From 023026ee29f6b6ede6838158c4b7106f5bd8911c Mon Sep 17 00:00:00 2001
From: Jonas Nygaard Pedersen
Date: Tue, 6 Apr 2021 16:01:46 +0200
Subject: [PATCH 1/5] Fix double oauth2_provider mountpoint in oidc view
Fixes the doubling of mountpoint path in the OIDC endpoints values for `.well-known/openid-configuration/`
---
 oauth2_provider/views/oidc.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
index ac3a2a172..00c8c3fa4 100644
--- a/oauth2_provider/views/oidc.py
+++ b/oauth2_provider/views/oidc.py
@@ -1,4 +1,5 @@
 import json
+from urllib.parse import urlparse
 from django.http import HttpResponse, JsonResponse
 from django.urls import reverse
@@ -32,12 +33,15 @@ def get(self, request, *args, **kwargs):
 )
 jwks_uri = request.build_absolute_uri(reverse("oauth2_provider:jwks-info"))
 else:
- authorization_endpoint = "{}{}".format(issuer_url, reverse("oauth2_provider:authorize"))
- token_endpoint = "{}{}".format(issuer_url, reverse("oauth2_provider:token"))
+ parsed_url = urlparse(oauth2_settings.OIDC_ISS_ENDPOINT)
+ host = parsed_url.scheme + "://" + parsed_url.netloc
+ authorization_endpoint = "{}{}".format(host, reverse("oauth2_provider:authorize"))
+ token_endpoint = "{}{}".format(host, reverse("oauth2_provider:token"))
 userinfo_endpoint = oauth2_settings.OIDC_USERINFO_ENDPOINT or "{}{}".format(
- issuer_url, reverse("oauth2_provider:user-info")
+ host, reverse("oauth2_provider:user-info")
 )
- jwks_uri = "{}{}".format(issuer_url, reverse("oauth2_provider:jwks-info"))
+ jwks_uri = "{}{}".format(host, reverse("oauth2_provider:jwks-info"))
+
 signing_algorithms = [Application.HS256_ALGORITHM]
 if oauth2_settings.OIDC_RSA_PRIVATE_KEY:
 signing_algorithms = [Application.RS256_ALGORITHM, Application.HS256_ALGORITHM]
From 0931bc8e803a87e323e1e4ef592c4b44ac2be36b Mon Sep 17 00:00:00 2001
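Review bot: In the second hunk of oauth2_provider/views/oidc.py, `host` is assembled from `parsed_url.scheme` and `parsed_url.netloc` without checking that either is non-empty, so an `OIDC_ISS_ENDPOINT` configured without a scheme (e.g. `localhost/o`) silently produces endpoint values such as `:///o/authorize/` in the discovery document instead of failing loudly; a guard like `if not (parsed_url.scheme and parsed_url.netloc): raise ImproperlyConfigured("OIDC_ISS_ENDPOINT must be an absolute URL")` (with `ImproperlyConfigured` imported from `django.core.exceptions`) would surface the misconfiguration rather than hand relying parties broken URLs. The rewrite also deliberately discards any path component of the issuer, which is correct when the mount prefix is already produced by `reverse()` (the situation the PR description shows) but would silently drop a prefix that only a fronting proxy adds; a comment on the `host =` line such as `# endpoints are rebuilt from the issuer's origin plus reverse(); any path prefix must be known to Django's URL resolver` would make that contract explicit. Building these URLs from the configured setting rather than from the request's `Host` header (as the other branch does via `build_absolute_uri`) is the preferable choice here, since it keeps the published discovery document independent of client-supplied host values. The enclosing `get` method starts before the hunk and continues after it.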
From: Jonas Nygaard Pedersen
Date: Tue, 6 Apr 2021 16:14:46 +0200
Subject: [PATCH 2/5] Updated tests
According to the `django-oauth-toolkit` documentation for [OIDC_ISS_ENDPOINT](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#oidc-iss-endpoint) this settings variable should enable discovery at `OIDC_ISS_ENDPOINT` + `/.well-known/openid-configuration/`. But if you use the variable as described you'll end up with the correct URL for the `issuer` value but incorrect URL's for the values of `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`, and `jwks_uri`. So if the `OIDC_ISS_ENDPOINT` is `http://localhost:8001/some-initial-path/o` the `issuer` will be `http://localhost:8001/some-initial-path/o` but `authorization_endpoint` will be `http://localhost:8001/some-initial-path/o/some-initial-path/o/authorize/`. Same pattern for `token_endpoint`, `userinfo_endpoint`, and `jwks_uri` This commit updates the tests to expect `OIDC_ISS_ENDPOINT` to end in `/o`
---
 tests/presets.py | 4 ++--
 tests/test_oidc_views.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/presets.py b/tests/presets.py
index da1577bf4..214f804ef 100644
--- a/tests/presets.py
+++ b/tests/presets.py
@@ -9,8 +9,8 @@ DEFAULT_SCOPES_RO = {"DEFAULT_SCOPES": ["read"]}
 OIDC_SETTINGS_RW = {
 "OIDC_ENABLED": True,
- "OIDC_ISS_ENDPOINT": "http://localhost",
- "OIDC_USERINFO_ENDPOINT": "http://localhost/userinfo/",
+ "OIDC_ISS_ENDPOINT": "http://localhost/o",
+ "OIDC_USERINFO_ENDPOINT": "http://localhost/o/userinfo/",
 "OIDC_RSA_PRIVATE_KEY": settings.OIDC_RSA_PRIVATE_KEY,
 "SCOPES": {
 "read": "Reading scope",
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
index 3e3a5538c..5cbae5402 100644
--- a/tests/test_oidc_views.py
+++ b/tests/test_oidc_views.py
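Review bot: The new preset issuer `http://localhost/o` has a path that evidently coincides with the prefix `reverse()` yields under the test URLconf (the expectations in tests/test_oidc_views.py are all `http://localhost/o/...`), so the updated expectations there cannot distinguish "origin of the issuer plus `reverse()`" from "issuer plus a route suffix", and neither file exercises the scenario the PR description motivates, an issuer carrying an extra path prefix, nor a scheme-less issuer. A second preset with a constructed issuer such as `http://localhost/some-initial-path/o` that asserts `authorization_endpoint` is still `http://localhost/o/authorize/` would pin the origin-only derivation the view now implements, and a case with an issuer lacking a scheme would document whether such a misconfiguration is rejected or passed through into the discovery document. The `OIDC_SETTINGS_RW` dict continues past the end of the hunk.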
@@ -12,10 +12,10 @@ class TestConnectDiscoveryInfoView(TestCase):
 def test_get_connect_discovery_info(self):
 expected_response = {
- "issuer": "http://localhost",
+ "issuer": "http://localhost/o",
 "authorization_endpoint": "http://localhost/o/authorize/",
 "token_endpoint": "http://localhost/o/token/",
- "userinfo_endpoint": "http://localhost/userinfo/",
+ "userinfo_endpoint": "http://localhost/o/userinfo/",
 "jwks_uri": "http://localhost/o/.well-known/jwks.json",
 "response_types_supported": [
 "code",
From 6de78733479b801db5d058a0e0fe94c0ad6da113 Mon Sep 17 00:00:00 2001
From: Jonas Nygaard Pedersen
Date: Tue, 6 Apr 2021 16:48:56 +0200
Subject: [PATCH 3/5] Updated AUTHORS
---
 AUTHORS | 1 +
 1 file changed, 1 insertion(+)
diff --git a/AUTHORS b/AUTHORS
index aba1e22f4..d8973f29f 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -32,6 +32,7 @@ Hiroki Kiyohara
 Jens Timmerman
 Jerome Leclanche
 Jim Graham
+Jonas Nygaard Pedersen
 Jonathan Steffan
 Jun Zhou
 Kristian Rune Larsen
From 5b39791ffe0433c57538534ee84f16973a93f467 Mon Sep 17 00:00:00 2001
From: Jonas Nygaard Pedersen
Date: Tue, 6 Apr 2021 20:57:59 +0200
Subject: [PATCH 4/5] Update CHANGELOG
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e7b0e35cb..0688ee0f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,9 +19,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 * #712, #636, #808. Calls to `django.contrib.auth.authenticate()` now pass a `request` to provide compatibility with backends that need one.
-
+
 ### Fixed
 * #524 Restrict usage of timezone aware expire dates to Django projects with USE_TZ set to True.
+* #955 Avoid doubling of `oauth2_provider` urls mountpath in json response for OIDC view `ConnectDiscoveryInfoView`
 ## [1.5.0] 2021-03-18
From a58b8953c2abb0abf28c45815847d750369a4294 Mon Sep 17 00:00:00 2001
From: Jonas Nygaard Pedersen
Date: Wed, 7 Apr 2021 10:50:18 +0200
Subject: [PATCH 5/5] updated CHANGELOG
To include possible breaking change message
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0688ee0f1..c28031a26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,7 +22,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 * #524 Restrict usage of timezone aware expire dates to Django projects with USE_TZ set to True.
-* #955 Avoid doubling of `oauth2_provider` urls mountpath in json response for OIDC view `ConnectDiscoveryInfoView`
+* #955 Avoid doubling of `oauth2_provider` urls mountpath in json response for OIDC view `ConnectDiscoveryInfoView`.
+ Breaks existing OIDC discovery output
 ## [1.5.0] 2021-03-18