Make OIDC plugin public (#9406)

* Make OIDC plugin public * Add missing dependency package * Apply changes after review * Update changelog * Apply changes after review * Add const file
saleor · Apr 1, 2022 · 7d2e77c · 7d2e77c
1 parent 984ddb4
commit 7d2e77c
Show file tree

Hide file tree

Showing 25 changed files with 4,055 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ All notable, unreleased changes to this project will be documented in this file.
 
 ### Other changes
 - Fix failing `checkoutCustomerAttach` mutation - #9401 by @IKarbowiak
+- Add OpenID Connect Plugin - #9406 by @korycins
 - Add new mutation `orderCreateFromCheckout` - #9343 by @korycins
 - Add `language_code` field to webhook payload for `Order`, `Checkout` and `Customer` - #9433 by @rafalp
 - Add handling webhook payload via GraphQL subscriptions (#9394)  @jakubkuc

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -68,6 +68,7 @@ documentation = "https://docs.saleor.io/"
   cryptography = "^36.0.0"
   graphene = "<3.0"
   uvicorn = {extras = ["standard"], version = "^0.17.5"}
+  Authlib = "^1.0.0"
 
     [tool.poetry.dependencies.celery]
     version = ">=4.4.5,<6.0.0"

diff --git a/requirements.txt b/requirements.txt
@@ -4,6 +4,7 @@ aniso8601==7.0.0
 anyio==3.5.0; python_version >= "3.7" and python_full_version >= "3.6.2"
 asgiref==3.5.0; python_version >= "3.7"
 async-timeout==4.0.2; python_version >= "3.7"
+authlib==1.0.0
 authorizenet==1.1.4
 babel==2.9.1; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.4.0")
 beautifulsoup4==4.7.1

diff --git a/requirements_dev.txt b/requirements_dev.txt
@@ -7,6 +7,7 @@ astroid==2.11.2; python_full_version >= "3.6.2"
 async-timeout==4.0.2; python_version >= "3.7"
 atomicwrites==1.4.0; python_version >= "3.7" and python_full_version < "3.0.0" and sys_platform == "win32" and python_version < "4.0" or sys_platform == "win32" and python_version >= "3.7" and python_full_version >= "3.4.0" and python_version < "4.0"
 attrs==21.4.0; python_version >= "3.7" and python_full_version < "3.0.0" and python_version < "4.0" or python_full_version >= "3.5.0" and python_version >= "3.7" and python_version < "4.0"
+authlib==1.0.0
 authorizenet==1.1.4
 babel==2.9.1; (python_version >= "2.7" and python_full_version < "3.0.0") or (python_full_version >= "3.4.0")
 beautifulsoup4==4.7.1

diff --git a/saleor/plugins/base_plugin.py b/saleor/plugins/base_plugin.py
@@ -137,7 +137,9 @@ def __str__(self):
     #  Authenticate user which should be assigned to the request.
     #
     #  Overwrite this method if the plugin handles authentication flow.
-    authenticate_user: Callable[[WSGIRequest], Union["User", NoneType]]
+    authenticate_user: Callable[
+        [WSGIRequest, Optional["User"]], Union["User", NoneType]
+    ]
 
     authorize_payment: Callable[["PaymentData", Any], GatewayResponse]
 
@@ -280,28 +282,35 @@ def __str__(self):
     #  Handle authentication request.
     #
     #  Overwrite this method if the plugin handles authentication flow.
-    external_authentication_url: Callable[[dict, WSGIRequest], dict]
+    external_authentication_url: Callable[[dict, WSGIRequest, dict], dict]
 
     #  Handle logout request.
     #
     #  Overwrite this method if the plugin handles logout flow.
-    external_logout: Callable[[dict], Any]
+    external_logout: Callable[[dict, WSGIRequest, dict], Any]
 
     #  Handle authentication request responsible for obtaining access tokens.
     #
     #  Overwrite this method if the plugin handles authentication flow.
-    external_obtain_access_tokens: Callable[[dict, WSGIRequest], ExternalAccessTokens]
+    external_obtain_access_tokens: Callable[
+        [dict, WSGIRequest, ExternalAccessTokens], ExternalAccessTokens
+    ]
 
     #  Handle authentication refresh request.
     #
     #  Overwrite this method if the plugin handles authentication flow and supports
     #  refreshing the access.
-    external_refresh: Callable[[dict, WSGIRequest], ExternalAccessTokens]
+    external_refresh: Callable[
+        [dict, WSGIRequest, ExternalAccessTokens], ExternalAccessTokens
+    ]
 
     #  Verify the provided authentication data.
     #
     #  Overwrite this method if the plugin should validate the authentication data.
-    external_verify: Callable[[dict, WSGIRequest], Tuple[Union["User", NoneType], dict]]
+    external_verify: Callable[
+        [dict, WSGIRequest, Tuple[Union["User", NoneType], dict]],
+        Tuple[Union["User", NoneType], dict],
+    ]
 
     #  Triggered when ShopFetchTaxRates mutation is called.
     fetch_taxes_data: Callable[[Any], Any]

diff --git a/saleor/plugins/openid_connect/__init__.py b/saleor/plugins/openid_connect/__init__.py
@@ -0,0 +1 @@
+PLUGIN_ID = "mirumee.authentication.openidconnect"
diff --git a/saleor/plugins/openid_connect/const.py b/saleor/plugins/openid_connect/const.py
@@ -0,0 +1 @@
+SALEOR_STAFF_PERMISSION = "saleor:staff"
diff --git a/saleor/plugins/openid_connect/dataclasses.py b/saleor/plugins/openid_connect/dataclasses.py
@@ -0,0 +1,15 @@
+from dataclasses import dataclass
+
+
+@dataclass
+class OpenIDConnectConfig:
+    client_id: str
+    client_secret: str
+    enable_refresh_token: bool
+    json_web_key_set_url: str
+    authorization_url: str
+    logout_url: str
+    token_url: str
+    user_info_url: str
+    audience: str
+    use_scope_permissions: bool
diff --git a/saleor/plugins/openid_connect/exceptions.py b/saleor/plugins/openid_connect/exceptions.py
@@ -0,0 +1,2 @@
+class AuthenticationError(Exception):
+    """Raises when error occurred during authentication."""