forked from juanifioren/django-oidc-provider
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsettings.py
210 lines (175 loc) · 6.17 KB
/
settings.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
import importlib
import random
import string
from django.conf import settings
class DefaultSettings(object):
required_attrs = ()
def __init__(self):
self._unauthenticated_session_management_key = None
@property
def OIDC_LOGIN_URL(self):
"""
REQUIRED. Used to log the user in. By default Django's LOGIN_URL will be used.
"""
return settings.LOGIN_URL
@property
def SITE_URL(self):
"""
OPTIONAL. The OP server url.
"""
return None
@property
def OIDC_AFTER_USERLOGIN_HOOK(self):
"""
OPTIONAL. Provide a way to plug into the process after
the user has logged in, typically to perform some business logic.
"""
return 'oidc_provider.lib.utils.common.default_after_userlogin_hook'
@property
def OIDC_AFTER_END_SESSION_HOOK(self):
"""
OPTIONAL. Provide a way to plug into the end session process just before calling
Django's logout function, typically to perform some business logic.
"""
return 'oidc_provider.lib.utils.common.default_after_end_session_hook'
@property
def OIDC_CODE_EXPIRE(self):
"""
OPTIONAL. Code expiration time expressed in seconds.
"""
return 60*10
@property
def OIDC_EXTRA_SCOPE_CLAIMS(self):
"""
OPTIONAL. A string with the location of your class.
Used to add extra scopes specific for your app.
"""
return None
@property
def OIDC_IDTOKEN_EXPIRE(self):
"""
OPTIONAL. Id token expiration time expressed in seconds.
"""
return 60*10
@property
def OIDC_IDTOKEN_SUB_GENERATOR(self):
"""
OPTIONAL. Subject Identifier. A locally unique and never
reassigned identifier within the Issuer for the End-User,
which is intended to be consumed by the Client.
"""
return 'oidc_provider.lib.utils.common.default_sub_generator'
@property
def OIDC_IDTOKEN_INCLUDE_CLAIMS(self):
"""
OPTIONAL. If enabled, id_token will include standard claims of the user.
"""
return False
@property
def OIDC_SESSION_MANAGEMENT_ENABLE(self):
"""
OPTIONAL. If enabled, the Server will support Session Management 1.0 specification.
"""
return False
@property
def OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY(self):
"""
OPTIONAL. Supply a fixed string to use as browser-state key for unauthenticated clients.
"""
# Memoize generated value
if not self._unauthenticated_session_management_key:
self._unauthenticated_session_management_key = ''.join(
random.choice(string.ascii_uppercase + string.digits) for _ in range(100))
return self._unauthenticated_session_management_key
@property
def OIDC_SKIP_CONSENT_EXPIRE(self):
"""
OPTIONAL. User consent expiration after been granted.
"""
return 30*3
@property
def OIDC_TOKEN_EXPIRE(self):
"""
OPTIONAL. Token object expiration after been created.
Expressed in seconds.
"""
return 60*60
@property
def OIDC_USERINFO(self):
"""
OPTIONAL. A string with the location of your function.
Used to populate standard claims with your user information.
"""
return 'oidc_provider.lib.utils.common.default_userinfo'
@property
def OIDC_IDTOKEN_PROCESSING_HOOK(self):
"""
OPTIONAL. A string with the location of your hook.
Used to add extra dictionary values specific for your app into id_token.
"""
return 'oidc_provider.lib.utils.common.default_idtoken_processing_hook'
@property
def OIDC_INTROSPECTION_PROCESSING_HOOK(self):
"""
OPTIONAL. A string with the location of your function.
Used to update the response for a valid introspection token request.
"""
return 'oidc_provider.lib.utils.common.default_introspection_processing_hook'
@property
def OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE(self):
"""
OPTIONAL: A boolean to specify whether or not to verify that the introspection
resource has the requesting client id as one of its scopes.
"""
return True
@property
def OIDC_GRANT_TYPE_PASSWORD_ENABLE(self):
"""
OPTIONAL. A boolean to set whether to allow the Resource Owner Password
Credentials Grant. https://tools.ietf.org/html/rfc6749#section-4.3
From the specification:
Since this access token request utilizes the resource owner's
password, the authorization server MUST protect the endpoint
against brute force attacks (e.g., using rate-limitation or
generating alerts).
How you do this, is up to you.
"""
return False
@property
def OIDC_TEMPLATES(self):
return {
'authorize': 'oidc_provider/authorize.html',
'error': 'oidc_provider/error.html'
}
default_settings = DefaultSettings()
def import_from_str(value):
"""
Attempt to import a class from a string representation.
"""
try:
parts = value.split('.')
module_path, class_name = '.'.join(parts[:-1]), parts[-1]
module = importlib.import_module(module_path)
return getattr(module, class_name)
except ImportError as e:
msg = 'Could not import %s for settings. %s: %s.' % (value, e.__class__.__name__, e)
raise ImportError(msg)
def get(name, import_str=False):
"""
Helper function to use inside the package.
"""
value = None
default_value = getattr(default_settings, name)
try:
value = getattr(settings, name)
except AttributeError:
if name in default_settings.required_attrs:
raise Exception('You must set ' + name + ' in your settings.')
if isinstance(default_value, dict) and value:
default_value.update(value)
value = default_value
else:
if value is None:
value = default_value
value = import_from_str(value) if import_str else value
return value