Add OpenID Connect Token authenticator #167

Open
wants to merge 1 commit into
base: master

puiterwijk

Signed-off-by: Patrick Uiterwijk [email protected]

@puiterwijk puiterwijk force-pushed the oidcauthn branch 2 times, most recently from cf4aabe to bdc2a78, April 16, 2017 08:57
@codecov-io

Codecov Report

Merging #167 into master will decrease coverage by 0.53%.
The diff coverage is 19.51%.

@@            Coverage Diff             @@
##           master     #167      +/-   ##
==========================================
- Coverage   60.02%   59.48%   -0.54%     
==========================================
  Files          36       36              
  Lines        3042     3083      +41     
  Branches      338      345       +7     
==========================================
+ Hits         1826     1834       +8     
- Misses       1126     1159      +33     
  Partials       90       90
Impacted Files Coverage Δ
custodia/httpd/authenticators.py 30.53% <19.51%> (-5.03%) ⬇️

Powered by Codecov. Last update d717c05...9c2f03d. Read the comment docs.


@tiran tiran left a comment

Thanks Patrick, I left a couple of comments.



class OpenIDCTokenAuth(HTTPAuthenticator):
token_info_url = PluginOption(str, None,

You can use REQUIRED to make an option mandatory

return False
elif request.get('access_token'):
self.logger.debug('Token provided in form')
token = request.get('access_token')
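
Review bot: the `elif request.get('access_token'):` branch should accept the token only from a form-encoded body, and the hunk does not show that the parameter cannot also come from the query string. If query-string parameters end up in the same place, bearer tokens will be recorded in URLs and access logs; restricting this branch to the body parameter (RFC 6750 section 2.2) avoids that. The value is also looked up twice; assigning it once and testing the result would be simpler.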

request['access_token']

self.logger.debug('Missing any credentials in request')
return False

if not token:

Is it necessary to check token again?


try:
tokeninfo = self._get_token_info(token)
except:

Please don't use a bare except. except Exception

scope = PluginOption(str, 'custodia', 'OAuth2 scope to require')

def _get_token_info(self, token):
return requests.post(self.token_info_url,
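
Review bot: the `requests.post(self.token_info_url,` call in `_get_token_info` should be given an explicit `timeout=`, unless the cut-off part of the call already passes one; requests does not time out by default, so an unresponsive token info endpoint would block the request being authenticated. Since the token is sent to whatever `token_info_url` is set to, it is also worth rejecting a non-https URL when the option is loaded.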

Other plugins accept a CA cert argument to customize TLS verification. We could have a global option for trusted CA cert, too.

@@ -131,3 +133,62 @@ def handle(self, request):
self.audit_svc_access(log.AUDIT_SVC_AUTH_FAIL,
request['client_id'], dn)
return False


class OpenIDCTokenAuth(HTTPAuthenticator):

Please add a doc string with an example of how to configure and use this plugin with e.g. Ipsilon.

@tiran tiran added this to the 0.6 milestone May 9, 2017
@tiran tiran modified the milestones: future, 0.6 Jun 29, 2017