perf: 优化 OIDC 支持选择认证方式

2025-09-16 07:18:22 +00:00 · 2022-04-29 12:54:15 +08:00
parent b1aadf1ee9
commit 00ed7bb025
8 changed files with 191 additions and 169 deletions
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -103,9 +103,8 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
        # Prepares the token payload that will be used to request an authentication token to the
        # token endpoint of the OIDC provider.
        logger.debug(log_prompt.format('Prepares token payload'))
-
-        """ The reason for need not client_id and client_secret in token_payload.
-
+        """ 
+        The reason for need not client_id and client_secret in token_payload.
        OIDC protocol indicate client's token_endpoint_auth_method only accept one type in
            - client_secret_basic
            - client_secret_post
@@ -113,25 +112,35 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
            - private_key_jwt
            - none
        If the client offer more than one auth method type to OIDC, OIDC will auth client failed.
-        OIDC default use client_secret_basic, this type only need in headers add Authorization=Basic xxx.
+        OIDC default use client_secret_basic, 
+        this type only need in headers add Authorization=Basic xxx.
+        
        More info see: https://github.com/jumpserver/jumpserver/issues/8165
-
+        More info see: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
        """
        token_payload = {
-            # 'client_id': settings.AUTH_OPENID_CLIENT_ID,
-            # 'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
            'grant_type': 'authorization_code',
            'code': code,
            'redirect_uri': build_absolute_uri(
                request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
            )
        }
-
-        # Prepares the token headers that will be used to request an authentication token to the
-        # token endpoint of the OIDC provider.
-        logger.debug(log_prompt.format('Prepares token headers'))
-        basic_token = "{}:{}".format(settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET)
-        headers = {"Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())}
+        if settings.AUTH_OPENID_CLIENT_AUTH_METHOD == 'client_secret_post':
+            token_payload.update({
+                'client_id': settings.AUTH_OPENID_CLIENT_ID,
+                'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
+            })
+            headers = None
+        else:
+            # Prepares the token headers that will be used to request an authentication token to the
+            # token endpoint of the OIDC provider.
+            logger.debug(log_prompt.format('Prepares token headers'))
+            basic_token = "{}:{}".format(
+                settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET
+            )
+            headers = {
+                "Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())
+            }

        # Calls the token endpoint.
        logger.debug(log_prompt.format('Call the token endpoint'))