[Review] Quite a lot of minor improvements #1
Conversation
TODO: check with python3 and make correct fallback when required.
TODO: add tox and check for old django versions
…ng admin logout page is being shown
|
Thanks for the pull request. Right now we are trying to figure out if / when to pull the changes into our branch. Once we figure out what we are doing we will let you know. |
… disabled in settings
Prefer that the view tries to log out from django and silently fails if the wrong OIDC client is requested.. This just fixes a specific problem I have right now where the views are wrapped in other views in the django application so this is maybe not a good general improvement. Closes #1
Will cause bugs if not overridden
Exceptions should probably be the first thing to get a full makeover in this library, right now I just copied and simplified exceptions.py/status.py from django rest framework. Things which have to be investigated are: - Should http response codes be included? (probably yes) - Should ALL oauth/oic exceptions be wrapped by corresponding local exception types? (maybe not) - Do we even need local exception types or does the ones which pyoic provide enough detail? (not really researched yet)
|
I can confirm that this while I couldn't get Update: Other users are probably still best served by yet another fork, based on @koriaf's work: https://github.com/py-pa/django-oidc |
It's another hack but it's ok since a lot should be rewritten anyways.
…n_session Add auth token expires_in into django session
Merge py-pa/django-oidc work
make it more universal
…etup of a client. This allows the use of 'private_key_jwt' for an authentication method.
…_jwt client authentication
Add ability to use "private_key_jwt" for client authentication
There was a problem hiding this comment.
Overall a good set of changes. Some questions on why things were done the way they were and a couple of changes that we don't want to accept (dealing with packaging)
Thank you for your contributions. We should be able to respond in a more timely manner in the future.
| @@ -7,18 +7,21 @@ Behind the scenes, it uses Roland Hedberg's great pyoidc library. | |||
|
|
|||
| Modified by JHUAPL BOSS to support Python3 | |||
|
|
|||
| Modified by Thomas Frössman with fixes and additional modifications. | |||
There was a problem hiding this comment.
May create an AUTHORS file / add to NOTICE instead of including this information in the README.
This line breaks setup.py, as it includes a non-ascii character and setup.py reads this file without setting the encoding to UTF-8.
| Quickstart | ||
| ---------- | ||
|
|
||
| Install djangooidc:: | ||
|
|
||
| # Latest code - unstable! | ||
| pip install git+https://github.com/jhuapl-boss/django-oidc.git | ||
|
|
||
| pip install git+https://github.com/{desiredforkname}/django-oidc.git |
There was a problem hiding this comment.
We will want to keep our original version
| "post_logout_redirect_uris": ["http://localhost:8000/openid/callback/logout/"], | ||
| } | ||
| }, | ||
| # "Azure Active Directory": { |
There was a problem hiding this comment.
Looking at the full file, this comments out all OIDC providers. What was the reason for this, as it leaves the django_rp example in an incomplete state.
djangooidc/__init__.py
Outdated
| __version__ = '0.0.8' |
There was a problem hiding this comment.
We will not want to downgrade our version number
| from djangooidc import status | ||
|
|
||
|
|
||
| class OIDCException(Exception): |
There was a problem hiding this comment.
I like this addition. What is the reason for the comment out subclasses? It looks like they would be useful.
| query = parse_qs(request.GET.urlencode()) | ||
| callback_result = client.callback(query, request.session) | ||
| if isinstance(callback_result, OIDCError): | ||
| raise callback_result |
There was a problem hiding this comment.
Why return the exception (instead of just raising it in client.callback)?
| # should include the post_logout_redirect_uri | ||
| request_args.update(extra_args) | ||
|
|
||
| url = client.provider_info['end_session_endpoint'] |
| auth_logout(request) | ||
| if next_page: | ||
| request.session['next'] = next_page | ||
|
|
||
| return HttpResponseRedirect(next_page) |
There was a problem hiding this comment.
next_page may be None
Should probably redirect to '/' so similar if variable is not set
| packages=[ | ||
| 'djangooidc', | ||
| ], | ||
| include_package_data=True, | ||
| install_requires=[ | ||
| 'django>=1.8', | ||
| 'oic>=0.7.6', | ||
| 'django>=1.10', |
There was a problem hiding this comment.
This works with earlier versions of Django. We are running Django 1.9.1 and this update messes with the pip install for us.
Any particular reason for the version upgrades?
| @@ -27,20 +27,20 @@ | |||
| history = open('HISTORY.rst').read().replace('.. :changelog:', '') | |||
|
|
|||
| setup( | |||
| name='django-oidc', | |||
| name='django-oidc-tf', | |||
There was a problem hiding this comment.
We will want to keep the original name
There was a problem hiding this comment.
Thanks for the review! Some changes came from the fork py-pa/django-oidc which I merged to get both py3 and py2 support (I use this library both for 2 and 3), so can't say why it's been done what way - like this one.
But I'll try to handle issues which may be handled at all. Looks like some potential bugs were introduced so my projects are affected so it will be fixed.
* fix it up so that django 2.2 is tested and works * nonce/state are too small, need to make acr_value something that can be configured * added django 2.2 required request parameter, try using email address to log in, set unusable password for created users #3
Hi!
Please do not merge this PR until you are 100% sure it's fine, because I didn't tested it in python3 fully yet.
I've made some minor improvements to make it works on my installation and now it's working fine. Please review this and quickly tell me if it worth going to master branch and if it safe to do it. If it's - then I will be able to create smaller commits with smaller changes subset and PR them separately (or commit directly to master if you would like to avoid merge commits).
Or feel free to pull/merge specific commits to master already, leaving problematic out of scope until they are fixed.
Thanks!