Openid Connect Core support

.gitignore

@@ -25,7 +25,7 @@ __pycache__
 pip-log.txt
 
 # Unit test / coverage reports
-.cache
+.pytest_cache
 .coverage
 .tox
 .pytest_cache/

oauth2_provider/admin.py

@@ -1,8 +1,11 @@
 from django.contrib import admin
 
 from .models import (
-    get_access_token_model, get_application_model,
-    get_grant_model, get_refresh_token_model
+    get_access_token_model,
+    get_application_model,
+    get_grant_model,
+    get_refresh_token_model,
+    get_id_token_model,
 )
 
 
@@ -26,6 +29,11 @@ class AccessTokenAdmin(admin.ModelAdmin):
     raw_id_fields = ("user", "source_refresh_token")
 
 
+class IDTokenAdmin(admin.ModelAdmin):
+    list_display = ("token", "user", "application", "expires")
+    raw_id_fields = ("user", )
+
+
 class RefreshTokenAdmin(admin.ModelAdmin):
     list_display = ("token", "user", "application")
     raw_id_fields = ("user", "access_token")
@@ -34,9 +42,11 @@ class RefreshTokenAdmin(admin.ModelAdmin):
 Application = get_application_model()
 Grant = get_grant_model()
 AccessToken = get_access_token_model()
+IDToken = get_id_token_model()
 RefreshToken = get_refresh_token_model()
 
 admin.site.register(Application, ApplicationAdmin)
 admin.site.register(Grant, GrantAdmin)
 admin.site.register(AccessToken, AccessTokenAdmin)
+admin.site.register(IDToken, IDTokenAdmin)
 admin.site.register(RefreshToken, RefreshTokenAdmin)

oauth2_provider/forms.py

@@ -5,6 +5,7 @@ class AllowForm(forms.Form):
     allow = forms.BooleanField(required=False)
     redirect_uri = forms.CharField(widget=forms.HiddenInput())
     scope = forms.CharField(widget=forms.HiddenInput())
+    nonce = forms.CharField(required=False, widget=forms.HiddenInput())
     client_id = forms.CharField(widget=forms.HiddenInput())
     state = forms.CharField(required=False, widget=forms.HiddenInput())
     response_type = forms.CharField(widget=forms.HiddenInput())

oauth2_provider/migrations/0002_auto_20190406_1805.py

@@ -1,5 +1,3 @@
-# Generated by Django 2.2 on 2019-04-06 18:05
-
 from django.db import migrations, models
 
 

oauth2_provider/migrations/0003_auto_20190413_2007.py

@@ -0,0 +1,21 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0002_auto_20190406_1805'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='algorithm',
+            field=models.CharField(choices=[('RS256', 'RSA with SHA-2 256'), ('HS256', 'HMAC with SHA-2 256')], default='RS256', max_length=5),
+        ),
+        migrations.AlterField(
+            model_name='application',
+            name='authorization_grant_type',
+            field=models.CharField(choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'), ('password', 'Resource owner password-based'), ('client-credentials', 'Client credentials'), ('openid-hybrid', 'OpenID connect hybrid')], max_length=32),
+        ),
+    ]

oauth2_provider/migrations/0004_idtoken.py

@@ -0,0 +1,31 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('oauth2_provider', '0003_auto_20190413_2007'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='IDToken',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('token', models.TextField(unique=True)),
+                ('expires', models.DateTimeField()),
+                ('scope', models.TextField(blank=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('application', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='oauth2_provider_idtoken', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+                'swappable': 'OAUTH2_PROVIDER_ID_TOKEN_MODEL',
+            },
+        ),
+    ]

oauth2_provider/migrations/0005_accesstoken_id_token.py

@@ -0,0 +1,18 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oauth2_provider', '0004_idtoken'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accesstoken',
+            name='id_token',
+            field=models.OneToOneField(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='access_token', to=settings.OAUTH2_PROVIDER_ID_TOKEN_MODEL),
+        ),
+    ]

oauth2_provider/models.py

@@ -1,7 +1,10 @@
 import logging
+import json
 from datetime import timedelta
 from urllib.parse import parse_qsl, urlparse
 
+from jwcrypto import jwk, jwt
+
 from django.apps import apps
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
@@ -50,11 +53,20 @@ class AbstractApplication(models.Model):
     GRANT_IMPLICIT = "implicit"
     GRANT_PASSWORD = "password"
     GRANT_CLIENT_CREDENTIALS = "client-credentials"
+    GRANT_OPENID_HYBRID = "openid-hybrid"
     GRANT_TYPES = (
         (GRANT_AUTHORIZATION_CODE, _("Authorization code")),
         (GRANT_IMPLICIT, _("Implicit")),
         (GRANT_PASSWORD, _("Resource owner password-based")),
         (GRANT_CLIENT_CREDENTIALS, _("Client credentials")),
+        (GRANT_OPENID_HYBRID, _("OpenID connect hybrid")),
+    )
+
+    RS256_ALGORITHM = "RS256"
+    HS256_ALGORITHM = "HS256"
+    ALGORITHM_TYPES = (
+        (RS256_ALGORITHM, _("RSA with SHA-2 256")),
+        (HS256_ALGORITHM, _("HMAC with SHA-2 256")),
     )
 
     id = models.BigAutoField(primary_key=True)
@@ -82,6 +94,7 @@ class AbstractApplication(models.Model):
 
     created = models.DateTimeField(auto_now_add=True)
     updated = models.DateTimeField(auto_now=True)
+    algorithm = models.CharField(max_length=5, choices=ALGORITHM_TYPES, default=RS256_ALGORITHM)
 
     class Meta:
         abstract = True
@@ -282,6 +295,10 @@ class AbstractAccessToken(models.Model):
         related_name="refreshed_access_token"
     )
     token = models.CharField(max_length=255, unique=True, )
+    id_token = models.OneToOneField(
+        oauth2_settings.ID_TOKEN_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+        related_name="access_token"
+    )
     application = models.ForeignKey(
         oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE, blank=True, null=True,
     )
@@ -415,6 +432,99 @@ class Meta(AbstractRefreshToken.Meta):
         swappable = "OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL"
 
 
+class AbstractIDToken(models.Model):
+    """
+    An IDToken instance represents the actual token to
+    access user's resources, as in :openid:`2`.
+
+    Fields:
+
+    * :attr:`user` The Django user representing resources' owner
+    * :attr:`token` ID token
+    * :attr:`application` Application instance
+    * :attr:`expires` Date and time of token expiration, in DateTime format
+    * :attr:`scope` Allowed scopes
+    """
+    id = models.BigAutoField(primary_key=True)
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+        related_name="%(app_label)s_%(class)s"
+    )
+    token = models.TextField(unique=True)
+    application = models.ForeignKey(
+        oauth2_settings.APPLICATION_MODEL, on_delete=models.CASCADE, blank=True, null=True,
+    )
+    expires = models.DateTimeField()
+    scope = models.TextField(blank=True)
+
+    created = models.DateTimeField(auto_now_add=True)
+    updated = models.DateTimeField(auto_now=True)
+
+    def is_valid(self, scopes=None):
+        """
+        Checks if the access token is valid.
+
+        :param scopes: An iterable containing the scopes to check or None
+        """
+        return not self.is_expired() and self.allow_scopes(scopes)
+
+    def is_expired(self):
+        """
+        Check token expiration with timezone awareness
+        """
+        if not self.expires:
+            return True
+
+        return timezone.now() >= self.expires
+
+    def allow_scopes(self, scopes):
+        """
+        Check if the token allows the provided scopes
+
+        :param scopes: An iterable containing the scopes to check
+        """
+        if not scopes:
+            return True
+
+        provided_scopes = set(self.scope.split())
+        resource_scopes = set(scopes)
+
+        return resource_scopes.issubset(provided_scopes)
+
+    def revoke(self):
+        """
+        Convenience method to uniform tokens' interface, for now
+        simply remove this token from the database in order to revoke it.
+        """
+        self.delete()
+
+    @property
+    def scopes(self):
+        """
+        Returns a dictionary of allowed scope names (as keys) with their descriptions (as values)
+        """
+        all_scopes = get_scopes_backend().get_all_scopes()
+        token_scopes = self.scope.split()
+        return {name: desc for name, desc in all_scopes.items() if name in token_scopes}
+
+    @property
+    def claims(self):
+        key = jwk.JWK.from_pem(oauth2_settings.OIDC_RSA_PRIVATE_KEY.encode("utf8"))
+        jwt_token = jwt.JWT(key=key, jwt=self.token)
+        return json.loads(jwt_token.claims)
+
+    def __str__(self):
+        return self.token
+
+    class Meta:
+        abstract = True
+
+
+class IDToken(AbstractIDToken):
+    class Meta(AbstractIDToken.Meta):
+        swappable = "OAUTH2_PROVIDER_ID_TOKEN_MODEL"
+
+
 def get_application_model():
     """ Return the Application model that is active in this project. """
     return apps.get_model(oauth2_settings.APPLICATION_MODEL)
@@ -430,6 +540,11 @@ def get_access_token_model():
     return apps.get_model(oauth2_settings.ACCESS_TOKEN_MODEL)
 
 
+def get_id_token_model():
+    """ Return the AccessToken model that is active in this project. """
+    return apps.get_model(oauth2_settings.ID_TOKEN_MODEL)
+
+
 def get_refresh_token_model():
     """ Return the RefreshToken model that is active in this project. """
     return apps.get_model(oauth2_settings.REFRESH_TOKEN_MODEL)

oauth2_provider/oauth2_backends.py

@@ -102,15 +102,16 @@ def validate_authorization_request(self, request):
         except oauth2.OAuth2Error as error:
             raise OAuthToolkitError(error=error)
 
-    def create_authorization_response(self, request, scopes, credentials, allow):
+    def create_authorization_response(self, uri, request, scopes, credentials, body, allow):
         """
         A wrapper method that calls create_authorization_response on `server_class`
         instance.
 
         :param request: The current django.http.HttpRequest object
         :param scopes: A list of provided scopes
         :param credentials: Authorization credentials dictionary containing
-                           `client_id`, `state`, `redirect_uri`, `response_type`
+                           `client_id`, `state`, `redirect_uri` and `response_type`
+        :param body: Other body parameters not used in credentials dictionary
         :param allow: True if the user authorize the client, otherwise False
         """
         try:
@@ -122,10 +123,10 @@ def create_authorization_response(self, request, scopes, credentials, allow):
             credentials["user"] = request.user
 
             headers, body, status = self.server.create_authorization_response(
-                uri=credentials["redirect_uri"], scopes=scopes, credentials=credentials)
-            uri = headers.get("Location", None)
+                uri=uri, scopes=scopes, credentials=credentials, body=body)
+            redirect_uri = headers.get("Location", None)
 
-            return uri, headers, body, status
+            return redirect_uri, headers, body, status
 
         except oauth2.FatalClientError as error:
             raise FatalClientError(error=error, redirect_uri=credentials["redirect_uri"])