Allow the use of unhashed secrets (#1311)

* enable configuration of Applications to keep the client_secret unhashed to enable properly signed JWTs

---------

Co-authored-by: Alan Crosswell <[email protected]>
Co-authored-by: Alan Crosswell <[email protected]>

Author: gardenerik

AUTHORS

@@ -9,6 +9,7 @@ Contributors
 
 Abhishek Patel
 Adam Johnson
+Adam Zahradník
 Adheeth P Praveen
 Alan Crosswell
 Alejandro Mantecon Guillen

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #1185 Add middleware for adding access token to request
 * #1273 Add caching of loading of OIDC private key.
 * #1285 Add post_logout_redirect_uris field in application views.
+* #1311 Add option to disable client_secret hashing to allow verifying JWTs' signatures.
 
 - ### Fixed
 * #1284 Allow to logout whith no id_token_hint even if the browser session already expired

docs/_images/application-register-auth-code.png

@@ -244,7 +244,9 @@ Start the development server::
 
 Point your browser to http://127.0.0.1:8000/o/applications/register/ lets create an application.
 
-Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret`` we will use it in a minute.
+Fill the form as show in the screenshot below and before save take note of ``Client id`` and ``Client secret``, we will use it in a minute.
+
+If you want to use this application with OIDC and ``HS256`` (see :doc:`OpenID Connect <oidc>`), uncheck ``Hash client secret`` to allow verifying tokens using JWT signatures. This means your client secret will be stored in cleartext but is the only way to successfully use signed JWT's.
 
 .. image:: _images/application-register-auth-code.png
    :alt: Authorization code application registration

docs/_images/application-register-client-credential.png

@@ -133,6 +133,9 @@ If you would prefer to use just ``HS256`` keys, you don't need to create any
 additional keys, ``django-oauth-toolkit`` will just use the application's
 ``client_secret`` to sign the JWT token.
 
+To be able to verify the JWT's signature using the ``client_secret``, you
+must set the application's ``hash_client_secret`` to ``False``.
+
 In this case, you just need to enable OIDC and add ``openid`` to your list of
 scopes in your ``settings.py``::
 

docs/getting_started.rst

@@ -99,6 +99,11 @@ point your browser to http://localhost:8000/o/applications/ and add an Applicati
  * `Name`: this is the name of the client application on the server, and will be displayed on the authorization request
    page, where users can allow/deny access to their data.
 
+ * `Hash client secret`: checking this hashes the client secret on save so it cannot be retrieved later. This should be
+   unchecked if you plan to use OIDC with ``HS256`` and want to check the tokens' signatures using JWT. Otherwise,
+   Django OAuth Toolkit cannot use `Client Secret` to sign the tokens (as it cannot be retrieved later) and the hashed
+   value will be used when signing. This may lead to incompatibilities with some OIDC Relying Party libraries.
+
 Take note of the `Client id` and the `Client Secret` then logout (this is needed only for testing the authorization
 process we'll explain shortly)
 

docs/oidc.rst

@@ -48,6 +48,13 @@ def add_arguments(self, parser):
             type=str,
             help="The secret for this application",
         )
+        parser.add_argument(
+            "--no-hash-client-secret",
+            dest="hash_client_secret",
+            action="store_false",
+            help="Don't hash the client secret",
+        )
+        parser.set_defaults(hash_client_secret=True)
         parser.add_argument(
             "--name",
             type=str,
@@ -74,7 +81,7 @@ def handle(self, *args, **options):
             # Data in options must be cleaned because there are unneeded key-value like
             # verbosity and others. Also do not pass any None to the Application
             # instance so default values will be generated for those fields
-            if key in application_fields and value:
+            if key in application_fields and (isinstance(value, bool) or value):
                 if key == "user":
                     application_data.update({"user_id": value})
                 else:

docs/tutorial/tutorial_01.rst

@@ -0,0 +1,18 @@
+# Generated by Django 4.2.5 on 2023-09-07 19:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0008_alter_accesstoken_token'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='hash_client_secret',
+            field=models.BooleanField(default=True),
+        ),
+    ]

oauth2_provider/management/commands/createapplication.py

@@ -29,6 +29,10 @@
 class ClientSecretField(models.CharField):
     def pre_save(self, model_instance, add):
         secret = getattr(model_instance, self.attname)
+        should_be_hashed = getattr(model_instance, "hash_client_secret", True)
+        if not should_be_hashed:
+            return super().pre_save(model_instance, add)
+
         try:
             hasher = identify_hasher(secret)
             logger.debug(f"{model_instance}: {self.attname} is already hashed with {hasher}.")
@@ -120,6 +124,7 @@ class AbstractApplication(models.Model):
         db_index=True,
         help_text=_("Hashed on Save. Copy it now if this is a new secret."),
     )
+    hash_client_secret = models.BooleanField(default=True)
     name = models.CharField(max_length=255, blank=True)
     skip_authorization = models.BooleanField(default=False)