Skip to content

Commit

Permalink
Version 3.0.0: Support Django 2, drop <1.11; drop OIDC
Browse files Browse the repository at this point in the history
- Add support for Django 2 and drop support for some older versions
  that are no longer supported (support changes from 1.8–1.11 to
  1.11–2.2)
- Remove (deprecated) OpenID Connect support, which we are not
  carrying into the Django 2 world
- Test with Python 3.5, not 3.6, to match rest of edX code

Also, update HISTORY.rst for recent releases.
  • Loading branch information
bradenmacdonald authored and timmc-edx committed Feb 5, 2020
1 parent 6bf9d85 commit 6cdc251
Show file tree
Hide file tree
Showing 14 changed files with 197 additions and 545 deletions.
14 changes: 8 additions & 6 deletions .travis.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,21 @@
sudo: false

dist: xenial
language: python

python:
- 2.7
- 3.5

env:
- TOXENV=django18
- TOXENV=django111
- TOXENV=django20
- TOXENV=django21
- TOXENV=django22
- TOXENV=quality

matrix:
include:
- python: 3.6
env: TOXENV=quality
- python: 3.6
- python: 2.7
env: TOXENV=django111

cache:
Expand All @@ -37,5 +39,5 @@ deploy:
distributions: sdist bdist_wheel
on:
tags: true
python: 3.6
python: 3.5
condition: '$TOXENV = django111'
82 changes: 82 additions & 0 deletions HISTORY.rst
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,88 @@
History
=======

3.0.0 (2020-02-05)
---------

- Add support for Django 2 and drop support for some older versions (support changes from 1.8–1.11 to 1.11–2.2)
- Remove (deprecated) OpenID Connect support
- Test with Python 3.5, not 3.6, to match rest of edX code

2.0.2 (2019-08-12)
------------------

Two new commits that changed functionality:

- Add EdXOAuth2.auth_complete_signal on auth_complete()
- Store refresh_token in extra_data

2.0.1 (2019-05-13)
------------------

Create new Version for auth-backends for release

2.0.0 (2019-03-28)
------------------

EdXOAuth2 will retrieve and store user_id claim

The EdXOAuth2 backend will now pull the user_id from the JWT and
store it in the UserSocialAuth.extra_data field.

BREAKING CHANGE: The user_id scope is now required when using the
EdXOAuth2 backend for oAuth+SSO. This means that the oauth
application must first be configured to have access to the user_id
scope, which is not available by default.

1.2.2 (2019-01-31)
------------------

Updates to the EdXOAuth2 backend:

- Supports the _PUBLIC_URL_ROOT social django setting.
- logout_url() allows _LOGOUT_REDIRECT_URL to be undefined.

1.2.1 (2018-10-26)
------------------

Fix urlencode bug with EdXOAuth2 backend logout url

1.2.0 (2018-10-26)
------------------

Allow for logout redirect with EdXOAuth2 backend.

1.1.5 (2018-10-19)
------------------

Add logout_url property to EdXOAuth2 backend.

1.1.4 (2018-10-12)
------------------

Remove token validation from EdXOAuth2 backend.

1.1.3 (2018-01-04)
------------------

Added support to update email address.

social_core consider email field protected and won't let it change.
Added a pipeline function to update email address.

1.1.2 (2017-05-12)
------------------

Updated LoginRedirectBaseView to include querystring

[unlisted]
----------

Intervening releases not documented here; see Releases:

https://github.com/edx/auth-backends/releases?after=1.1.2


0.1.3 (2015-03-31)
------------------

Expand Down
91 changes: 14 additions & 77 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -8,16 +8,9 @@ auth-backends |Travis|_ |Codecov|_

This package contains custom authentication backends, views, and pipeline steps used by edX services for single sign-on.

This package is compatible with Python 2.7 and 3.5, and Django 1.8 through 1.11.
This package is compatible with Python 2.7 and 3.5, and Django 1.11 through 2.2.

We currently support two forms of authentication:

- OAuth 2.0
- OpenID Connect (deprecated)

Support for OpenID Connect (OIDC) is deprecated. Clients should use the OAuth 2.0 backend. This backend behaves
similarly to the OIDC backend, except we use a JWT as the access token instead of OIDC's ID token. This allows us to use
any OAuth provider, and not rely on an implementation of an OIDC provider.
We currently support OAuth 2.0 authentication. Support for OpenID Connect (OIDC) was removed as of version 3.0. Use version 2.x if you require OIDC and are not able to migrate to OAuth2.

Installation
------------
Expand Down Expand Up @@ -53,7 +46,11 @@ OAuth 2.0 Settings
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_SECRET | Client secret |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT | Provider root (e.g. https://courses.stage.edx.org/oauth2) |
| SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT | LMS root, reachable from the application server |
| | (e.g. https://courses.stage.edx.org or http://edx.devstack.lms:18000) |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT | LMS root, reachable from the end user's browser |
| | (e.g. https://courses.stage.edx.org or http://localhost:18000) |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY | (Optional) Shared secret for JWT signed with HS512 algorithm |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
Expand All @@ -62,53 +59,10 @@ OAuth 2.0 Settings
| SOCIAL_AUTH_EDX_OAUTH2_JWKS_CACHE_TTL | (Optional) Cache timeout for provider's JWKS key data. Defaults to 1 day. |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+

Note that the OAuth 2.0 provider uses ``SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT`` to read configuration from a special path,
``.well-known/openid-configuration`` (e.g. https://courses.stage.edx.org/oauth2/.well-known/openid-configuration). The
data returned from this endpoint provides the URLs necessary for authentication as well as the public keys used to
verify the signed JWT (JWS) access token.

As of auth-backends 2.0.0, oAuth2 Applications require access to the ``user_id`` scope in order for the ``EdXOAuth2`` backend to work. The backend will write the ``user_id`` into the social-auth extra_data, and can be accessed within the User model as follows::
OAuth2 Applications require access to the ``user_id`` scope in order for the ``EdXOAuth2`` backend to work. The backend will write the ``user_id`` into the social-auth extra_data, and can be accessed within the User model as follows::

self.social_auth.first().extra_data[u'user_id'] # pylint: disable=no-member


OIDC Settings (deprecated)
~~~~~~~~~~~~~~~~~~~~~~~~~~
The following settings MUST be set:

+----------------------------------------------+---------------------------------------------------------------------------------------------+
| Setting | Purpose |
+==============================================+=============================================================================================+
| SOCIAL_AUTH_EDX_OIDC_KEY | OAuth/OpenID Connect client key |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_SECRET | OAuth/OpenID Connect client secret |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY | Identity token decryption key (same value as the client secret for edX OpenID Connect) |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_URL_ROOT | OAuth/OpenID Connect provider root (e.g. https://courses.stage.edx.org/oauth2) |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_ISSUER | OAuth/OpenID Connect provider ID token issuer (e.g. https://courses.stage.edx.org/oauth2) |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL | OAuth/OpenID Connect provider's logout page URL (e.g. https://courses.stage.edx.org/logout) |
+----------------------------------------------+---------------------------------------------------------------------------------------------+

If your application requires additional user data in the identity token, you can specify additional claims by defining
the ``EXTRA_SCOPE`` setting. For example, if you wish to have a claim named `preferred_language`, you would include
the following in your settings:

.. code-block:: python
EXTRA_SCOPE = ['preferred_language']
Assuming the identity provider knows how to process that scope, the associated claim data will be included in the
identity token returned during authentication. Note that these scopes/claims are dependent on the identity provider
being used. The ``EdXOpenIdConnect`` backend is configured to be used by all edX services out-of-the-box.

The optional setting ``COURSE_PERMISSIONS_CLAIMS``, used primarily by
`edx-analytics-dashboard <https://github.com/edx/edx-analytics-dashboard>`_, can be used to designate scopes/claims that
should be requested in order to retrieve a list of courses the user is permitted to access/administer. The value of this
array depends on the authentication provider's available scopes.

Strategy
~~~~~~~~
We use a custom `strategy <http://python-social-auth.readthedocs.io/en/latest/strategies.html>`_ that includes many of
Expand All @@ -129,7 +83,7 @@ below is sufficient for all edX services.
.. code-block:: python
AUTHENTICATION_BACKENDS = (
'auth_backends.backends.EdXOpenIdConnect',
'auth_backends.backends.EdXOAuth2',
'django.contrib.auth.backends.ModelBackend',
)
Expand All @@ -139,39 +93,22 @@ In order to make use of the authentication backend, your service's login/logout
view should be updated to redirect to the authentication provider's login page. The logout view should be updated to
redirect to the authentication provider's logout page.

This package includes views and urlpatterns configured for OIDC and OAuth 2.0. To use them, simply append/prepend
either ``auth_urlpatterns`` or ``oauth2_urlpatterns`` to your service's urlpatterns in `urls.py`.
This package includes views and urlpatterns configured for OAuth 2.0. To use them, simply append/prepend
``oauth2_urlpatterns`` to your service's urlpatterns in `urls.py`.

.. code-block:: python
from auth_backends.urls import auth_urlpatterns
from auth_backends.urls import oauth2_urlpatterns
urlpatterns = auth_urlpatterns + [
urlpatterns = oauth2_urlpatterns + [
url(r'^admin/', include(admin.site.urls)),
...
]
It is recommended that you not modify the login view. If, however, you need to modify the logout view (to redirect to
a different URL, for example), you can subclass either ``EdxOAuth2LogoutView`` or ``EdxOpenIdConnectLogoutView`` for
a different URL, for example), you can subclass ``EdxOAuth2LogoutView`` for
the view and ``LogoutViewTestMixin`` for your tests.

Devstack
--------
When using the Docker-based devstack, it is necessary to have both internal and public URLs for the OAuth/OIDC
provider. To accommodate this need, set the ``SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT`` setting to the value of the
provider's browser-accessible URL.

.. code-block:: python
SOCIAL_AUTH_EDX_OIDC_URL_ROOT = 'http://edx.devstack.edxapp:18000/oauth2'
SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT = 'http://localhost:18000/oauth2'
Additionally, the logout URL should also be browser-accessible:

.. code-block:: python
SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL = 'http://localhost:18000/logout'
Testing
-------

Expand Down
2 changes: 1 addition & 1 deletion auth_backends/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,4 @@
These package is designed to be used primarily with Open edX Django projects, but should be compatible with non-edX
projects as well.
"""
__version__ = '2.0.2' # pragma: no cover
__version__ = '3.0.0' # pragma: no cover
Loading

0 comments on commit 6cdc251

Please sign in to comment.