From 11f8009309a5b72e0fae7978f1089b436e96f59b Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 5 May 2020 15:30:17 +0200
Subject: [PATCH 09/10] idp_oidc: fix order of ALGO_CHOICES in migrations (#42504)

Choices should not depend on environment.
---
 .../migrations/0001_initial.py | 2 +-
 src/authentic2_idp_oidc/models.py | 19 ++++++++-----------
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git src/authentic2_idp_oidc/migrations/0001_initial.py src/authentic2_idp_oidc/migrations/0001_initial.py
index 45fc27ce..778223f0 100644
--- src/authentic2_idp_oidc/migrations/0001_initial.py
+++ src/authentic2_idp_oidc/migrations/0001_initial.py
@@ -44,7 +44,7 @@ class Migration(migrations.Migration):
 ('redirect_uris', models.TextField(verbose_name='redirect URIs', validators=[authentic2_idp_oidc.models.validate_https_url])),
 ('sector_identifier_uri', models.URLField(verbose_name='sector identifier URI', blank=True)),
 ('identifier_policy', models.PositiveIntegerField(default=2, verbose_name='identifier policy', choices=[(1, 'uuid'), (2, 'pairwise'), (3, 'email')])),
- ('idtoken_algo', models.PositiveIntegerField(default=2, verbose_name='IDToken signature algorithm', choices=[(2, 'HMAC')])),
+ ('idtoken_algo', models.PositiveIntegerField(default=2, verbose_name='IDToken signature algorithm', choices=[(2, 'HMAC'), (1, 'RSA'), (3, 'EC')])),
 ('created', models.DateTimeField(auto_now_add=True, verbose_name='created')),
 ('modified', models.DateTimeField(auto_now=True, verbose_name='modified')),
 ],
diff --git src/authentic2_idp_oidc/models.py src/authentic2_idp_oidc/models.py
index 7599823f..a10d9f83 100644
--- src/authentic2_idp_oidc/models.py
+++ src/authentic2_idp_oidc/models.py
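Review bot: The choices literal is edited in place in the already-applied 0001_initial rather than in a new migration, and the new order `(2, 'HMAC'), (1, 'RSA'), (3, 'EC')` is neither the previous order nor ascending by id. Django does not enforce `choices` at the database level, so rewriting history here is harmless for stored rows, but the literal has to match `ALGO_CHOICES` in models.py exactly, order included, or `makemigrations` will keep emitting a follow-up migration; that constant is defined outside this patch, so it is worth checking. A short comment above the tuple such as `# order mirrors OIDCClient.ALGO_CHOICES; keep the two in sync` would spare the next reader from wondering why 2 precedes 1.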
@@ -143,19 +143,9 @@ class OIDCClient(Service):
 help_text=_('Permitted or default scopes (for credentials grant)'),
 default='',
 blank=True)
-
- @to_iter
- def get_idtoken_algorithms():
- try:
- utils.get_jwkset()
- except ImproperlyConfigured:
- return [(algo_id, algo_name) for algo_id, algo_name in OIDCClient.ALGO_CHOICES if algo_id not in (OIDCClient.ALGO_RSA, OIDCClient.ALGO_EC)]
- return OIDCClient.ALGO_CHOICES
-
 idtoken_algo = models.PositiveIntegerField(
 default=ALGO_HMAC,
- choices=get_idtoken_algorithms(),
+ choices=ALGO_CHOICES,
 verbose_name=_('IDToken signature algorithm'))
 has_api_access = models.BooleanField(
 verbose_name=_('has API access'),
@@ -183,6 +173,13 @@ class OIDCClient(Service):
 def clean(self):
 self.redirect_uris = strip_words(self.redirect_uris)
 self.post_logout_redirect_uris = strip_words(self.post_logout_redirect_uris)
+ if self.idtoken_algo in (OIDCClient.ALGO_RSA, OIDCClient.ALGO_EC):
+ try:
+ utils.get_jwkset()
+ except ImproperlyConfigured:
+ raise ValidationError(
+ _('You cannot use algorithm %(algorithm)s, setting A2_IDP_OIDC_JWKSET is not defined') %
+ {'algorithm': self.get_idtoken_algo_display()})
 def get_wanted_attributes(self):
 return self.oidcclaim_set.filter(name__isnull=False).values_list('value', flat=True)
--
2.26.0
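Review bot: With `get_idtoken_algorithms` removed, the `to_iter` decorator that only this function used may now be an unused import in models.py; the import block is above the hunk, so please check and drop it if nothing else references it. `utils` and `ImproperlyConfigured` stay in use through the new `clean()` check in the second hunk. The `OIDCClient` class and the `ALGO_CHOICES` definition that `choices=ALGO_CHOICES` now relies on both begin outside the hunk.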
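Review bot: The new check in `clean()` raises a non-field `ValidationError`, so in a ModelForm the message is shown at the top of the form rather than beside the algorithm selector; raising it as `ValidationError({'idtoken_algo': _('You cannot use algorithm %(algorithm)s, setting A2_IDP_OIDC_JWKSET is not defined') % {'algorithm': self.get_idtoken_algo_display()}})` attaches it to the field. Also note that `clean()` only runs under `full_clean()`, so a client created from the shell, a fixture or a serializer that skips it can still be saved with RSA or EC and no key set, which means the token-signing path must fail explicitly in that situation rather than rely on this form-level guard. Any exception from `utils.get_jwkset()` other than `ImproperlyConfigured` (for instance an unparsable key set) would propagate out of `clean()` unhandled; whether that can occur depends on `get_jwkset`, which is not visible here.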