OpenID Connect support (#915)

* Openid Connect Core support - Round 3

* Add OpenID connect hybrid grant type

* Add OpenID connect algorithm type to Application model

* Add OpenID connect id token model

* Add nonce Authorization as required by OpenID connect Implicit Flow

* Add body to create_authorization_response to pass nonce and future OpenID parameters to oauthlib.common.Request

* Add OpenID connect ID token creation and validation methods and scopes

* Add OpenID connect response types

* Add OpenID connect authorization code flow test

* Add OpenID connect implicit flow tests

* Add validate_user_match method to OAuth2Validator

* Add RSA_PRIVATE_KEY setting with blank value

* Update tox

* Add get_jwt_bearer_token to OAuth2Validator

* Add validate_jwt_bearer_token to OAuth2Validator

* Change OAuth2Validator.validate_id_token default return value to False to avoid validation security breach

* Change to use .encode to avoid py2.7 tox test error

* Add OpenID connect hybrid flow tests

* Change to use .encode to avoid py2.7 tox test error

* Add RSA_PRIVATE_KEY to the list of settings that cannot be empt

* Add support for oidc connect discovery

* Use double quotes for strings

* Rename migrations to avoid name and order conflict

* Remove commando to install OAuthLib from master and removed jwcrypto duplication

* Remove python 2 compatible code

* Change errors access_denied/unauthorized_client/consent_required/login_required to be 400 as changed in oauthlib/pull/623

* Change iss claim value to come from settings

* Change to use openid connect code server class

* Change test to include missing state

* Add id_token relation to AbstractAccessToken

* Add claims property to AbstractIDToken

* Change OAuth2Validator._create_access_token to save id_token to access_token

* Add userinfo endpoint

* Update migrations and remove oauthlib duplication

* Remove old generated migrations

* Add new migrations

* Fix tests

* Add nonce to hybrid tests

* Add missing new attributes to test migration

* Rebase fixing conflicts and tests

* Remove auto generate message

* Fix flake8 issues

* Fix test doc deps

* Add project settings to be ignored in coverage

* Tweak migrations to support non-overidden models

* OIDC_USERINFO_ENDPOINT is not mandatory

* refresh_token grant should be support for OpenID hybrid

* Fix the user info view, and remove hard dependency on DRF

* Use proper URL generation for OIDC endpoints

* Support rich ID tokens and userinfo claims

Extend the validator and override get_additional_claims based on your own user model.

* Bug fix for at_hash generation

See https://openid.net/specs/openid-connect-core-1_0.html#id_token-tokenExample to prove algorithm

* OIDC_ISS_ENDPOINT is an optional setting

* Support OIDC urls from issuer url if provided

* Test for generated OIDC urls

* Flake

* Rebase on master and migrate url function to re_path

* Handle invalid token format exceptions as invalid tokens

* Merge migrations and sort imports isort for flake8 lint check

Co-authored-by: Dave Burkholder <dave@thinkwelldesigns.com>
Co-authored-by: Wiliam Souza <wiliamsouza83@gmail.com>
Co-authored-by: Allisson Azevedo <allisson@gmail.com>
Co-authored-by: fvlima <frederico.vieira@gmail.com>
Co-authored-by: Shaun Stanworth <shaun.stanworth@googlemail.com>

* Make IDToken admin class swappable

* Make OIDC support optional

Make OIDC support optional by not requiring OIDC_RSA_PRIVATE_KEY to be
set in the settings, and using the standard oauthlib.oauth2.Server class
when an OIDC private key is not configured.

Add a test fixture wrapping oauth2_settings. This allows individual
tests / test suites to override oauth2 settings and have them reset at
the end of the test. This avoids configuration leaking from one test to
another, and allows us to test multiple different configurations in one
test run.

When using the oauth2_settings fixture, allow configuration for the test
case to be loaded from a pytest marker called oauth2_settings.

Split out OIDC specific tests requiring specific OIDC configuration into
separate TestCase.

Adjust the OAuthLibMixin to fallback to using the server, validator and
core classes specified in oauth2_settings when not hardcoded in to the
class. These classes can still be specified as hard-coded attributes in
sub-classes, but it's no longer required if you just want what is
configured in oauth2_settings, so remove all attributes that are just
pointing at the configuration anyway.

Add a setting ALWAYS_RELOAD_OAUTHLIB_CORE, which causes OAuthLibMixin to
reload the OAuthLibCore object on each request. This is only intended to
be used during testing, to allow the views to recognise changes in
configuration.

Show missing coverage lines in the coverage report.

Fixes: #873

* Add tests for OIDC userinfo view

* Add test for creating the OIDC issuer url for JWTs

* Add ID token generation and validation tests

* Add tests for OAuth2ProviderSettings

* Add tests for IDToken model methods

* Remove unnecessary __future__ declarations

* Enable OIDC only views only when using OIDC

Add a mixin for OIDC only views that checks that OIDC is correctly
configured before allowing the request to continue.

If OIDC is not enabled, raise an ImproperlyConfigured exception if the
site is in DEBUG mode, otherwise log a warning and return a 404
response.

* Remove mistakenly committed comment

* Add OIDC documentation

* Add OIDC support change to CHANGELOG.md

* Support nonce and claims in OIDC auth

* Add nonce and claims fields to Grant model.
* Complete support for nonce in the OIDC auth code flow, and work around
  an oauthlib bug in the OIDC hybrid flow that caused a nonce presented
  in the authentication endpoint to be omitted from the ID token.
* Switch to using `RequestValidator.finalize_id_token` instead of
  `RequestValidator.get_id_token`. This allows us to use the oauthlib
  stock implementation of `get_id_token`, which creates `at_hash` and
  `c_hash` when appropriate.
* Support `claims` in the authentication endpoint to specify what claims
  are desired in the ID token, as per section 5.5. Interpreting the
  claims parameter is up to implementers.
* Add documentation on using scopes and claims as authentication
  endpoint parameters to influence what claims to add to the tokens.
* Add tests for `nonce` and `claims` handling.

* Fix py3.5 tests getting scopes in unexpected order

Not entirely sure how my previous changes caused that, but convert them
to sets and compare the sets of scopes.

* Simplify and optimise get_authorization_code_scopes

`code` is sufficient for retrieving an auth code's scopes, and we don't
need to do two DB queries where one will suffice.

* Serve JWKs using well-known URL

JWKs are commonly served from `.well-known/jwks.json`. This isn't a
standard, but it is in common usage so it makes sense to conform.

* Allow POST for OIDC UserInfo endpoint

* Refactor how OIDC issuer url is generated

Split out how to generate the OIDC issuer (when not specified in
settings) out to a util function.

Add tests

Dont use reverse_lazy when the next thing we do with the url is to
format it in to a string - no time for it to be lazy!

* Support HS256 for OIDC

* Add full support for HS256 signed OIDC keys.
* Add a new default signing algorithm, NO_ALGORITHM.
* Add docs on why you shouldn't choose HS256, and how to do it anyway.
* Add docs on how to enable an app for OIDC.
* Remove OIDC_ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED and generate it
  depending on whether you have added an RSA key.
* Add validation for your application signing algorithm so its not
  possible to accidentally setup something insecure.
* Add `Application.jwk_key` property to load the correct key for an
  application.
* Peek at a supplied id_token to determine the application it belongs to
  so that we can load the correct key to verify the signature.
* Add an OIDC_ENABLED setting, as we can now enable OIDC without adding
  OIDC_RSA_PRIVATE_KEY.
* Update and add new tests.

* fix: json.loads on python 3.5 requires a str

* Remove changes to create_authorization_response

When using OIDC, the additional parameters nonce and claims are
correctly extracted by oauthlib, we don't need to manually parse them
out and pass them as a phony body parameter.

Similarly, the django request is passed down to the final wrapper layer
that calls create_authorization_response in oauthlib, we can defer
calling `request.get_raw_uri()` until that point and drop passing `uri`
down two function calls.

This reverts create_authorization_response back to basically how it was
pre-OIDC changes.

* Reduce changes compared to master

There were a few other places where stylistic changes have been made that
are not a part of the changes. Revert them to make the patch less
different compared to master.

* Use simpler import name for oauthlib OIDC server

* Fix another reference to oauthlib.openid.Server

* Add indirect six dependency from jwcrpyto

jwcrypto has a direct dependency on six, but does not list it yet in a
release. Previously, cryptography also depended on six, so this was
unnoticed.

* Django master now supports only python 3.8+

* Store jti instead of the ID token contents

Add a jti parameter to each ID token generated. After verifying a
received ID token JWT, extract the jti claim to verify that the ID token
exists in our database and is not expired.

We don't require the contents of the JWT to verify that an ID token
hasn't expired or been revoked, just the jti claim, so don't bother to
store or index the ID token contents. Because we only would look at this
when presented with an ID token JWT, all the claim contents are
available in this JWT.

Add missing scope check when verifying an ID token, add tests to verify
this.

Add functions _load_id_token and _load_access_token to OAuth2Validator,
analagous to _save_id_token and _create_access_token. These can be
overridden in sub-classes to customise loading behaviour, if these
models have been swapped.

* Code review changes

* Don't swallow ValueError in ClientProtectedResourceMixin
* Use OAuthLibCore._get_escaped_full_path to encode URI before passing
  to oauthlib.
* You cannot create an ID Token using client credentials flow, so remove
  dead code handling this eventuality from OAuth2Validator._save_id_token
* Remove TODO comment about saving IDTokens, it isn't necessary.

* Generate the correct issuer URL from oauthlib

OAuthlib will use OAuth2Validator.get_oidc_issuer_endpoint to generate
the issuer endpoint; we create a phony django request to use django's
mechanisms for generating the fully qualified URL. However, when SSL is
enableld, not enough information is passed through to determine that the
protocol is HTTPS.

Adjust OAuthLibCore.extract_headers() to inject a custom header when the
django request is secure. Use this extra header when generating the
issuer URL to determine whether to set the protocol to "https", and use
a custom django.http.HttpRequest subclass to allow us to set this.

Adjust OAuthLibCore.create_authorization_response() to pass through
headers to oauthlib to allow this header to be received.

* Update OIDC docs

* Krl/oidc round three fixes (#1)

Add kid to id_token header, conditional on the algorithm used

* Fix linting from PR

* Handle invalid tokens in userinfo endpoint

* Update a comment

Co-authored-by: Dave Burkholder <dave@thinkwelldesigns.com>
Co-authored-by: Wiliam Souza <wiliamsouza83@gmail.com>
Co-authored-by: Allisson Azevedo <allisson@gmail.com>
Co-authored-by: fvlima <frederico.vieira@gmail.com>
Co-authored-by: Shaun Stanworth <shaun.stanworth@googlemail.com>
Co-authored-by: Alan Crosswell <alan@columbia.edu>
Co-authored-by: Kristian Rune Larsen <67627991+kristianrunelarsen@users.noreply.github.com>

Author: 8 people

.editorconfig

@@ -8,7 +8,7 @@ indent_size = 4
 insert_final_newline = true
 trim_trailing_whitespace = true
 
-[{Makefile,tox.ini,setup.cfg}]
+[{Makefile,setup.cfg}]
 indent_style = tab
 
 [*.{yml,yaml}]

.gitignore

@@ -26,6 +26,7 @@ pip-log.txt
 
 # Unit test / coverage reports
 .cache
+.pytest_cache
 .coverage
 .tox
 .pytest_cache/

CHANGELOG.md

@@ -16,6 +16,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Added
+* #915 Add optional OpenID Connect support.
+
 ## [1.4.1]
 
 ### Changed

docs/index.rst

@@ -40,6 +40,7 @@ Index
    views/details
    models
    advanced_topics
+   oidc
    signals
    settings
    resource_server

docs/oidc.rst

@@ -0,0 +1,308 @@
+OpenID Connect
+++++++++++++++
+
+OpenID Connect support
+======================
+
+``django-oauth-toolkit`` supports OpenID Connect (OIDC), which standardizes
+authentication flows and provides a plug and play integration with other
+systems. OIDC is built on top of OAuth 2.0 to provide:
+
+* Generating ID tokens as part of the login process. These are JWT that
+  describe the user, and can be used to authenticate them to your application.
+* Metadata based auto-configuration for providers
+* A user info endpoint, which applications can query to get more information
+  about a user.
+
+Enabling OIDC doesn't affect your existing OAuth 2.0 flows, these will
+continue to work alongside OIDC.
+
+We support:
+
+* OpenID Connect Authorization Code Flow
+* OpenID Connect Implicit Flow
+* OpenID Connect Hybrid Flow
+
+
+Configuration
+=============
+
+OIDC is not enabled by default because it requires additional configuration
+that must be provided. ``django-oauth-toolkit`` supports two different
+algorithms for signing JWT tokens, ``RS256``, which uses asymmetric RSA keys (a
+public key and a private key), and ``HS256``, which uses a symmetric key.
+
+It is preferrable to use ``RS256``, because this produces a token that can be
+verified by anyone using the public key (which is made available and
+discoverable by OIDC service auto-discovery, included with
+``django-oauth-toolkit``). ``HS256`` on the other hand uses the
+``client_secret`` in order to verify keys. This is simpler to implement, but
+makes it harder to safely verify tokens.
+
+Using ``HS256`` also means that you cannot use the Implicit or Hybrid flows,
+or verify the tokens in public clients, because you cannot disclose the
+``client_secret`` to a public client. If you are using a public client, you
+must use ``RS256``.
+
+
+Creating RSA private key
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+To use ``RS256`` requires an RSA private key, which is used for signing JWT. You
+can generate this using the `openssl`_ tool::
+
+    openssl genrsa -out oidc.key 4096
+
+This will generate a 4096-bit RSA key, which will be sufficient for our needs.
+
+.. _openssl: https://www.openssl.org
+
+.. warning::
+    The contents of this key *must* be kept a secret. Don't put it in your
+    settings and commit it to version control!
+
+    If the key is ever accidentally disclosed, an attacker could use it to
+    forge JWT tokens that verify as issued by your OAuth provider, which is
+    very bad!
+
+    If it is ever disclosed, you should immediately replace the key.
+
+    Safe ways to handle it would be:
+
+    * Store it in a secure system like `Hashicorp Vault`_, and inject it in to
+      your environment when running your server.
+    * Store it in a secure file on your server, and use your initialization
+      scripts to inject it in to your environment.
+
+.. _Hashicorp Vault: https://www.hashicorp.com/products/vault
+
+Now we need to add this key to our settings and allow the ``openid`` scope to
+be used. Assuming we have set an environment variable called
+``OIDC_RSA_PRIVATE_KEY``, we can make changes to our ``settings.py``::
+
+    import os.environ
+
+    OAUTH2_PROVIDER = {
+        "OIDC_ENABLED": True,
+        "OIDC_RSA_PRIVATE_KEY": os.environ.get("OIDC_RSA_PRIVATE_KEY"),
+        "SCOPES": {
+            "openid": "OpenID Connect scope",
+            # ... any other scopes that you use
+        },
+        # ... any other settings you want
+    }
+
+If you are adding OIDC support to an existing OAuth 2.0 provider site, and you
+are currently using a custom class for ``OAUTH2_SERVER_CLASS``, you must
+change this class to derive from ``oauthlib.openid.Server`` instead of
+``oauthlib.oauth2.Server``.
+
+With ``RSA`` key-pairs, the public key can be generated from the private key,
+so there is no need to add a setting for the public key.
+
+Using ``HS256`` keys
+~~~~~~~~~~~~~~~~~~~~
+
+If you would prefer to use just ``HS256`` keys, you don't need to create any
+additional keys, ``django-oauth-toolkit`` will just use the application's
+``client_secret`` to sign the JWT token.
+
+In this case, you just need to enable OIDC and add ``openid`` to your list of
+scopes in your ``settings.py``::
+
+    OAUTH2_PROVIDER = {
+        "OIDC_ENABLED": True,
+        "SCOPES": {
+            "openid": "OpenID Connect scope",
+            # ... any other scopes that you use
+        },
+        # ... any other settings you want
+    }
+
+.. info::
+    If you want to enable ``RS256`` at a later date, you can do so - just add
+    the private key as described above.
+
+Setting up OIDC enabled clients
+===============================
+
+Setting up an OIDC client in ``django-oauth-toolkit`` is simple - in fact, all
+existing OAuth 2.0 Authorization Code Flow and Implicit Flow applications that
+are already configured can be easily updated to use OIDC by setting the
+appropriate algorithm for them to use.
+
+You can also switch existing apps to use OIDC Hybrid Flow by changing their
+Authorization Grant Type and selecting a signing algorithm to use.
+
+You can read about the pros and cons of the different flows in `this excellent
+article`_ from Robert Broeckelmann.
+
+.. _this excellent article: https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
+
+OIDC Authorization Code Flow
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To create an OIDC Authorization Code Flow client, create an ``Application``
+with the grant type ``Authorization code`` and select your desired signing
+algorithm.
+
+When making an authorization request, be sure to include ``openid`` as a
+scope. When the code is exchanged for the access token, the response will
+also contain an ID token JWT.
+
+If the ``openid`` scope is not requested, authorization requests will be
+treated as standard OAuth 2.0 Authorization Code Grant requests.
+
+With ``PKCE`` enabled, even public clients can use this flow, and it is the most
+secure and recommended flow.
+
+OIDC Implicit Flow
+~~~~~~~~~~~~~~~~~~
+
+OIDC Implicit Flow is very similar to OAuth 2.0 Implicit Grant, except that
+the client can request a ``response_type`` of ``id_token`` or ``id_token
+token``. Requesting just ``token`` is also possible, but it would make it not
+an OIDC flow and would fall back to being the same as OAuth 2.0 Implicit
+Grant.
+
+To setup an OIDC Implicit Flow client, simply create an ``Application`` with
+the a grant type of ``Implicit`` and select your desired signing algorithm,
+and configure the client to request the ``openid`` scope and an OIDC
+``response_type`` (``id_token`` or ``id_token token``).
+
+
+OIDC Hybrid Flow
+~~~~~~~~~~~~~~~~
+
+OIDC Hybrid Flow is a mixture of the previous two flows. It allows the ID
+token and an access token to be returned to the frontend, whilst also
+allowing the backend to retrieve the ID token and an access token (not
+necessarily the same access token) on the backend.
+
+To setup an OIDC Hybrid Flow application, create an ``Application`` with a
+grant type of ``OpenID connect hybrid`` and select your desired signing
+algorithm.
+
+
+Customizing the OIDC responses
+==============================
+
+This basic configuration will give you a basic working OIDC setup, but your
+ID tokens will have very few claims in them, and the ``UserInfo`` service will
+just return the same claims as the ID token.
+
+To configure all of these things we need to customize the
+``OAUTH2_VALIDATOR_CLASS`` in ``django-oauth-toolkit``. Create a new file in
+our project, eg ``my_project/oauth_validator.py``::
+
+    from oauth2_provider.oauth2_validators import OAuth2Validator
+
+
+    class CustomOAuth2Validator(OAuth2Validator):
+        pass
+
+
+and then configure our site to use this in our ``settings.py``::
+
+    OAUTH2_PROVIDER = {
+        "OAUTH2_VALIDATOR_CLASS": "my_project.oauth_validators.CustomOAuth2Validator",
+        # ... other settings
+    }
+
+Now we can customize the tokens and the responses that are produced by adding
+methods to our custom validator.
+
+
+Adding claims to the ID token
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+By default the ID token will just have a ``sub`` claim (in addition to the
+required claims, eg ``iss``, ``aud``, ``exp``, ``iat``, ``auth_time`` etc),
+and the ``sub`` claim will use the primary key of the user as the value.
+You'll probably want to customize this and add additional claims or change
+what is sent for the ``sub`` claim. To do so, you will need to add a method to
+our custom validator::
+
+    class CustomOAuth2Validator(OAuth2Validator):
+
+        def get_additional_claims(self, request):
+            return {
+                "sub": request.user.email,
+                "first_name": request.user.first_name,
+                "last_name": request.user.last_name,
+            }
+
+.. note::
+    This ``request`` object is not a ``django.http.Request`` object, but an
+    ``oauthlib.common.Request`` object. This has a number of attributes that
+    you can use to decide what claims to put in to the ID token:
+
+    * ``request.scopes`` - a list of the scopes requested by the client when
+      making an authorization request.
+    * ``request.claims`` - a dictionary of the requested claims, using the
+      `OIDC claims requesting system`_. These must be requested by the client
+      when making an authorization request.
+    * ``request.user`` - the django user object.
+
+.. _OIDC claims requesting system: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
+
+What claims you decide to put in to the token is up to you to determine based
+upon what the scopes and / or claims means to your provider.
+
+
+Adding information to the ``UserInfo`` service
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``UserInfo`` service is supplied as part of the OIDC service, and is used
+to retrieve more information about the user than was supplied in the ID token
+when the user logged in to the OIDC client application. It is optional to use
+the service. The service is accessed by making a request to the
+``UserInfo`` endpoint, eg ``/o/userinfo/`` and supplying the access token
+retrieved at login as a ``Bearer`` token.
+
+Again, to modify the content delivered, we need to add a function to our
+custom validator. The default implementation adds the claims from the ID
+token, so you will probably want to re-use that::
+
+    class CustomOAuth2Validator(OAuth2Validator):
+
+        def get_userinfo_claims(self, request):
+            claims = super().get_userinfo_claims()
+            claims["color_scheme"] = get_color_scheme(request.user)
+            return claims
+
+
+OIDC Views
+==========
+
+Enabling OIDC support adds three views to ``django-oauth-toolkit``. When OIDC
+is not enabled, these views will log that OIDC support is not enabled, and
+return a ``404`` response, or if ``DEBUG`` is enabled, raise an
+``ImproperlyConfigured`` exception.
+
+In the docs below, it assumes that you have mounted the
+``django-oauth-toolkit`` at ``/o/``. If you have mounted it elsewhere, adjust
+the URLs accordingly.
+
+
+ConnectDiscoveryInfoView
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Available at ``/o/.well-known/openid-configuration/``, this view provides auto
+discovery information to OIDC clients, telling them the JWT issuer to use, the
+location of the JWKs to verify JWTs with, the token and userinfo endpoints to
+query, and other details.
+
+
+JwksInfoView
+~~~~~~~~~~~~
+
+Available at ``/o/.well-known/jwks.json``, this view provides details of the key used to sign
+the JWTs generated for ID tokens, so that clients are able to verify them.
+
+
+UserInfoView
+~~~~~~~~~~~~
+
+Available at ``/o/userinfo/``, this view provides extra user details. You can
+customize the details included in the response as described above.