Django-allauth: Support for OpenID connect 1.0

Created on 24 Jul 2014  路  7Comments  路  Source: pennersr/django-allauth

It looks like OpenID have added a fancy new spec based on OAuth2. Any chance of getting this integrated.

The recommended library for python support is https://github.com/rohe/pyoidc

FIXME

Most helpful comment

Is this something on the roadmap?

All 7 comments

I have to read up a bit on OpenID connect. I only briefly scanned some articles, and I was under the impression that some things like OAuth endpoint URLs were either standardized and/or discoverable. If so, allauth could implement OpenID connect support in a more generic way (simply one OpenID connect provider, versus multiple specific ones like done in #629). But, I first I need to find some time to digest the spec ...

You can easily implement a OIDC basic-flow client by just using a standard OAuth2 library.
e.g.:
```import json
from pyoauth2 import Client

CLIENT_ID = 'THE ID'
CLIENT_SECRET = 'A SHARD SECRET'
REDIRECT_URL = 'http://your-page-to-get-secret-or-error'
SCOPE = 'openid profile address email phone' # dependant on the provider, and their permissions for you

client = Client(CLIENT_ID, CLIENT_SECRET,
site='https://some-site/oidc/',
authorize_url='https://some-site/oidc/auth',
token_url='https://some-site/oidc/token')

print '-' * 80
authorize_url = client.auth_code.authorize_url(redirect_uri=REDIRECT_URL, scope=SCOPE)
print 'Go to the following link in your browser:'
print authorize_url

code = raw_input('Enter the verification code and hit ENTER when you re done:')
code = code.strip()
access_token = client.auth_code.get_token(code, redirect_uri=REDIRECT_URL)
print 'token', access_token.headers

print '-' * 80
print 'get user info'
ret = access_token.get('userinfo')
print json.dumps(ret.parsed, indent=4, sort_keys=True)
```
This is safe as long as you also verify the SSL cert.

pyoidc implements all the functionality you would need to offer a complete OIDC ID provider.

@grigi but still django-aullauth should support this out of the box.

@grigi this should also support the webfinger part of the spec, so that users can just type their email address and have the OIDC config be auto-discovered.

@graingert I was not saying it shouldn't be supported by django-allauth, just what an absolute minimum implementation entails.
Also, supporting the auto-discovery part of the spec significantly complicates the implementation, and an initial implementation using a generic OIDC service will help quite a bit already. E.g. using a modern AD.

Is this something on the roadmap?

Two years since the last comment. Again, is this something on the roadmap?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

HemantNegi picture HemantNegi  路  5Comments

slimaidarismail picture slimaidarismail  路  3Comments

JohnnyKing94 picture JohnnyKing94  路  4Comments

blueyed picture blueyed  路  5Comments

gitdeepak picture gitdeepak  路  5Comments