OIDC & JWT (#174)

* add oidc capabilities * lint * fix: temp key for build step * fix(debug): prevent http failure in local env * feat(oidc): jwt with properties * lint * chore(black)
pennlabs · Sep 1, 2024 · cd79316 · cd79316
1 parent ff1796e
commit cd79316
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 2 deletions.
diff --git a/backend/Platform/settings/base.py b/backend/Platform/settings/base.py
@@ -198,6 +198,7 @@
 # OAuth2 Settings
 
 OAUTH2_PROVIDER = {
+    "OAUTH2_VALIDATOR_CLASS": "accounts.oauth2_validator.LabsOAuth2Validator",
     "SCOPES": {
         "openid": "OpenID Connect scope",
         "read": "Read scope",

diff --git a/backend/Platform/urls.py b/backend/Platform/urls.py
@@ -10,7 +10,7 @@
 urlpatterns = [
     path("admin/", admin.site.urls),
     path("announcements/", include("announcements.urls", namespace="announcements")),
-    path("accounts/", include("accounts.urls")),
+    path("accounts/", include("accounts.urls", namespace="oauth2_provider")),
     path("options/", include("options.urls", namespace="options")),
     path("identity/", include("identity.urls", namespace="identity")),
     path("s/", include("shortener.urls", namespace="shortener")),

diff --git a/backend/accounts/backends.py b/backend/accounts/backends.py
@@ -15,6 +15,8 @@ class ShibbolethRemoteUserBackend(RemoteUserBackend):
     """
 
     def get_email(self, pennid):
+        if settings.DEBUG:
+            return None
         """
         Use Penn Directory API with OAuth2 to get the email of a user given their Penn ID.
         This is necessary to ensure that we have the correct domain (@seas vs. @wharton, etc.)

diff --git a/backend/accounts/models.py b/backend/accounts/models.py
@@ -69,6 +69,10 @@ class User(AbstractUser):
 
     VERIFICATION_EXPIRATION_MINUTES = 10
 
+    @property
+    def id(self):
+        return self.username
+
     def get_preferred_name(self):
         if self.preferred_name != "":
             return self.preferred_name

diff --git a/backend/accounts/oauth2_validator.py b/backend/accounts/oauth2_validator.py
@@ -0,0 +1,23 @@
+from oauth2_provider.oauth2_validators import OAuth2Validator
+
+
+class LabsOAuth2Validator(OAuth2Validator):
+    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
+    oidc_claim_scope.update(
+        {
+            "name": "read",
+            "email": "read",
+            "pennid": "read",
+            "is_staff": "read",
+            "is_active": "read",
+        }
+    )
+
+    def get_additional_claims(self, request):
+        return {
+            "name": request.user.preferred_name or request.user.get_full_name(),
+            "email": request.user.email,
+            "pennid": request.user.pennid,
+            "is_staff": request.user.is_staff,
+            "is_active": request.user.is_active,
+        }
diff --git a/backend/accounts/urls.py b/backend/accounts/urls.py
@@ -1,7 +1,12 @@
 from django.conf import settings
 from django.conf.urls.static import static
 from django.urls import path
-from oauth2_provider.views import AuthorizationView, TokenView
+from oauth2_provider.views import (
+    AuthorizationView,
+    ConnectDiscoveryInfoView,
+    JwksInfoView,
+    TokenView,
+)
 from rest_framework import routers
 
 from accounts.views import (
@@ -47,6 +52,12 @@
     path("privacy/", PrivacySettingView.as_view(), name="privacy"),
     path("privacy/<int:pk>/", PrivacySettingView.as_view(), name="privacy"),
     path("user/<str:username>", FindUserView.as_view(), name="user"),
+    path(
+        ".well-known/openid-configuration",
+        ConnectDiscoveryInfoView.as_view(),
+        name="oidc-connect-discovery-info",
+    ),
+    path(".well-known/jwks.json", JwksInfoView.as_view(), name="oidc-jwks-info"),
 ]
 
 urlpatterns += router.urls