jrd / django-oauth2-authcodeflow Goto Github PK


Authenticate with any OpenId Connect/Oauth2 provider through authorization code flow. PKCE is also supported

Home Page: https://pypi.org/project/django-oauth2-authcodeflow/

License: MIT License

Makefile 1.12% Python 98.21% Shell 0.67%
django oauth2 oauth2-client oidc oidc-client openid-connect openidconnect pkce

django-oauth2-authcodeflow's People

Contributors: cpontvieux-systra, dependabot[bot], dgarceries, gabdug, jrd, osfog, pinoatrome, sannies, shachimi-systra, xuru


django-oauth2-authcodeflow's Issues

Token authentication not working. Invalid audience

I am using the package for openidconnect on my API and it works well.
When I am trying to consume the API from the frontend, I always get the login form instead of the requested resource.
I tried to test with Postman to read the log and I see that the problem is with the audience retrieved from the token.

(Screenshot attached to the issue, 2024-02-06.)

Login/logout events

Enhance the documentation (with examples) about auditing included in the README.md file using a proper documentation file.

Typo and question regarding the INSTALLED_APPS setting

First, a big THANK YOU for making this library available. It's the only one I found which works properly so far.

In your README you have the string django.contrib.session but I think it should actually be django.contrib.sessions (with an s at the end).

And my question: why does it matter where in the INSTALLED_APPS list I put oauth2_authcodeflow? Isn't the position of e.g. oauth2_authcodeflow.middleware.LoginRequiredMiddleware within the MIDDLEWARE list much more important? From C# and Java I know that it is important to put the OpenID Connect middleware after the session middleware. But nothing like this is mentioned in the README. Or maybe I am wrong with my understanding of how middlewares are processed in Django (I am new to it)?

Thank you
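A settings-time check for the ordering question above, as an added example that is not part of the issue or of the project's code. That Django's AuthenticationMiddleware must follow SessionMiddleware is Django's documented requirement; that the library's LoginRequiredMiddleware needs both before it (because it inspects request.user) is an assumption made here, not a statement from the README.

```python
# Added example, not the project's code: a small system-check style validator
# for the MIDDLEWARE setting. Returns the problems found instead of raising,
# so it can run as a Django check or in a unit test.
from typing import List

SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
AUTH_MW = "django.contrib.auth.middleware.AuthenticationMiddleware"
LOGIN_REQUIRED_MW = "oauth2_authcodeflow.middleware.LoginRequiredMiddleware"

# Each key must appear in MIDDLEWARE after every entry listed for it.
# The LoginRequiredMiddleware requirement is an assumption of this example.
MUST_FOLLOW = {
    AUTH_MW: [SESSION_MW],
    LOGIN_REQUIRED_MW: [SESSION_MW, AUTH_MW],
}


def middleware_order_problems(middleware: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the order is safe."""
    position = {name: i for i, name in enumerate(middleware)}
    problems = []
    for later, earlier_ones in MUST_FOLLOW.items():
        if later not in position:
            continue  # middleware not installed, nothing to check
        for earlier in earlier_ones:
            if earlier not in position:
                problems.append(f"{later} requires {earlier} in MIDDLEWARE")
            elif position[earlier] > position[later]:
                problems.append(f"{earlier} must come before {later}")
    return problems
```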

Irreversible migrations

The unapply operation of migrations fails:

./manage.py migrate oauth2_authcodeflow zero

 File "/Users/pinoatrome/.virtualenvs/my-project/lib/python3.11/site-packages/django/db/migrations/migration.py", line 159, in unapply
    raise IrreversibleError(
django.db.migrations.exceptions.IrreversibleError: Operation <RunPython <function forwards at 0x108c94680>> in oauth2_authcodeflow.0003_auto_20210528_1432 is not reversible

This is because some migrations use RunPython with only a forward function, missing the reverse function.

From docs on RunPython

"The reverse_code argument is called when unapplying migrations. This callable should undo what is done in the code callable so that the migration is reversible. If reverse_code is None (the default), the RunPython operation is irreversible."

Problem with migration

It seems a migration was renamed and there are issues now:
I have this migration from previous version 0004_alter_blacklistedtoken_id_and_more, and now it's called 0004_blacklistedtoken_constraint.py.

It creates the following error:

django.db.utils.ProgrammingError: relation "unique_username_token" already exists

Any idea how to fix it?

CIAM token request fails with "The client MUST NOT use more than one authentication method in each"

After a valid login on CIAM the callback view invokes the authentication backend, which POSTs a request to the OP to obtain a token,
but the server response has a 400 error status with content: b'{"error_description":"The client MUST NOT use more than one authentication method in each","error":"invalid_request"}'

The CIAM is configured to not accept requests with 'client_secret' params when using the PKCE flow.

The current implementation (v.1.1.0) requires an empty value for the OIDC_RP_CLIENT_SECRET settings entry.

https:///oauth2/token
with params:
{
'grant_type': 'authorization_code',
'client_id': ,
'client_secret': ,
'redirect_uri': 'http://127.0.0.1/oidc/callback',
'code': ,
'code_verifier': <value from session (only if PKCE is enabled)>
}

The response is an error 400 with content
b'{"error_description":"The client MUST NOT use more than one authentication method in each","error":"invalid_request"}'
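The token request described above, rebuilt so that a public PKCE client never sends client_secret, as an added example that is not the project's code. The PKCE helpers follow RFC 7636; the function names and the rule "send client_secret only when one is configured" are this example's own choices.

```python
# Added example, not the project's code: build the authorization_code token
# request with exactly one client authentication method, plus the RFC 7636
# PKCE helpers it relies on. Function names are illustrative.
import base64
import hashlib
import secrets
from typing import Optional


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 43-128 unreserved characters (RFC 7636 §4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(verifier)), no padding (§4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the OP does at the token endpoint (§4.6), constant-time compare."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_token_request(client_id: str, code: str, redirect_uri: str,
                        code_verifier: Optional[str] = None,
                        client_secret: Optional[str] = None) -> dict:
    """Parameters for the authorization_code grant (RFC 6749 §4.1.3).

    A public client (no secret) proves it started the flow with code_verifier
    alone. client_secret is added only when one is configured, so the OP never
    sees two authentication methods in one request (RFC 6749 §2.3).
    """
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if code_verifier:
        params["code_verifier"] = code_verifier
    if client_secret:  # an empty OIDC_RP_CLIENT_SECRET means "public client"
        params["client_secret"] = client_secret
    if not code_verifier and not client_secret:
        raise ValueError("token request needs PKCE, a client secret, or both")
    return params
```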

[bug] cannot logout with `django.contrib.auth.backends.ModelBackend`

Hi there, thanks for this package. I'm using both backends:

AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
    "oauth2_authcodeflow.auth.AuthenticationBackend",
]

and when I'm trying to logout, having used the django.contrib.auth.backends.ModelBackend to login, I get the following error:

id_token is missing from the session, cannot logout

I think this is because of:

if constants.SESSION_ID_TOKEN not in request.session:
    raise ValueError("id_token is missing from the session, cannot logout")

which is later used here:

BlacklistedToken.blacklist(id_token)

I think if the user has used the django backend, this check should not be done.

One possible solution is to add a blacklist, only if there's an id_token.

Thoughts? I can also submit a PR if needed.

Regards
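The logout behaviour proposed in the issue, as an added example that is not the project's code: the id_token is blacklisted and the OP end-session redirect is built only when the OIDC backend authenticated the session, while a ModelBackend login just clears the local session. The session is a plain dict here; "_auth_user_backend" is the key Django itself uses to record the backend that logged the user in, and the other names are illustrative.

```python
# Added example, not the project's code. Names other than Django's
# "_auth_user_backend" session key are illustrative.
from typing import Optional, Set
from urllib.parse import urlencode

OIDC_BACKEND = "oauth2_authcodeflow.auth.AuthenticationBackend"
SESSION_ID_TOKEN = "oidc_id_token"          # illustrative session key
BACKEND_SESSION_KEY = "_auth_user_backend"  # Django's own key


def logout(session: dict, blacklist: Set[str], end_session_endpoint: str,
           post_logout_redirect_uri: str) -> Optional[str]:
    """Clear the local session; return an OP end-session URL for OIDC logins.

    - ModelBackend (password) login: nothing to blacklist, no OP round trip.
    - OIDC login with an id_token: blacklist it so it cannot be reused, then
      send the browser to the OP with id_token_hint (RP-Initiated Logout).
    - OIDC login without an id_token: an inconsistent session; the local
      session is still cleared, then the error is raised as the package does.
    """
    backend = session.get(BACKEND_SESSION_KEY, "")
    id_token = session.get(SESSION_ID_TOKEN)
    session.clear()  # stands in for request.session.flush()
    if backend != OIDC_BACKEND:
        return None
    if not id_token:
        raise ValueError("id_token is missing from the session, cannot logout")
    blacklist.add(id_token)
    return end_session_endpoint + "?" + urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
```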

Migration error on a Django web app with MySQL (8.0.36)

I encountered an error during the application of migrations in my Django web application when using a MySQL database. Specifically, when attempting to apply migration 0004_alter_blacklistedtoken_id_and_more.py, the following error is raised:

Applying oauth2_authcodeflow.0004_alter_blacklistedtoken_id_and_more...Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/django/db/backends/utils.py", line 87, in _execute
    return self.cursor.execute(sql)
  File "/usr/lib/python3.8/site-packages/django/db/backends/mysql/base.py", line 75, in execute
    return self.cursor.execute(query, args)
  File "/usr/lib/python3.8/site-packages/MySQLdb/cursors.py", line 206, in execute
    res = self._query(query)
  File "/usr/lib/python3.8/site-packages/MySQLdb/cursors.py", line 319, in _query
    db.query(q)
  File "/usr/lib/python3.8/site-packages/MySQLdb/connections.py", line 254, in query
    _mysql.connection.query(self, query)
MySQLdb.OperationalError: (1071, 'Specified key was too long; max key length is 3072 bytes')

Upon inspecting the previous migration (0003_auto_20210528_1432), I noticed that the issue is correctly handled and causes no problems. Below is the relevant snippet from 0003_auto_20210528_1432:

try:
    migrations.AddConstraint(
        model_name='blacklistedtoken',
        constraint=models.UniqueConstraint(fields=('username', 'token'), name='unique_username_token'),
    ),
except Exception:
    # no constraint on mysql, max key is 3072 bytes which is not enough
    pass

Skipping the problematic migration (0004_alter_blacklistedtoken_id_and_more.py) doesn't seem to affect the functionality of the library, but resolving this issue would be preferable for full compatibility.

Login/logout auditing

Thank you for providing this module, it's the only one that actually works!

Authentication for my app is working fine with Okta integration. Now I need to add auditing, especially logging all successful/unsuccessful login attempts and logout events.
I have configured the logger in my settings.py like this:

logger = logging.getLogger('oauth2_authcodeflow')
logger.addHandler(logging.StreamHandler())
if DEBUG:
    logger.setLevel(logging.DEBUG)
else:
    logger.setLevel(logging.INFO)

But I cannot find login/logout messages in the logs. Is it missing currently in the module code? Or I have misconfigured something?

Thanks!
