Openid Connect Core support

[wiliamsouza]

This PR add OpenID Connect Core http://openid.net/specs/openid-connect-core-1_0.html support.

To run the tests do:

Django OAuth Toolkit cloned repository

git remote add [email protected]:wiliamsouza/django-oauth-toolkit.git wiliamsouza
git checkout -b openid-connect wiliamsouza/openid-connect
tox

Usage examples:

Authorization-code

http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

token and id_token

http://127.0.0.1:8000/o/authorize?response_type=code&client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

Only token

http://127.0.0.1:8000/o/authorize?response_type=code&client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS&redirect_uri=http://localhost/callback&scope=read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

curl -X POST \
    -H "Cache-Control: no-cache" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    "http://127.0.0.1:8000/o/token/" \
    -d "client_id=HCSTniKnHNj6qP6Dkms39q6IT4pahzfXws2uwTkS" \
    -d "client_secret=Ay1rH78PChsOG4mshfdp2oJnomdpu5Vgtdz6jCmDkEM8mKHzcaKo5GEYNGK42KTN8XqEWbbpn1vdHJKYcBgawONx4S1xXY7GtEP9mvsMw593DeXH0aRpWlgySuxeDfe2" \
    -d "code=89BRsh4kQqrwlNMLj4coVZbrpDm0Mh" \
    -d "redirect_uri=http://localhost/callback" \
    -d "grant_type=authorization_code"

implicit

http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

token

http://127.0.0.1:8000/o/authorize?response_type=token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

id_token

http://127.0.0.1:8000/o/authorize?response_type=id_token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

token and id_token

http://127.0.0.1:8000/o/authorize?response_type=id_token%20token&client_id=Ktn0Sh4hO2gA8PKC2aqsauY4ZCxNyIdF1wNfFfJ3&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

openid-hybrid

http://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth

code, id_token and token

http://127.0.0.1:8000/o/authorize?response_type=code%20id_token%20token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

code and id_token

http://127.0.0.1:8000/o/authorize?response_type=code%20id_token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

code and token

http://127.0.0.1:8000/o/authorize?response_type=code%20token&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

code

http://127.0.0.1:8000/o/authorize?response_type=code&client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj&redirect_uri=http://localhost/callback&scope=openid%20read&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

curl -X POST \
    -H "Cache-Control: no-cache" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    "http://127.0.0.1:8000/o/token/" \
    -d "client_id=fZjUvm0YABo6mX1UTjo9VVYay9zj1HpaCZaoa4Fj" \
    -d "client_secret=eiBw6IIQ4zzWFP9gSszEHZwexjCDhJjMtRxoOYQexCJMjQ6gdyN2ME9aUzbGkVopx3NSZRPUb4SV9yKpbVwwW9NKdEpkoyGmcTni7G4KTPqtJrsI9HPubFnDDzsvAf89" \
    -d "code=VQGv7tzYGO13jrRnv6oYT7jHbDSGJZ" \
    -d "redirect_uri=http://localhost/callback" \
    -d "grant_type=authorization_code"

TODO:

• Create/Update docs
• Merge OAuthLib PR Openid connect jwt oauthlib/oauthlib#488

[coveralls]

Coverage decreased (-4.7%) to 88.696% when pulling b2847e2 on wiliamsouza:openid-connect into 231efff on evonove:master.

[wiliamsouza]

The CI will be broke until OAuthLib version containing this PR oauthlib/oauthlib#488

[jleclanche]

Hi @wiliamsouza

Thanks, this is a high quality PR. I'm not merging it until the upstream work is fully released, but once it is, feel free to ping here again and I'll do a full review pass.

[wiliamsouza]

OAuthLib upcoming release 3.0.0 oauthlib/oauthlib#512

[rhenter]

Great PR. It will be very good when It wore merged

[afabiani]

Hi all,
how far we are on merging this?

[JonathanHuot]

@jleclanche, oauthlib's PR oauthlib/oauthlib#488 has been merged into oauthlib's master branch. Would be great to validate the changes here before releasing the [email protected]

[wiliamsouza]

@afabiani As soon as [email protected] get released

[jleclanche]

@JonathanHuot Winter is pretty busy here, I'm not sure I'll soon be in a situation where i can do an updated review. And either way, I wouldn't want to land this without testing it (and I'm not in a position to test it).

So if people want to get this PR moving ahead of oauthlib 3.0 release, bring it into your installations and try it out, report back with any issues.

[wiliamsouza]

@jleclanche @JonathanHuot I can manage this

[afabiani]

@wiliamsouza currently I had to fork this one [1] since it required few more changes in order to fully work with OIDC 1.0 (tested mainly using Keycloak). Will look forward to the new release anyway. Thanks.

[1] - https://github.com/GeoNode/geonode-oauth-toolkit

[jejenone]

I would love to see OIDC support in DOT. Looking forward to seeing this merged.

[bpereto]

@wiliamsouza [email protected] is released 🎉

[tribals]

@wiliamsouza

I created dummy Django app with this library integrated, seems like the patch is currently doesn't work.

Here is the app: https://dummy-idp-dot.herokuapp.com. I created an OAuth app, you can view it's credentials here: https://dummy-idp-dot.herokuapp.com/oauth/applications/1. I tested it with OpenID Connect debugger: https://oidcdebugger.com. Currently there is an unsupported_response_type error. Here is the request that Debugger was generated:

https://dummy-idp-dot.herokuapp.com/oauth/authorize?client_id=P25mgGSjKjx77Dw4zaiUhhJMWqYgtIVQiogSpATz&redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug&scope=openid%20read&response_type=token%20id_token&response_mode=form_post&nonce=lokuqbmajz

[wiliamsouza]

Working on it

[coveralls]

Pull Request Test Coverage Report for Build 1345

• 193 of 222 (86.94%) changed or added relevant lines in 11 files are covered.
• 3 unchanged lines in 2 files lost coverage.
• Overall coverage decreased (-1.05%) to 93.721%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
oauth2_provider/settings.py	5	7	71.43%
oauth2_provider/views/oidc.py	25	28	89.29%
oauth2_provider/oauth2_validators.py	103	110	93.64%
oauth2_provider/models.py	31	48	64.58%

Files with Coverage Reduction	New Missed Lines	%
oauth2_provider/settings.py	1	76.56%
oauth2_provider/oauth2_validators.py	2	91.33%

Totals
Change from base Build 1341:	-1.05%
Covered Lines:	1418
Relevant Lines:	1513

---

💛 - Coveralls

[wiliamsouza]

@afabiani Great! Can you explain the changes and how do you test it with Keycloak?

[wiliamsouza]

@jejenone You can help it get done reviewing and testing this branch.

[wiliamsouza]

@tribals Can you update the code and redo the test?

[tribals]

@wiliamsouza Finally I'm testing in local environment. It seems to mostly work. I tried implicit flow with response_type parameter set to both token and id_token token. Server responds correctly. There are still some misunderstandings about how to hook into this library but they disappear as the more I work with library.

[auvipy]

please re-base to master while updating.

[auvipy]

it's better to pull updates from master and change models based on latest master, and then regenerate migrations based on the migrations in masters branch.

[wiliamsouza]

@auvipy Your merge broke the build. Why did you do that before any discussion?

[wiliamsouza]

@tribals @jleclanche @bpereto @auvipy @fvlima @jpbonson @JC127 @esseti @kaeruko @JonathanHuot @jejenone @afabiani Ready to merge? Review, comment! I can add access to my fork to anyone that want to help. Just ask.

[auvipy]

tests are failing. you could add me to your branch

[n2ygk]

This is a big improvement and a lot of new code. I think we should hold off merging this until after the 1.3.0 release which I'm hoping to get out today or tomorrow. Given the significant new functionality, perhaps this becomes a 1.4.0 or 2.0 release. What are your thoughts on whether this is a major or minor release per semver?

And, of course, failing tests have to be resolved. They are mostly isort/flake8 issues because I undid the disabling of those tests in #798. They should be really easy to fix:

• isort <filename> which will sort the includes properly
• make sure to use inline double-quotes. (I just did this doing global replaces of ' with " and a few manual fixes)
• comply with line-length limit
• a few other items

[wiliamsouza]

tests are failing.

I will fix tests.

you could add me to your branch

Done! Welcome.

[wiliamsouza]

This is a big improvement and a lot of new code. I think we should hold off merging this until after the 1.3.0 release which I'm hoping to get out today or tomorrow.

Great!

Given the significant new functionality, perhaps this becomes a 1.4.0 or 2.0 release. What are your thoughts on whether this is a major or minor release per semver?

1.4.0 is ok.

[n2ygk]

I believe you need to add jwcrypto to deps here as well to resolve tox -e py37-docs failure.

[fvlima]

And, of course, failing tests have to be resolved. They are mostly isort/flake8 issues because I undid the disabling of those tests in #798. They should be really easy to fix:

Those things were fixed here wiliamsouza#8. After merging this, only documentation and examples items (#545 (comment)) will remain to merge this PR

[wiliamsouza]

Checklist

• 1) Fix flake8 test
• 2) Fix docs test
• 3) Ensure coverage is higher
• 4) Write docs about OpenID Connect
• 5) Write a example application with OpenID connect flows

I think this the job that must be done.
Will take the 5 one.

[fvlima]

I can fix the 1 and 2 items. And about item 3, is it really necessary to put the oauth2_provider/settings.py to be covered?

[wiliamsouza]

I can fix the 1 and 2 items. And about item 3, is it really necessary to put the oauth2_provider/settings.py to be covered?

It seems to have some logic.

[esseti]

sorry to be late at the party, what/how can I help?

[wiliamsouza]

sorry to be late at the party, what/how can I help?

Can you handle any item from the checklist?

[auvipy]

you can start with rebase

[fvlima]

The items 1 and 2 from the checklist were fixed here wiliamsouza#8

[fvlima]

And about item 3, I made this comment #545 (comment) and created this PR to do it here wiliamsouza#9. This makes sense for me, but if not, just ignore it.

[michaelhelvey]

Testing locally using MySQL the migration created by this errors with MySQL err 1170, "BLOB/TEXT column 'token' used in key specification without a key length".

Reference: https://dev.mysql.com/doc/refman/8.0/en/server-error-reference.html#error_er_blob_key_without_length

Given that this is not the primary key and (if my understanding is correct) typically a value generated by the application, perhaps we could not use a database index to ensure uniqueness? Happy to make a PR if so.

[auvipy]

sure plz

[michaelhelvey]

see wiliamsouza#10

[fvlima]

I think that this PR can be closed because we already have this implementation merged here #859