bgallet
/
galicea-odoo-addons-ecosystem
forked from Myceliandre/galicea-odoo-addons-ecosystem
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19 Commits
7 Branches
0 Tags
635 KiB
Branch: 13.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '13.0'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/controllers/main.py

463 lines
17 KiB
Raw Permalink Normal View History

[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect] Fix CORS c.d.
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[FIX] add openid connect debug
4 years ago
[openid_connect]
6 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
12.0
5 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect] OAuth2 Password Flow
6 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
[openid_connect]
6 years ago
[MIG] 13.0 migration
4 years ago
  1. import logging
  2. import json
  3. import time
  4. import os
  5. import base64
  7. from odoo import http
  8. import werkzeug
  10. from ..api import resource
  12. try:
  13. from jwcrypto import jwk, jwt
  14. from cryptography.hazmat.backends import default_backend
  15. from cryptography.hazmat.primitives import hashes
  16. except ImportError:
  17. pass
  19. _logger = logging.getLogger(__name__)
  22. def jwk_from_json(json_key):
  23. key = jwk.JWK()
  24. key.import_key(**json.loads(json_key))
  25. return key
  28. def jwt_encode(claims, key):
  29. token = jwt.JWT(
  30. header={"alg": key._params["alg"], "kid": key._params["kid"]}, claims=claims
  31. )
  32. token.make_signed_token(key)
  33. return token.serialize()
  36. def jwt_decode(serialized, key):
  37. token = jwt.JWT(jwt=serialized, key=key)
  38. return json.loads(token.claims)
  41. RESPONSE_TYPES_SUPPORTED = ["code", "token", "id_token token", "id_token"]
  44. class OAuthException(Exception):
  45. INVALID_REQUEST = "invalid_request"
  46. INVALID_CLIENT = "invalid_client"
  47. UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type"
  48. INVALID_GRANT = "invalid_grant"
  49. UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type"
  51. def __init__(self, message, type):
  52. super(Exception, self).__init__(message)
  53. self.type = type
  56. class Main(http.Controller):
  57. def __get_authorization_code_jwk(self, req):
  58. return jwk_from_json(
  59. req.env["ir.config_parameter"]
  60. .sudo()
  61. .get_param("galicea_openid_connect.authorization_code_jwk")
  62. )
  64. def __get_id_token_jwk(self, req):
  65. return jwk_from_json(
  66. req.env["ir.config_parameter"]
  67. .sudo()
  68. .get_param("galicea_openid_connect.id_token_jwk")
  69. )
  71. def __validate_client(self, req, **query):
  72. if "client_id" not in query:
  73. raise OAuthException(
  74. "client_id param is missing", OAuthException.INVALID_CLIENT,
  75. )
  76. client_id = query["client_id"]
  77. client = (
  78. req.env["galicea_openid_connect.client"]
  79. .sudo()
  80. .search([("client_id", "=", client_id)])
  81. )
  82. if not client:
  83. raise OAuthException(
  84. "client_id param is invalid", OAuthException.INVALID_CLIENT,
  85. )
  86. _logger.debug("#### openid client: %s" % client)
  87. return client
  89. def __validate_redirect_uri(self, client, req, **query):
  90. _logger.debug("#### openid client: %s" % query)
  91. if "redirect_uri" not in query:
  92. raise OAuthException(
  93. "redirect_uri param is missing", OAuthException.INVALID_GRANT,
  94. )
  96. redirect_uri = query["redirect_uri"]
  97. _logger.debug(
  98. "#### openid client: %s (%s)" % (client.auth_redirect_uri, redirect_uri)
  99. )
  100. if client.auth_redirect_uri != redirect_uri:
  101. raise OAuthException(
  102. "redirect_uri param doesn't match the pre-configured redirect URI",
  103. OAuthException.INVALID_GRANT,
  104. )
  106. return redirect_uri
  108. def __validate_client_secret(self, client, req, **query):
  109. if "client_secret" not in query or query["client_secret"] != client.secret:
  110. _logger.debug(
  111. "#### openid client: %s (%s)" % (query["client_secret"], client.secret)
  112. )
  113. raise OAuthException(
  114. "client_secret param is not valid", OAuthException.INVALID_CLIENT,
  115. )
  117. @http.route("/.well-known/openid-configuration", auth="public", type="http")
  118. def metadata(self, req, **query):
  119. base_url = http.request.httprequest.host_url
  120. data = {
  121. "issuer": base_url,
  122. "authorization_endpoint": base_url + "oauth/authorize",
  123. "token_endpoint": base_url + "oauth/token",
  124. "userinfo_endpoint": base_url + "oauth/userinfo",
  125. "jwks_uri": base_url + "oauth/jwks",
  126. "scopes_supported": ["openid"],
  127. "response_types_supported": RESPONSE_TYPES_SUPPORTED,
  128. "grant_types_supported": [
  129. "authorization_code",
  130. "implicit",
  131. "password",
  132. "client_credentials",
  133. ],
  134. "subject_types_supported": ["public"],
  135. "id_token_signing_alg_values_supported": ["RS256"],
  136. "token_endpoint_auth_methods_supported": ["client_secret_post"],
  137. }
  138. return json.dumps(data)
  140. @http.route("/oauth/jwks", auth="public", type="http")
  141. def jwks(self, req, **query):
  142. keyset = jwk.JWKSet()
  143. keyset.add(self.__get_id_token_jwk(req))
  144. return keyset.export(private_keys=False)
  146. @resource("/oauth/userinfo", method="GET")
  147. def userinfo(self, req, **query):
  148. user = req.env.user
  149. values = {
  150. "sub": str(user.id),
  151. # Needed in case the client is another Odoo instance
  152. "user_id": str(user.id),
  153. "name": user.name,
  154. }
  155. if user.email:
  156. values["email"] = user.email
  157. _logger.debug("#### OPENID (3): %s" % values)
  158. return values
  160. @resource("/oauth/clientinfo", method="GET", auth="client")
  161. def clientinfo(self, req, **query):
  162. client = req.env["galicea_openid_connect.client"].browse(
  163. req.context["client_id"]
  164. )
  165. return {"name": client.name}
  167. @http.route("/oauth/authorize", auth="public", type="http", csrf=False)
  168. def authorize(self, req, **query):
  169. # First, validate client_id and redirect_uri params.
  170. _logger.debug("#### OPENID (auth)")
  171. try:
  172. client = self.__validate_client(req, **query)
  173. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  174. except OAuthException as e:
  175. # If those are not valid, we must not redirect back to the client
  176. # - instead, we display a message to the user
  177. _logger.debug("#### OPENID (4): %s" % e)
  178. return req.render("galicea_openid_connect.error", {"exception": e})
  180. scopes = query["scope"].split(" ") if query.get("scope") else []
  181. is_openid_request = "openid" in scopes
  183. # state, if present, is just mirrored back to the client
  184. response_params = {}
  185. if "state" in query:
  186. response_params["state"] = query["state"]
  188. response_mode = query.get("response_mode")
  189. try:
  190. if response_mode and response_mode not in ["query", "fragment"]:
  191. _logger.debug("#### OPENID (auth 1)")
  192. response_mode = None
  193. raise OAuthException(
  194. "The only supported response_modes are 'query' and 'fragment'",
  195. OAuthException.INVALID_REQUEST,
  196. )
  198. if "response_type" not in query:
  199. _logger.debug("#### OPENID (auth 2)")
  200. raise OAuthException(
  201. "response_type param is missing", OAuthException.INVALID_REQUEST,
  202. )
  203. response_type = query["response_type"]
  204. if response_type not in RESPONSE_TYPES_SUPPORTED:
  205. _logger.debug("#### OPENID (auth 3)")
  206. raise OAuthException(
  207. "The only supported response_types are: {}".format(
  208. ", ".join(RESPONSE_TYPES_SUPPORTED)
  209. ),
  210. OAuthException.UNSUPPORTED_RESPONSE_TYPE,
  211. )
  212. except OAuthException as e:
  213. _logger.debug("#### OPENID (5): %s" % e)
  214. response_params["error"] = e.type
  215. response_params["error_description"] = e
  216. return self.__redirect(
  217. redirect_uri, response_params, response_mode or "query"
  218. )
  220. _logger.debug("#### OPENID (auth 4)")
  221. if not response_mode:
  222. response_mode = "query" if response_type == "code" else "fragment"
  224. user = req.env.user
  225. # In case user is not logged in, we redirect to the login page and come back
  226. needs_login = user.login == "public"
  227. # Also if they didn't authenticate recently enough
  228. if (
  229. "max_age" in query
  230. and http.request.session.get("auth_time", 0) + int(query["max_age"])
  231. < time.time()
  232. ):
  233. needs_login = True
  234. if needs_login:
  235. params = {
  236. "force_auth_and_redirect": "/oauth/authorize?{}".format(
  237. werkzeug.url_encode(query)
  238. )
  239. }
  240. _logger.debug("#### OPENID (auth 4.2): %s" % params)
  241. return self.__redirect("/web/login", params, "query")
  243. response_types = response_type.split()
  245. extra_claims = {
  246. "sid": http.request.httprequest.session.sid,
  247. }
  248. if "nonce" in query:
  249. extra_claims["nonce"] = query["nonce"]
  251. if "code" in response_types:
  252. # Generate code that can be used by the client server to retrieve
  253. # the token. It's set to be valid for 60 seconds only.
  254. # TODO: The spec says the code should be single-use. We're not enforcing
  255. # that here.
  256. payload = {
  257. "redirect_uri": redirect_uri,
  258. "client_id": client.client_id,
  259. "user_id": user.id,
  260. "scopes": scopes,
  261. "exp": int(time.time()) + 60,
  262. }
  263. payload.update(extra_claims)
  264. key = self.__get_authorization_code_jwk(req)
  265. response_params["code"] = jwt_encode(payload, key)
  266. if "token" in response_types:
  267. access_token = (
  268. req.env["galicea_openid_connect.access_token"]
  269. .sudo()
  270. .retrieve_or_create(user.id, client.id)
  271. .token
  272. )
  273. response_params["access_token"] = access_token
  274. response_params["token_type"] = "bearer"
  276. digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
  277. digest.update(access_token.encode("ascii"))
  278. at_hash = digest.finalize()
  279. extra_claims["at_hash"] = base64.urlsafe_b64encode(at_hash[:16]).strip("=")
  280. if "id_token" in response_types:
  281. response_params["id_token"] = self.__create_id_token(
  282. req, user.id, client, extra_claims
  283. )
  284. _logger.debug(
  285. "#### OPENID (6): %s, %s, %s"
  286. % (redirect_uri, response_params, response_mode)
  287. )
  288. _logger.debug(
  289. "#### OPENID (6.1): %s"
  290. % self.__redirect(redirect_uri, response_params, response_mode)
  291. )
  292. return self.__redirect(redirect_uri, response_params, response_mode)
  294. @http.route(
  295. "/oauth/token",
  296. auth="public",
  297. type="http",
  298. methods=["POST", "OPTIONS"],
  299. csrf=False,
  300. )
  301. def token(self, req, **query):
  302. cors_headers = {
  303. "Access-Control-Allow-Origin": "*",
  304. "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, X-Debug-Mode, Authorization",
  305. "Access-Control-Max-Age": 60 * 60 * 24,
  306. }
  307. if req.httprequest.method == "OPTIONS":
  308. return http.Response(status=200, headers=cors_headers)
  310. try:
  311. _logger.debug("#### OPENID (7): %s" % query)
  312. if "grant_type" not in query:
  313. raise OAuthException(
  314. "grant_type param is missing", OAuthException.INVALID_REQUEST,
  315. )
  316. if query["grant_type"] == "authorization_code":
  317. return json.dumps(
  318. self.__handle_grant_type_authorization_code(req, **query)
  319. )
  320. elif query["grant_type"] == "client_credentials":
  321. return json.dumps(
  322. self.__handle_grant_type_client_credentials(req, **query)
  323. )
  324. elif query["grant_type"] == "password":
  325. return werkzeug.Response(
  326. response=json.dumps(
  327. self.__handle_grant_type_password(req, **query)
  328. ),
  329. headers=cors_headers,
  330. )
  331. else:
  332. raise OAuthException(
  333. "Unsupported grant_type param: '{}'".format(query["grant_type"]),
  334. OAuthException.UNSUPPORTED_GRANT_TYPE,
  335. )
  336. except OAuthException as e:
  337. body = json.dumps({"error": e.type, "error_description": e})
  338. return werkzeug.Response(response=body, status=400, headers=cors_headers)
  340. def __handle_grant_type_authorization_code(self, req, **query):
  341. client = self.__validate_client(req, **query)
  342. redirect_uri = self.__validate_redirect_uri(client, req, **query)
  343. self.__validate_client_secret(client, req, **query)
  345. if "code" not in query:
  346. raise OAuthException(
  347. "code param is missing", OAuthException.INVALID_GRANT,
  348. )
  349. try:
  350. payload = jwt_decode(query["code"], self.__get_authorization_code_jwk(req))
  351. _logger.debug("#### OPENID (8): %s" % payload)
  352. except jwt.JWTExpired:
  353. _logger.debug("#### OPENID (9): %s" % OAuthException.INVALID_GRANT)
  354. raise OAuthException(
  355. "Code expired", OAuthException.INVALID_GRANT,
  356. )
  357. except ValueError:
  358. _logger.debug("#### OPENID (10): %s" % OAuthException.INVALID_GRANT)
  359. raise OAuthException(
  360. "code malformed", OAuthException.INVALID_GRANT,
  361. )
  362. if payload["client_id"] != client.client_id:
  363. _logger.debug("#### OPENID (11): %s" % OAuthException.INVALID_GRANT)
  364. raise OAuthException(
  365. "client_id doesn't match the authorization request",
  366. OAuthException.INVALID_GRANT,
  367. )
  368. if payload["redirect_uri"] != redirect_uri:
  369. _logger.debug("#### OPENID (12): %s" % OAuthException.INVALID_GRANT)
  370. raise OAuthException(
  371. "redirect_uri doesn't match the authorization request",
  372. OAuthException.INVALID_GRANT,
  373. )
  375. # Retrieve/generate access token. We currently only store one per user/client
  376. token = (
  377. req.env["galicea_openid_connect.access_token"]
  378. .sudo()
  379. .retrieve_or_create(payload["user_id"], client.id)
  380. )
  381. response = {"access_token": token.token, "token_type": "bearer"}
  382. if "openid" in payload["scopes"]:
  383. extra_claims = {
  384. name: payload[name] for name in payload if name in ["sid", "nonce"]
  385. }
  386. response["id_token"] = self.__create_id_token(
  387. req, payload["user_id"], client, extra_claims
  388. )
  389. _logger.debug("#### OPENID (12): %s" % response)
  390. return response
  392. def __handle_grant_type_password(self, req, **query):
  393. client = self.__validate_client(req, **query)
  394. if not client.allow_password_grant:
  395. raise OAuthException(
  396. "This client is not allowed to perform password flow",
  397. OAuthException.UNSUPPORTED_GRANT_TYPE,
  398. )
  400. for param in ["username", "password"]:
  401. if param not in query:
  402. raise OAuthException(
  403. "{} is required".format(param), OAuthException.INVALID_REQUEST
  404. )
  405. user_id = req.env["res.users"].authenticate(
  406. req.env.cr.dbname, query["username"], query["password"], None
  407. )
  408. if not user_id:
  409. raise OAuthException(
  410. "Invalid username or password", OAuthException.INVALID_REQUEST
  411. )
  413. scopes = query["scope"].split(" ") if query.get("scope") else []
  414. # Retrieve/generate access token. We currently only store one per user/client
  415. token = (
  416. req.env["galicea_openid_connect.access_token"]
  417. .sudo()
  418. .retrieve_or_create(user_id, client.id)
  419. )
  420. response = {"access_token": token.token, "token_type": "bearer"}
  421. if "openid" in scopes:
  422. response["id_token"] = self.__create_id_token(req, user_id, client, {})
  423. return response
  425. def __handle_grant_type_client_credentials(self, req, **query):
  426. client = self.__validate_client(req, **query)
  427. self.__validate_client_secret(client, req, **query)
  428. token = (
  429. req.env["galicea_openid_connect.client_access_token"]
  430. .sudo()
  431. .retrieve_or_create(client.id)
  432. )
  433. return {"access_token": token.token, "token_type": "bearer"}
  435. def __create_id_token(self, req, user_id, client, extra_claims):
  436. claims = {
  437. "iss": http.request.httprequest.host_url,
  438. "sub": str(user_id),
  439. "aud": client.client_id,
  440. "iat": int(time.time()),
  441. "exp": int(time.time()) + 15 * 60,
  442. }
  443. auth_time = extra_claims.get("sid") and http.root.session_store.get(
  444. extra_claims["sid"]
  445. ).get("auth_time")
  446. if auth_time:
  447. claims["auth_time"] = auth_time
  448. if "nonce" in extra_claims:
  449. claims["nonce"] = extra_claims["nonce"]
  450. if "at_hash" in extra_claims:
  451. claims["at_hash"] = extra_claims["at_hash"]
  453. key = self.__get_id_token_jwk(req)
  454. return jwt_encode(claims, key)
  456. def __redirect(self, url, params, response_mode):
  457. location = "{}{}{}".format(
  458. url, "?" if response_mode == "query" else "#", werkzeug.url_encode(params)
  459. )
  460. return werkzeug.Response(
  461. headers={"Location": location}, response=None, status=302,
  462. )