UA-4020 | Pulled in changes from upstream 0.8.3 (#14)

* Update settings.rst

* Update LICENSE

* Default ordering RSA keys + example app for Django 4.2

* Update docs

* Update docs

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Bump version 0.8.3

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

---------

Co-authored-by: Juan Ignacio Fiorentino <[email protected]>
Co-authored-by: juanifioren <[email protected]>

Author: kdallege

.vscode/settings.json

@@ -0,0 +1,10 @@
+{
+    "[python]": {
+        "editor.formatOnSave": true,
+        "editor.codeActionsOnSave": {
+            "source.fixAll": "explicit",
+            "source.organizeImports": "explicit"
+        },
+        "editor.defaultFormatter": "charliermarsh.ruff"
+    }
+}

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2014-2019 Juan Ignacio Fiorentino
+Copyright (c) 2014-2024 Juan Ignacio Fiorentino
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

docs/conf.py

@@ -45,7 +45,7 @@
 
 # General information about the project.
 project = u'django-oidc-provider'
-copyright = u'2023, Juan Ignacio Fiorentino'
+copyright = u'2025, Juan Ignacio Fiorentino'
 author = u'Juan Ignacio Fiorentino'
 
 # The version info for the project you're documenting, acts as replacement for
@@ -55,7 +55,7 @@
 # The short X.Y version.
 version = u'0.8'
 # The full version, including alpha/beta/rc tags.
-release = u'0.8.0'
+release = u'0.8'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/images/add_rsa_key.png

@@ -8,6 +8,17 @@ All notable changes to this project will be documented in this file.
 Unreleased
 ==========
 
+None
+
+0.8.3
+=====
+
+*2024-12-06*
+
+* Changed: Improved "OpenID Connect RP-Initiated Logout" implementation.
+* Fixed: Fix ID Tokens not including standard claims when using extra scope claims.
+* Fixed: RSA server keys random ordering.
+* Fixed: Example app working with Django 4.
 
 0.8.2
 =====

docs/sections/changelog.rst

@@ -24,8 +24,8 @@ Use `tox <https://pypi.python.org/pypi/tox>`_ for running tests in each of the e
     # Run with Python 3.11 and Django 4.2.
     $ tox -e py311-django42
 
-    # Run single test file on specific environment.
-    $ tox -e py311-django42 -- tests/cases/test_authorize_endpoint.py
+    # Run a single test method.
+    $ tox -e py311-django42 -- tests/cases/test_authorize_endpoint.py::TestClass::test_some_method
 
 We use `Github Actions <https://github.com/juanifioren/django-oidc-provider/actions>`_ to automatically test every commit to the project.
 
@@ -34,7 +34,7 @@ Improve Documentation
 
 We use `Sphinx <http://www.sphinx-doc.org/>`_ to generate this documentation. If you want to add or modify something just:
 
-* Install Sphinx (``pip install sphinx``) and the auto-build tool (``pip install sphinx-autobuild``).
+* Install Sphinx (``pip install sphinx sphinx_rtd_theme``) and the auto-build tool (``pip install sphinx-autobuild``).
 * Move inside the docs folder. ``cd docs/``
 * Generate and watch docs by running ``sphinx-autobuild . _build/``.
 * Open ``http://127.0.0.1:8000`` in a browser.

docs/sections/contribute.rst

@@ -111,3 +111,11 @@ Inside your oidc_provider_settings.py file add the following class::
 
 .. note::
     If a field is empty or ``None`` inside the dictionary you return on the ``scope_scopename`` method, it will be cleaned from the response.
+
+Include claims in the ID Token
+==============================
+
+The draft specifies that ID Tokens MAY include additional claims. You can add claims to the ID Token using ``OIDC_IDTOKEN_INCLUDE_CLAIMS``. Note that the claims will be filtered based on the token's scope.
+
+.. note::
+    Any extra claims defined with ``OIDC_EXTRA_SCOPE_CLAIMS`` will also be included. 

docs/sections/scopesclaims.rst

@@ -7,7 +7,7 @@ Server RSA keys are used to sign/encrypt ID Tokens. These keys are stored in the
 
 You can easily create them with the admin:
 
-.. image:: http://i64.tinypic.com/vj2ma.png
+.. image:: ../images/add_rsa_key.png
     :align: center
 
 Or by using ``python manage.py creatersakey`` command.

docs/sections/serverkeys.rst

@@ -22,6 +22,47 @@ Somewhere in your Django ``settings.py``::
 If you're in a multi-server setup, you might also want to add ``OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY`` to your settings and set it to some random but fixed string. While authenticated clients have a session that can be used to calculate the browser state, there is no such thing for unauthenticated clients. Hence this value. By default a value is generated randomly on startup, so this will be different on each server. To get a consistent value across all servers you should set this yourself.
 
 
+RP-Initiated Logout
+===================
+
+An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL.
+
+This URL is normally obtained via the ``end_session_endpoint`` element of the OP's Discovery response.
+
+Parameters that are passed as query parameters in the logout request:
+
+* ``id_token_hint``
+    RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
+* ``post_logout_redirect_uri``
+    OPTIONAL. URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed.
+    
+    The value must be a valid, encoded URL that has been registered in the list of "Post Logout Redirect URIs" in your Client (RP) page.
+* ``state``
+    OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the ``post_logout_redirect_uri`` query parameter.
+
+Example redirect::
+
+    http://localhost:8000/end-session/?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImQwM...&post_logout_redirect_uri=http%3A%2F%2Frp.example.com%2Flogged-out%2F&state=c91c03ea6c46a86
+
+**Logout consent prompt**
+
+The standard defines that the logout flow should be interrupted to prompt the user for consent if the OpenID provider cannot verify that the request was made by the user.
+
+We enforce this behavior by displaying a logout consent prompt if it detects any of the following conditions:
+
+* If ``id_token_hint`` is not present or is invalid (we could not validate the client from it).
+* If ``post_logout_redirect_uri`` is not registered in the list of "Post Logout Redirect URIs".
+
+If the user confirms the logout request, we continue the logout flow. To modify the logout consent template create your own ``oidc_provider/end_session_prompt.html``.
+
+**Other scenarios**
+
+In some cases, there may be no valid redirect URI for the user after logging out (e.g., the OP could not find a post-logout URI). If the user ends up being logged out, the system will render the ``oidc_provider/end_session_completed.html`` template.
+
+On the other hand, if the session remains active for any reason, the ``oidc_provider/end_session_failed.html`` template will be used.
+
+Both templates will receive the ``{{ client }}`` variable in their context.
+
 Example RP iframe
 =================
 
@@ -70,22 +111,4 @@ Example RP iframe
     </script>
     </html>
 
-RP-Initiated Logout
-===================
-
-An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL.
-
-This URL is normally obtained via the ``end_session_endpoint`` element of the OP's Discovery response.
-
-Parameters that are passed as query parameters in the logout request:
-
-* ``id_token_hint``
-    Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
-* ``post_logout_redirect_uri``
-    URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed.
-* ``state``
-    OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the ``post_logout_redirect_uri`` query parameter.
-
-Example redirect::
 
-    http://localhost:8000/end-session/?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImQwM...&post_logout_redirect_uri=http://rp.example.com/logged-out/&state=c91c03ea6c46a86

docs/sections/sessionmanagement.rst

@@ -53,7 +53,7 @@ OIDC_CODE_EXPIRE
 
 OPTIONAL. ``int``. Code object expiration after been delivered.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``10 mins``.
 
 OIDC_DISCOVERY_CACHE_ENABLE
 ===========================
@@ -67,7 +67,7 @@ OIDC_DISCOVERY_CACHE_EXPIRE
 
 OPTIONAL. ``int``. Discovery endpoint cache expiration time expressed in seconds.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``1 day``.
 
 OIDC_EXTRA_SCOPE_CLAIMS
 =======================
@@ -81,7 +81,7 @@ Read more about how to implement it in :ref:`scopesclaims` section.
 OIDC_IDTOKEN_INCLUDE_CLAIMS
 ==============================
 
-OPTIONAL. ``bool``. If enabled, id_token will include standard claims of the user (email, first name, etc.).
+OPTIONAL. ``bool``. If enabled, id_token will include standard (and extra if defined) claims of the user (email, first name, etc.).
 
 Default is ``False``.
 
@@ -90,7 +90,7 @@ OIDC_IDTOKEN_EXPIRE
 
 OPTIONAL. ``int``. ID Token expiration after been delivered.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``10 mins``.
 
 OIDC_IDTOKEN_PROCESSING_HOOK
 ============================
@@ -188,14 +188,14 @@ OIDC_SKIP_CONSENT_EXPIRE
 
 OPTIONAL. ``int``. How soon User Consent expires after being granted.
 
-Expressed in days. Default is ``30*3``.
+Expressed in days. Default is ``90 days``.
 
 OIDC_TOKEN_EXPIRE
 =================
 
 OPTIONAL. ``int``. Token object (access token) expiration after being created.
 
-Expressed in seconds. Default is ``60*60``.
+Expressed in seconds. Default is ``1 hour``.
 
 OIDC_USERINFO
 =============
@@ -258,4 +258,4 @@ A flag which toggles whether the scope is returned with successful response on i
 
 Must be ``True`` to include ``scope`` into the successful response
 
-Default is ``False``.
+Default is ``False``.