Merge branch 'master' into cors-oauthlib

Author: n2ygk

.github/workflows/test.yml

@@ -4,12 +4,27 @@ on: [push, pull_request]
 
 jobs:
   build:
+    name: build (Python ${{ matrix.python-version }}, Django ${{ matrix.django-version }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-      max-parallel: 5
       matrix:
         python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
+        django-version: ['2.2', '3.2', '4.0', '4.1', 'main']
+        exclude:
+          # https://docs.djangoproject.com/en/dev/faq/install/#what-python-version-can-i-use-with-django
+
+          # Python 3.10+ is not supported by Django 2.2
+          - python-version: '3.10'
+            django-version: '2.2'
+
+          # Python 3.7 is not supported by Django 4.0+
+          - python-version: '3.7'
+            django-version: '4.0'
+          - python-version: '3.7'
+            django-version: '4.1'
+          - python-version: '3.7'
+            django-version: 'main'
 
     steps:
     - uses: actions/checkout@v2
@@ -42,8 +57,18 @@ jobs:
     - name: Tox tests
       run: |
         tox -v
+      env:
+        DJANGO: ${{ matrix.django-version }}
 
     - name: Upload coverage
       uses: codecov/codecov-action@v1
       with:
         name: Python ${{ matrix.python-version }}
+
+  success:
+    needs: build
+    runs-on: ubuntu-latest
+    name: Test successful
+    steps:
+      - name: Success
+        run: echo Test successful

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 23.1.0
     hooks:
       - id: black
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)
@@ -16,7 +16,7 @@ repos:
       - id: mixed-line-ending
         args: ['--fix=lf']
   - repo: https://github.com/PyCQA/isort
-    rev: 5.10.1
+    rev: 5.12.0
     hooks:
       - id: isort
         exclude: ^(oauth2_provider/migrations/|tests/migrations/)

AUTHORS

@@ -60,6 +60,7 @@ Joseph Abrahams
 Josh Thomas
 Jozef Knaperek
 Julien Palard
+Julian Mundhahs
 Jun Zhou
 Kaleb Porter
 Kristian Rune Larsen
@@ -90,3 +91,4 @@ Víðir Valberg Guðmundsson
 Will Beaufoy
 pySilver
 Łukasz Skarżyński
+Marcus Sonestedt

docs/settings.rst

@@ -177,7 +177,7 @@ this value if you wrote your own implementation (subclass of
 ROTATE_REFRESH_TOKEN
 ~~~~~~~~~~~~~~~~~~~~
 When is set to `True` (default) a new refresh token is issued to the client when the client refreshes an access token.
-Known bugs: `False` currently has a side effect of immediately revoking both access and refresh token on refreshing.
+If `False`, it will reuse the same refresh token and only update the access token with a new token value.
 See also: validator's rotate_refresh_token method can be overridden to make this variable
 (could be usable with expiring refresh tokens, in particular, so that they are rotated
 when close to expiration, theoretically).

docs/tutorial/tutorial_01.rst

@@ -89,7 +89,7 @@ point your browser to http://localhost:8000/o/applications/ and add an Applicati
  * `Redirect uris`: Applications must register at least one redirection endpoint before using the
    authorization endpoint. The :term:`Authorization Server` will deliver the access token to the client only if the client
    specifies one of the verified redirection uris. For this tutorial, paste verbatim the value
-   `http://django-oauth-toolkit.herokuapp.com/consumer/exchange/`
+   `https://www.getpostman.com/oauth2/callback`
 
  * `Client type`: this value affects the security level at which some communications between the client application and
    the authorization server are performed. For this tutorial choose *Confidential*.
@@ -105,17 +105,28 @@ process we'll explain shortly)
 Test Your Authorization Server
 ------------------------------
 Your authorization server is ready and can begin issuing access tokens. To test the process you need an OAuth2
-consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http. For the rest
-of us, there is a `consumer service <http://django-oauth-toolkit.herokuapp.com/consumer/>`_ deployed on Heroku to test
-your provider.
+consumer; if you are familiar enough with OAuth2, you can use curl, requests, or anything that speaks http.
+
+For this tutorial, we suggest using [Postman](https://www.postman.com/downloads/) :
+
+Open up the Authorization tab under a request and, for this tutorial, set the fields as follows:
+
+* Grant type: `Authorization code (With PKCE)`
+* Callback URL: `https://www.getpostman.com/oauth2/callback` <- need to be in your added application
+* Authorize using browser: leave unchecked
+* Auth URL: `http://localhost:8000/o/authorize/`
+* Access Token URL: `http://localhost:8000/o/token/`
+* Client ID: `random string for this app, as generated`
+* Client Secret: `random string for this app, as generated` <- must be before hashing, should not begin with 'pbkdf2_sha256' or similar
+
+The rest can be left to their (mostly empty) default values.
 
 Build an Authorization Link for Your Users
 ++++++++++++++++++++++++++++++++++++++++++
 Authorizing an application to access OAuth2 protected data in an :term:`Authorization Code` flow is always initiated
-by the user. Your application can prompt users to click a special link to start the process. Go to the
-`Consumer <http://django-oauth-toolkit.herokuapp.com/consumer/>`_ page and complete the form by filling in your
-application's details obtained from the steps in this tutorial. Submit the form, and you'll receive a link your users can
-use to access the authorization page.
+by the user. Your application can prompt users to click a special link to start the process.
+
+Here, we click "Get New Access Token" in postman, which should open your browser and show django's login.
 
 Authorize the Application
 +++++++++++++++++++++++++
@@ -125,18 +136,19 @@ page is login protected by django-oauth-toolkit. Login, then you should see the
 her authorization to the client application. Flag the *Allow* checkbox and click *Authorize*, you will be redirected
 again to the consumer service.
 
-__ loginTemplate_
+Possible errors:
 
-If you are not redirected to the correct page after logging in successfully,
-you probably need to `setup your login template correctly`__.
+* loginTemplate: If you are not redirected to the correct page after logging in successfully, you probably need to `setup your login template correctly`__.
+* invalid client: client id and client secret needs to be correct. Secret cannot be copied from Django admin after creation.
+  (but you can reset it by pasting the same random string into Django admin and into Postman, to avoid recreating the app)
+* invalid callback url: Add the postman link into your app in Django admin.
+* invalid_request: Use "Authorization Code (With PCKE)" from postman or disable PKCE in Django
 
 Exchange the token
 ++++++++++++++++++
 At this point your authorization server redirected the user to a special page on the consumer passing in an
 :term:`Authorization Code`, a special token the consumer will use to obtain the final access token.
-This operation is usually done automatically by the client application during the request/response cycle, but we cannot
-make a POST request from Heroku to your localhost, so we proceed manually with this step. Fill the form with the
-missing data and click *Submit*.
+
 If everything is ok, you will be routed to another page showing your access token, the token type, its lifetime and
 the :term:`Refresh Token`.
 

oauth2_provider/models.py

@@ -749,7 +749,6 @@ def redirect_to_uri_allowed(uri, allowed_uris):
             and parsed_allowed_uri.netloc == parsed_uri.netloc
             and parsed_allowed_uri.path == parsed_uri.path
         ):
-
             aqs_set = set(parse_qsl(parsed_allowed_uri.query))
             if aqs_set.issubset(uqs_set):
                 return True

oauth2_provider/oauth2_validators.py

@@ -572,7 +572,6 @@ def save_bearer_token(self, token, request, *args, **kwargs):
                 and isinstance(refresh_token_instance, RefreshToken)
                 and refresh_token_instance.access_token
             ):
-
                 access_token = AccessToken.objects.select_for_update().get(
                     pk=refresh_token_instance.access_token.pk
                 )

oauth2_provider/views/oidc.py

@@ -86,7 +86,6 @@ def get(self, request, *args, **kwargs):
                 oauth2_settings.OIDC_RSA_PRIVATE_KEY,
                 *oauth2_settings.OIDC_RSA_PRIVATE_KEYS_INACTIVE,
             ]:
-
                 key = jwk.JWK.from_pem(pem.encode("utf8"))
                 data = {"alg": "RS256", "use": "sig", "kid": key.thumbprint()}
                 data.update(json.loads(key.export_public()))

tests/test_oauth2_validators.py

@@ -160,7 +160,6 @@ def test_save_bearer_token__without_user__raises_fatal_client(self):
             self.validator.save_bearer_token(token, mock.MagicMock())
 
     def test_save_bearer_token__with_existing_tokens__does_not_create_new_tokens(self):
-
         rotate_token_function = mock.MagicMock()
         rotate_token_function.return_value = False
         self.validator.rotate_refresh_token = rotate_token_function
@@ -190,7 +189,6 @@ def test_save_bearer_token__with_existing_tokens__does_not_create_new_tokens(sel
         self.assertEqual(1, AccessToken.objects.count())
 
     def test_save_bearer_token__checks_to_rotate_tokens(self):
-
         rotate_token_function = mock.MagicMock()
         rotate_token_function.return_value = False
         self.validator.rotate_refresh_token = rotate_token_function

tox.ini

@@ -9,7 +9,7 @@ envlist =
     py{37,38,39,310}-dj32,
     py{38,39,310}-dj40,
     py{38,39,310,311}-dj41,
-    py{38,39,310,311}-djmain,
+    py{310,311}-djmain,
 
 [gh-actions]
 python =
@@ -19,6 +19,14 @@ python =
     3.10: py310
     3.11: py311
 
+[gh-actions:env]
+DJANGO =
+    2.2: dj22
+    3.2: dj32
+    4.0: dj40
+    4.1: dj41
+    main: djmain
+
 [pytest]
 django_find_project = false
 addopts =
@@ -70,7 +78,7 @@ commands =
 [testenv:{docs,livedocs}]
 basepython = python3.8
 changedir = docs
-whitelist_externals = make
+allowlist_externals = make
 commands =
     docs: make html
     livedocs: make livehtml