feat: enable oidc authz code flow (#317)

.template.env

@@ -39,3 +39,19 @@ POSTGRES_USER=river
 POSTGRES_PASSWORD=river
 POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
+
+###
+### Mozilla OpenID Connect
+###
+
+OIDC_RP_CLIENT_ID=
+OIDC_RP_CLIENT_SECRET=
+OIDC_RP_EXTRA_SCOPES=
+OIDC_RP_SIGN_ALGO=
+# OIDC_OP_JWKS_ENDPOINT=
+LOGIN_REDIRECT_URL=
+LOGIN_REDIRECT_URL_FAILURE=
+LOGOUT_REDIRECT_URL=
+OIDC_OP_AUTHORIZATION_ENDPOINT=
+OIDC_OP_TOKEN_ENDPOINT=
+OIDC_OP_USER_ENDPOINT=

django/river/settings/base.py

@@ -46,6 +46,7 @@
     "rest_framework",
     "corsheaders",
     "django_filters",
+    "mozilla_django_oidc",
     # 1st parties
     "core",
     "extractor",
@@ -65,6 +66,8 @@
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    # Redirect requests to silently re-authenticated:
+    "mozilla_django_oidc.middleware.SessionRefresh",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
@@ -114,6 +117,7 @@
 # https://docs.djangoproject.com/en/3.1/topics/auth/customizing/#specifying-authentication-backends
 
 AUTHENTICATION_BACKENDS = [
+    "mozilla_django_oidc.auth.OIDCAuthenticationBackend",
     "django.contrib.auth.backends.ModelBackend",
 ]
 
@@ -247,3 +251,32 @@
 # Prometheus
 
 EXPORTER_PORT = os.environ.get("EXPORTER_PORT", 8001)
+
+# Mozilla OpenID Connect
+# https://mozilla-django-oidc.readthedocs.io/en/stable/settings.html
+
+OIDC_STORE_ID_TOKEN = True
+OIDC_STORE_ACCESS_TOKEN = True
+# Silently re-authenticated after following time:
+OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS = int(os.environ.get("OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS", 12 * 60 * 60))
+
+# Relying party
+OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID")
+OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET")
+OIDC_RP_EXTRA_SCOPES = os.environ.get("OIDC_RP_EXTRA_SCOPES", "").replace(",", " ").split(" ")
+OIDC_RP_SCOPES = " ".join(["openid", *OIDC_RP_EXTRA_SCOPES])
+OIDC_RP_SIGN_ALGO = os.environ.get("OIDC_RP_SIGN_ALGO")
+
+LOGIN_REDIRECT_URL = os.environ.get("LOGIN_REDIRECT_URL")
+LOGIN_REDIRECT_URL_FAILURE = os.environ.get("LOGIN_REDIRECT_URL_FAILURE")
+LOGOUT_REDIRECT_URL = os.environ.get("LOGOUT_REDIRECT_URL")
+
+# Provider
+OIDC_OP_AUTHORIZATION_ENDPOINT = os.environ.get("OIDC_OP_AUTHORIZATION_ENDPOINT")
+OIDC_OP_TOKEN_ENDPOINT = os.environ.get("OIDC_OP_TOKEN_ENDPOINT")
+OIDC_OP_USER_ENDPOINT = os.environ.get("OIDC_OP_USER_ENDPOINT")
+
+if OIDC_RP_SIGN_ALGO == "RS256":
+    OIDC_OP_JWKS_ENDPOINT = os.environ.get("OIDC_OP_JWKS_ENDPOINT")
+elif OIDC_RP_SIGN_ALGO == "HS256":
+    pass

django/river/urls.py

@@ -7,6 +7,7 @@
     path("", include("pagai.urls")),
     path("", include("pyrog.urls")),
     path("", include("users.urls")),
+    path("oidc/", include("mozilla_django_oidc.urls")),
 ]
 
 if settings.ADMIN_ENABLED:

docker-compose.yml

@@ -127,6 +127,19 @@ services:
       - DJANGO_SUPERUSER_USERNAME=admin
       - [email protected]
       - DJANGO_SUPERUSER_PASSWORD=admin
+      - OIDC_RP_CLIENT_ID=
+      - OIDC_RP_CLIENT_SECRET=
+      - OIDC_RP_EXTRA_SCOPES=email
+      - OIDC_RP_SIGN_ALGO=HS256
+      - LOGIN_REDIRECT_URL=http://localhost:3000/
+      - LOGIN_REDIRECT_URL_FAILURE=http://localhost:3000/error/
+      - LOGOUT_REDIRECT_URL=http://localhost:3000/
+      # LPT: Always use 127.0.0.1 (not localhost) in public URLs redirecting to the provider
+      # This is to prevent cookies in the browser from being shared and overridden by
+      # different services running on the host.
+      - OIDC_OP_AUTHORIZATION_ENDPOINT=http://127.0.0.1:8001/o/authorize/
+      - OIDC_OP_TOKEN_ENDPOINT=http://127.0.0.1:8001/o/token/
+      - OIDC_OP_USER_ENDPOINT=http://127.0.0.1:8001/o/userinfo/
 
   zookeeper:
     image: zookeeper:3.4.10

requirements/base.txt

@@ -14,6 +14,7 @@ fhir.resources @ git+https://github.com/arkhn/[email protected]#egg=fhir.reso
 fluent-logger==0.9.6
 hiredis==1.1.0
 jsonschema==3.0.2
+mozilla-django-oidc==1.2.4
 msgpack==0.6.2
 prometheus-client==0.8.0
 pyodbc==4.0.30