Skip to content
This repository has been archived by the owner on Jun 12, 2021. It is now read-only.

New session management #109

Open
wants to merge 168 commits into
base: master
Choose a base branch
from
Open

New session management #109

wants to merge 168 commits into from

Conversation

rohe
Copy link
Contributor

@rohe rohe commented Apr 8, 2021

The old session management system is rewritten.

The New Session Management subsystem are designed to support a couple of
different services that we have in, or are in the process of adding to, the
system as it is:

Single Logout
Described in a set of specifications:
- Session Management
- Back-Channel Logout
- RP-Initiated Logout
- Front-Channel Logout

Authorization management
Information about which tokens can be issued and what they are
supposed to be used for and by whom, must be managed somewhere.

Token exchange
As described in RFC 8693 - OAuth 2.0 Token Exchange

And some new functionality that we might want to support:

OAuth 2.0 Rich Authorization Requests
Allows clients to specify their fine-grained authorization
requirements using the expressiveness of JSON data structures.

FAPI Grant management
Wants to extend OAuth to include explicit representation of grants in
the OAuth protocol.

angelakis and others added 30 commits October 21, 2020 18:09
@angelakis
Add more tests for PKCE
9141639 
The tests added reflect current bugs that were not covered until now
and were missed.
@rohe
Handle different types of input.
82c8730 
There might not be any client information at this time. This is an effect of automatic client registration as defined in the OIDC federation specification.
@rohe
Allow for adding extra response arguments. Not used here but used in …
5d52f0b 
…classes that are built on this.
@rohe
Bumped version.
dc6f366
@angelakis
Check for token and authorization when adding PKCE
6ddedb2 
A warning is logged, as there can't be PKCE functionality without
authorization and token endpoints.
@angelakis
Check for code_challenge before checking method
58f5c55 
There was a bug when plain code challenge method is not supported based
on the configuration and PKCE is not essential, where all flows
authentication requests without PKCE would fail because plain is not
supported and is the default method.

It's fixed now, but maybe there is an underlying issue here, concerning
this use case; the PKCE RFC states that plain is the default method
and we follow it, however we provide the option to not support plain.
As a result each authentication request which has a code_challenge and
omits code_challenge_method will fail. Is that behaviour expected or we
should default in a code challenge method we support. Or should we
always support plain?
@nsklikas
Merge pull request #94 from angelakis/fix-pkce-bugs
f114cd9 
Fix pkce bugs
@nsklikas
Add add_scope option for JWT access token
d5bc366 
Add add_scope option JWT access tokens, enabling this will add a list
with the allowed scopes that were requested in the returned JWT.
@rohe
clean up
7f383d7
@rohe
Change so the method definition is the same.
2f2e388
@rohe
Basic functionality.
5cca27b
@rohe
Fixed tests.
acbe780
@rohe
Refactoring and adding more usecases.
35e667e
@rohe
Deal with commonality.
cbd4d32
@rohe
Merge branch 'new_session_handling' of github.com:IdentityPython/oidc…
e15dfb5 
…endpoint into new_session_handling
@rohe
Getting closer
4c09c3a
@rohe @angelakis
Refactored module.
166cf5c
@angelakis
Change how supported grant types are configured
68b3b63 
The user can now set the usual grant types to have a default
configuration and class, without the need to set the oidcendpoint
class path. This can be done by setting a value of "default" or
None (no value in yaml dict).
@angelakis
Make multiple fixes
a8ab2d8
@angelakis
Add tests for configurable grant types
9f8c94e
@angelakis
Clean up things in token_coop and minor changes
da4e5d8 
Removed "default" value for grant types and added True instead.

So now None or True enables the grant_type with the default class,
while False disables it and of course a dict with a custom class
uses that instead.
@angelakis
Improve exception handling in TokenCoop
02a1868
@angelakis
Improve TokenCoop tests and add more
ec006ad
@nsklikas
Add the option to include hashes in the idtoken
620eed7 
Add the options add_c_hash and add_at_hash to retrieve the tokens from
the session_info and add their hashes to the id token
@nsklikas
Remove call to map_kv2sid
62fb080 
State can't be assumed to be unique ince the client chooses it so we
can't use it as an identifier for getting the sid
@jschlyter
fail gracefully when clean_sessions() fails
cef1800
@rohe
A couple more done.
aa6838d
@peppelinux
Merge pull request #95 from nsklikas/feature-add-scopes
94db778 
Good feature, fully approved by reviewers
@peppelinux
Merge pull request #88 from angelakis/feature-configurable-grant-types
e923f21 
Feature configurable grant types
@peppelinux
Merge pull request #67 from nsklikas/feature-remove-state-2-sid
e7cfca8 
Remove call to map_kv2sid

> There will probably be conflicts but that can be dealt with then.

Ok, there Will be a new begin from this!
rohe and others added 21 commits February 24, 2021 16:12
@rohe
Added method filer_scopes().
c5908b6
@rohe
Test for get_usage_rules
9acd015
@rohe
Don't depend on order.
f71b1aa
@rohe
Don't depend on order.
ae2e5eb
@rohe
Removed code that didn't make sense since 'state' is not required in …
44066dc 
…token request.
@rohe
Made add_claims_by_scope being the default.
a4afb20
@nsklikas
Properly handle dict
3d38ae1
@nsklikas
Allow grant to infer token_handler
1db7d76 
The access_token handler was used to mint auth codes
@nsklikas
State is optional
9c4a825
@nsklikas
Check if token and authorization exist on pkce
15b257d
@nsklikas
Handle unknown token
7a29c5d
@nsklikas
Don't return state in token response
28507c7
@nsklikas
Get token from grant instead of manager
3010dcc
@nsklikas
Keep backwards compatibility with client claims
aa2dad9
@nsklikas
Filter scopes per client
58e8a09
@angelakis
Merge pull request #106 from nsklikas/new_session_handling
6fc96d3 
New session handling
@nsklikas
Fix bug, default token_handler to None
f09bfee
@nsklikas
Merge pull request #107 from nsklikas/new_session_handling
2dba1d5 
Fix bug, default token_handler to None
@angelakis
Replace find_token with get_token to avoid DB call
672f0f0 
We already have the grant in most cases so we can fetch the token from
inside it instead of querying the DB again.
@rohe
Merge pull request #108 from angelakis/new-session-handling-fixes
da6c214 
WIP: Make more fixes to the new_session_handling before it gets merged
@rohe
Merge pull request #104 from IdentityPython/new_session_handling
25466cc 
New session handling
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@nsklikas nsklikas nsklikas approved these changes

@peppelinux peppelinux peppelinux approved these changes

@angelakis angelakis Awaiting requested review from angelakis

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rohe @peppelinux @nsklikas @angelakis @jschlyter