Use iss field instead of issuer in auth init request to comply with spec

Nonce session_id and created fields are added, nothing is stored in session object
Set default nonce size to 28 bytes to meet specification requirements
Allow both GET and POST reauests for login initiation
Add DISABLE_OIDC_DISCOVER setting to disable OP auto discover
Add LOGIN_COMPLETE hook
Replace exception in views with HTTP responses

Author: Ivip

oidc_auth/errors.py

@@ -42,5 +42,5 @@ class ForbiddenAuthRequest(OpenIDConnectError):
     message = 'querystring state differs from state saved on session'
 
 
-class MissingRedirectURL(OpenIDConnectError):
-    message = "Missing URL for oidc redirect (maybe DEFAULT_ENDPOINT's missing on settings?)"
+class InvalidIssuer(OpenIDConnectError):
+    message = "Missing or invalid OIDC provider URL"

oidc_auth/forms.py

@@ -2,5 +2,5 @@
 
 
 class OpenIDConnectForm(forms.Form):
-    issuer = forms.CharField(max_length=200,
+    iss = forms.CharField(max_length=200,
             widget=forms.TextInput(attrs={'class': 'required openid'}))

oidc_auth/migrations/0003_add_session_id_and_created.py

@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+import datetime
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('oidc_auth', '0002_delete_openiduser'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='nonce',
+            name='created',
+            field=models.DateTimeField(default=datetime.datetime(2016, 2, 28, 5, 40, 41, 496670), auto_now_add=True),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='nonce',
+            name='session_id',
+            field=models.CharField(default='', max_length=128),
+            preserve_default=False,
+        ),
+    ]

oidc_auth/models.py

@@ -17,42 +17,38 @@ class Nonce(models.Model):
     issuer_url = models.URLField()
     state = models.CharField(max_length=255, unique=True)
     redirect_url = models.CharField(max_length=100)
+    session_id = models.CharField(max_length=128)
+    created = models.DateTimeField(auto_now_add=True)
 
     def __unicode__(self):
         return '%s' % self.state
 
     def __init__(self, *args, **kwargs):
         super(Nonce, self).__init__(*args, **kwargs)
 
-    @classmethod
-    def generate(cls, redirect_url, issuer_url, length=oidc_settings.NONCE_LENGTH):
-        """This method generates and returns a nonce, an unique generated
-        string. If the maximum of retries is exceeded, it returns None.
-        """
+    @staticmethod
+    def nonce(length=oidc_settings.NONCE_LENGTH):
+        """Generate nonce string"""
         CHARS = string.letters + string.digits
+        return ''.join(random.choice(CHARS) for n in range(length))
 
-        for i in range(5):
-            _hash = ''.join(random.choice(CHARS) for n in range(length))
-
-            try:
-                log.debug('Attempt %s to save nonce %s to issuer %s' % (i+1,
-                    _hash, issuer_url))
-                nonce = cls.objects.create(issuer_url=issuer_url, state=_hash,
-                        redirect_url=redirect_url)
-                return nonce.state
-            except IntegrityError:
-                pass
-
-        log.error('Maximum of retries to create a nonce to issuer %s '
-                  'exceeded! Max: 5' % issuer_url)
-        return None
+    @classmethod
+    def generate(cls, request, session_id, redirect_url, issuer_url, nonce=None):
+        """Generate and return state string for specified session"""
+        state = nonce or cls.nonce()
+        try:
+            cls.objects.create(issuer_url=issuer_url, state=state,
+                    session_id=session_id, redirect_url=redirect_url)
+            return state
+        except IntegrityError:
+            return None
 
     @classmethod
-    def validate(cls, state):
-        """This method validates nonce and returns encoded data dictionary
-        """
+    def validate(cls, request, session_id, state):
+        """This method validates nonce for the session and returns
+            object with redirect_url and issuer or None"""
         try:
-            return cls.objects.get(state=state)
+            return cls.objects.get(state=state, session_id=session_id)
         except cls.DoesNotExist:
             return None
 
@@ -96,6 +92,9 @@ def discover(cls, issuer='', credentials={}, save=True):
         except cls.DoesNotExist:
             pass
 
+        if oidc_settings.DISABLE_OIDC_DISCOVER:
+            raise errors.InvalidIssuer()
+
         log.debug('Provider %s not discovered yet, proceeding discovery' % issuer)
         discover_endpoint = urljoin(issuer, '.well-known/openid-configuration')
         response = requests.get(discover_endpoint, verify=oidc_settings.VERIFY_SSL)

oidc_auth/settings.py

@@ -4,15 +4,17 @@
 
 DEFAULTS = {
     'DISABLE_OIDC': False,
+    'DISABLE_OIDC_DISCOVER': False,
     'DEFAULT_PROVIDER': {},
     'SCOPES': ('openid', 'given_name', 'family_name', 'preferred_username', 'email'),
     'CLIENT_ID': None,
     'CLIENT_SECRET': None,
-    'NONCE_LENGTH': 8,
+    'NONCE_LENGTH': 32,
     'VERIFY_SSL': True,
     'COMPLETE_URL': None,
     'USER_MANAGER': None,
-    'STATE_KEEPER': '.models.Nonce'
+    'STATE_KEEPER': '.models.Nonce',
+    'LOGIN_COMPLETE': None,
 }
 
 USER_SETTINGS = getattr(settings, 'OIDC_AUTH', {})

oidc_auth/views.py

@@ -1,6 +1,6 @@
 from urllib import urlencode
 from django.conf import settings
-from django.http import HttpResponseBadRequest, HttpResponse
+from django.http import HttpResponseBadRequest, HttpResponse, HttpResponseNotAllowed
 from django.contrib.auth import REDIRECT_FIELD_NAME, authenticate, login as django_login
 from django.core.urlresolvers import reverse
 from django.shortcuts import render, redirect
@@ -30,18 +30,24 @@ def _redirect(request, login_complete_view, form_class, redirect_field_name):
     provider = get_default_provider()
 
     if not provider:
-        form = form_class(request.POST)
-
-        if not form.is_valid():
-            raise errors.MissingRedirectURL()
-
-        provider = OpenIDProvider.discover(issuer=form.cleaned_data['issuer'])
+        if request.method == 'POST':
+            form = form_class(request.POST)
+            if not form.is_valid():
+                return HttpResponseBadRequest('Invalid issuer')
+            provider = OpenIDProvider.discover(issuer=form.cleaned_data['iss'])
+        elif request.method == 'GET':
+            try:
+                iss = request.GET['iss']
+            except KeyError:
+                return HttpResponseBadRequest('Invalid issuer')
+            provider = OpenIDProvider.discover(issuer=iss)
+        else:
+            return HttpResponseNotAllowed(['POST', 'GET'])
 
     redirect_url = request.GET.get(redirect_field_name, settings.LOGIN_REDIRECT_URL)
 
     Nonce = import_from_str(oidc_settings.STATE_KEEPER)
-    state = Nonce.generate(redirect_url, provider.issuer)
-    request.session['oidc_state'] = state
+    state = Nonce.generate(request, request.session.session_key, redirect_url, provider.issuer)
 
     redirect_url = oidc_settings.COMPLETE_URL
     if redirect_url is None:
@@ -68,19 +74,15 @@ def login_complete(request, login_complete_view='oidc-complete',
             'error': request.GET['error']
         })
 
-    if 'oidc_state' not in request.session:
-        return redirect(settings.LOGIN_URL)
-
     if 'code' not in request.GET and 'state' not in request.GET:
         return HttpResponseBadRequest('Invalid request')
 
-    if request.GET['state'] != request.session['oidc_state']:
-        raise errors.ForbiddenAuthRequest()
+    state = request.GET['state']
 
     Nonce = import_from_str(oidc_settings.STATE_KEEPER)
-    nonce = Nonce.validate(request.GET['state'])
+    nonce = Nonce.validate(request, request.session.session_key, state)
     if nonce is None:
-        raise errors.ForbiddenAuthRequest()
+        return HttpResponseBadRequest('Invalid state')
 
     provider = OpenIDProvider.objects.get(issuer=nonce.issuer_url)
     log.debug('Login started from provider %s' % provider)
@@ -100,14 +102,18 @@ def login_complete(request, login_complete_view='oidc-complete',
                              data=params, verify=oidc_settings.VERIFY_SSL)
 
     if response.status_code != 200:
-        raise errors.RequestError(provider.token_endpoint, response.status_code)
+        return HttpResponseForbiddent('Invalid token')
 
     log.debug('Token exchange done, proceeding authentication')
     credentials = response.json()
     credentials['provider'] = provider
     user = authenticate(credentials=credentials)
     django_login(request, user)
 
+    if oidc_settings.LOGIN_COMPLETE:
+        hook = import_from_str(oidc_settings.LOGIN_COMPLETE)
+        return hook(request, state, nonce.redirect_url)
+
     return redirect(nonce.redirect_url)
 
 
@@ -119,4 +125,5 @@ def _redirect_to_provider(request):
     has_default_provider = oidc_settings.DEFAULT_PROVIDER
 
     return (not oidc_settings.DISABLE_OIDC
-            and (has_default_provider or request.method == 'POST'))
+            and (has_default_provider 
+                    or request.method == 'POST' or request.GET.get('iss')))