Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP Basic Auth support for introspection (Fix issue #709) #725

Merged
merged 14 commits into from
Mar 23, 2020
Merged

HTTP Basic Auth support for introspection (Fix issue #709) #725

merged 14 commits into from
Mar 23, 2020

Conversation

Abhishek8394
Copy link
Contributor

@Abhishek8394 Abhishek8394 commented Jul 29, 2019
edited
Loading

Fixes #709

  • Add a new mixin that allows authenticating with HTTP basic auth, credentials in body or access tokens
  • Introduce and abstraction in views.generic to initialize the OauthLibMixin
  • Change parent class of IntrospectTokenView from 'ScopedProtectedResourceView' to 'ClientProtectedScopedResourceView'

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@Abhishek8394
fix issue jazzband#709
7aff8e3 
- Add a new mixin that allows authenticating with HTTP basic auth, credentials in body or access tokens
- Introduce and abstraction in views.generic to initialize the OauthLibMixin
- Change parent class of IntrospectTokenView from 'ScopedProtectedResourceView' to 'ClientProtectedScopedResourceView'
@coveralls
Copy link

coveralls commented Jul 29, 2019
edited
Loading

Pull Request Test Coverage Report for Build 1344

  • 33 of 34 (97.06%) changed or added relevant lines in 5 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.03%) to 94.795%
Changes Missing Coverage Covered Lines Changed/Added Lines %
oauth2_provider/views/mixins.py 15 16 93.75%
Totals Coverage Status
Change from base Build 1341: 0.03%
Covered Lines: 1293
Relevant Lines: 1364
💛 - Coveralls

@Abhishek8394
Copy link
Contributor Author

I can work on merging master in the branch if no one is already working on it

@auvipy
Copy link
Contributor

auvipy commented Sep 12, 2019

could you check the latest failures?

@Abhishek8394
fix failing tests after master merge
189796d 
- test failed because they sent url query params in a post request. That is no longer allowed for security purposes.
- Fix: send query params as POST body instead of query params
@Abhishek8394
Copy link
Contributor Author

Fixed the tests, issue was sending query params in a POST request. That is not allowed.
Also the travis test ran only on py34-django20? It should run on all versions till py37, correct?

@Abhishek8394
Copy link
Contributor Author

Also maybe update the docs to tell people that sending query params in any request except GET is a bad request.

@Abhishek8394
Copy link
Contributor Author

Abhishek8394 commented Oct 18, 2019 via email

IvanAnishchuk
IvanAnishchuk previously requested changes Oct 19, 2019
View reviewed changes
Copy link
Member

@IvanAnishchuk IvanAnishchuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the way tests were fixed. It might also be better to make a separate PR for test suite fixes. Accidentally, I prepared one already: #750

@Abhishek8394
Copy link
Contributor Author

I got the test fixes from master. Is there anything more required to get this PR merged?

@auvipy auvipy requested a review from IvanAnishchuk November 13, 2019 14:37
@vijithv
Copy link

vijithv commented Dec 30, 2019

Hi, any updates on merging this PR?

@auvipy auvipy requested review from IvanAnishchuk and removed request for IvanAnishchuk January 16, 2020 05:26
@vijithv
Copy link

vijithv commented Feb 11, 2020

Hey can we merge this? Tested the PR and it works fine. Just don't want to maintain a fork

@n2ygk n2ygk dismissed IvanAnishchuk’s stale review March 17, 2020 21:58

what was asked for was done via #750

@n2ygk n2ygk self-requested a review March 17, 2020 22:03
n2ygk
n2ygk requested changes Mar 17, 2020
View reviewed changes
Copy link
Member

@n2ygk n2ygk left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Abhishek8394 sorry for the moving target but we have a new PR template that asks you to do a few things. Can you review this and check off as appropriate and push up a commit to do that. Specifically, I believe this is good new functionality so it would be great if you could make sure to update the CHANGELOG and documentation. Also credit where credit is due: please add your name to AUTHORS.

Also, it appears the flake8 test (that somebody had incorrectly commented out of tox.ini and is now restored) is now failing, so you'll need to do some minor fixes.

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@n2ygk n2ygk changed the title Fix issue #709 HTTP Basic Auth support for introspection (Fix issue #709) Mar 18, 2020
@Abhishek8394
Copy link
Contributor Author

I'll get a fix out in a day or two. In the meanwhile do verify the checklist at the top of the page.

@Abhishek8394 Abhishek8394 requested a review from n2ygk March 21, 2020 20:36
n2ygk
n2ygk requested changes Mar 22, 2020
View reviewed changes
Copy link
Member

@n2ygk n2ygk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Abhishek8394 After pushing you to improve documentation, I'm embarrassed to admit that when I added RESOURCE_SERVER_INTROSPECTION_CREDENTIALS to settings, I failed to document it properly in #557! a093565 fixes that.

But have you documented somewhere how to configure use of HTTP Basic Auth for the introspect endpoint? Can you please add that?

@Abhishek8394
Copy link
Contributor Author

Abhishek8394 commented Mar 23, 2020
edited
Loading

There is not setting or configuration required, it just works and is backwards compatible so existing users won't fail. Detail explanation below:

So previously introspection only used to work with access tokens. Now it checks for client authentication first, if that fails then it falls back to checking the access token. Client authentication works as follows:

  • Check for HTTP Basic Auth
  • If prev fails, check for client_id and client_secret in request body (get/post params).
  • If prev fails, fail client auth.

I think it should be made clear that client_id and client_secret are credentials for each app, not something server-wide. So a user uses the client_id and secret corresponding to the app which is requesting the introspection.

@Abhishek8394
Copy link
Contributor Author

Also documentation at #setup-the-resource-server seems to document about using HTTP basic Auth for introspection. Let me know if I'm missing something on this.

@n2ygk n2ygk merged commit 9bb0703 into jazzband:master Mar 23, 2020
@n2ygk n2ygk added this to the 1.3.1 milestone Mar 23, 2020
This was referenced Mar 15, 2021
Closed
Closed
Closed
Closed
Closed
@obulat obulat mentioned this pull request Apr 21, 2021
Closed
@n2ygk n2ygk mentioned this pull request Aug 8, 2024
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@n2ygk n2ygk n2ygk approved these changes

@auvipy auvipy auvipy approved these changes

@IvanAnishchuk IvanAnishchuk Awaiting requested review from IvanAnishchuk

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.3.1
Development

Successfully merging this pull request may close these issues.

HTTP Basic Auth support for introspection
8 participants
@Abhishek8394 @coveralls @auvipy @vijithv @IvanAnishchuk @n2ygk @marianoeramirez @MattBlack85