Merge branch 'jazzband:master' into cors-oauthlib

Author: akanstantsinau

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
       fail-fast: false
       matrix:
         python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
-        django-version: ['2.2', '3.2', '4.0', '4.1', 'main']
+        django-version: ['2.2', '3.2', '4.0', '4.1', '4.2', 'main']
         exclude:
           # https://docs.djangoproject.com/en/dev/faq/install/#what-python-version-can-i-use-with-django
 
@@ -24,13 +24,21 @@ jobs:
           - python-version: '3.7'
             django-version: '4.1'
           - python-version: '3.7'
+            django-version: '4.2'
+          - python-version: '3.7'
+            django-version: 'main'
+
+          # < Python 3.10 is not supported by Django 5.0+
+          - python-version: '3.8'
+            django-version: 'main'
+          - python-version: '3.9'
             django-version: 'main'
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -41,7 +49,7 @@ jobs:
         echo "::set-output name=dir::$(pip cache dir)"
 
     - name: Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ${{ steps.pip-cache.outputs.dir }}
         key:
@@ -61,7 +69,7 @@ jobs:
         DJANGO: ${{ matrix.django-version }}
 
     - name: Upload coverage
-      uses: codecov/codecov-action@v1
+      uses: codecov/codecov-action@v3
       with:
         name: Python ${{ matrix.python-version }}
 
@@ -71,4 +79,4 @@ jobs:
     name: Test successful
     steps:
       - name: Success
-        run: echo Test successful
+        run: echo Test successful

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 23.3.0
     hooks:
       - id: black
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)

AUTHORS

@@ -9,6 +9,7 @@ Contributors
 
 Abhishek Patel
 Adam Johnson
+Adheeth P Praveen
 Alan Crosswell
 Alejandro Mantecon Guillen
 Aleksander Vaskevich
@@ -19,6 +20,7 @@ Allisson Azevedo
 Andrea Greco
 Andrej Zbín
 Andrew Chen Wang
+Antoine Laurent
 Anvesh Agarwal
 Aristóbulo Meneses
 Aryan Iyappan
@@ -28,6 +30,7 @@ Bart Merenda
 Bas van Oostveen
 Brian Helba
 Carl Schwan
+Daniel Golding
 Daniel 'Vector' Kerr
 Darrel O'Pry
 Dave Burkholder
@@ -41,6 +44,7 @@ Dulmandakh Sukhbaatar
 Dylan Giesler
 Dylan Tack
 Eduardo Oliveira
+Egor Poderiagin
 Emanuele Palazzetti
 Federico Dolce
 Frederico Vieira
@@ -59,12 +63,13 @@ Jordi Sanchez
 Joseph Abrahams
 Josh Thomas
 Jozef Knaperek
-Julien Palard
 Julian Mundhahs
+Julien Palard
 Jun Zhou
 Kaleb Porter
 Kristian Rune Larsen
 Ludwig Hähne
+Marcus Sonestedt
 Matias Seniquiel
 Michael Howitz
 Owen Gong
@@ -91,4 +96,3 @@ Víðir Valberg Guðmundsson
 Will Beaufoy
 pySilver
 Łukasz Skarżyński
-Marcus Sonestedt

CHANGELOG.md

@@ -17,14 +17,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 
 ### Added
-* Add Japanese(日本語) Language Support
+* #1273 Add caching of loading of OIDC private key.
+* #1285 Add post_logout_redirect_uris field in application views.
 
-### Changed
-* #1211 documentation improve on 'AUTHORIZATION_CODE_EXPIRE_SECONDS'.
-* #1218 Confim support for Python 3.11.
-* #1222 Remove expired ID tokens alongside access tokens in `cleartokens` management command
+- ### Fixed
+* #1284 Allow to logout whith no id_token_hint even if the browser session already expired
 
-## [2.2.0] 2022-10-18
+## [2.3.0] 2023-05-31
 
 ### WARNING
 
@@ -37,6 +36,17 @@ These issues both result in `{"error": "invalid_client"}`:
 
 2. `PKCE_REQUIRED` is now `True` by default. You should use PKCE with your client or set `PKCE_REQUIRED=False` if you are unable to fix the client.
 
+### Added
+* Add Japanese(日本語) Language Support
+* #1244 implement [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
+* #1092 Allow Authorization Code flow without a client_secret per [RFC 6749 2.3.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1)
+
+### Changed
+* #1222 Remove expired ID tokens alongside access tokens in `cleartokens` management command
+* #1267, #1253, #1251, #1250, #1224, #1212, #1211 Various documentation improvements
+
+## [2.2.0] 2022-10-18
+
 ### Added
 * #1208 Add 'code_challenge_method' parameter to authorization call in documentation
 * #1182 Add 'code_verifier' parameter to token requests in documentation

README.rst

@@ -35,11 +35,6 @@ capabilities to your Django projects. Django OAuth Toolkit makes extensive use o
 `OAuthLib <https://github.com/idan/oauthlib>`_, so that everything is
 `rfc-compliant <http://tools.ietf.org/html/rfc6749>`_.
 
-Note: If you have issues installing Django 4.0.0, it is because we only support
-Django 4.0.1+ due to a regression in Django 4.0.0. Besides 4.0.0, Django 2.2+ is supported.
-`Explanation <https://github.com/jazzband/django-oauth-toolkit/pull/1046#issuecomment-998015272>`_.
-
-
 Reporting security issues
 -------------------------
 
@@ -49,7 +44,7 @@ Requirements
 ------------
 
 * Python 3.7+
-* Django 2.2, 3.2, or >=4.0.1
+* Django 2.2, 3.2, 4.0 (4.0.1+ due to a regression), 4.1, or 4.2
 * oauthlib 3.1+
 
 Installation

docs/advanced_topics.rst

@@ -20,6 +20,7 @@ logo, acceptance of some user agreement and so on.
     * :attr:`client_id` The client identifier issued to the client during the registration process as described in :rfc:`2.2`
     * :attr:`user` ref to a Django user
     * :attr:`redirect_uris` The list of allowed redirect uri. The string consists of valid URLs separated by space
+    * :attr:`post_logout_redirect_uris` The list of allowed redirect uris after an RP initiated logout. The string consists of valid URLs separated by space
     * :attr:`client_type` Client type as described in :rfc:`2.1`
     * :attr:`authorization_grant_type` Authorization flows available to the Application
     * :attr:`client_secret` Confidential secret issued to the client during the registration process as described in :rfc:`2.2`

docs/management_commands.rst

@@ -38,6 +38,7 @@ The ``createapplication`` management command provides a shortcut to create a new
 
     usage: manage.py createapplication [-h] [--client-id CLIENT_ID] [--user USER]
                                        [--redirect-uris REDIRECT_URIS]
+                                       [--post-logout-redirect-uris POST_LOGOUT_REDIRECT_URIS]
                                        [--client-secret CLIENT_SECRET]
                                        [--name NAME] [--skip-authorization]
                                        [--algorithm ALGORITHM] [--version]
@@ -64,6 +65,9 @@ The ``createapplication`` management command provides a shortcut to create a new
       --redirect-uris REDIRECT_URIS
                             The redirect URIs, this must be a space separated
                             string e.g 'URI1 URI2'
+      --post-logout-redirect-uris POST_LOGOUT_REDIRECT_URIS
+                            The post logout redirect URIs, this must be a space
+                            separated string e.g 'URI1 URI2'
       --client-secret CLIENT_SECRET
                             The secret for this application
       --name NAME           The name this application

docs/oidc.rst

@@ -23,6 +23,8 @@ We support:
 * OpenID Connect Implicit Flow
 * OpenID Connect Hybrid Flow
 
+Furthermore ``django-oauth-toolkit`` also supports `OpenID Connect RP-Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_.
+
 
 Configuration
 =============
@@ -147,6 +149,23 @@ scopes in your ``settings.py``::
     If you want to enable ``RS256`` at a later date, you can do so - just add
     the private key as described above.
 
+
+RP-Initiated Logout
+~~~~~~~~~~~~~~~~~~~
+This feature has to be enabled separately as it is an extension to the core standard.
+
+.. code-block:: python
+
+   OAUTH2_PROVIDER = {
+       # OIDC has to be enabled to use RP-Initiated Logout
+       "OIDC_ENABLED": True,
+       # Enable and configure RP-Initiated Logout
+       "OIDC_RP_INITIATED_LOGOUT_ENABLED": True,
+       "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
+       # ... any other settings you want
+   }
+
+
 Setting up OIDC enabled clients
 ===============================
 
@@ -403,3 +422,10 @@ UserInfoView
 
 Available at ``/o/userinfo/``, this view provides extra user details. You can
 customize the details included in the response as described above.
+
+
+RPInitiatedLogoutView
+~~~~~~~~~~~~~~~~~~~~~
+
+Available at ``/o/rp-initiated-logout/``, this view allows a :term:`Client` (Relying Party) to request that a :term:`Resource Owner`
+is logged out at the :term:`Authorization Server` (OpenID Provider).

docs/settings.rst

@@ -45,7 +45,7 @@ this value if you wrote your own implementation (subclass of
 ACCESS_TOKEN_GENERATOR
 ~~~~~~~~~~~~~~~~~~~~~~
 Import path of a callable used to generate access tokens.
-oauthlib.oauth2.tokens.random_token_generator is (normally) used if not provided.
+oauthlib.oauth2.rfc6749.tokens.random_token_generator is (normally) used if not provided.
 
 ALLOWED_REDIRECT_URI_SCHEMES
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -313,6 +313,41 @@ this you must also provide the service at that endpoint.
 If unset, the default location is used, eg if ``django-oauth-toolkit`` is
 mounted at ``/o/``, it will be ``<server-address>/o/userinfo/``.
 
+OIDC_RP_INITIATED_LOGOUT_ENABLED
+~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``False``
+
+When is set to `False` (default) the `OpenID Connect RP-Initiated Logout <https://openid.net/specs/openid-connect-rpinitiated-1_0.html>`_
+endpoint is not enabled. OpenID Connect RP-Initiated Logout enables an :term:`Client` (Relying Party)
+to request that a :term:`Resource Owner` (End User) is logged out at the :term:`Authorization Server` (OpenID Provider).
+
+OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether to always prompt the :term:`Resource Owner` (End User) to confirm a logout requested by a
+:term:`Client` (Relying Party). If it is disabled the :term:`Resource Owner` (End User) will only be prompted if required by the standard.
+
+OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``False``
+
+Enable this setting to require `https` in post logout redirect URIs. `http` is only allowed when a :term:`Client` is `confidential`.
+
+OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether expired ID tokens are accepted for RP-Initiated Logout. The Tokens must still be signed by the OP and otherwise valid.
+
+OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``True``
+
+Whether to delete the access, refresh and ID tokens of the user that is being logged out.
+The types of applications for which tokens are deleted can be customized with `RPInitiatedLogoutView.token_types_to_delete`.
+The default is to delete the tokens of all applications if this flag is enabled.
+
 OIDC_ISS_ENDPOINT
 ~~~~~~~~~~~~~~~~~
 Default: ``""``

docs/templates.rst

@@ -165,6 +165,7 @@ This template gets passed the following template context variables:
     - ``client_type``
     - ``authorization_grant_type``
     - ``redirect_uris``
+    - ``post_logout_redirect_uris``
 
 .. caution::
     In the default implementation this template in extended by `application_registration_form.html`_.
@@ -184,6 +185,7 @@ This template gets passed the following template context variable:
     - ``client_type``
     - ``authorization_grant_type``
     - ``redirect_uris``
+    - ``post_logout_redirect_uris``
 
 .. note::
     In the default implementation this template extends `application_form.html`_.