From 092cc37320a996aabf865412d5fe6d812c66c2c7 Mon Sep 17 00:00:00 2001
From: quark
Date: Tue, 17 Jun 2025 00:26:13 +0200
Subject: [PATCH 1/2] OIDC 0 Quark 1
---
 apps/permission/scopes.py | 29 ++++++++++++++++++++---------
 apps/permission/signals.py | 1 +
 apps/permission/views.py | 2 +-
 3 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/apps/permission/scopes.py b/apps/permission/scopes.py
index 29b04217..7d2619c1 100644
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@@ -18,22 +18,27 @@ class PermissionScopes(BaseScopes):
 """
 def get_all_scopes(self):
- return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" for p in Permission.objects.all() for club in Club.objects.all()}
+ scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})" for p in Permission.objects.all() for club in Club.objects.all()}
+ scopes['openid'] = "OpenID Connect"
+ return scopes
 def get_available_scopes(self, application=None, request=None, *args, **kwargs):
 if not application:
 return []
- return [f"{p.id}_{p.membership.club.id}" for t in Permission.PERMISSION_TYPES for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+ scopes = [f"{p.id}_{p.membership.club.id}" for t in Permission.PERMISSION_TYPES for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+ scopes.append('openid')
+ return scopes
 def get_default_scopes(self, application=None, request=None, *args, **kwargs):
 if not application:
 return []
- return [f"{p.id}_{p.membership.club.id}" for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-
+ scopes = [f"{p.id}_{p.membership.club.id}" for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+ scopes.append('openid')
+ return scopes
 class PermissionOAuth2Validator(OAuth2Validator):
 oidc_claim_scope = OAuth2Validator.oidc_claim_scope 
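Review bot: The literal `'openid'` is appended by hand in get_all_scopes, get_available_scopes and get_default_scopes in this hunk and tested once more in the validate_scopes hunk of the same file; hoisting it to a single module-level constant, `OPENID_SCOPE = 'openid'`, keeps the four sites from drifting apart. Appending it in get_default_scopes also means that, if I read the BaseScopes contract right, a client that sends no scope parameter is granted OpenID Connect without having asked for it; if that is the intent, a one-line comment on the `scopes.append('openid')` line of get_default_scopes such as `# every application may obtain an ID token, so 'openid' is always part of the defaults` would record the decision for the next reader. None of the three methods documents that 'openid' is the only scope not shaped like `{permission}_{club}`, which is exactly what the view in views.py later trips over.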
@@ -49,6 +54,10 @@ class PermissionOAuth2Validator(OAuth2Validator):
 "email": request.user.email,
 }
+ def get_discovery_claims(self, request):
+ claims = super().get_discovery_claims(self)
+ return claims + ["name", "normalized_name", "email"]
+
 def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
 """
 User can request as many scope as he wants, including invalid scopes,
@@ -65,7 +74,9 @@ class PermissionOAuth2Validator(OAuth2Validator):
 scope = f"{p.id}_{p.membership.club.id}"
 if scope in scopes:
 valid_scopes.add(scope)
+
+ if 'openid' in scopes:
+ valid_scopes.add('openid')
 request.scopes = valid_scopes
-
 return valid_scopes
diff --git a/apps/permission/signals.py b/apps/permission/signals.py
index b2394c6f..5ea04113 100644
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@@ -19,6 +19,7 @@ EXCLUDED = [
 'oauth2_provider.accesstoken',
 'oauth2_provider.grant',
 'oauth2_provider.refreshtoken',
+ 'oauth2_provider.idtoken',
 'sessions.session',
 ]
diff --git a/apps/permission/views.py b/apps/permission/views.py
index e7de920e..39e1f98c 100644
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
 available_scopes = scopes.get_available_scopes(app)
 context["scopes"][app] = OrderedDict()
 items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
- items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+ # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
 for k, v in items:
 context["scopes"][app][k] = v
From df0d886db97ce55088f71e4bb192a47e12182f24 Mon Sep 17 00:00:00 2001
From: quark
Date: Tue, 17 Jun 2025 11:46:33 +0200
Subject: [PATCH 2/2] linters
---
 apps/permission/scopes.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/permission/scopes.py b/apps/permission/scopes.py
index 7d2619c1..0702aefa 100644
--- a/apps/permission/scopes.py 
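Review bot: In the new get_discovery_claims the super call passes `self` where its own signature says the request goes, `claims = super().get_discovery_claims(self)`; it should read `claims = super().get_discovery_claims(request)`, otherwise the parent receives the validator instance in place of the request object. The method also lacks a docstring; a one-liner such as `"""Extend the claims advertised by the parent validator with name, normalized_name and email."""` states the contract without guessing at how the parent uses the list. validate_scopes starts at the end of this hunk and its body continues outside it.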
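Review bot: The `'openid'` branch added to validate_scopes deserves a why-comment, because the loop just above it only recognises scopes shaped like `{permission}_{club}` and a reader may take the extra branch for a leftover; a line such as `# 'openid' is not a club permission scope, so it is granted verbatim when requested` on the `if 'openid' in scopes:` line is enough. The hunk also deletes the blank line before `return valid_scopes`, which is unrelated to the feature and belongs with the 'linters' commit that follows. validate_scopes begins outside this hunk.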
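Review bot: Commenting out the sort in ScopesView leaves dead code behind and silently drops the club-then-permission ordering of the scope list; presumably the sort had to go because the new `openid` scope carries no underscore, so `split("_")[1]` raises IndexError on it. Delete the commented line and keep the ordering with a key that tolerates that one scope, e.g. `items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])) if "_" in x[0] else (-1, -1))`, which lists `openid` first and the club scopes as before. The method of ScopesView that holds these lines starts outside the hunk.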
+++ b/apps/permission/scopes.py
@@ -1,5 +1,6 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
@@ -19,7 +20,7 @@ class PermissionScopes(BaseScopes):
 def get_all_scopes(self):
 scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
- for p in Permission.objects.all() for club in Club.objects.all()}
+ for p in Permission.objects.all() for club in Club.objects.all()}
 scopes['openid'] = "OpenID Connect"
 return scopes
@@ -27,8 +28,8 @@ class PermissionScopes(BaseScopes):
 if not application:
 return []
 scopes = [f"{p.id}_{p.membership.club.id}"
- for t in Permission.PERMISSION_TYPES
- for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+ for t in Permission.PERMISSION_TYPES
+ for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
 scopes.append('openid')
 return scopes
@@ -36,10 +37,11 @@ class PermissionScopes(BaseScopes):
 if not application:
 return []
 scopes = [f"{p.id}_{p.membership.club.id}"
- for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+ for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
 scopes.append('openid')
 return scopes
+
 class PermissionOAuth2Validator(OAuth2Validator):
 oidc_claim_scope = OAuth2Validator.oidc_claim_scope
 oidc_claim_scope.update({"name": 'openid',
@@ -74,7 +76,7 @@ class PermissionOAuth2Validator(OAuth2Validator):
 scope = f"{p.id}_{p.membership.club.id}"
 if scope in scopes:
 valid_scopes.add(scope)
-
+
 if 'openid' in scopes:
 valid_scopes.add('openid')