OpenID connect improvements #484
Conversation
|
Nice, I also ran into some missing bits in this area but worked around them in a different way. I'll need to dig up what I did exactly, but do believe we need something that looks like this PR. |
…ent in request.response_type
Changes AuthorizationEndpoint response_type `'token'`, `'id_token'` and `'id_token token'` to work with OpenID Connect and OAuth2 implicit flow in a transparent way
Change AuthorizationEndpoint grant_types `'authorization_code'` to work with OpenID Connect and OAuth2 authorization flow in a transparent way
Now OpenID Connect and OAuth2 authorization flow can use `authorization_code` in a transparent way
a8fe881 to
9fb35bb
Compare
|
@thedrow Done! |
skion
left a comment
There was a problem hiding this comment.
I like it and it doesn't break my implementation. I've added some questions inline.
There was a problem hiding this comment.
Is it possible to assert here (and below) how the mocked get_authorization_code_scopes() method was called?
There was a problem hiding this comment.
Should id_token and id_token token not point to the openid_connect_implicit grant directly?
There was a problem hiding this comment.
Why do client_id and redirect_uri default to an empty string instead of None?
There was a problem hiding this comment.
Nothing special, changed to None, thanks.
|
@skion can answer the question! |
There was a problem hiding this comment.
What I don't particularly like, but also not really sure how to do differently, is that this forces to lookup the grant twice; once in get_authorization_code_scopes() and once in validate_code(). Not ideal for performance.
I wonder if we should pass in the request object here, as with many of the other validator methods. Then at least one can choose to attach the result of the first lookup to the request.
There was a problem hiding this comment.
This is a gap between stateless endpoints:
- Authorization Endpoint
- Token Endpoint
request_validator.get_authorization_code_scopes() is called before request_validator.validate_code() which is used inside AuthorizationCodeGrant.validate_token_request() we can call request_validator.validate_code() here and pass in request.code_validate a True value indicating the code was already validated and in AuthorizationCodeGrant.validate_token_request() line 410 add a check before call request_validator.validate_code() again.
There was a problem hiding this comment.
I guess what I meant was: Could we use the following signature instead?
def get_authorization_code_scopes(self, client_id, code, redirect_uri, request):
This seems to be a common pattern already, and it would allow us to cache database lookups on the request object easily across validation calls.
34aa9b0 to
76c08b7
Compare
|
LGTM! |
|
@thedrow ready for merge! |
|
@thedrow Yes not backward compatible. |
|
Turns out this leads to problems with existing code that doesn't have To fix we could catch the |
|
@thedrow we need to add a |
|
Can we please back this out? It's doing more harm than good right now. I love the idea of OpenIDConnect support, but I also think it should be optional and not shoved into the library without consideration of servers/providers/clients that don't want it or don't need it. My opinion is to let the OAuth2 library do Oauth2, add the extras openid connect wants on top with a library of its own that uses the openid2 library, and keep a good separation of concerns so the code stays as SOLID and DRY as possible. |
|
@duaneking Not so easy to back out OIDC entirely, since its support was added long before this PR already, and mostly modular/separate from the existing code. The exception being the preconfigured server code, which I agree would have been better to leave alone and add a dedicated OIDC server. But undoing this now would also be a breaking change. IMO this PR should not have been a breaking change at all, and my suggestion would be: Find a fix to make this non-breaking and release 2.0.6, and plan for more structural changes in 3.0. |
|
Is there no way to remove 2.0.5 from the history? |
|
@wiliamsouza no. But there is a 2.0.6 in pypi now. I cherry picked every commits except this one. |
|
@lepture Great job! |
|
@wiliamsouza Would this be backward compatible if we just add this line 78 back in? |
This pull request removes the need of using
grant_type=openidin token endpoint and when defining a application credential theauthorization_grant_typecan be same already used (authorization-code) both for OpenID Connect and OAuth2.OpenID Connect and OAuth2 specification links:
To achieve this a new method
get_authorization_code_scopeshave to be added toRequestValidatoralong side news dispatches for implicit and token grant.Example old way to send a token request:
Example fixed way to send a token request:
I successfully tested using django-oauth-toolkit the following flows:
Adding support to OpenID Connect is a working in progress based on this pull request.