Bring IDToken fields into agreement with OIDC Spec (HarryMWinters#10) 😊

- Updates IDToken type.
- Adds OktaIDToken child type.
- Fixes CI.

Author: HarryMWinters

.bandit.yml

@@ -0,0 +1,85 @@
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.
+
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B110 : try_except_pass
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B322 : input
+# B323 : unverified_context
+# B324 : hashlib_new_insecure_functions
+# B325 : tempnam
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B413 : import_pycrypto
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B507 : ssh_no_host_key_verification
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B610 : django_extra_used
+# B611 : django_rawsql_used
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
+# B703 : django_mark_safe
+
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests:
+
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips: [B101]

.github/workflows/tests.yaml

@@ -21,11 +21,9 @@ jobs:
         uses: actions/setup-python@v1
         with:
           python-version: ${{ matrix.python-version }}
+      
       - name: Install Task
-        uses: Arduino/actions/setup-taskfile@master
-        with:
-          version: 3.x
-      - name: Run pre-commit
-        run: task pre-commit-ci
-      - name: Run test
-        run: task unit-test
+        uses: arduino/setup-task@v1
+
+      - name: Run CI
+        run: task ci

.isort.cfg

@@ -3,33 +3,42 @@ default_language_version:
 
 repos:
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v4.0.1
     hooks:
       - id: check-merge-conflict
+
   - repo: https://github.com/asottile/seed-isort-config
-    rev: v1.9.4
+    rev: v2.2.0
     hooks:
       - id: seed-isort-config
         language_version: python3.8
+
   - repo: https://github.com/timothycrosley/isort
-    rev: cd9c2f6
+    rev: 5.9.2
     hooks:
       - id: isort
+
   - repo: https://github.com/psf/black
-    rev: stable
+    rev: 21.7b0
     hooks:
       - id: black
+
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.770
+    rev: v0.910
     hooks:
       - id: mypy
         additional_dependencies:
           - "pydantic"
+          - "types-requests"
+          - "types-cachetools"
+
   - repo: https://gitlab.com/pycqa/flake8
-    rev: 3.7.9
+    rev: 3.9.2
     hooks:
       - id: flake8
+
   - repo: https://github.com/PyCQA/bandit
-    rev: "1.6.2"
+    rev: "1.7.0"
     hooks:
       - id: bandit
+        entry: bandit -c .bandit.yml

.pre-commit-config.yaml

@@ -3,29 +3,42 @@ version: "3"
 dotenv: [".env"]
 
 tasks:
+  
+  ci:
+    desc: "Run code analyzers from pre-commit and unit tests"
+    deps: [install-poetry, create-virtual-env]
+    cmds:
+      - task: unit
+      - task: lint
+
+  lint:
+    desc: "Install and init pre-commits."
+    deps: [install-poetry, create-virtual-env]
+    cmds:
+      - poetry run pre-commit run --all-files
+
+  unit:
+    desc: "Run unit tests"
+    deps: [install-poetry, create-virtual-env]
+    cmds:
+      - poetry run pytest
+    silent: true
+
   install-poetry:
     desc: "Install poetry package manager."
     cmds:
-      - curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python3 -
+      - pip install poetry
     status:
       - poetry --version
     generates:
       - $HOME/.poetry/env
 
-  unit-test:
-    desc: "Run unit tests"
-    deps: [install-poetry, create-virtual-env]
-    cmds:
-      - source $HOME/.poetry/env && poetry run pytest
-        # --cov=fastapi_oidc \
-        # --cov-report=term-missing
-        # --cov-report=xml tests ${@}
-    silent: true
   create-virtual-env:
     desc: "Create poetry virtual env."
     deps: [install-poetry]
     cmds:
-      - source $HOME/.poetry/env && poetry install
+      - poetry install
+
   build:
     desc: "Build python package for publication."
     deps: [install-poetry]
@@ -37,6 +50,7 @@ tasks:
       - pyproject.toml
     generates:
       - dist/**
+
   publish:
     desc: "Push package to PIPy"
     deps: [build]
@@ -51,22 +65,11 @@ tasks:
     #   - pyproject.toml
     # status:
     #   - echo "Return nonzero code if we shouldn't publish"
+
   clean:
     desc: "Remove artifacts and caches."
     cmds:
       - rm -rf ./build ./dist ./*.egg-info __pycache__
-  pre-commit-ci:
-    desc: "Install and init pre-commits."
-    deps: [install-pre-commit-ci, init-pre-commit-ci]
-    cmds:
-      - python3 pre-commit-2.8.2.pyz run --all-files
-  install-pre-commit-ci:
-    desc: "Install pre-commit without dependencies."
-    cmds:
-      - curl -OL https://github.com/pre-commit/pre-commit/releases/download/v2.8.2/pre-commit-2.8.2.pyz 
-      - python3 pre-commit-2.8.2.pyz
-    status:
-      - which pre-commit
 
   init-pre-commit-ci:
     desc: "Init pre-commit."
@@ -77,7 +80,7 @@ tasks:
     - .git/hooks/pre-commit
 
   build_docs:
-    desc: "Build sphinc docs in /docs"
+    desc: "Build sphinx docs in /docs"
     deps: [create-virtual-env]
     cmds:
       - |

Taskfile.yml

@@ -39,7 +39,7 @@ def get_auth(
 ) -> Callable[[str], IDToken]:
     """Take configurations and return the authenticate_user function.
 
-    This function should only be invoked once at the begging of your
+    This function should only be invoked once at the beggining of your
     server code. The function it returns should be used to check user credentials.
 
     Args:
@@ -110,7 +110,7 @@ def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
 
 # This is a dummy method for sphinx docs. DO NOT User.
 # TODO Find a way to doc higher order functions w/ sphinx.
-def authenticate_user(auth_header: str) -> IDToken:
+def authenticate_user(auth_header: str) -> IDToken:  # type: ignore
     """
     Validate and parse OIDC ID token against issuer in config.
     Note this function caches the signatures and algorithms of the issuing server

fastapi_oidc/auth.py

@@ -2,6 +2,7 @@
 
 from pydantic import BaseModel
 from pydantic import BaseSettings
+from pydantic import Extra
 
 
 class OIDCConfig(BaseSettings):
@@ -12,21 +13,43 @@ class OIDCConfig(BaseSettings):
 
 
 class IDToken(BaseModel):
-    """"""
+    """Pydantic model representing an OIDC ID Token.
+
+    ID Tokens are polymorphic and may have many attributes not defined in the spec thus this model accepts
+    all addition fields. Only required fields are listed in the attributes section of this docstring or
+    enforced by pydantic.
+
+    See the specifications here. https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+
+    Attributes:
+        iss (str): Issuer Identifier for the Issuer of the response.
+        sub (str): Subject Identifier.
+        aud (str): Audience(s) that this ID Token is intended for.
+        exp (str): Expiration time on or after which the ID Token MUST NOT be accepted for processing.
+        iat (iat): Time at which the JWT was issued.
+
+    """
 
-    # TODO Verify the minimum and maximum claim set for ID Tokens.
-    name: str
-    email: str
-    preferred_username: str
-    exp: int
-    auth_time: int
-    sub: str
-    ver: int
     iss: str
+    sub: str
     aud: str
+    exp: int
     iat: int
+
+    class Config:
+        extra = Extra.allow
+
+
+class OktaIDToken(IDToken):
+    """Pydantic Model for the IDToken returned by Okta's OIDC implementation."""
+
+    auth_time: int
+    ver: int
     jti: str
     amr: List[str]
     idp: str
     nonce: str
     at_hash: str
+    name: str
+    email: str
+    preferred_username: str