studio/people
Archived
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
f759d318b9f70d6aed5b910dc52d9cd276c67fd3
people/src/backend/core/authentication/backends.py

249 lines
8.9 KiB
Python
Raw Normal View History

🚚(backend) create a dedicated authentication package Prepare adding advanced authentication features. Create a dedicated authentication Python package within the core app. This code organization will be more extensible.
2024-04-09 23:33:30 +02:00
"""Authentication Backends for the People core app."""
🚨(backend) follow Ruff 2024.2 style introduced in v0.3.0 We recently updated Ruff from 0.2.2 to v0.3, which introduced Ruff 2024.2 style. This new style updated Ruff formatter's behavior, making our make lint command fails. Ruff 2024.2 style add a blank line after the module docstring. Please take a look at Ruff ChangeLog to get more info.
2024-03-07 10:57:05 +01:00
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
import logging
from email.headerregistry import Address
from typing import Optional
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically.
2024-02-15 12:55:00 +01:00
from django.conf import settings
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
from django.contrib.auth import get_user_model
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
from django.core.exceptions import SuspiciousOperation
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
from django.utils.translation import gettext_lazy as _
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
import requests
from mozilla_django_oidc.auth import (
OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
)
♻️(contacts) move user profile to contact Move the user <-> contact relation for "profile" to the contact model. Now the Contact model is the only one to point to User (and not backward). Contact: - FK to User for the owner - FK to User for the profile
2024-12-02 16:26:41 +01:00
from core.models import (
Contact,
Organization,
OrganizationAccess,
OrganizationRoleChoices,
)
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
logger = logging.getLogger(__name__)
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
User = get_user_model()
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
def get_domain_from_email(email: Optional[str]) -> Optional[str]:
"""Extract domain from email."""
try:
return Address(addr_spec=email).domain
except (ValueError, AttributeError):
return None
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
"""Custom OpenID Connect (OIDC) Authentication Backend.
This class overrides the default OIDC Authentication Backend to accommodate differences
♻️(models) remove multiple identities Multiple identities were complicating this project's code. We moved the management of multiple identities to our OIDC provider.
2024-06-09 22:43:42 +02:00
in the User model, and handles signed and/or encrypted UserInfo response.
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
"""
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
def get_userinfo(self, access_token, id_token, payload):
"""Return user details dictionary.
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
Parameters:
- access_token (str): The access token.
- id_token (str): The id token (unused).
- payload (dict): The token payload (unused).
Note: The id_token and payload parameters are unused in this implementation,
but were kept to preserve base method signature.
Note: It handles signed and/or encrypted UserInfo Response. It is required by
Agent Connect, which follows the OIDC standard. It forces us to override the
base method, which deal with 'application/json' response.
Returns:
- dict: User details dictionary obtained from the OpenID Connect user endpoint.
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
"""
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
user_response = requests.get(
self.OIDC_OP_USER_ENDPOINT,
headers={"Authorization": f"Bearer {access_token}"},
verify=self.get_settings("OIDC_VERIFY_SSL", True),
timeout=self.get_settings("OIDC_TIMEOUT", None),
proxies=self.get_settings("OIDC_PROXY", None),
)
user_response.raise_for_status()
userinfo = self.verify_token(user_response.text)
return userinfo
def get_or_create_user(self, access_token, id_token, payload):
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
"""Return a User based on userinfo. Create a new user if no match is found.
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
Parameters:
- access_token (str): The access token.
- id_token (str): The ID token.
- payload (dict): The user payload.
Returns:
- User: An existing or newly created User instance.
Raises:
- Exception: Raised when user creation is not allowed and no existing user is found.
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
"""
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
user_info = self.get_userinfo(access_token, id_token, payload)
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
sub = user_info.get("sub")
if not sub:
raise SuspiciousOperation(
_("User info contained no recognizable user identification")
)
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
# Get user's full name from OIDC fields defined in settings
full_name = self.compute_full_name(user_info)
email = user_info.get("email")
claims = {
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
"sub": sub,
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
"email": email,
"name": full_name,
}
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
if settings.OIDC_ORGANIZATION_REGISTRATION_ID_FIELD:
claims[settings.OIDC_ORGANIZATION_REGISTRATION_ID_FIELD] = user_info.get(
settings.OIDC_ORGANIZATION_REGISTRATION_ID_FIELD
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
)
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
# if sub is absent, try matching on email
user = self.get_existing_user(sub, email)
🛂(backend) do not duplicate user when disabled When a user is disabled and tries to login, we don't want the user to be duplicated, the user should not be able to login. Fixes https://github.com/numerique-gouv/people/issues/455
2024-10-11 12:57:13 +02:00
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
if user:
🛂(backend) do not duplicate user when disabled When a user is disabled and tries to login, we don't want the user to be duplicated, the user should not be able to login. Fixes https://github.com/numerique-gouv/people/issues/455
2024-10-11 12:57:13 +02:00
if not user.is_active:
raise SuspiciousOperation(_("User account is disabled"))
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
self.update_user_if_needed(user, claims)
elif self.get_settings("OIDC_CREATE_USER", True):
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
user = self.create_user(claims)
# Data cleaning, to be removed when user organization is null=False
# or all users have an organization.
# See https://github.com/numerique-gouv/people/issues/504
if not user.organization_id:
organization_registration_id = claims.get(
settings.OIDC_ORGANIZATION_REGISTRATION_ID_FIELD
)
domain = get_domain_from_email(email)
try:
organization, organization_created = (
Organization.objects.get_or_create_from_user_claims(
registration_id=organization_registration_id,
domain=domain,
)
)
if organization_created:
logger.info("Organization %s created", organization)
# For this case, we don't create an OrganizationAccess we will
# manage this manually later, because we don't want the first
# user who log in after the release to be the admin of their
# organization. We will keep organization without admin, and
# we will have to manually clean things up (while there is
# not that much organization in the database).
except ValueError as exc:
# Raised when there is no recognizable organization
# identifier (domain or registration_id)
logger.warning("Unable to update user organization: %s", exc)
else:
user.organization = organization
user.save()
logger.info(
"User %s updated with organization %s", user.pk, organization
)
✨(backend) support Authorization code flow Integrate 'mozilla-django-oidc' dependency, to support Authorization Code flow, which is required by Agent Connect. Thus, we provide a secure back channel OIDC flow, and return to the client only a session cookie. Done: - Replace JWT authentication by Session based authentication in DRF - Update Django settings to make OIDC configurations easily editable - Add 'mozilla-django-oidc' routes to our router - Implement a custom Django Authentication class to adapt 'mozilla-django-oidc' to our needs 'mozilla-django-oidc' routes added are: - /authenticate - /callback (the redirect_uri called back by the Idp) - /logout
2024-02-15 11:00:30 +01:00
return user
def create_user(self, claims):
"""Return a newly created User instance."""
sub = claims.get("sub")
if sub is None:
raise SuspiciousOperation(
_("Claims contained no recognizable user identification")
)
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
email = claims.get("email")
name = claims.get("name")
✨(project) first proof of concept based of Joanie Used https://github.com/openfun/joanie as boilerplate, ran a few transformations with ChapGPT and adapted models and endpoints to fit to my current vision of the project.
2024-01-03 10:09:31 +01:00
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
# Extract or create the organization from the data
organization_registration_id = claims.get(
settings.OIDC_ORGANIZATION_REGISTRATION_ID_FIELD
)
domain = get_domain_from_email(email)
try:
organization, organization_created = (
Organization.objects.get_or_create_from_user_claims(
registration_id=organization_registration_id,
domain=domain,
)
)
except ValueError as exc:
raise SuspiciousOperation(
_("Claims contained no recognizable organization identification")
) from exc
if organization_created:
logger.info("Organization %s created", organization)
logger.info("Creating user %s / %s", sub, email)
user = self.UserModel.objects.create(
organization=organization,
♻️(models) remove multiple identities Multiple identities were complicating this project's code. We moved the management of multiple identities to our OIDC provider.
2024-06-09 22:43:42 +02:00
password="!", # noqa: S106
sub=sub,
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
email=email,
name=name,
🗃️(backend) add name field to identity We need a name for the user when we display the members in the frontend. This commit adds the name column to the identity model. We sync the Keycloak user with the identity model when the user logs in to fill and udpate the name automatically.
2024-02-15 12:55:00 +01:00
)
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
if organization_created:
# Warning: we may remove this behavior in the near future when we
# add a feature to claim the organization ownership.
OrganizationAccess.objects.create(
organization=organization,
user=user,
role=OrganizationRoleChoices.ADMIN,
)
♻️(contacts) move user profile to contact Move the user <-> contact relation for "profile" to the contact model. Now the Contact model is the only one to point to User (and not backward). Contact: - FK to User for the owner - FK to User for the profile
2024-12-02 16:26:41 +01:00
# Initiate the user's profile
Contact.objects.create(
owner=user,
user=user,
full_name=name or email,
data={
"emails": [
{"type": "Work", "value": email},
],
},
)
👔(backend) add `Organization` model We introduce the Organization model has a "hat" for all users and team. Each User must have a "default" organization. Each Team must have an organization. When a User creates a new Team, the team is linked to their default Organization. For now the Organization should not be visible to end users this is a purely technical aspect as it. The models are also adding a permission to allow User to edit an Organization, but for now there are no endpoints for that. Next steps: - Add an Organization to each User and Team on all environments to mark Organization as mandatory in database. - Add scope to Organization to list the Service Provider list allowed for a User in an Organization. - Add endpoints + frontend to manage Organization's scopes
2024-10-17 15:30:00 +02:00
return user
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
def compute_full_name(self, user_info):
"""Compute user's full name based on OIDC fields in settings."""
name_fields = settings.USER_OIDC_FIELDS_TO_NAME
full_name = " ".join(
user_info[field] for field in name_fields if user_info.get(field)
)
return full_name or None
def get_existing_user(self, sub, email):
"""Fetch existing user by sub or email."""
try:
🛂(backend) do not duplicate user when disabled When a user is disabled and tries to login, we don't want the user to be duplicated, the user should not be able to login. Fixes https://github.com/numerique-gouv/people/issues/455
2024-10-11 12:57:13 +02:00
return User.objects.get(sub=sub)
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
except User.DoesNotExist:
if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
try:
🛂(backend) do not duplicate user when disabled When a user is disabled and tries to login, we don't want the user to be duplicated, the user should not be able to login. Fixes https://github.com/numerique-gouv/people/issues/455
2024-10-11 12:57:13 +02:00
return User.objects.get(email=email)
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
except User.DoesNotExist:
pass
return None
def update_user_if_needed(self, user, claims):
"""Update user claims if they have changed."""
🚑️(backend) fix claim contains non user field When we use the feature to get Organization registration number, the claim contains this value and it does not match with any user field. I switched to a whitelist instead of a blacklist (and two loops, with an if condition on each)
2024-11-21 23:06:49 +01:00
updated_claims = {}
for key in ["email", "name"]:
claim_value = claims.get(key)
if claim_value and claim_value != getattr(user, key):
updated_claims[key] = claim_value
if updated_claims:
🛂(backend) match email if no existing user matches the sub Some OIDC identity providers may provide a random value in the "sub" field instead of an identifying ID. In this case, it may be a good idea to fallback to matching the user on its email field.
2024-10-04 18:59:32 +02:00
self.UserModel.objects.filter(sub=user.sub).update(**updated_claims)
Reference in New Issue Copy Permalink