🔧(backend) configure Authorization Code authentication

Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-24 00:21:10 +01:00
parent 23e92d12fb
commit b9eee3e643
10 changed files with 172 additions and 125 deletions
--- a/src/backend/publish/settings.py
+++ b/src/backend/publish/settings.py
@@ -181,6 +181,7 @@ class Base(Configuration):

    AUTHENTICATION_BACKENDS = [
        "django.contrib.auth.backends.ModelBackend",
+        "core.authentication.OIDCAuthenticationBackend",
    ]

    # Django applications from the highest priority to the lowest
@@ -204,6 +205,8 @@ class Base(Configuration):
        "django.contrib.sites",
        "django.contrib.messages",
        "django.contrib.staticfiles",
+        # OIDC third party
+        "mozilla_django_oidc",
    ]

    # Cache
@@ -213,7 +216,8 @@ class Base(Configuration):

    REST_FRAMEWORK = {
        "DEFAULT_AUTHENTICATION_CLASSES": (
-            "core.authentication.DelegatedJWTAuthentication",
+            "mozilla_django_oidc.contrib.drf.OIDCAuthentication",
+            "rest_framework.authentication.SessionAuthentication",
        ),
        "DEFAULT_PARSER_CLASSES": [
            "rest_framework.parsers.JSONParser",
@@ -242,23 +246,6 @@ class Base(Configuration):
        "REDOC_DIST": "SIDECAR",
    }

-    SIMPLE_JWT = {
-        "ALGORITHM": values.Value("HS256", environ_name="JWT_ALGORITHM"),
-        "SIGNING_KEY": values.SecretValue(
-            environ_name="JWT_PRIVATE_SIGNING_KEY",
-        ),
-        "AUTH_HEADER_TYPES": ("Bearer",),
-        "AUTH_HEADER_NAME": "HTTP_AUTHORIZATION",
-        "USER_ID_FIELD": "sub",
-        "USER_ID_CLAIM": "sub",
-        "AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.AccessToken",),
-    }
-    JWT_USER_GETTER = values.Value(
-        "core.models.oidc_user_getter",
-        environ_name="publish_JWT_USER_GETTER",
-        environ_prefix=None,
-    )
-
    # Mail
    EMAIL_BACKEND = values.Value("django.core.mail.backends.smtp.EmailBackend")
    EMAIL_HOST = values.Value(None)
@@ -288,6 +275,63 @@ class Base(Configuration):
    CELERY_BROKER_URL = values.Value("redis://redis:6379/0")
    CELERY_BROKER_TRANSPORT_OPTIONS = values.DictValue({})

+    # Session
+    SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+    SESSION_COOKIE_AGE = 60 * 60 * 12
+
+    # OIDC - Authorization Code Flow
+    OIDC_CREATE_USER = values.BooleanValue(
+        default=True,
+        environ_name="OIDC_CREATE_USER",
+    )
+    OIDC_RP_SIGN_ALGO = values.Value(
+        "RS256", environ_name="OIDC_RP_SIGN_ALGO", environ_prefix=None
+    )
+    OIDC_RP_CLIENT_ID = values.Value(
+        "impress", environ_name="OIDC_RP_CLIENT_ID", environ_prefix=None
+    )
+    OIDC_RP_CLIENT_SECRET = values.Value(
+        None,
+        environ_name="OIDC_RP_CLIENT_SECRET",
+        environ_prefix=None,
+    )
+    OIDC_OP_JWKS_ENDPOINT = values.Value(
+        environ_name="OIDC_OP_JWKS_ENDPOINT", environ_prefix=None
+    )
+    OIDC_OP_AUTHORIZATION_ENDPOINT = values.Value(
+        environ_name="OIDC_OP_AUTHORIZATION_ENDPOINT", environ_prefix=None
+    )
+    OIDC_OP_TOKEN_ENDPOINT = values.Value(
+        None, environ_name="OIDC_OP_TOKEN_ENDPOINT", environ_prefix=None
+    )
+    OIDC_OP_USER_ENDPOINT = values.Value(
+        None, environ_name="OIDC_OP_USER_ENDPOINT", environ_prefix=None
+    )
+    OIDC_AUTH_REQUEST_EXTRA_PARAMS = values.DictValue(
+        {}, environ_name="OIDC_AUTH_REQUEST_EXTRA_PARAMS", environ_prefix=None
+    )
+    OIDC_RP_SCOPES = values.Value(
+        "openid email", environ_name="OIDC_RP_SCOPES", environ_prefix=None
+    )
+    LOGIN_REDIRECT_URL = values.Value(
+        None, environ_name="LOGIN_REDIRECT_URL", environ_prefix=None
+    )
+    LOGIN_REDIRECT_URL_FAILURE = values.Value(
+        None, environ_name="LOGIN_REDIRECT_URL_FAILURE", environ_prefix=None
+    )
+    LOGOUT_REDIRECT_URL = values.Value(
+        None, environ_name="LOGOUT_REDIRECT_URL", environ_prefix=None
+    )
+    OIDC_USE_NONCE = values.BooleanValue(
+        default=True, environ_name="OIDC_USE_NONCE", environ_prefix=None
+    )
+    OIDC_REDIRECT_REQUIRE_HTTPS = values.BooleanValue(
+        default=False, environ_name="OIDC_REDIRECT_REQUIRE_HTTPS", environ_prefix=None
+    )
+    OIDC_REDIRECT_ALLOWED_HOSTS = values.ListValue(
+        default=[], environ_name="OIDC_REDIRECT_ALLOWED_HOSTS", environ_prefix=None
+    )
+
    # pylint: disable=invalid-name
    @property
    def ENVIRONMENT(self):