From b3a4fa5722dcd15e3e24225a4619faa93e4ceed9 Mon Sep 17 00:00:00 2001
From: Kyle Ferriter
Date: Tue, 19 Mar 2019 09:24:27 -0400
Subject: [PATCH] ref #37, add general oauth2 params to all authorize urls

---
 README.md | 13 +++++++++++--
 token_service/redirect_handler.py | 12 ++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 30cd444..a7de01c 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Switch to this account, all app-specific operations will be executed as the serv
 which does not have admin privileges
 ```
 $ sudo su - auth_microservice
-[auth_microservice] $
+[auth_microservice] $
 ```

 Install python 2.7 or greater. This example uses 3.6.
@@ -119,6 +119,15 @@ first existing attribute wins) (default to `name`)
 * prompt: boolean (default True): adds `prompt` parameter for `login` and `consent` to the authorization url
+## Registering clients
+
+To enable authorized clients to perform privileged operations like fetching tokens, a client token must be generated at runtime for the particular server instance the client wants to use. Using the `/etc/auth_microservice/admin.key` value generated earlier at installation time, send a request to the `/admin/key` endpoint with an `owner` field which describes the client. This `owner` field is purely for auditing purposes as each authenticated request can be tied back to a client after the fact.
+
+```
+curl -H "Authorization: Basic " "https://example.org/admin/key?owner=test-client"
+{"key": "<64 byte hex string>"}
+```
+
 # Development
 ## Unittests
@@ -187,7 +196,7 @@ Please select a fix:
 Select an option: 1
 Please enter the default value now, as valid Python
 The datetime and django.utils.timezone modules are available, so you can do e.g. timezone.now()
->>> ''
+>>> ''
 You are trying to add a non-nullable field 'access_token_hash' to token without a default; we can't do that (the database needs something to populate existing rows).
 Please select a fix:
 1) Provide a one-off default now (will be set on all existing rows)
diff --git a/token_service/redirect_handler.py b/token_service/redirect_handler.py
index 5e6191e..8e681f1 100644
--- a/token_service/redirect_handler.py
+++ b/token_service/redirect_handler.py
@@ -465,7 +465,7 @@ def _handle_token_response(self, w, response):
 user_name, name = self.get_user_name_name(provider, id_token)
 user = get_user(provider, sub, user_name, name)
-
+
 # add email
 for email_key in self.IDTOKEN_EMAIL:
 if email_key in id_token:
@@ -577,17 +577,17 @@ def _generate_authorization_url(self, state, nonce, scopes, provider_tag):
 redirect_uri = Config['redirect_uri']
 additional_params = '&' + provider_config.get('additional_params', '')
+additional_params += '&response_type=code'
+additional_params += '&access_type=offline' # Google-specific addition, should be ignored if not supported
+scope = quote(' '.join(scopes))
+additional_params += '&scope=' + scope
 # get auth endpoint
 if is_openid(provider_tag):
-scope = quote(' '.join(scopes))
-
-additional_params += '&scope=' + scope
-additional_params += '&response_type=code'
-additional_params += '&access_type=offline'
 if provider_config.get('prompt', True):
 additional_params += '&prompt=login%20consent'
+
 if additional_params == '&':
 additional_params = ''
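Review bot: The guard `if additional_params == '&': additional_params = ''` at the end of the `_generate_authorization_url` hunk is now dead code, because the three unconditional appends (`&response_type=code`, `&access_type=offline`, `&scope=`) guarantee the string is never just `&`, and for a provider with no `additional_params` configured the query tail now begins with `&&response_type=code`. Emit the separator only when there is something to separate, e.g. `extra = provider_config.get('additional_params', '')` followed by `additional_params = ('&' + extra) if extra else ''`, and drop the stale guard. Separately, `access_type=offline` is now sent to every provider rather than only the OpenID ones, so any provider that honours it will issue a refresh-token-capable grant on every login; gating that line on a per-provider config setting would let deployments that only need a one-off login avoid accumulating long-lived credentials. The configured `additional_params` value is still concatenated unencoded while `scope` goes through `quote()`, which predates this change but deserves a comment on the `additional_params = ...` line. The remainder of `_generate_authorization_url` lies outside the hunk.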