Add working OIDC implementation with user and groups sync

Teknologforeningen · Nov 21, 2020 · 75e24dd · 75e24dd
1 parent 28304e0
commit 75e24dd
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 5 deletions.
diff --git a/fars/.env.example b/fars/.env.example
@@ -41,4 +41,14 @@ BILL_API_URL="https://bill.teknologforeningen.fi/api/"
 BILL_API_USER="user"
 
 # BILL API password
-BILL_API_PW="hunter2"
+BILL_API_PW="hunter2"
+
+# OIDC configurations
+OIDC_RP_CLIENT_ID="fars"
+OIDC_RP_CLIENT_SECRET=""
+
+OIDC_OP_AUTHORIZATION_ENDPOINT=""
+OIDC_OP_TOKEN_ENDPOINT=""
+OIDC_OP_USER_ENDPOINT=""
+OIDC_OP_JWKS_ENDPOINT=""
+
diff --git a/fars/booking/templates/base.html b/fars/booking/templates/base.html
@@ -37,7 +37,7 @@
           <span class="navbar-text" id="toolbar-user-name"><a href="{% url 'profile' %}">{{user.get_full_name}}</a></span>
           <form action="{% url 'oidc_logout' %}" method="post">
             {% csrf_token %}
-            <input class="btn btn-outline-danger" id="toolbar-btn" type="submit" value="logout">
+            <input class="btn btn-outline-danger" id="toolbar-btn" type="submit" value="{% trans 'Logout' %}">
           </form>
         </span>
       {% else %}

diff --git a/fars/fars/oidc.py b/fars/fars/oidc.py
@@ -0,0 +1,34 @@
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend
+from django.contrib.auth.models import Group
+
+class TeknologOIDCAB(OIDCAuthenticationBackend):
+    def get_username(self, claims):
+        return claims.get('preferred_username')
+
+    def create_user(self, claims):
+        user = super(TeknologOIDCAB, self).create_user(claims)
+
+        user.first_name = claims.get('given_name', '')
+        user.last_name = claims.get('family_name', '')
+        groups = self.get_or_create_groups(claims.get('groups'))
+        user.groups.set(groups)
+        user.save()
+
+        return user
+
+    def update_user(self, user, claims):
+        user.first_name = claims.get('given_name', '')
+        user.last_name = claims.get('family_name', '')
+        groups = self.get_or_create_groups(claims.get('groups'))
+        user.groups.set(groups)
+        user.save()
+
+        return user
+
+    def get_or_create_groups(self, group_names):
+        groups = []
+        for group_name in group_names:
+            obj, _ = Group.objects.get_or_create(name=group_name)
+            groups.append(obj)
+
+        return groups
diff --git a/fars/fars/settings.py b/fars/fars/settings.py
@@ -131,7 +131,8 @@
     },
 ]
 
-LOGIN_REDIRECT_URL = 'home'
+LOGIN_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = '/'
 
 # Internationalization
 # https://docs.djangoproject.com/en/1.10/topics/i18n/
@@ -199,8 +200,8 @@
 # Keep ModelBackend around for per-user permissions and maybe a local
 # superuser.
 AUTHENTICATION_BACKENDS = (
-    'mozilla_django_oidc.auth.OIDCAuthenticationBackend',
-    #'django.contrib.auth.backends.ModelBackend',
+    'fars.oidc.TeknologOIDCAB',
+    'django.contrib.auth.backends.ModelBackend',
 )
 
 # Never require cert
@@ -215,3 +216,6 @@
 OIDC_OP_AUTHORIZATION_ENDPOINT = env('OIDC_OP_AUTHORIZATION_ENDPOINT')
 OIDC_OP_TOKEN_ENDPOINT = env('OIDC_OP_TOKEN_ENDPOINT')
 OIDC_OP_USER_ENDPOINT = env('OIDC_OP_USER_ENDPOINT')
+
+OIDC_RP_SIGN_ALGO = 'RS256'
+OIDC_OP_JWKS_ENDPOINT = env('OIDC_OP_JWKS_ENDPOINT')