➕(backend) add django-lasuite dependency

Use the OIDC backend from the new library and add settings to setup OIDC
token storage required for later calls to OIDC Resource Servers.

Author: qbey

CHANGELOG.md

@@ -19,6 +19,7 @@ and this project adheres to
 - ✨(settings) Allow configuring PKCE for the SSO #886
 - 🌐(i18n) activate chinese and spanish languages #884
 - 🔧(backend) allow overwriting the data directory #893
+- ➕(backend) add  `django-lasuite` dependency #839
 
 ## Changed
 

docs/env.md

@@ -78,8 +78,8 @@ These are the environmental variables you can set for the impress-backend contai
 | OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION       | faillback to email for identification                                                         | true                                                    |
 | OIDC_ALLOW_DUPLICATE_EMAILS                     | Allow dupplicate emails                                                                       | false                                                   |
 | USER_OIDC_ESSENTIAL_CLAIMS                      | essential claims in OIDC token                                                                | []                                                      |
-| USER_OIDC_FIELDS_TO_FULLNAME                    | OIDC token claims to create full name                                                         | ["first_name", "last_name"]                             |
-| USER_OIDC_FIELD_TO_SHORTNAME                    | OIDC token claims to create shortname                                                         | first_name                                              |
+| OIDC_USERINFO_FULLNAME_FIELDS                   | OIDC token claims to create full name                                                         | ["first_name", "last_name"]                             |
+| OIDC_USERINFO_SHORTNAME_FIELD                   | OIDC token claims to create shortname                                                         | first_name                                              |
 | ALLOW_LOGOUT_GET_METHOD                         | Allow get logout method                                                                       | true                                                    |
 | AI_API_KEY                                      | AI key to be used for AI Base url                                                             |                                                         |
 | AI_BASE_URL                                     | OpenAI compatible AI base url                                                                 |                                                         |

docs/examples/impress.values.yaml

@@ -33,8 +33,8 @@ backend:
     OIDC_RP_SIGN_ALGO: RS256
     OIDC_RP_SCOPES: "openid email"
     OIDC_VERIFY_SSL: False
-    USER_OIDC_FIELD_TO_SHORTNAME: "given_name"
-    USER_OIDC_FIELDS_TO_FULLNAME: "given_name,usual_name"
+    OIDC_USERINFO_SHORTNAME_FIELD: "given_name"
+    OIDC_USERINFO_FULLNAME_FIELDS: "given_name,usual_name"
     OIDC_REDIRECT_ALLOWED_HOSTS: https://impress.127.0.0.1.nip.io
     OIDC_AUTH_REQUEST_EXTRA_PARAMS: "{'acr_values': 'eidas1'}"
     LOGIN_REDIRECT_URL: https://impress.127.0.0.1.nip.io

src/backend/core/authentication/backends.py

@@ -1,130 +1,59 @@
 """Authentication Backends for the Impress core app."""
 
 import logging
+import os
 
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
-from django.utils.translation import gettext_lazy as _
 
-import requests
-from mozilla_django_oidc.auth import (
-    OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
+from lasuite.oidc_login.backends import (
+    OIDCAuthenticationBackend as LaSuiteOIDCAuthenticationBackend,
 )
 
-from core.models import DuplicateEmailError, User
+from core.models import DuplicateEmailError
 
 logger = logging.getLogger(__name__)
 
+# Settings renamed warnings
+if os.environ.get("USER_OIDC_FIELDS_TO_FULLNAME"):
+    logger.warning(
+        "USER_OIDC_FIELDS_TO_FULLNAME has been renamed to "
+        "OIDC_USERINFO_FULLNAME_FIELDS please update your settings."
+    )
 
-class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
+if os.environ.get("USER_OIDC_FIELD_TO_SHORTNAME"):
+    logger.warning(
+        "USER_OIDC_FIELD_TO_SHORTNAME has been renamed to "
+        "OIDC_USERINFO_SHORTNAME_FIELD please update your settings."
+    )
+
+
+class OIDCAuthenticationBackend(LaSuiteOIDCAuthenticationBackend):
     """Custom OpenID Connect (OIDC) Authentication Backend.
 
     This class overrides the default OIDC Authentication Backend to accommodate differences
     in the User and Identity models, and handles signed and/or encrypted UserInfo response.
     """
 
-    def get_userinfo(self, access_token, id_token, payload):
-        """Return user details dictionary.
-
-        Parameters:
-        - access_token (str): The access token.
-        - id_token (str): The id token (unused).
-        - payload (dict): The token payload (unused).
-
-        Note: The id_token and payload parameters are unused in this implementation,
-        but were kept to preserve base method signature.
-
-        Note: It handles signed and/or encrypted UserInfo Response. It is required by
-        Agent Connect, which follows the OIDC standard. It forces us to override the
-        base method, which deal with 'application/json' response.
-
-        Returns:
-        - dict: User details dictionary obtained from the OpenID Connect user endpoint.
+    def get_extra_claims(self, user_info):
         """
+        Return extra claims from user_info.
 
-        user_response = requests.get(
-            self.OIDC_OP_USER_ENDPOINT,
-            headers={"Authorization": f"Bearer {access_token}"},
-            verify=self.get_settings("OIDC_VERIFY_SSL", True),
-            timeout=self.get_settings("OIDC_TIMEOUT", None),
-            proxies=self.get_settings("OIDC_PROXY", None),
-        )
-        user_response.raise_for_status()
+        Args:
+          user_info (dict): The user information dictionary.
 
-        try:
-            userinfo = user_response.json()
-        except ValueError:
-            try:
-                userinfo = self.verify_token(user_response.text)
-            except Exception as e:
-                raise SuspiciousOperation(
-                    _("Invalid response format or token verification failed")
-                ) from e
-
-        return userinfo
-
-    def verify_claims(self, claims):
-        """
-        Verify the presence of essential claims and the "sub" (which is mandatory as defined
-        by the OIDC specification) to decide if authentication should be allowed.
+        Returns:
+          dict: A dictionary of extra claims.
         """
-        essential_claims = settings.USER_OIDC_ESSENTIAL_CLAIMS
-        missing_claims = [claim for claim in essential_claims if claim not in claims]
-
-        if missing_claims:
-            logger.error("Missing essential claims: %s", missing_claims)
-            return False
-
-        return True
-
-    def get_or_create_user(self, access_token, id_token, payload):
-        """Return a User based on userinfo. Create a new user if no match is found."""
-
-        user_info = self.get_userinfo(access_token, id_token, payload)
-
-        if not self.verify_claims(user_info):
-            raise SuspiciousOperation("Claims verification failed.")
-
-        sub = user_info["sub"]
-        email = user_info.get("email")
-
-        # Get user's full name from OIDC fields defined in settings
-        full_name = self.compute_full_name(user_info)
-        short_name = user_info.get(settings.USER_OIDC_FIELD_TO_SHORTNAME)
-
-        claims = {
-            "email": email,
-            "full_name": full_name,
-            "short_name": short_name,
+        return {
+            "full_name": self.compute_full_name(user_info),
+            "short_name": user_info.get(settings.OIDC_USERINFO_SHORTNAME_FIELD),
         }
 
+    def get_existing_user(self, sub, email):
+        """Fetch existing user by sub or email."""
+
         try:
-            user = User.objects.get_user_by_sub_or_email(sub, email)
+            return self.UserModel.objects.get_user_by_sub_or_email(sub, email)
         except DuplicateEmailError as err:
             raise SuspiciousOperation(err.message) from err
-
-        if user:
-            if not user.is_active:
-                raise SuspiciousOperation(_("User account is disabled"))
-            self.update_user_if_needed(user, claims)
-        elif self.get_settings("OIDC_CREATE_USER", True):
-            user = User.objects.create(sub=sub, password="!", **claims)  # noqa: S106
-
-        return user
-
-    def compute_full_name(self, user_info):
-        """Compute user's full name based on OIDC fields in settings."""
-        name_fields = settings.USER_OIDC_FIELDS_TO_FULLNAME
-        full_name = " ".join(
-            user_info[field] for field in name_fields if user_info.get(field)
-        )
-        return full_name or None
-
-    def update_user_if_needed(self, user, claims):
-        """Update user claims if they have changed."""
-        has_changed = any(
-            value and value != getattr(user, key) for key, value in claims.items()
-        )
-        if has_changed:
-            updated_claims = {key: value for key, value in claims.items() if value}
-            self.UserModel.objects.filter(id=user.id).update(**updated_claims)