From 7cc6e08f8664c3c12e8ab014db3bcbe00685c90b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 22 Nov 2018 12:13:48 +0100
Subject: [PATCH 2/2] idp_oidc: hide RSA algorithms if no JWKSET is defined (fixes #28249)
---
 .../migrations/0001_initial.py | 2 +-
 src/authentic2_idp_oidc/models.py | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/authentic2_idp_oidc/migrations/0001_initial.py b/src/authentic2_idp_oidc/migrations/0001_initial.py
index 4948c809..a965f0ec 100644
--- a/src/authentic2_idp_oidc/migrations/0001_initial.py
+++ b/src/authentic2_idp_oidc/migrations/0001_initial.py
@@ -44,7 +44,7 @@ class Migration(migrations.Migration):
 ('redirect_uris', models.TextField(verbose_name='redirect URIs', validators=[authentic2_idp_oidc.models.validate_https_url])),
 ('sector_identifier_uri', models.URLField(verbose_name='sector identifier URI', blank=True)),
 ('identifier_policy', models.PositiveIntegerField(default=2, verbose_name='identifier policy', choices=[(1, 'uuid'), (2, 'pairwise'), (3, 'email')])),
- ('idtoken_algo', models.PositiveIntegerField(default=1, verbose_name='IDToken signature algorithm', choices=[(1, 'RSA'), (2, 'HMAC')])),
+ ('idtoken_algo', models.PositiveIntegerField(default=1, verbose_name='IDToken signature algorithm', choices=[(2, 'HMAC')])),
 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
 ],
diff --git a/src/authentic2_idp_oidc/models.py b/src/authentic2_idp_oidc/models.py
index f6c69e98..58775e61 100644
--- a/src/authentic2_idp_oidc/models.py
+++ b/src/authentic2_idp_oidc/models.py
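Review bot: The rewritten field on the `+` line keeps `default=1` while its choice list now holds only `(2, 'HMAC')`, so the model state this migration records has a default that is not among its own choices. Editing the already-applied initial migration also ties its recorded state to one deployment shape: in the models.py hunk the choices of `idtoken_algo` are computed from whether a JWKSET is configured, so `makemigrations` will report a pending choices change in every deployment where RSA is available, and that hunk has the same default-outside-choices mismatch (`default=ALGO_RSA`). Since `choices` is not a database constraint, I would leave this migration at `choices=[(1, 'RSA'), (2, 'HMAC')]` and keep the environment-dependent filtering out of migration state (at the form or validation level), or at least make the default here agree with the remaining choices.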
@@ -4,7 +4,7 @@ from importlib import import_module
 from django.db import models
 from django.contrib.contenttypes.models import ContentType
 from django.core.validators import URLValidator
-from django.core.exceptions import ValidationError
+from django.core.exceptions import ValidationError, ImproperlyConfigured
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from django.utils.timezone import now
@@ -12,6 +12,7 @@ from django.contrib.contenttypes.fields import GenericForeignKey, GenericRelatio
 from authentic2.managers import GenericManager
 from authentic2.models import Service
+from authentic2.utils import to_iter
 from . import utils, managers
@@ -110,9 +111,19 @@ class OIDCClient(Service):
 verbose_name=_('identifier policy'),
 default=POLICY_PAIRWISE,
 choices=IDENTIFIER_POLICIES)
+
+ @to_iter
+ def get_idtoken_algorithms():
+ try:
+ utils.get_jwkset()
+ except ImproperlyConfigured:
+ return [(algo_id, algo_name) for algo_id, algo_name in OIDCClient.ALGO_CHOICES
+ if algo_id != OIDCClient.ALGO_RSA]
+ return OIDCClient.ALGO_CHOICES
+
 idtoken_algo = models.PositiveIntegerField(
 default=ALGO_RSA,
- choices=ALGO_CHOICES,
+ choices=get_idtoken_algorithms(),
 verbose_name=_('IDToken signature algorithm'))
 has_api_access = models.BooleanField(
 verbose_name=_('has API access'),
-- 
2.18.0
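Review bot: `default=ALGO_RSA` is left in place on the `idtoken_algo` field in the last hunk even though `get_idtoken_algorithms()` drops the RSA entry when `utils.get_jwkset()` raises ImproperlyConfigured, so a client saved without an explicit algorithm still gets an ID token signature algorithm the deployment has no key for. The default should come from the same check — Django fields accept a callable default — returning the RSA id only when `get_jwkset()` succeeds and the HMAC id (2 in the migration) otherwise. Both return paths of the helper name `OIDCClient` from inside the class body that is still being executed, which only works if `to_iter` defers the call until the choices are iterated; if it does, `get_jwkset()` is re-run every time the choices are read (form rendering, validation), and if it does not, the module fails to import with a NameError, so a one-line comment such as `# evaluated lazily by to_iter: RSA is offered only when a JWKSET is configured` would record which is intended. Any exception from `get_jwkset()` other than ImproperlyConfigured (a malformed key set, presumably) propagates from that same evaluation point. The helper also remains as an attribute of `OIDCClient` after the field definition; `del get_idtoken_algorithms` after the field, or a module-level function, keeps it off the model's public surface.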