Task/update from main library

.gitignore

@@ -13,3 +13,4 @@ docs/_build/
 .eggs/
 .python-version
 .pytest_cache/
+.coverage*

.readthedocs.yaml

@@ -0,0 +1,24 @@
+# Read the Docs configuration file for Sphinx projects
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the OS, Python version and other tools you might need
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.10"
+
+# Build documentation in the "docs/" directory with Sphinx
+sphinx:
+  configuration: docs/conf.py
+
+# Optionally build your docs in additional formats such as PDF and ePub
+formats:
+  - pdf
+
+# Python requirements required to build your documentation
+python:
+  install:
+    - requirements: docs/requirements.txt

README.md

@@ -1,9 +1,9 @@
 # Django OpenID Connect Provider
 
 [![Python Versions](https://img.shields.io/pypi/pyversions/django-oidc-provider.svg)](https://pypi.python.org/pypi/django-oidc-provider)
+[![Django Versions](https://img.shields.io/badge/Django-3.2%20%7C%204.2-green)](https://pypi.python.org/pypi/django-oidc-provider)
 [![PyPI Versions](https://img.shields.io/pypi/v/django-oidc-provider.svg)](https://pypi.python.org/pypi/django-oidc-provider)
 [![Documentation Status](https://readthedocs.org/projects/django-oidc-provider/badge/?version=master)](http://django-oidc-provider.readthedocs.io/)
-[![Travis](https://travis-ci.org/juanifioren/django-oidc-provider.svg?branch=master)](https://travis-ci.org/juanifioren/django-oidc-provider)
 
 ## About OpenID
 
@@ -13,8 +13,8 @@ OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, whic
 
 `django-oidc-provider` can help you providing out of the box all the endpoints, data and logic needed to add OpenID Connect (and OAuth2) capabilities to your Django projects.
 
-Support for Python 3 and 2. Also latest versions of django.
+Support for Python 3 and latest versions of django.
 
 [Read documentation for more info.](http://django-oidc-provider.readthedocs.org/)
 
-[Do you want to contribute? Please read this.](http://django-oidc-provider.readthedocs.io/en/latest/sections/contribute.html)
+[Do you want to contribute? Please read this.](http://django-oidc-provider.readthedocs.io/en/master/sections/contribute.html)

docs/conf.py

@@ -45,24 +45,24 @@
 
 # General information about the project.
 project = u'django-oidc-provider'
-copyright = u'2016, Juan Ignacio Fiorentino'
+copyright = u'2023, Juan Ignacio Fiorentino'
 author = u'Juan Ignacio Fiorentino'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = u'0.5'
+version = u'0.8'
 # The full version, including alpha/beta/rc tags.
-release = u'0.5.x'
+release = u'0.8.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:

docs/requirements.txt

@@ -0,0 +1,2 @@
+sphinx
+sphinx_rtd_theme

docs/sections/changelog.rst

@@ -8,6 +8,36 @@ All notable changes to this project will be documented in this file.
 Unreleased
 ==========
 
+
+0.8.2
+=====
+
+*2023-12-15*
+
+* Added: Discovery endpoint response caching. Introducing OIDC_DISCOVERY_CACHE_ENABLE.
+* Fixed: ResponseType data migration.
+* Fixed: correctly verify PKCE secret in token endpoint.
+
+0.8.1
+=====
+
+*2023-10-22*
+
+* Changed: create_token and create_code are now methods on base classes to enable customization.
+* Changed: extract "is consent skip allowed" decision from the view to the endpoint.
+* Fixed: race condition in authorization code, parallel requests may reuse same token.
+
+0.8.0
+=====
+
+*2023-05-05*
+
+* Changed: now supporting latest versions of Django.
+* Changed: drop support for Python 2 and Django lower than 3.2.
+* Added: scope on token and introspection endpoints.
+* Changed: Use static instead of deprecated staticfiles template tag.
+* Fixed: example in docs for translatable scopes (ugettext).
+
 0.7.0
 =====
 

docs/sections/contribute.rst

@@ -7,10 +7,10 @@ We love contributions, so please feel free to fix bugs, improve things, provide
 
 * Create an issue and explain your feature/bugfix.
 * Wait collaborators comments.
-* Fork the project and create new branch from `develop`.
+* Fork the project and create new branch from ``develop``.
 * Make your feature addition or bug fix.
 * Add tests and documentation if needed.
-* Create pull request for the issue to the `develop` branch.
+* Create pull request for the issue to the ``develop`` branch.
 * Wait collaborators reviews.
 
 Running Tests
@@ -21,18 +21,18 @@ Use `tox <https://pypi.python.org/pypi/tox>`_ for running tests in each of the e
     # Run all tests.
     $ tox
 
-    # Run with Python 3.5 and Django 2.0.
-    $ tox -e py35-django20
+    # Run with Python 3.11 and Django 4.2.
+    $ tox -e py311-django42
 
     # Run single test file on specific environment.
-    $ tox -e py35-django20 tests/cases/test_authorize_endpoint.py
+    $ tox -e py311-django42 -- tests/cases/test_authorize_endpoint.py
 
-We also use `travis <https://travis-ci.org/juanifioren/django-oidc-provider/>`_ to automatically test every commit to the project.
+We use `Github Actions <https://github.com/juanifioren/django-oidc-provider/actions>`_ to automatically test every commit to the project.
 
 Improve Documentation
 =====================
 
-We use `Sphinx <http://www.sphinx-doc.org/>`_ for generate this documentation. I you want to add or modify something just:
+We use `Sphinx <http://www.sphinx-doc.org/>`_ to generate this documentation. If you want to add or modify something just:
 
 * Install Sphinx (``pip install sphinx``) and the auto-build tool (``pip install sphinx-autobuild``).
 * Move inside the docs folder. ``cd docs/``

docs/sections/installation.rst

@@ -6,8 +6,8 @@ Installation
 Requirements
 ============
 
-* Python: ``2.7`` ``3.4`` ``3.5`` ``3.6``
-* Django: ``1.8`` ``1.9`` ``1.10`` ``1.11`` ``2.0``
+* Python: ``3.8`` ``3.9`` ``3.10`` ``3.11``
+* Django: ``3.2`` ``4.2``
 
 Quick Installation
 ==================
@@ -20,24 +20,19 @@ Install the package using pip::
 
 Add it to your apps in your project's django settings::
 
-    INSTALLED_APPS = (
-        'django.contrib.admin',
-        'django.contrib.auth',
-        'django.contrib.contenttypes',
-        'django.contrib.sessions',
-        'django.contrib.messages',
-        'django.contrib.staticfiles',
+    INSTALLED_APPS = [
+        # ...
         'oidc_provider',
         # ...
-    )
+    ]
 
 Include our urls to your project's ``urls.py``::
 
-    urlpatterns = patterns('',
+    urlpatterns = [
         # ...
-        url(r'^openid/', include('oidc_provider.urls', namespace='oidc_provider')),
+        path('openid/', include('oidc_provider.urls', namespace='oidc_provider')),
         # ...
-    )
+    ]
 
 Run the migrations and generate a server RSA key::
 

docs/sections/relyingparties.rst

@@ -19,7 +19,7 @@ Properties
 * ``client_type``: Values are ``confidential`` and ``public``.
 * ``client_id``: Client unique identifier.
 * ``client_secret``: Client secret for confidential applications.
-* ``response_types``: The flows and associated ```response_type``` values that can be used by the client.
+* ``response_types``: The flows and associated ``response_type`` values that can be used by the client.
 * ``jwt_alg``: Clients can choose which algorithm will be used to sign id_tokens. Values are ``HS256`` and ``RS256``.
 * ``date_created``: Date automatically added when created.
 * ``redirect_uris``: List of redirect URIs.

docs/sections/scopesclaims.rst

@@ -82,7 +82,7 @@ Somewhere in your Django ``settings.py``::
 
 Inside your oidc_provider_settings.py file add the following class::
 
-    from django.utils.translation import ugettext as _
+    from django.utils.translation import ugettext_lazy as _
     from oidc_provider.lib.claims import ScopeClaims
 
     class CustomScopeClaims(ScopeClaims):

docs/sections/settings.rst

@@ -55,6 +55,20 @@ OPTIONAL. ``int``. Code object expiration after been delivered.
 
 Expressed in seconds. Default is ``60*10``.
 
+OIDC_DISCOVERY_CACHE_ENABLE
+================
+
+OPTIONAL. ``bool``. Enable caching the response on the discovery endpoint, by using default cache. Cache key will be a combination of site URL and types supported by the provider, changing any of these will invalidate stored value.
+
+Default is ``False``.
+
+OIDC_DISCOVERY_CACHE_EXPIRE
+================
+
+OPTIONAL. ``int``. Discovery endpoint cache expiration time expressed in seconds.
+
+Expressed in seconds. Default is ``60*10``.
+
 OIDC_EXTRA_SCOPE_CLAIMS
 =======================
 
@@ -234,3 +248,14 @@ Default is::
 See the :ref:`templates` section.
 
 The templates that are not specified here will use the default ones.
+
+OIDC_INTROSPECTION_RESPONSE_SCOPE_ENABLE
+==========================================
+
+OPTIONAL ``bool``
+
+A flag which toggles whether the scope is returned with successful response on introspection request.
+
+Must be ``True`` to include ``scope`` into the successful response
+
+Default is ``False``.

example/app/urls.py

@@ -9,8 +9,8 @@
 
 urlpatterns = [
     url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
-    url(r'^accounts/login/$', auth_views.login, {'template_name': 'login.html'}, name='login'),
-    url(r'^accounts/logout/$', auth_views.logout, {'next_page': '/'}, name='logout'),
+    url(r'^accounts/login/$', auth_views.LoginView.as_view(template_name='login.html'), name='login'),  # noqa
+    url(r'^accounts/logout/$', auth_views.LogoutView.as_view(next_page='/'), name='logout'),
     url(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
     url(r'^admin/', admin.site.urls),
 ]

oidc_provider/admin.py

@@ -4,7 +4,7 @@
 
 from django.forms import ModelForm
 from django.contrib import admin
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 
 from oidc_provider.models import Client, Code, Token, RSAKey, RefreshToken
 
@@ -75,13 +75,17 @@ class ClientAdmin(admin.ModelAdmin):
 @admin.register(Code)
 class CodeAdmin(admin.ModelAdmin):
 
+    raw_id_fields = ['user']
+
     def has_add_permission(self, request):
         return False
 
 
 @admin.register(Token)
 class TokenAdmin(admin.ModelAdmin):
 
+    raw_id_fields = ['user']
+
     def has_add_permission(self, request):
         return False
 

oidc_provider/lib/claims.py

@@ -1,6 +1,6 @@
 import copy
 
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 
 from oidc_provider import settings
 

oidc_provider/lib/endpoints/authorize.py

@@ -126,31 +126,42 @@ def validate_params(self):
                 raise AuthorizeError(
                     self.params['redirect_uri'], 'invalid_request', self.grant_type)
 
+    def create_code(self):
+        code = create_code(
+            user=self.request.user,
+            client=self.client,
+            scope=self.params['scope'],
+            nonce=self.params['nonce'],
+            is_authentication=self.is_authentication,
+            code_challenge=self.params['code_challenge'],
+            code_challenge_method=self.params['code_challenge_method'],
+        )
+
+        return code
+
+    def create_token(self):
+        token = create_token(
+            user=self.request.user,
+            client=self.client,
+            scope=self.params['scope'],
+        )
+
+        return token
+
     def create_response_uri(self):
         uri = urlsplit(self.params['redirect_uri'])
         query_params = parse_qs(uri.query)
         query_fragment = {}
 
         try:
             if self.grant_type in ['authorization_code', 'hybrid']:
-                code = create_code(
-                    user=self.request.user,
-                    client=self.client,
-                    scope=self.params['scope'],
-                    nonce=self.params['nonce'],
-                    is_authentication=self.is_authentication,
-                    code_challenge=self.params['code_challenge'],
-                    code_challenge_method=self.params['code_challenge_method'])
+                code = self.create_code()
                 code.save()
-
             if self.grant_type == 'authorization_code':
                 query_params['code'] = code.code
                 query_params['state'] = self.params['state'] if self.params['state'] else ''
             elif self.grant_type in ['implicit', 'hybrid']:
-                token = create_token(
-                    user=self.request.user,
-                    client=self.client,
-                    scope=self.params['scope'])
+                token = self.create_token()
 
                 # Check if response_type must include access_token in the response.
                 if (self.params['response_type'] in
@@ -261,6 +272,13 @@ def client_has_user_consent(self):
 
         return value
 
+    def is_client_allowed_to_skip_consent(self):
+        implicit_flow_resp_types = {'id_token', 'id_token token'}
+        return (
+            self.client.client_type != 'public' or
+            self.params['response_type'] in implicit_flow_resp_types
+        )
+
     def get_scopes_information(self):
         """
         Return a list with the description of all the scopes requested.