auth_oidc/models/auth_oauth_provider.py

# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)

import logging
import secrets

import requests

from odoo import fields, models, tools

try:
    from jose import jwt
    from jose.exceptions import JWSError, JWTError
except ImportError:
    logging.getLogger(__name__).debug("jose library not installed")


class AuthOauthProvider(models.Model):
    _inherit = "auth.oauth.provider"

    flow = fields.Selection(
        [
            ("access_token", "OAuth2"),
            ("id_token_code", "OpenID Connect (authorization code flow)"),
            ("id_token", "OpenID Connect (implicit flow, not recommended)"),
        ],
        string="Auth Flow",
        required=True,
        default="access_token",
    )
    token_map = fields.Char(
        help="Some Oauth providers don't map keys in their responses "
        "exactly as required.  It is important to ensure user_id and "
        "email at least are mapped. For OpenID Connect user_id is "
        "the sub key in the standard."
    )
    client_secret = fields.Char(
        help="Used in OpenID Connect authorization code flow for confidential clients.",
    )
    code_verifier = fields.Char(
        default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
    )
    validation_endpoint = fields.Char(required=False)
    token_endpoint = fields.Char(
        string="Token URL", help="Required for OpenID Connect authorization code flow."
    )
    jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")

    @tools.ormcache("self.jwks_uri", "kid")
    def _get_keys(self, kid):
        r = requests.get(self.jwks_uri, timeout=10)
        r.raise_for_status()
        response = r.json()
        # the keys returned here should follow
        # JWS Notes on Key Selection
        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
        return [
            key
            for key in response["keys"]
            if kid is None or key.get("kid", None) == kid
        ]

    def _map_token_values(self, res):
        if self.token_map:
            for pair in self.token_map.split(" "):
                from_key, to_key = (k.strip() for k in pair.split(":", 1))
                if to_key not in res:
                    res[to_key] = res.get(from_key, "")
        return res

    def _parse_id_token(self, id_token, access_token):
        self.ensure_one()
        res = {}
        header = jwt.get_unverified_header(id_token)
        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
        res.update(self._map_token_values(res))
        return res

    def _decode_id_token(self, access_token, id_token, kid):
        keys = self._get_keys(kid)
        if len(keys) > 1 and kid is None:
            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
            # If there are multiple keys in the referenced JWK Set document, a kid
            # value MUST be provided in the JOSE Header.
            raise JWTError(
                "OpenID Connect requires kid to be set if there is more"
                " than one key in the JWKS"
            )
        error = None
        # we accept multiple keys with the same kid in case a key gets rotated.
        for key in keys:
            try:
                values = jwt.decode(
                    id_token,
                    key,
                    algorithms=["RS256"],
                    audience=self.client_id,
                    access_token=access_token,
                )
                return values
            except (JWTError, JWSError) as e:
                error = e
        if error:
            raise error
        return {}
up 2025-01-13 18:00:03 +08:00			`# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>`
			`# Copyright 2021 ACSONE SA/NV <https://acsone.eu>`
			`# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)`

			`import logging`
			`import secrets`

			`import requests`

			`from odoo import fields, models, tools`

			`try:`
			`from jose import jwt`
			`from jose.exceptions import JWSError, JWTError`
			`except ImportError:`
			`logging.getLogger(__name__).debug("jose library not installed")`


			`class AuthOauthProvider(models.Model):`
			`_inherit = "auth.oauth.provider"`

			`flow = fields.Selection(`
			`[`
			`("access_token", "OAuth2"),`
			`("id_token_code", "OpenID Connect (authorization code flow)"),`
			`("id_token", "OpenID Connect (implicit flow, not recommended)"),`
			`],`
			`string="Auth Flow",`
			`required=True,`
			`default="access_token",`
			`)`
			`token_map = fields.Char(`
			`help="Some Oauth providers don't map keys in their responses "`
			`"exactly as required. It is important to ensure user_id and "`
			`"email at least are mapped. For OpenID Connect user_id is "`
			`"the sub key in the standard."`
			`)`
			`client_secret = fields.Char(`
			`help="Used in OpenID Connect authorization code flow for confidential clients.",`
			`)`
			`code_verifier = fields.Char(`
			`default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."`
			`)`
			`validation_endpoint = fields.Char(required=False)`
			`token_endpoint = fields.Char(`
			`string="Token URL", help="Required for OpenID Connect authorization code flow."`
			`)`
			`jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")`

			`@tools.ormcache("self.jwks_uri", "kid")`
			`def _get_keys(self, kid):`
			`r = requests.get(self.jwks_uri, timeout=10)`
			`r.raise_for_status()`
			`response = r.json()`
			`# the keys returned here should follow`
			`# JWS Notes on Key Selection`
			`# https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D`
			`return [`
			`key`
			`for key in response["keys"]`
			`if kid is None or key.get("kid", None) == kid`
			`]`

			`def _map_token_values(self, res):`
			`if self.token_map:`
			`for pair in self.token_map.split(" "):`
			`from_key, to_key = (k.strip() for k in pair.split(":", 1))`
			`if to_key not in res:`
			`res[to_key] = res.get(from_key, "")`
			`return res`

			`def _parse_id_token(self, id_token, access_token):`
			`self.ensure_one()`
			`res = {}`
			`header = jwt.get_unverified_header(id_token)`
			`res.update(self._decode_id_token(access_token, id_token, header.get("kid")))`
			`res.update(self._map_token_values(res))`
			`return res`

			`def _decode_id_token(self, access_token, id_token, kid):`
			`keys = self._get_keys(kid)`
			`if len(keys) > 1 and kid is None:`
			`# https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1`
			`# If there are multiple keys in the referenced JWK Set document, a kid`
			`# value MUST be provided in the JOSE Header.`
			`raise JWTError(`
			`"OpenID Connect requires kid to be set if there is more"`
			`" than one key in the JWKS"`
			`)`
			`error = None`
			`# we accept multiple keys with the same kid in case a key gets rotated.`
			`for key in keys:`
			`try:`
			`values = jwt.decode(`
			`id_token,`
			`key,`
			`algorithms=["RS256"],`
			`audience=self.client_id,`
			`access_token=access_token,`
			`)`
			`return values`
			`except (JWTError, JWSError) as e:`
			`error = e`
			`if error:`
			`raise error`
			`return {}`