Use onaio-oidc library to authenticate with open-id

onaio · Jul 12, 2021 · 3ba75a4 · 3ba75a4
1 parent d3d728d
commit 3ba75a4
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 121 deletions.
diff --git a/onadata/apps/main/urls.py b/onadata/apps/main/urls.py
@@ -25,9 +25,6 @@
 from onadata.apps.restservice import views as restservice_views
 from onadata.apps.sms_support import views as sms_support_views
 from onadata.apps.viewer import views as viewer_views
-from onadata.apps.api.viewsets.openid_connect_viewset import (
-    OpenIDConnectViewSet
-)
 from onadata.apps.api.viewsets.xform_viewset import XFormViewSet
 
 from onadata.libs.utils.analytics import init_analytics
@@ -43,6 +40,8 @@
     re_path(r'^i18n/', include(i18n)),
     url('^api/v1/', include(api_v1_router.urls)),
     url('^api/v2/', include(api_v2_router.urls)),
+    # open id connect urls
+    url(r"^", include("oidc.urls")),
     re_path(r'^api-docs/',
             RedirectView.as_view(url=settings.STATIC_DOC, permanent=True)),
     re_path(r'^api/$',
@@ -205,22 +204,6 @@
             '/(?P<filename>[^/]+)$',
             viewer_views.export_download, name='export-download'),
 
-    # open id connect urls
-    re_path(r'^oidc/(?P<openid_connect_provider>\w+)/login$',
-            OpenIDConnectViewSet.as_view({
-                'get': 'initiate_oidc_flow',
-                'head': 'callback',
-                'post': 'callback'
-            }), name='open-id-connect-login'),
-    re_path(r'^oidc/(?P<openid_connect_provider>\w+)/expire$',
-            OpenIDConnectViewSet.as_view({
-                'get': 'expire'
-            }), name='open-id-connect-logout'),
-    re_path(r'^oidc/(?P<openid_connect_provider>\w+)/callback$',
-            OpenIDConnectViewSet.as_view({
-                'get': 'callback', 'head': 'callback', 'post': 'callback'
-            }), name='open-id-connect-callback'),
-
     # xform versions urls
     re_path(r'^api/v1/forms/(?P<pk>[^/.]+)/versions/(?P<version_id>[^/.]+)$',  # noqa
             XFormViewSet.as_view({'get': 'versions'}),

diff --git a/onadata/libs/tests/utils/test_openid_connect_tools.py b/onadata/libs/tests/utils/test_openid_connect_tools.py
diff --git a/onadata/settings/common.py b/onadata/settings/common.py
@@ -212,6 +212,7 @@
     'actstream',
     'onadata.apps.messaging.apps.MessagingConfig',
     'django_filters',
+    'oidc',
 )
 
 OAUTH2_PROVIDER = {
@@ -223,6 +224,34 @@
     'OAUTH2_VALIDATOR_CLASS': 'onadata.libs.authentication.MasterReplicaOAuth2Validator'  # noqa
 }
 
+OPENID_CONNECT_VIEWSET_CONFIG = {
+    "REDIRECT_AFTER_AUTH": "http://localhost:3000",
+    "USE_SSO_COOKIE": True,
+    "SSO_COOKIE_DATA": "email",
+    "JWT_SECRET_KEY": 'thesecretkey',
+    "JWT_ALGORITHM": 'HS256',
+    "SSO_COOKIE_MAX_AGE": None,
+    "SSO_COOKIE_DOMAIN": "localhost",
+    "USE_AUTH_BACKEND": False,
+    "AUTH_BACKEND": "",  # Defaults to django.contrib.auth.backends.ModelBackend
+    "USE_RAPIDPRO_VIEWSET": False,
+}
+
+OPENID_CONNECT_AUTH_SERVERS = {
+    "microsoft": {
+        "AUTHORIZATION_ENDPOINT": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+        "CLIENT_ID": "client_id",
+        "JWKS_ENDPOINT": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
+        "SCOPE": "openid profile",
+        "TOKEN_ENDPOINT": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+        "END_SESSION_ENDPOINT": "http://localhost:3000",
+        "REDIRECT_URI": "http://localhost:8000/oidc/msft/callback",
+        "RESPONSE_TYPE": "id_token",
+        "RESPONSE_MODE": "form_post",
+        "USE_NONCES": True
+    }
+}
+
 REST_FRAMEWORK = {
     # Use hyperlinked styles by default.
     # Only used if the `serializer_class` attribute is not set on a view.

diff --git a/requirements/base.in b/requirements/base.in
@@ -8,3 +8,4 @@
 -e git+https://github.com/onaio/floip-py.git@3c980eb184069ae7c3c9136b18441978237cd41d#egg=pyfloip
 -e git+https://github.com/onaio/python-json2xlsclient.git@62b4645f7b4f2684421a13ce98da0331a9dd66a0#egg=python-json2xlsclient
 -e git+https://github.com/onaio/oauth2client.git@75dfdee77fb640ae30469145c66440571dfeae5c#egg=oauth2client
+-e git+https://github.com/onaio/ona-oidc.git@9cd6736921d98490b5eab647f18894dc357e099f#egg=ona-oidc
diff --git a/requirements/base.pip b/requirements/base.pip
@@ -10,6 +10,8 @@
     # via -r requirements/base.in
 -e git+https://github.com/onaio/oauth2client.git@75dfdee77fb640ae30469145c66440571dfeae5c#egg=oauth2client
     # via -r requirements/base.in
+-e git+https://github.com/onaio/ona-oidc.git#egg=ona-oidc
+    # via -r requirements/base.in
 -e git+https://github.com/onaio/floip-py.git@3c980eb184069ae7c3c9136b18441978237cd41d#egg=pyfloip
     # via -r requirements/base.in
 -e git+https://github.com/onaio/python-digest.git@3af1bd0ef6114e24bf23d0e8fd9d7ebf389845d1#egg=python-digest
@@ -72,6 +74,7 @@ cryptography==3.4.7
     # via
     #   jwcrypto
     #   onadata
+    #   pyjwt
 datapackage==1.15.2
     # via pyfloip
 defusedxml==0.7.1
@@ -128,6 +131,7 @@ django==2.2.23
     #   djangorestframework-guardian
     #   djangorestframework-jsonapi
     #   jsonfield
+    #   ona-oidc
     #   onadata
 djangorestframework-csv==2.1.1
     # via onadata
@@ -147,6 +151,7 @@ djangorestframework==3.12.4
     #   djangorestframework-gis
     #   djangorestframework-guardian
     #   djangorestframework-jsonapi
+    #   ona-oidc
     #   onadata
 docutils==0.17.1
     # via sphinx
@@ -271,8 +276,10 @@ pyflakes==2.3.1
     # via flake8
 pygments==2.9.0
     # via sphinx
-pyjwt==2.1.0
-    # via onadata
+pyjwt[crypto]==2.1.0
+    # via
+    #   ona-oidc
+    #   onadata
 pylibmc==1.6.1
     # via onadata
 pymongo==3.11.4
@@ -318,6 +325,7 @@ requests==2.25.1
     #   datapackage
     #   django-oauth-toolkit
     #   httmock
+    #   ona-oidc
     #   onadata
     #   python-json2xlsclient
     #   requests-mock