
badgeclass_slug = referer[-1]
if badgeclass_slug:
edu_id = userinfo_json['sub']
enrolled = enroll_student(request.user, edu_id,
badgeclass_slug)
url = ret.url + '&public=true' + '&badgeclassSlug=' + badgeclass_slug + '&enrollmentStatus=' + enrolled
return HttpResponseRedirect(url)
else:
return ret
