using the well-known json dict instead of manually providing multiple API endpoints through the config file

Author: sjanssen2

qiita_core/configuration_manager.py

@@ -137,16 +137,18 @@ class ConfigurationManager(object):
     redirect_endpoint : str
         The internal Qiita endpoint the IdP shall redirect the user after
         logging in
-    authorize_url : str
-        The URL of the IdP to obtain a code (step 1)
-    accesstoken_url : str
-        The URL of the IdP to exchange the code from step 1 for an access
-        token (step 2)
-    userinfo_url : str
-        The URL of the IdP to obtain information about the user, like email,
-        username, ...
+    wellknown_uri : str
+        The URL of the well-known json document, specifying how API end points
+        like 'authorize', 'token' or 'userinfo' are defined. See e.g.
+        https://swagger.io/docs/specification/authentication/
+            openid-connect-discovery/
     label : str
         A speaking label for the Identity Provider
+    scope : str
+        The scope, i.e. fields about a user, which Qiita requests from the
+        Identity Provider, e.g. "profile email eduperson_orcid".
+        Will be automatically extended by the scope "openid", to enable the
+        "authorize_code" OIDC flow.
 
     Raises
     ------
@@ -436,14 +438,16 @@ def _get_oidc(self, config):
                     if provider['redirect_endpoint'].endswith('/'):
                         provider['redirect_endpoint'] = provider[
                             'redirect_endpoint'][:-1]
-                provider['authorize_url'] = config.get(
-                    section_name, 'AUTHORIZE_URL')
-                provider['accesstoken_url'] = config.get(
-                    section_name, 'ACCESS_TOKEN_URL')
-                provider['userinfo_url'] = config.get(
-                    section_name, 'USERINFO_URL')
+                provider['wellknown_uri'] = config.get(
+                    section_name, 'WELLKNOWN_URI')
                 provider['label'] = config.get(section_name, 'LABEL')
                 if not provider['label']:
                     # fallback, if no label is provided
                     provider['label'] = section_name[len(PREFIX):]
                 self.oidc[section_name[len(PREFIX):]] = provider
+                provider['scope'] = config.get(
+                    section_name, 'SCOPE', fallback=None)
+                if not provider['scope']:
+                    provider['scope'] = 'openid'
+                if 'openid' not in provider['scope']:
+                    provider['scope'] = 'openid %s' % provider['scope']

qiita_core/support_files/config_test.cfg

@@ -201,8 +201,8 @@ QIIMP = https://localhost:8898/
 # --------------------- External Identity Provider settings --------------------
 # user authentication happens per default within Qiita, i.e. when a user logs in,
 # the stored password hash and email address is compared against what a user
-# just provided. You might however, use an external identity provider (IdP) to 
-# authenticate the user like 
+# just provided. You might however, use an external identity provider (IdP) to
+# authenticate the user like
 #    google: https://developers.google.com/identity/protocols/oauth2 or
 #    github: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps or
 #    self hosted keycloak: https://www.keycloak.org/
@@ -235,23 +235,26 @@ QIIMP = https://localhost:8898/
 #
 ## client secret to verify Qiita as the correct client. Not all IdPs require
 ## a client secret!
-#CLIENT_SECRET = 5M6zKl8SKrlnRP4tPgtrgZpCpcYCj7uK
+#CLIENT_SECRET = verySecretString
 #
-## redirect URL (end point in your Qiita instance), to which the IdP redirects 
-## after user types in his/her credentials. If you don't want to change code in 
+## redirect URL (end point in your Qiita instance), to which the IdP redirects
+## after user types in his/her credentials. If you don't want to change code in
 ## qiita_pet/webserver.py the URL must follow the pattern:
-## base_URL/auth/login_OIDC/foo where foo is the name of this config section 
+## base_URL/auth/login_OIDC/foo where foo is the name of this config section
 ## without the oidc_ prefix!
 #REDIRECT_ENDPOINT = /auth/login_OIDC/localkeycloak
 #
-## URL for step 1: obtain code
-#AUTHORIZE_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/protocol/openid-connect/auth
-#
-## URL for step 2: obtain user token
-#ACCESS_TOKEN_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/protocol/openid-connect/token
-#
-## URL for step 3: obtain user infos
-#USERINFO_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/protocol/openid-connect/userinfo
+## The URL of the well-known json document, specifying how API end points
+## like 'authorize', 'token' or 'userinfo' are defined. See e.g.
+## https://swagger.io/docs/specification/authentication/
+##    openid-connect-discovery/
+#WELLKNOWN_URI = https://keycloak.sso.gwdg.de/.well-known/openid-configuration
 #
 ## a speaking label for the Identity Provider. Section name is used if empty.
 #LABEL = GWDG Academic Cloud
+#
+## The scope, i.e. fields about a user, which Qiita requests from the
+## Identity Provider, e.g. "profile email eduperson_orcid".
+## Will be automatically extended by the scope "openid", to enable the
+## "authorize_code" OIDC flow.
+#SCOPE = openid

qiita_core/tests/test_configuration_manager.py

@@ -311,9 +311,7 @@ def test_get_oidc(self):
         obs._get_oidc(self.conf)
         self.assertEqual(obs.oidc['academicid']['client_id'], "foo")
 
-        self.assertTrue('gwdg.de' in obs.oidc['academicid']['authorize_url'])
-        self.assertTrue('gwdg.de' in obs.oidc['academicid']['accesstoken_url'])
-        self.assertTrue('gwdg.de' in obs.oidc['academicid']['userinfo_url'])
+        self.assertTrue('gwdg.de' in obs.oidc['academicid']['wellknown_uri'])
 
         self.assertEqual(obs.oidc['academicid']['label'],
                          'GWDG Academic Cloud')
@@ -322,6 +320,18 @@ def test_get_oidc(self):
         obs._get_oidc(self.conf)
         self.assertEqual(obs.oidc['academicid']['label'], 'academicid')
 
+        self.assertEqual(obs.oidc['academicid']['scope'], 'openid')
+        print(obs.oidc['academicid']['scope'])
+        # test fallback, if no scope is provided
+        self.conf.set(SECTION_NAME, 'SCOPE', '')
+        obs._get_oidc(self.conf)
+        self.assertEqual(obs.oidc['academicid']['scope'], 'openid')
+
+        # test if scope will be automatically extended with 'openid'
+        self.conf.set(SECTION_NAME, 'SCOPE', 'email affiliation')
+        obs._get_oidc(self.conf)
+        self.assertTrue('openid' in obs.oidc['academicid']['scope'].split())
+
 CONF = """
 # ------------------------------ Main settings --------------------------------
 [main]
@@ -513,7 +523,7 @@ def test_get_oidc(self):
 
 # client secret to verify Qiita as the correct client. Not all IdPs require
 # a client secret.
-CLIENT_SECRET = 5M6zKl8SKrlnRP4tPgtrgZpCpcYCj7uK
+CLIENT_SECRET = verySecretString
 
 # redirect URL (end point in your Qiita instance), to which the IdP redirects
 # after user types in his/her credentials. If you don't want to change code in
@@ -522,17 +532,20 @@ def test_get_oidc(self):
 # without the oidc_ prefix!
 REDIRECT_ENDPOINT = /auth/login_OIDC/academicid
 
-# URL for step 1: obtain code
-AUTHORIZE_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/auth
-
-# URL for step 2: obtain user token
-ACCESS_TOKEN_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/token
-
-# URL for step 3: obtain user infos
-USERINFO_URL = https://keycloak.sso.gwdg.de/auth/realms/academiccloud/userinfo
+# The URL of the well-known json document, specifying how API end points
+# like 'authorize', 'token' or 'userinfo' are defined. See e.g.
+# https://swagger.io/docs/specification/authentication/
+#    openid-connect-discovery/
+WELLKNOWN_URI = https://keycloak.sso.gwdg.de/.well-known/openid-configuration
 
 # a speaking label for the Identity Provider. Section name is used if empty.
 LABEL = GWDG Academic Cloud
+
+# The scope, i.e. fields about a user, which Qiita requests from the
+# Identity Provider, e.g. "profile email eduperson_orcid".
+# Will be automatically extended by the scope "openid", to enable the
+# "authorize_code" OIDC flow.
+SCOPE = openid
 """
 
 if __name__ == '__main__':

qiita_pet/handlers/auth_handlers.py

@@ -9,6 +9,7 @@
 import urllib.parse
 import os
 import warnings
+import requests
 
 from tornado.escape import url_escape, json_encode, json_decode
 from tornado.auth import OAuth2Mixin
@@ -268,12 +269,14 @@ async def post(self, login):
         if self.idp is None:
             self.render("index.html", message=msg, level='warning')
 
-        self._OAUTH_AUTHORIZE_URL = qiita_config.oidc[self.idp][
-            'authorize_url']
-        self._OAUTH_ACCESS_TOKEN_URL = qiita_config.oidc[self.idp][
-            'accesstoken_url']
-        self._OAUTH_USERINFO_URL = qiita_config.oidc[self.idp][
-            'userinfo_url']
+        idp_config = requests.get(qiita_config.oidc[self.idp]['wellknown_uri'],
+            proxies={env: os.environ[env]
+                     for env in os.environ
+                     if env.lower().endswith('_proxy')}).json()
+
+        self._OAUTH_AUTHORIZE_URL = idp_config['authorization_endpoint']
+        self._OAUTH_ACCESS_TOKEN_URL = idp_config['token_endpoint']
+        self._OAUTH_USERINFO_URL = idp_config['userinfo_endpoint']
 
         if code:
             # step 2: we got a code and now want to exchange it for a user
@@ -333,7 +336,7 @@ async def post(self, login):
                  client_id=qiita_config.oidc[self.idp]['client_id'],
                  client_secret=qiita_config.oidc[self.idp]['client_secret'],
                  response_type='code',
-                 scope=['openid']
+                 scope=[qiita_config.oidc[self.idp]['scope']]
             )
     get = post  # redirect will use GET method