✨(backend) authenticate requests using an access token issued by AC

Overload mozilla-django-oidc class to support an authentication method with the resource server backend. This enables any route of the API to be called with an access token issued by Agent Connect.
2024-07-29 15:52:19 +02:00
parent 5634a7f390
commit f1a2b7c603
2 changed files with 50 additions and 0 deletions
--- a/src/backend/core/resource_server/authentication.py
+++ b/src/backend/core/resource_server/authentication.py
@@ -0,0 +1,49 @@
+"""Resource Server Authentication"""
+
+import base64
+import binascii
+import logging
+
+from django.conf import settings
+from django.core.exceptions import ImproperlyConfigured
+
+from mozilla_django_oidc.contrib.drf import OIDCAuthentication
+
+from .backend import ResourceServerBackend
+from .clients import AuthorizationServerClient
+
+logger = logging.getLogger(__name__)
+
+
+class ResourceServerAuthentication(OIDCAuthentication):
+    """Authenticate clients using the token received from the authorization server."""
+
+    def __init__(self):
+        super().__init__()
+
+        authorization_server_client = AuthorizationServerClient(
+            url=settings.OIDC_OP_URL,
+            verify_ssl=settings.OIDC_VERIFY_SSL,
+            timeout=settings.OIDC_TIMEOUT,
+            proxy=settings.OIDC_PROXY,
+            url_jwks=settings.OIDC_OP_JWKS_ENDPOINT,
+            url_introspection=settings.OIDC_OP_INTROSPECTION_ENDPOINT,
+        )
+
+        self.backend = ResourceServerBackend(authorization_server_client)
+
+    def get_access_token(self, request):
+        """Retrieve and decode the access token from the request.
+
+        This method overcharges the 'get_access_token' method from the parent class,
+        to support service providers that would base64 encode the bearer token.
+        """
+
+        access_token = super().get_access_token(request)
+
+        try:
+            access_token = base64.b64decode(access_token).decode("utf-8")
+        except (binascii.Error, TypeError):
+            pass
+
+        return access_token
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -218,6 +218,7 @@ class Base(Configuration):

    REST_FRAMEWORK = {
        "DEFAULT_AUTHENTICATION_CLASSES": (
+            "core.resource_server.authentication.ResourceServerAuthentication",
            "mozilla_django_oidc.contrib.drf.OIDCAuthentication",
            "rest_framework.authentication.SessionAuthentication",
        ),