Merge 5e1e9d6c55 into 015036b499

feat: use oidc well-known url
2024-04-17 17:35:33 +05:30 · 2024-03-24 11:01:51 +01:00
5 changed files with 178 additions and 39 deletions
--- a/app/auth/views/oidc.py
+++ b/app/auth/views/oidc.py
@ -1,6 +1,8 @@
 from flask import request, session, redirect, flash, url_for
 from requests_oauthlib import OAuth2Session

+import requests
+
 from app import config
 from app.auth.base import auth_bp
 from app.auth.views.login_utils import after_login
@ -16,7 +18,7 @@ from app.db import Session
 from app.email_utils import send_welcome_email
 from app.log import LOG
 from app.models import User, SocialAuth
-from app.utils import encode_url, sanitize_email, sanitize_next_url
+from app.utils import sanitize_email, sanitize_next_url


 # need to set explicitly redirect_uri instead of leaving the lib to pre-fill redirect_uri
@ -24,6 +26,7 @@ from app.utils import encode_url, sanitize_email, sanitize_next_url
 _redirect_uri = URL + "/auth/oidc/callback"

 SESSION_STATE_KEY = "oauth_state"
+SESSION_NEXT_KEY = "oauth_redirect_next"


@auth_bp.route("/oidc/login")
@ -32,18 +35,21 @@ def oidc_login():
        return redirect(url_for("auth.login"))

    next_url = sanitize_next_url(request.args.get("next"))
-    if next_url:
-        redirect_uri = _redirect_uri + "?next=" + encode_url(next_url)
-    else:
-        redirect_uri = _redirect_uri
+
+    auth_url = OIDC_AUTHORIZATION_URL
+    if config.OIDC_WELL_KNOWN_URL is not None:
+        auth_url = requests.get(config.OIDC_WELL_KNOWN_URL).json()[
+            "authorization_endpoint"
+        ]

    oidc = OAuth2Session(
-        config.OIDC_CLIENT_ID, scope=[OIDC_SCOPES], redirect_uri=redirect_uri
+        config.OIDC_CLIENT_ID, scope=[OIDC_SCOPES], redirect_uri=_redirect_uri
    )
-    authorization_url, state = oidc.authorization_url(OIDC_AUTHORIZATION_URL)
+    authorization_url, state = oidc.authorization_url(auth_url)

    # State is used to prevent CSRF, keep this for later.
    session[SESSION_STATE_KEY] = state
+    session[SESSION_NEXT_KEY] = next_url
    return redirect(authorization_url)


@ -60,6 +66,13 @@ def oidc_callback():
        flash("Please use another sign in method then", "warning")
        return redirect("/")

+    token_url = OIDC_TOKEN_URL
+    user_info_url = OIDC_USER_INFO_URL
+    if config.OIDC_WELL_KNOWN_URL is not None:
+        oidc_configuration = requests.get(config.OIDC_WELL_KNOWN_URL).json()
+        user_info_url = oidc_configuration["userinfo_endpoint"]
+        token_url = oidc_configuration["token_endpoint"]
+
    oidc = OAuth2Session(
        config.OIDC_CLIENT_ID,
        state=session[SESSION_STATE_KEY],
@ -67,12 +80,12 @@ def oidc_callback():
        redirect_uri=_redirect_uri,
    )
    oidc.fetch_token(
-        OIDC_TOKEN_URL,
+        token_url,
        client_secret=config.OIDC_CLIENT_SECRET,
        authorization_response=request.url,
    )

-    oidc_user_data = oidc.get(OIDC_USER_INFO_URL)
+    oidc_user_data = oidc.get(user_info_url)
    if oidc_user_data.status_code != 200:
        LOG.e(
            f"cannot get oidc user data {oidc_user_data.status_code} {oidc_user_data.text}"
@ -111,7 +124,8 @@ def oidc_callback():
        Session.commit()

    # The activation link contains the original page, for ex authorize page
-    next_url = sanitize_next_url(request.args.get("next")) if request.args else None
+    next_url = session[SESSION_NEXT_KEY]
+    session[SESSION_NEXT_KEY] = None

    return after_login(user, next_url)

--- a/app/config.py
+++ b/app/config.py
@ -245,6 +245,7 @@ FACEBOOK_CLIENT_ID = os.environ.get("FACEBOOK_CLIENT_ID")
 FACEBOOK_CLIENT_SECRET = os.environ.get("FACEBOOK_CLIENT_SECRET")

 CONNECT_WITH_OIDC_ICON = os.environ.get("CONNECT_WITH_OIDC_ICON")
+OIDC_WELL_KNOWN_URL = os.environ.get("OIDC_WELL_KNOWN_URL")
 OIDC_AUTHORIZATION_URL = os.environ.get("OIDC_AUTHORIZATION_URL")
 OIDC_USER_INFO_URL = os.environ.get("OIDC_USER_INFO_URL")
 OIDC_TOKEN_URL = os.environ.get("OIDC_TOKEN_URL")
--- a/example.env
+++ b/example.env
@ -118,6 +118,7 @@ WORDS_FILE_PATH=local_data/test_words.txt

 # Login with OIDC
 # CONNECT_WITH_OIDC_ICON=fa-github
+# OIDC_WELL_KNOWN_URL=to_fill
 # OIDC_AUTHORIZATION_URL=to_fill
 # OIDC_USER_INFO_URL=to_fill
 # OIDC_TOKEN_URL=to_fill
--- a/tests/auth/test_oidc.py
+++ b/tests/auth/test_oidc.py
@ -1,5 +1,5 @@
 from app import config
-from flask import url_for
+from flask import url_for, session
 from urllib.parse import parse_qs
 from urllib3.util import parse_url
 from app.auth.views.oidc import create_user
@ -11,6 +11,64 @@ from app.config import URL, OIDC_CLIENT_ID


 def test_oidc_login(flask_client):
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+
+    with flask_client:
+        r = flask_client.get(
+            url_for("auth.oidc_login"),
+            follow_redirects=False,
+        )
+        location = r.headers.get("Location")
+        assert location is not None
+
+        parsed = parse_url(location)
+        query = parse_qs(parsed.query)
+
+        expected_redirect_url = f"{URL}/auth/oidc/callback"
+
+        assert "code" == query["response_type"][0]
+        assert OIDC_CLIENT_ID == query["client_id"][0]
+        assert expected_redirect_url == query["redirect_uri"][0]
+        assert session["oauth_redirect_next"] is None
+
+
+def test_oidc_login_next_url(flask_client):
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+
+    with flask_client:
+        r = flask_client.get(
+            url_for("auth.oidc_login", next="/dashboard/settings/"),
+            follow_redirects=False,
+        )
+        location = r.headers.get("Location")
+        assert location is not None
+
+        parsed = parse_url(location)
+        query = parse_qs(parsed.query)
+
+        expected_redirect_url = f"{URL}/auth/oidc/callback"
+
+        assert "code" == query["response_type"][0]
+        assert OIDC_CLIENT_ID == query["client_id"][0]
+        assert expected_redirect_url == query["redirect_uri"][0]
+        assert session["oauth_redirect_next"] == "/dashboard/settings/"
+
+
+@patch("requests.get")
+def test_oidc_login_with_well_known_url(mock_get, flask_client):
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+
+    mock_get.return_value.json.return_value = {
+        "authorization_endpoint": "http://localhost:7777/authorization-endpoint",
+    }
+
+    config.OIDC_WELL_KNOWN_URL = "http://localhost:7777/well-known-url"
    r = flask_client.get(
        url_for("auth.oidc_login"),
        follow_redirects=False,
@ -30,6 +88,9 @@ def test_oidc_login(flask_client):

 def test_oidc_login_no_client_id(flask_client):
    config.OIDC_CLIENT_ID = None
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None

    r = flask_client.get(
        url_for("auth.oidc_login"),
@ -49,6 +110,9 @@ def test_oidc_login_no_client_id(flask_client):

 def test_oidc_login_no_client_secret(flask_client):
    config.OIDC_CLIENT_SECRET = None
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None

    r = flask_client.get(
        url_for("auth.oidc_login"),
@ -67,8 +131,10 @@ def test_oidc_login_no_client_secret(flask_client):


 def test_oidc_callback_no_oauth_state(flask_client):
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = None

    r = flask_client.get(
        url_for("auth.oidc_callback"),
@ -79,8 +145,10 @@ def test_oidc_callback_no_oauth_state(flask_client):


 def test_oidc_callback_no_client_id(flask_client):
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"
    config.OIDC_CLIENT_ID = None

    r = flask_client.get(
@ -97,13 +165,15 @@ def test_oidc_callback_no_client_id(flask_client):
    assert expected_redirect_url == parsed.path

    config.OIDC_CLIENT_ID = "to_fill"
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


 def test_oidc_callback_no_client_secret(flask_client):
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"
    config.OIDC_CLIENT_SECRET = None

    r = flask_client.get(
@ -120,16 +190,18 @@ def test_oidc_callback_no_client_secret(flask_client):
    assert expected_redirect_url == parsed.path

    config.OIDC_CLIENT_SECRET = "to_fill"
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


@patch("requests_oauthlib.OAuth2Session.fetch_token")
@patch("requests_oauthlib.OAuth2Session.get")
 def test_oidc_callback_invalid_user(mock_get, mock_fetch_token, flask_client):
    mock_get.return_value = MockResponse(400, {})
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"

    r = flask_client.get(
        url_for("auth.oidc_callback"),
@ -145,16 +217,18 @@ def test_oidc_callback_invalid_user(mock_get, mock_fetch_token, flask_client):
    assert expected_redirect_url == parsed.path
    assert mock_get.called

-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


@patch("requests_oauthlib.OAuth2Session.fetch_token")
@patch("requests_oauthlib.OAuth2Session.get")
 def test_oidc_callback_no_email(mock_get, mock_fetch_token, flask_client):
    mock_get.return_value = MockResponse(200, {})
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"

    r = flask_client.get(
        url_for("auth.oidc_callback"),
@ -180,8 +254,10 @@ def test_oidc_callback_disabled_registration(mock_get, mock_fetch_token, flask_c
    config.DISABLE_REGISTRATION = True
    email = random_string()
    mock_get.return_value = MockResponse(200, {"email": email})
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"

    r = flask_client.get(
        url_for("auth.oidc_callback"),
@ -198,8 +274,8 @@ def test_oidc_callback_disabled_registration(mock_get, mock_fetch_token, flask_c
    assert mock_get.called

    config.DISABLE_REGISTRATION = False
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


@patch("requests_oauthlib.OAuth2Session.fetch_token")
@ -213,8 +289,10 @@ def test_oidc_callback_registration(mock_get, mock_fetch_token, flask_client):
            config.OIDC_NAME_FIELD: "name",
        },
    )
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"

    user = User.get_by(email=email)
    assert user is None
@ -237,8 +315,8 @@ def test_oidc_callback_registration(mock_get, mock_fetch_token, flask_client):
    assert user is not None
    assert user.email == email

-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


@patch("requests_oauthlib.OAuth2Session.fetch_token")
@ -251,8 +329,10 @@ def test_oidc_callback_login(mock_get, mock_fetch_token, flask_client):
            "email": email,
        },
    )
-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = "state"
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = None
+        sess["oauth_state"] = "state"

    user = User.create(
        email=email,
@ -277,8 +357,50 @@ def test_oidc_callback_login(mock_get, mock_fetch_token, flask_client):
    assert expected_redirect_url == parsed.path
    assert mock_get.called

-    with flask_client.session_transaction() as session:
-        session["oauth_state"] = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None
+
+
+@patch("requests_oauthlib.OAuth2Session.fetch_token")
+@patch("requests_oauthlib.OAuth2Session.get")
+def test_oidc_callback_login_with_next_url(mock_get, mock_fetch_token, flask_client):
+    email = random_string()
+    mock_get.return_value = MockResponse(
+        200,
+        {
+            "email": email,
+        },
+    )
+    config.OIDC_WELL_KNOWN_URL = None
+    with flask_client.session_transaction() as sess:
+        sess["oauth_redirect_next"] = "/dashboard/settings/"
+        sess["oauth_state"] = "state"
+
+    user = User.create(
+        email=email,
+        name="name",
+        password="",
+        activated=True,
+    )
+    user = User.get_by(email=email)
+    assert user is not None
+
+    r = flask_client.get(
+        url_for("auth.oidc_callback"),
+        follow_redirects=False,
+    )
+    location = r.headers.get("Location")
+    assert location is not None
+
+    parsed = parse_url(location)
+
+    expected_redirect_url = "/dashboard/settings/"
+
+    assert expected_redirect_url == parsed.path
+    assert mock_get.called
+
+    with flask_client.session_transaction() as sess:
+        sess["oauth_state"] = None


 def test_create_user():
--- a/tests/test.env
+++ b/tests/test.env
@ -51,6 +51,7 @@ FACEBOOK_CLIENT_SECRET=to_fill

 # Login with OIDC
 CONNECT_WITH_OIDC_ICON=fa-github
+# OIDC_WELL_KNOWN_URL=to_fill
 OIDC_AUTHORIZATION_URL=to_fill
 OIDC_USER_INFO_URL=to_fill
 OIDC_TOKEN_URL=to_fill
Author	SHA1	Message	Date
Daniel Mühlbachler-Pietrzykowski	ff0f6db756	Merge `5e1e9d6c55` into `015036b499`	2024-04-17 17:35:33 +05:30
Daniel Muehlbachler-Pietrzykowski	5e1e9d6c55	feat: use oidc well-known url	2024-03-24 11:01:51 +01:00