Openid Connect Core support - Round 2 (#859)

* Add OpenID connect hybrid grant type

* Add OpenID connect algorithm type to Application model

* Add OpenID connect id token model

* Add nonce Authorization as required by OpenID connect Implicit Flow

* Add body to create_authorization_response to pass nonce and future OpenID parameters to oauthlib.common.Request

* Add OpenID connect ID token creation and validation methods and scopes

* Add OpenID connect response types

* Add OpenID connect authorization code flow test

* Add OpenID connect implicit flow tests

* Add validate_user_match method to OAuth2Validator

* Add RSA_PRIVATE_KEY setting with blank value

* Update tox

* Add get_jwt_bearer_token to OAuth2Validator

* Add validate_jwt_bearer_token to OAuth2Validator

* Change OAuth2Validator.validate_id_token default return value to False to avoid validation security breach

* Change to use .encode to avoid py2.7 tox test error

* Add OpenID connect hybrid flow tests

* Change to use .encode to avoid py2.7 tox test error

* Add RSA_PRIVATE_KEY to the list of settings that cannot be empt

* Add support for oidc connect discovery

* Use double quotes for strings

* Rename migrations to avoid name and order conflict

* Remove commando to install OAuthLib from master and removed jwcrypto duplication

* Remove python 2 compatible code

* Change errors access_denied/unauthorized_client/consent_required/login_required to be 400 as changed in oauthlib/pull/623

* Change iss claim value to come from settings

* Change to use openid connect code server class

* Change test to include missing state

* Add id_token relation to AbstractAccessToken

* Add claims property to AbstractIDToken

* Change OAuth2Validator._create_access_token to save id_token to access_token

* Add userinfo endpoint

* Update migrations and remove oauthlib duplication

* Remove old generated migrations

* Add new migrations

* Fix tests

* Add nonce to hybrid tests

* Add missing new attributes to test migration

* Rebase fixing conflicts and tests

* Remove auto generate message

* Fix flake8 issues

* Fix test doc deps

* Add project settings to be ignored in coverage

* Tweak migrations to support non-overidden models

* OIDC_USERINFO_ENDPOINT is not mandatory

* refresh_token grant should be support for OpenID hybrid

* Fix the user info view, and remove hard dependency on DRF

* Use proper URL generation for OIDC endpoints

* Support rich ID tokens and userinfo claims

Extend the validator and override get_additional_claims based on your own user model.

* Bug fix for at_hash generation

See https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample to prove algorithm

* OIDC_ISS_ENDPOINT is an optional setting

* Support OIDC urls from issuer url if provided

* Test for generated OIDC urls

* Flake

* Rebase on master and migrate url function to re_path

* Handle invalid token format exceptions as invalid tokens

* Merge migrations and sort imports isort for flake8 lint check

Co-authored-by: Wiliam Souza <[email protected]>
Co-authored-by: Allisson Azevedo <[email protected]>
Co-authored-by: fvlima <[email protected]>
Co-authored-by: Shaun Stanworth <[email protected]>

Author: 5 people

.gitignore

@@ -25,7 +25,7 @@ __pycache__
 pip-log.txt
 
 # Unit test / coverage reports
-.cache
+.pytest_cache
 .coverage
 .tox
 .pytest_cache/

oauth2_provider/admin.py

@@ -2,7 +2,7 @@
 
 from .models import (
     get_access_token_model, get_application_model,
-    get_grant_model, get_refresh_token_model
+    get_grant_model, get_id_token_model, get_refresh_token_model
 )
 
 
@@ -26,6 +26,11 @@ class AccessTokenAdmin(admin.ModelAdmin):
     raw_id_fields = ("user", "source_refresh_token")
 
 
+class IDTokenAdmin(admin.ModelAdmin):
+    list_display = ("token", "user", "application", "expires")
+    raw_id_fields = ("user", )
+
+
 class RefreshTokenAdmin(admin.ModelAdmin):
     list_display = ("token", "user", "application")
     raw_id_fields = ("user", "access_token")
@@ -34,9 +39,11 @@ class RefreshTokenAdmin(admin.ModelAdmin):
 Application = get_application_model()
 Grant = get_grant_model()
 AccessToken = get_access_token_model()
+IDToken = get_id_token_model()
 RefreshToken = get_refresh_token_model()
 
 admin.site.register(Application, ApplicationAdmin)
 admin.site.register(Grant, GrantAdmin)
 admin.site.register(AccessToken, AccessTokenAdmin)
+admin.site.register(IDToken, IDTokenAdmin)
 admin.site.register(RefreshToken, RefreshTokenAdmin)

oauth2_provider/forms.py

@@ -5,6 +5,7 @@ class AllowForm(forms.Form):
     allow = forms.BooleanField(required=False)
     redirect_uri = forms.CharField(widget=forms.HiddenInput())
     scope = forms.CharField(widget=forms.HiddenInput())
+    nonce = forms.CharField(required=False, widget=forms.HiddenInput())
     client_id = forms.CharField(widget=forms.HiddenInput())
     state = forms.CharField(required=False, widget=forms.HiddenInput())
     response_type = forms.CharField(widget=forms.HiddenInput())

oauth2_provider/migrations/0002_auto_20190406_1805.py

@@ -1,5 +1,3 @@
-# Generated by Django 2.2 on 2019-04-06 18:05
-
 from django.db import migrations, models
 
 

oauth2_provider/migrations/0003_auto_20200902_2022.py

@@ -0,0 +1,48 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+from oauth2_provider.settings import oauth2_settings
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('oauth2_provider', '0002_auto_20190406_1805'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='algorithm',
+            field=models.CharField(choices=[('RS256', 'RSA with SHA-2 256'), ('HS256', 'HMAC with SHA-2 256')], default='RS256', max_length=5),
+        ),
+        migrations.AlterField(
+            model_name='application',
+            name='authorization_grant_type',
+            field=models.CharField(choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'), ('password', 'Resource owner password-based'), ('client-credentials', 'Client credentials'), ('openid-hybrid', 'OpenID connect hybrid')], max_length=32),
+        ),
+        migrations.CreateModel(
+            name='IDToken',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('token', models.TextField(unique=True)),
+                ('expires', models.DateTimeField()),
+                ('scope', models.TextField(blank=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('application', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to=oauth2_settings.APPLICATION_MODEL)),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='oauth2_provider_idtoken', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+                'swappable': 'OAUTH2_PROVIDER_ID_TOKEN_MODEL',
+            },
+        ),
+        migrations.AddField(
+            model_name='accesstoken',
+            name='id_token',
+            field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='access_token', to=oauth2_settings.ID_TOKEN_MODEL),
+        ),
+    ]

oauth2_provider/models.py

@@ -1,3 +1,4 @@
+import json
 import logging
 from datetime import timedelta
 from urllib.parse import parse_qsl, urlparse
@@ -9,6 +10,7 @@
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
+from jwcrypto import jwk, jwt
 
 from .generators import generate_client_id, generate_client_secret
 from .scopes import get_scopes_backend
@@ -50,11 +52,20 @@ class AbstractApplication(models.Model):
     GRANT_IMPLICIT = "implicit"
     GRANT_PASSWORD = "password"
     GRANT_CLIENT_CREDENTIALS = "client-credentials"
+    GRANT_OPENID_HYBRID = "openid-hybrid"
     GRANT_TYPES = (
         (GRANT_AUTHORIZATION_CODE, _("Authorization code")),
         (GRANT_IMPLICIT, _("Implicit")),
         (GRANT_PASSWORD, _("Resource owner password-based")),
         (GRANT_CLIENT_CREDENTIALS, _("Client credentials")),
+        (GRANT_OPENID_HYBRID, _("OpenID connect hybrid")),
+    )
+
+    RS256_ALGORITHM = "RS256"
+    HS256_ALGORITHM = "HS256"
+    ALGORITHM_TYPES = (
+        (RS256_ALGORITHM, _("RSA with SHA-2 256")),
+        (HS256_ALGORITHM, _("HMAC with SHA-2 256")),
     )
 
     id = models.BigAutoField(primary_key=True)
@@ -82,6 +93,7 @@ class AbstractApplication(models.Model):
 
     created = models.DateTimeField(auto_now_add=True)
     updated = models.DateTimeField(auto_now=True)
+    algorithm = models.CharField(max_length=5, choices=ALGORITHM_TYPES, default=RS256_ALGORITHM)
 
     class Meta:
         abstract = True
@@ -282,6 +294,10 @@ class AbstractAccessToken(models.Model):
         related_name="refreshed_access_token"
     )
     token = models.CharField(max_length=255, unique=True, )
+    id_token = models.OneToOneField(
+        oauth2_settings.ID_TOKEN_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+        related_name="access_token"
+    )
     application = models.ForeignKey(
         oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE, blank=True, null=True,
     )
@@ -415,6 +431,99 @@ class Meta(AbstractRefreshToken.Meta):
         swappable = "OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL"
 
 
+class AbstractIDToken(models.Model):
+    """
+    An IDToken instance represents the actual token to
+    access user's resources, as in :openid:`2`.
+
+    Fields:
+
+    * :attr:`user` The Django user representing resources' owner
+    * :attr:`token` ID token
+    * :attr:`application` Application instance
+    * :attr:`expires` Date and time of token expiration, in DateTime format
+    * :attr:`scope` Allowed scopes
+    """
+    id = models.BigAutoField(primary_key=True)
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+        related_name="%(app_label)s_%(class)s"
+    )
+    token = models.TextField(unique=True)
+    application = models.ForeignKey(
+        oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+    )
+    expires = models.DateTimeField()
+    scope = models.TextField(blank=True)
+
+    created = models.DateTimeField(auto_now_add=True)
+    updated = models.DateTimeField(auto_now=True)
+
+    def is_valid(self, scopes=None):
+        """
+        Checks if the access token is valid.
+
+        :param scopes: An iterable containing the scopes to check or None
+        """
+        return not self.is_expired() and self.allow_scopes(scopes)
+
+    def is_expired(self):
+        """
+        Check token expiration with timezone awareness
+        """
+        if not self.expires:
+            return True
+
+        return timezone.now() >= self.expires
+
+    def allow_scopes(self, scopes):
+        """
+        Check if the token allows the provided scopes
+
+        :param scopes: An iterable containing the scopes to check
+        """
+        if not scopes:
+            return True
+
+        provided_scopes = set(self.scope.split())
+        resource_scopes = set(scopes)
+
+        return resource_scopes.issubset(provided_scopes)
+
+    def revoke(self):
+        """
+        Convenience method to uniform tokens' interface, for now
+        simply remove this token from the database in order to revoke it.
+        """
+        self.delete()
+
+    @property
+    def scopes(self):
+        """
+        Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)
+        """
+        all_scopes = get_scopes_backend().get_all_scopes()
+        token_scopes = self.scope.split()
+        return {name: desc for name, desc in all_scopes.items() if name in token_scopes}
+
+    @property
+    def claims(self):
+        key = jwk.JWK.from_pem(oauth2_settings.OIDC_RSA_PRIVATE_KEY.encode("utf8"))
+        jwt_token = jwt.JWT(key=key, jwt=self.token)
+        return json.loads(jwt_token.claims)
+
+    def __str__(self):
+        return self.token
+
+    class Meta:
+        abstract = True
+
+
+class IDToken(AbstractIDToken):
+    class Meta(AbstractIDToken.Meta):
+        swappable = "OAUTH2_PROVIDER_ID_TOKEN_MODEL"
+
+
 def get_application_model():
     """ Return the Application model that is active in this project. """
     return apps.get_model(oauth2_settings.APPLICATION_MODEL)
@@ -430,6 +539,11 @@ def get_access_token_model():
     return apps.get_model(oauth2_settings.ACCESS_TOKEN_MODEL)
 
 
+def get_id_token_model():
+    """ Return the AccessToken model that is active in this project. """
+    return apps.get_model(oauth2_settings.ID_TOKEN_MODEL)
+
+
 def get_refresh_token_model():
     """ Return the RefreshToken model that is active in this project. """
     return apps.get_model(oauth2_settings.REFRESH_TOKEN_MODEL)

oauth2_provider/oauth2_backends.py

@@ -104,15 +104,16 @@ def validate_authorization_request(self, request):
         except oauth2.OAuth2Error as error:
             raise OAuthToolkitError(error=error)
 
-    def create_authorization_response(self, request, scopes, credentials, allow):
+    def create_authorization_response(self, uri, request, scopes, credentials, body, allow):
         """
         A wrapper method that calls create_authorization_response on `server_class`
         instance.
 
         :param request: The current django.http.HttpRequest object
         :param scopes: A list of provided scopes
         :param credentials: Authorization credentials dictionary containing
-                           `client_id`, `state`, `redirect_uri`, `response_type`
+                           `client_id`, `state`, `redirect_uri` and `response_type`
+        :param body: Other body parameters not used in credentials dictionary
         :param allow: True if the user authorize the client, otherwise False
         """
         try:
@@ -124,10 +125,10 @@ def create_authorization_response(self, request, scopes, credentials, allow):
             credentials["user"] = request.user
 
             headers, body, status = self.server.create_authorization_response(
-                uri=credentials["redirect_uri"], scopes=scopes, credentials=credentials)
-            uri = headers.get("Location", None)
+                uri=uri, scopes=scopes, credentials=credentials, body=body)
+            redirect_uri = headers.get("Location", None)
 
-            return uri, headers, body, status
+            return redirect_uri, headers, body, status
 
         except oauth2.FatalClientError as error:
             raise FatalClientError(
@@ -166,6 +167,21 @@ def create_revocation_response(self, request):
 
         return uri, headers, body, status
 
+    def create_userinfo_response(self, request):
+        """
+        A wrapper method that calls create_userinfo_response on a
+        `server_class` instance.
+
+        :param request: The current django.http.HttpRequest object
+        """
+        uri, http_method, body, headers = self._extract_params(request)
+        headers, body, status = self.server.create_userinfo_response(
+            uri, http_method, body, headers
+        )
+        uri = headers.get("Location", None)
+
+        return uri, headers, body, status
+
     def verify_request(self, request, scopes):
         """
         A wrapper method that calls verify_request on `server_class` instance.