src/backend/core/authentication.py

"""Authentication for the People core app."""
from django.conf import settings
from django.core.exceptions import SuspiciousOperation
from django.db import models
from django.utils.translation import gettext_lazy as _

import requests
from mozilla_django_oidc.auth import (
    OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
)

from .models import Identity


class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
    """Custom OpenID Connect (OIDC) Authentication Backend.

    This class overrides the default OIDC Authentication Backend to accommodate differences
    in the User and Identity models, and handles signed and/or encrypted UserInfo response.
    """

    def get_userinfo(self, access_token, id_token, payload):
        """Return user details dictionary.

        Parameters:
        - access_token (str): The access token.
        - id_token (str): The id token (unused).
        - payload (dict): The token payload (unused).

        Note: The id_token and payload parameters are unused in this implementation,
        but were kept to preserve base method signature.

        Note: It handles signed and/or encrypted UserInfo Response. It is required by
        Agent Connect, which follows the OIDC standard. It forces us to override the
        base method, which deal with 'application/json' response.

        Returns:
        - dict: User details dictionary obtained from the OpenID Connect user endpoint.
        """

        user_response = requests.get(
            self.OIDC_OP_USER_ENDPOINT,
            headers={"Authorization": f"Bearer {access_token}"},
            verify=self.get_settings("OIDC_VERIFY_SSL", True),
            timeout=self.get_settings("OIDC_TIMEOUT", None),
            proxies=self.get_settings("OIDC_PROXY", None),
        )
        user_response.raise_for_status()
        userinfo = self.verify_token(user_response.text)
        return userinfo

    def get_or_create_user(self, access_token, id_token, payload):
        """Return a User based on userinfo. Get or create a new user if no user matches the Sub.

        Parameters:
        - access_token (str): The access token.
        - id_token (str): The ID token.
        - payload (dict): The user payload.

        Returns:
        - User: An existing or newly created User instance.

        Raises:
        - Exception: Raised when user creation is not allowed and no existing user is found.
        """

        user_info = self.get_userinfo(access_token, id_token, payload)

        # Compute user name from OIDC name fields as defined in settings
        names_list = [
            user_info[field]
            for field in settings.USER_OIDC_FIELDS_TO_NAME
            if user_info.get(field)
        ]
        user_info["name"] = " ".join(names_list) or None

        sub = user_info.get("sub")
        if sub is None:
            raise SuspiciousOperation(
                _("User info contained no recognizable user identification")
            )

        user = (
            self.UserModel.objects.filter(identities__sub=sub)
            .annotate(
                identity_email=models.F("identities__email"),
                identity_name=models.F("identities__name"),
            )
            .distinct()
            .first()
        )
        if user:
            email = user_info.get("email")
            name = user_info.get("name")
            if (
                email
                and email != user.identity_email
                or name
                and name != user.identity_name
            ):
                Identity.objects.filter(sub=sub).update(email=email, name=name)

        elif self.get_settings("OIDC_CREATE_USER", True):
            user = self.create_user(user_info)

        return user

    def create_user(self, claims):
        """Return a newly created User instance."""
        sub = claims.get("sub")
        if sub is None:
            raise SuspiciousOperation(
                _("Claims contained no recognizable user identification")
            )

        user = self.UserModel.objects.create(password="!")  # noqa: S106
        Identity.objects.create(
            user=user, sub=sub, email=claims.get("email"), name=claims.get("name")
        )

        return user
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""Authentication for the People core app."""`
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`from django.conf import settings`
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`from django.core.exceptions import SuspiciousOperation`
			`from django.db import models`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`from django.utils.translation import gettext_lazy as _`

✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`import requests`
			`from mozilla_django_oidc.auth import (`
			`OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,`
			`)`

			`from .models import Identity`

✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):`
			`"""Custom OpenID Connect (OIDC) Authentication Backend.`

			`This class overrides the default OIDC Authentication Backend to accommodate differences`
			`in the User and Identity models, and handles signed and/or encrypted UserInfo response.`
			`"""`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`def get_userinfo(self, access_token, id_token, payload):`
			`"""Return user details dictionary.`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`Parameters:`
			`- access_token (str): The access token.`
			`- id_token (str): The id token (unused).`
			`- payload (dict): The token payload (unused).`

			`Note: The id_token and payload parameters are unused in this implementation,`
			`but were kept to preserve base method signature.`

			`Note: It handles signed and/or encrypted UserInfo Response. It is required by`
			`Agent Connect, which follows the OIDC standard. It forces us to override the`
			`base method, which deal with 'application/json' response.`

			`Returns:`
			`- dict: User details dictionary obtained from the OpenID Connect user endpoint.`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""`
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00
			`user_response = requests.get(`
			`self.OIDC_OP_USER_ENDPOINT,`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`verify=self.get_settings("OIDC_VERIFY_SSL", True),`
			`timeout=self.get_settings("OIDC_TIMEOUT", None),`
			`proxies=self.get_settings("OIDC_PROXY", None),`
			`)`
			`user_response.raise_for_status()`
			`userinfo = self.verify_token(user_response.text)`
			`return userinfo`

			`def get_or_create_user(self, access_token, id_token, payload):`
			`"""Return a User based on userinfo. Get or create a new user if no user matches the Sub.`

			`Parameters:`
			`- access_token (str): The access token.`
			`- id_token (str): The ID token.`
			`- payload (dict): The user payload.`

			`Returns:`
			`- User: An existing or newly created User instance.`

			`Raises:`
			`- Exception: Raised when user creation is not allowed and no existing user is found.`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`"""`

✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`user_info = self.get_userinfo(access_token, id_token, payload)`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`# Compute user name from OIDC name fields as defined in settings`
			`names_list = [`
			`user_info[field]`
			`for field in settings.USER_OIDC_FIELDS_TO_NAME`
			`if user_info.get(field)`
			`]`
			`user_info["name"] = " ".join(names_list) or None`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`sub = user_info.get("sub")`
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`if sub is None:`
			`raise SuspiciousOperation(`
			`_("User info contained no recognizable user identification")`
			`)`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`user = (`
			`self.UserModel.objects.filter(identities__sub=sub)`
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`.annotate(`
			`identity_email=models.F("identities__email"),`
			`identity_name=models.F("identities__name"),`
			`)`
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`.distinct()`
			`.first()`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00			`)`
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`if user:`
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`email = user_info.get("email")`
			`name = user_info.get("name")`
			`if (`
			`email`
			`and email != user.identity_email`
			`or name`
			`and name != user.identity_name`
			`):`
			`Identity.objects.filter(sub=sub).update(email=email, name=name)`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`elif self.get_settings("OIDC_CREATE_USER", True):`
			`user = self.create_user(user_info)`

			`return user`

			`def create_user(self, claims):`
			`"""Return a newly created User instance."""`
			`sub = claims.get("sub")`
			`if sub is None:`
			`raise SuspiciousOperation(`
			`_("Claims contained no recognizable user identification")`
			`)`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically. 2024-02-15 12:55:00 +01:00			`user = self.UserModel.objects.create(password="!") # noqa: S106`
			`Identity.objects.create(`
			`user=user, sub=sub, email=claims.get("email"), name=claims.get("name")`
			`)`
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project. 2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout 2024-02-15 11:00:30 +01:00			`return user`