UA-4020 | Pulled in changes from upstream 0.8.3 (#14)

* Update settings.rst

* Update LICENSE

* Default ordering RSA keys + example app for Django 4.2

* Update docs

* Update docs

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Work on end_session_endpoint

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Fix create_id_token with extra scope claims + add ruff as formatter.

* Bump version 0.8.3

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

* UA-4020 | reducing the diff between ours/theirs where its reasonable.

---------

Co-authored-by: Juan Ignacio Fiorentino <[email protected]>
Co-authored-by: juanifioren <[email protected]>

Author: kdallege

.vscode/settings.json

@@ -0,0 +1,10 @@
+{
+    "[python]": {
+        "editor.formatOnSave": true,
+        "editor.codeActionsOnSave": {
+            "source.fixAll": "explicit",
+            "source.organizeImports": "explicit"
+        },
+        "editor.defaultFormatter": "charliermarsh.ruff"
+    }
+}

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2014-2019 Juan Ignacio Fiorentino
+Copyright (c) 2014-2024 Juan Ignacio Fiorentino
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

docs/conf.py

@@ -45,7 +45,7 @@
 
 # General information about the project.
 project = u'django-oidc-provider'
-copyright = u'2023, Juan Ignacio Fiorentino'
+copyright = u'2025, Juan Ignacio Fiorentino'
 author = u'Juan Ignacio Fiorentino'
 
 # The version info for the project you're documenting, acts as replacement for
@@ -55,7 +55,7 @@
 # The short X.Y version.
 version = u'0.8'
 # The full version, including alpha/beta/rc tags.
-release = u'0.8.0'
+release = u'0.8'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/images/add_rsa_key.png

@@ -8,6 +8,17 @@ All notable changes to this project will be documented in this file.
 Unreleased
 ==========
 
+None
+
+0.8.3
+=====
+
+*2024-12-06*
+
+* Changed: Improved "OpenID Connect RP-Initiated Logout" implementation.
+* Fixed: Fix ID Tokens not including standard claims when using extra scope claims.
+* Fixed: RSA server keys random ordering.
+* Fixed: Example app working with Django 4.
 
 0.8.2
 =====

docs/sections/changelog.rst

@@ -24,8 +24,8 @@ Use `tox <https://pypi.python.org/pypi/tox>`_ for running tests in each of the e
     # Run with Python 3.11 and Django 4.2.
     $ tox -e py311-django42
 
-    # Run single test file on specific environment.
-    $ tox -e py311-django42 -- tests/cases/test_authorize_endpoint.py
+    # Run a single test method.
+    $ tox -e py311-django42 -- tests/cases/test_authorize_endpoint.py::TestClass::test_some_method
 
 We use `Github Actions <https://github.com/juanifioren/django-oidc-provider/actions>`_ to automatically test every commit to the project.
 
@@ -34,7 +34,7 @@ Improve Documentation
 
 We use `Sphinx <http://www.sphinx-doc.org/>`_ to generate this documentation. If you want to add or modify something just:
 
-* Install Sphinx (``pip install sphinx``) and the auto-build tool (``pip install sphinx-autobuild``).
+* Install Sphinx (``pip install sphinx sphinx_rtd_theme``) and the auto-build tool (``pip install sphinx-autobuild``).
 * Move inside the docs folder. ``cd docs/``
 * Generate and watch docs by running ``sphinx-autobuild . _build/``.
 * Open ``http://127.0.0.1:8000`` in a browser.

docs/sections/contribute.rst

@@ -111,3 +111,11 @@ Inside your oidc_provider_settings.py file add the following class::
 
 .. note::
     If a field is empty or ``None`` inside the dictionary you return on the ``scope_scopename`` method, it will be cleaned from the response.
+
+Include claims in the ID Token
+==============================
+
+The draft specifies that ID Tokens MAY include additional claims. You can add claims to the ID Token using ``OIDC_IDTOKEN_INCLUDE_CLAIMS``. Note that the claims will be filtered based on the token's scope.
+
+.. note::
+    Any extra claims defined with ``OIDC_EXTRA_SCOPE_CLAIMS`` will also be included. 

docs/sections/scopesclaims.rst

@@ -7,7 +7,7 @@ Server RSA keys are used to sign/encrypt ID Tokens. These keys are stored in the
 
 You can easily create them with the admin:
 
-.. image:: http://i64.tinypic.com/vj2ma.png
+.. image:: ../images/add_rsa_key.png
     :align: center
 
 Or by using ``python manage.py creatersakey`` command.

docs/sections/serverkeys.rst

@@ -22,6 +22,47 @@ Somewhere in your Django ``settings.py``::
 If you're in a multi-server setup, you might also want to add ``OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY`` to your settings and set it to some random but fixed string. While authenticated clients have a session that can be used to calculate the browser state, there is no such thing for unauthenticated clients. Hence this value. By default a value is generated randomly on startup, so this will be different on each server. To get a consistent value across all servers you should set this yourself.
 
 
+RP-Initiated Logout
+===================
+
+An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL.
+
+This URL is normally obtained via the ``end_session_endpoint`` element of the OP's Discovery response.
+
+Parameters that are passed as query parameters in the logout request:
+
+* ``id_token_hint``
+    RECOMMENDED. Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
+* ``post_logout_redirect_uri``
+    OPTIONAL. URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed.
+    
+    The value must be a valid, encoded URL that has been registered in the list of "Post Logout Redirect URIs" in your Client (RP) page.
+* ``state``
+    OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the ``post_logout_redirect_uri`` query parameter.
+
+Example redirect::
+
+    http://localhost:8000/end-session/?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImQwM...&post_logout_redirect_uri=http%3A%2F%2Frp.example.com%2Flogged-out%2F&state=c91c03ea6c46a86
+
+**Logout consent prompt**
+
+The standard defines that the logout flow should be interrupted to prompt the user for consent if the OpenID provider cannot verify that the request was made by the user.
+
+We enforce this behavior by displaying a logout consent prompt if it detects any of the following conditions:
+
+* If ``id_token_hint`` is not present or is invalid (we could not validate the client from it).
+* If ``post_logout_redirect_uri`` is not registered in the list of "Post Logout Redirect URIs".
+
+If the user confirms the logout request, we continue the logout flow. To modify the logout consent template create your own ``oidc_provider/end_session_prompt.html``.
+
+**Other scenarios**
+
+In some cases, there may be no valid redirect URI for the user after logging out (e.g., the OP could not find a post-logout URI). If the user ends up being logged out, the system will render the ``oidc_provider/end_session_completed.html`` template.
+
+On the other hand, if the session remains active for any reason, the ``oidc_provider/end_session_failed.html`` template will be used.
+
+Both templates will receive the ``{{ client }}`` variable in their context.
+
 Example RP iframe
 =================
 
@@ -70,22 +111,4 @@ Example RP iframe
     </script>
     </html>
 
-RP-Initiated Logout
-===================
-
-An RP can notify the OP that the End-User has logged out of the site, and might want to log out of the OP as well. In this case, the RP, after having logged the End-User out of the RP, redirects the End-User's User Agent to the OP's logout endpoint URL.
-
-This URL is normally obtained via the ``end_session_endpoint`` element of the OP's Discovery response.
-
-Parameters that are passed as query parameters in the logout request:
-
-* ``id_token_hint``
-    Previously issued ID Token passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client.
-* ``post_logout_redirect_uri``
-    URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed.
-* ``state``
-    OPTIONAL. Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the ``post_logout_redirect_uri`` query parameter.
-
-Example redirect::
 
-    http://localhost:8000/end-session/?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImQwM...&post_logout_redirect_uri=http://rp.example.com/logged-out/&state=c91c03ea6c46a86

docs/sections/sessionmanagement.rst

@@ -53,7 +53,7 @@ OIDC_CODE_EXPIRE
 
 OPTIONAL. ``int``. Code object expiration after been delivered.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``10 mins``.
 
 OIDC_DISCOVERY_CACHE_ENABLE
 ===========================
@@ -67,7 +67,7 @@ OIDC_DISCOVERY_CACHE_EXPIRE
 
 OPTIONAL. ``int``. Discovery endpoint cache expiration time expressed in seconds.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``1 day``.
 
 OIDC_EXTRA_SCOPE_CLAIMS
 =======================
@@ -81,7 +81,7 @@ Read more about how to implement it in :ref:`scopesclaims` section.
 OIDC_IDTOKEN_INCLUDE_CLAIMS
 ==============================
 
-OPTIONAL. ``bool``. If enabled, id_token will include standard claims of the user (email, first name, etc.).
+OPTIONAL. ``bool``. If enabled, id_token will include standard (and extra if defined) claims of the user (email, first name, etc.).
 
 Default is ``False``.
 
@@ -90,7 +90,7 @@ OIDC_IDTOKEN_EXPIRE
 
 OPTIONAL. ``int``. ID Token expiration after been delivered.
 
-Expressed in seconds. Default is ``60*10``.
+Expressed in seconds. Default is ``10 mins``.
 
 OIDC_IDTOKEN_PROCESSING_HOOK
 ============================
@@ -188,14 +188,14 @@ OIDC_SKIP_CONSENT_EXPIRE
 
 OPTIONAL. ``int``. How soon User Consent expires after being granted.
 
-Expressed in days. Default is ``30*3``.
+Expressed in days. Default is ``90 days``.
 
 OIDC_TOKEN_EXPIRE
 =================
 
 OPTIONAL. ``int``. Token object (access token) expiration after being created.
 
-Expressed in seconds. Default is ``60*60``.
+Expressed in seconds. Default is ``1 hour``.
 
 OIDC_USERINFO
 =============
@@ -258,4 +258,4 @@ A flag which toggles whether the scope is returned with successful response on i
 
 Must be ``True`` to include ``scope`` into the successful response
 
-Default is ``False``.
+Default is ``False``.

docs/sections/settings.rst

@@ -1,75 +1,76 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 import os
+
 BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 
 DEFAULT_AUTO_FIELD = 'django.db.models.AutoField' 
 
-SECRET_KEY = 'c14d549c574e4d8cf162404ef0b04598'
+SECRET_KEY = "c14d549c574e4d8cf162404ef0b04598"
 
 DEBUG = True
 
 TEMPLATE_DEBUG = False
 
-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = ["*"]
 
 # Application definition
 
 INSTALLED_APPS = [
-    'django.contrib.admin',
-    'django.contrib.auth',
-    'django.contrib.contenttypes',
-    'django.contrib.sessions',
-    'django.contrib.messages',
-    'django.contrib.staticfiles',
-    'app',
-    'oidc_provider',
+    "django.contrib.admin",
+    "django.contrib.auth",
+    "django.contrib.contenttypes",
+    "django.contrib.sessions",
+    "django.contrib.messages",
+    "django.contrib.staticfiles",
+    "app",
+    "oidc_provider",
 ]
 
 MIDDLEWARE_CLASSES = [
-    'django.contrib.sessions.middleware.SessionMiddleware',
-    'django.middleware.common.CommonMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
-    'django.contrib.auth.middleware.AuthenticationMiddleware',
-    'django.contrib.messages.middleware.MessageMiddleware',
-    'django.middleware.clickjacking.XFrameOptionsMiddleware',
-    'oidc_provider.middleware.SessionManagementMiddleware',
+    "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.common.CommonMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
+    "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django.contrib.messages.middleware.MessageMiddleware",
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "oidc_provider.middleware.SessionManagementMiddleware",
 ]
 MIDDLEWARE = MIDDLEWARE_CLASSES
 
 TEMPLATES = [
     {
-        'BACKEND': 'django.template.backends.django.DjangoTemplates',
-        'DIRS': [],
-        'APP_DIRS': True,
-        'OPTIONS': {
-            'context_processors': [
-                'django.template.context_processors.debug',
-                'django.template.context_processors.request',
-                'django.contrib.auth.context_processors.auth',
-                'django.contrib.messages.context_processors.messages',
+        "BACKEND": "django.template.backends.django.DjangoTemplates",
+        "DIRS": [],
+        "APP_DIRS": True,
+        "OPTIONS": {
+            "context_processors": [
+                "django.template.context_processors.debug",
+                "django.template.context_processors.request",
+                "django.contrib.auth.context_processors.auth",
+                "django.contrib.messages.context_processors.messages",
             ],
         },
     },
 ]
 
-ROOT_URLCONF = 'app.urls'
+ROOT_URLCONF = "app.urls"
 
-WSGI_APPLICATION = 'app.wsgi.application'
+WSGI_APPLICATION = "app.wsgi.application"
 
 # Database
 
 DATABASES = {
-    'default': {
-        'ENGINE': 'django.db.backends.sqlite3',
-        'NAME': os.path.join(BASE_DIR, 'DATABASE.sqlite3'),
+    "default": {
+        "ENGINE": "django.db.backends.sqlite3",
+        "NAME": os.path.join(BASE_DIR, "DATABASE.sqlite3"),
     }
 }
 
 # Internationalization
 
-LANGUAGE_CODE = 'en-us'
+LANGUAGE_CODE = "en-us"
 
-TIME_ZONE = 'UTC'
+TIME_ZONE = "UTC"
 
 USE_I18N = True
 
@@ -79,14 +80,14 @@
 
 # Static files (CSS, JavaScript, Images)
 
-STATIC_URL = '/static/'
-STATIC_ROOT = os.path.join(BASE_DIR, 'static/')
+STATIC_URL = "/static/"
+STATIC_ROOT = os.path.join(BASE_DIR, "static/")
 
 # Custom settings
 
-LOGIN_REDIRECT_URL = '/'
+LOGIN_REDIRECT_URL = "/"
 
 # OIDC Provider settings
 
-SITE_URL = 'http://localhost:8000'
+SITE_URL = "http://localhost:8000"
 OIDC_SESSION_MANAGEMENT_ENABLE = True

example/app/settings.py

@@ -1,4 +1,4 @@
-{% load i18n staticfiles %}
+{% load i18n static %}
 
 <!DOCTYPE html>
 <html lang="en">

example/app/templates/base.html

@@ -1,5 +1,5 @@
 {% extends "base.html" %}
-{% load i18n staticfiles %}
+{% load i18n static %}
 
 {% block content %}
 

example/app/templates/home.html

@@ -1,5 +1,5 @@
 {% extends 'base.html' %}
-{% load i18n staticfiles %}
+{% load i18n static %}
 
 {% block content %}
 
@@ -16,10 +16,10 @@ <h2>{% trans 'Request for Permission' %}</h2>
                 {% endfor %}
             </ul>
             <br>
-            <input type="submit" class="btn btn-primary btn-block btn-lg" name="allow"  value="{% trans 'Accept' %}" />
+            <input type="submit" class="btn btn-primary btn-block btn-lg" name="allow" value="{% trans 'Accept' %}" />
             <input type="submit" class="btn btn-secondary btn-block" value="{% trans 'Decline' %}" />
         </form>
     </div>
 </div>
 
-{% endblock %}
+{% endblock %}