RFC 7662 does not require the `iss` field in token introspection
responses. Some providers (e.g. GitLab via Doorkeeper) do not include
it, causing authentication to fail. The value is still validated when
present.
Signed-off-by: Bastien Wermeille <bastien.wermeille@gmail.com>
The documentation was incomplete: `oidc_op_url` is required to
instantiate the resource server client used by the resource server
backend.
Add this detail to the documentation, based on the configuration
used in the People deployment.
Enhance the log message to explicitly list which configuration
parameters are missing.
The previous message was too vague and required searching the
repository to understand its origin. This was made harder because
the class name is dynamically injected, preventing a direct search
of the full log string.
Note: instantiating JWTAuthorizationServerClient may emit two logs
when all required parameters are missing. This behavior can be
refined in a future change.
The docstring referenced a `url_jwks` parameter that is not used by
the AuthorizationServerClient constructor. It appears to have been
copied from JWTAuthorizationServerClient.
Update the docstring to reflect the actual behavior of the class.
Update all GitHub Actions to their latest major versions for improved
performance, security patches, and Node.js runtime compatibility.
Signed-off-by: Stephan Meijer <me@stephanmeijer.com>
See https://github.com/pypa/hatch/issues/2166
This will not change the extra install, as "-" and "_" are
mostly considered the same
(i.e. `django-lasuite[malware_detection]`
still works)
Some identity providers might change the case, but in our
products we don't consider case variations to be
different email addresses.
The next step would be to normalize the DB value of email to
be lower-case.
The RefreshOIDCAccessToken middleware was checking for `oidc_token_expiration`
in the session, but mozilla-django-oidc sets `oidc_id_token_expiration`.
This caused the middleware to always think the token was expired (defaulting
to 0), triggering unnecessary token refreshes on every request.
This fix aligns the session key name with mozilla-django-oidc's convention.
Fixes suitenumerique/messages#487
When a task is rescheduled, the file_hash saved in the table is not reused,
leading to re-downloading the file to compute its hash. This download can
be avoided if the file_hash is correctly reused.
To ease the use of this module, we added a shared task which is a wrapper
around the configured backend and will only call
`create_or_update_contact` in a Celery task.
Like we did for the malware_detection module, we want helpers allowing
us to instantiate a backend without knowing in the code how to do it,
just importing a module and the marketing service is ready to be used.
Added
- ✨(backend) keep traces of failed malware analysis tasks
- ✨(backend) save backend used in a malware analysis task
- ✨(backend) allow a malware detection backend to reschedule a task
- ✨(malware) add management command to reschedule processing
- ✨(malware) add an admin view to ease tracking tasks
We want to reschedule processing tasks when they are older than 3 days.
A setting is used to modify this delay. The current backend is
instantiated and it is the backend's responsibility to determine whether it
should reschedule it or not.
We want to keep in the database the failed tasks with the reason why
they failed. The idea is to take a decision later on what to do for
tasks reaching max retries, for example.
The previous code was loading the `get_oidc_backend` before
overriding it afterwards. Loading an unused backend is a
waste of resources ^^
While the default OIDC backend requires
more settings, like `OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION`
which might be useless for a resource-server-only project, it
could raise errors for missing, unused parameters.
The base implementation from Mozilla leaves the backend in charge
of making the introspection (probably to stay generic), but
in the LaSuite project we will always perform introspection when
acting as resource server.
To improve domain consistency and "payload" access to other parts
of the code, we chose to make the introspection earlier in the
authentication process.
Note that the introspection payload does not contain much information;
in our current implementation we need it to contain at least the
user's `sub`.
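The two introspection rules described in these commit messages (the optional `iss` from the first message and the required `sub` from the one above), as an added example that is not code from django-lasuite or mozilla-django-oidc; the expected issuer and the payloads are constructed values:

```python
"""Minimal validation of an RFC 7662 token introspection response.

Added example (not project code). RFC 7662 makes `active` the only
required member; `iss` is optional and some providers (GitLab via
Doorkeeper) omit it, so it is compared with the expected issuer only
when present. The resource server still needs at least `sub` to
identify the user. `expected_iss` is an assumed, constructed setting.
"""
import time


class IntrospectionError(Exception):
    """Raised when the introspection payload must be rejected."""


def validate_introspection(payload, expected_iss, now=None):
    """Return the payload if it is acceptable, else raise IntrospectionError.

    `payload` is the decoded JSON object returned by the introspection
    endpoint; `now` is a UNIX timestamp (defaults to the current time).
    """
    now = time.time() if now is None else now
    if not isinstance(payload, dict):
        raise IntrospectionError("introspection payload is not a JSON object")
    # `active` is the only REQUIRED member and must be boolean true.
    if payload.get("active") is not True:
        raise IntrospectionError("token is not active")
    # `exp` / `nbf` are optional but enforced when present.
    exp = payload.get("exp")
    if exp is not None and now >= exp:
        raise IntrospectionError("token has expired")
    nbf = payload.get("nbf")
    if nbf is not None and now < nbf:
        raise IntrospectionError("token is not yet valid")
    # `iss` is optional: validate it only when the provider sends it.
    iss = payload.get("iss")
    if iss is not None and iss != expected_iss:
        raise IntrospectionError(f"unexpected issuer {iss!r}")
    # The resource server needs at least `sub` to identify the user.
    if not payload.get("sub"):
        raise IntrospectionError("introspection payload has no `sub`")
    return payload


def is_acceptable(payload, expected_iss, now=None):
    """Boolean convenience wrapper around validate_introspection()."""
    try:
        validate_introspection(payload, expected_iss, now=now)
    except IntrospectionError:
        return False
    return True
```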
Currently, only the `GET` method is considered as a refreshable URL, as it could
be weird to return a redirect response for other kinds of HTTP methods.
On our side, we assume we are always in an XHR context so we don't want
to be bothered by redirects, and in case the session has expired
we return a 401 status. So we can safely ignore the request HTTP method
when checking if the URL is refreshable.