Merge pull request #3949 from jumpserver/dev_openid

Dev openid

apps/audits/signals_handler.py

@@ -136,8 +136,8 @@ def on_user_auth_success(sender, user, request, **kwargs):
 
 
 @receiver(post_auth_failed)
-def on_user_auth_failed(sender, username, request, reason, **kwargs):
+def on_user_auth_failed(sender, username, request, reason='', **kwargs):
     logger.debug('User login failed: {}'.format(username))
     data = generate_data(username, request)
-    data.update({'reason': reason, 'status': False})
+    data.update({'reason': reason[:128], 'status': False})
     write_login_log(**data)

apps/authentication/signals_handlers.py

@@ -1,15 +1,15 @@
 from django.dispatch import receiver
 
-from jms_oidc_rp.signals import oidc_user_login_success, oidc_user_login_failed
+from jms_oidc_rp.signals import openid_user_login_failed, openid_user_login_success
 
 from .signals import post_auth_success, post_auth_failed
 
 
-@receiver(oidc_user_login_success)
+@receiver(openid_user_login_success)
 def on_oidc_user_login_success(sender, request, user, **kwargs):
     post_auth_success.send(sender, user=user, request=request)
 
 
-@receiver(oidc_user_login_failed)
+@receiver(openid_user_login_failed)
 def on_oidc_user_login_failed(sender, username, request, reason, **kwargs):
     post_auth_failed.send(sender, username=username, request=request, reason=reason)

apps/authentication/templates/authentication/login.html

@@ -56,7 +56,7 @@
             <div class="hr-line-dashed"></div>
             <p class="text-muted text-center">{% trans "More login options" %}</p>
             <div>
-                <button type="button" class="btn btn-default btn-sm btn-block" onclick="location.href='{% url 'authentication:oidc:login' %}'">
+                <button type="button" class="btn btn-default btn-sm btn-block" onclick="location.href='{% url 'authentication:openid:login' %}'">
                     <i class="fa fa-openid"></i>
                     {% trans 'OpenID' %}
                 </button>

apps/authentication/urls/view_urls.py

@@ -17,5 +17,5 @@ urlpatterns = [
 
     # openid
     path('cas/', include(('authentication.backends.cas.urls', 'authentication'), namespace='cas')),
-    path('oidc/', include(('jms_oidc_rp.urls', 'authentication'), namespace='oidc')),
+    path('openid/', include(('jms_oidc_rp.urls', 'authentication'), namespace='openid')),
 ]

apps/jumpserver/conf.py

@@ -184,15 +184,12 @@ class Config(dict):
         'AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT': 'https://op-example.com/logout',
         'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256',
         'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_NAME': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_USERNAME': None,
-        'AUTH_OPENID_PROVIDER_CLAIMS_EMAIL': None,
         'AUTH_OPENID_SCOPES': 'openid profile email',
         'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60,
-        'AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO': True,
+        'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True,
         'AUTH_OPENID_USE_STATE': True,
         'AUTH_OPENID_USE_NONCE': True,
-        'AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION': True,
+        'AUTH_OPENID_ALWAYS_UPDATE_USER': True,
         # OpenID 旧配置参数 (version <= 1.5.8 (discarded))
         'BASE_SITE_URL': 'http://localhost:8080',
         'AUTH_OPENID_SERVER_URL': 'http://openid',
@@ -430,8 +427,8 @@ class DynamicConfig:
         if self.static_config.get('AUTH_CAS'):
             backends.insert(0, 'authentication.backends.cas.CASBackend')
         if self.static_config.get('AUTH_OPENID'):
-            backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthCodeBackend')
             backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthPasswordBackend')
+            backends.insert(0, 'jms_oidc_rp.backends.OIDCAuthCodeBackend')
         if self.static_config.get('AUTH_RADIUS'):
             backends.insert(0, 'authentication.backends.radius.RadiusBackend')
         return backends

apps/jumpserver/settings/auth.py

@@ -58,20 +58,18 @@ AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_USERINFO_EN
 AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT
 AUTH_OPENID_PROVIDER_SIGNATURE_ALG = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_ALG
 AUTH_OPENID_PROVIDER_SIGNATURE_KEY = CONFIG.AUTH_OPENID_PROVIDER_SIGNATURE_KEY
-AUTH_OPENID_PROVIDER_CLAIMS_NAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_NAME
-AUTH_OPENID_PROVIDER_CLAIMS_USERNAME = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_USERNAME
-AUTH_OPENID_PROVIDER_CLAIMS_EMAIL = CONFIG.AUTH_OPENID_PROVIDER_CLAIMS_EMAIL
 AUTH_OPENID_SCOPES = CONFIG.AUTH_OPENID_SCOPES
 AUTH_OPENID_ID_TOKEN_MAX_AGE = CONFIG.AUTH_OPENID_ID_TOKEN_MAX_AGE
-AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_USERINFO
+AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS = CONFIG.AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS
-AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION
-AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION
 AUTH_OPENID_USE_STATE = CONFIG.AUTH_OPENID_USE_STATE
 AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE
-AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION
+
-AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:oidc:login'
+AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION
-AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:oidc:login-callback'
+AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION
-AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:oidc:logout'
+AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER
+AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:openid:login'
+AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:openid:login-callback'
+AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:openid:logout'
 # ==============================================================================
 
 # Radius Auth

apps/users/signals_handler.py

@@ -7,11 +7,9 @@ from django_auth_ldap.backend import populate_user
 from django.conf import settings
 from django_cas_ng.signals import cas_user_authenticated
 
-from jms_oidc_rp.signals import oidc_user_created, oidc_user_updated
+from jms_oidc_rp.signals import openid_create_or_update_user
-from jms_oidc_rp.backends import get_userinfo_from_claims
 
 from common.utils import get_logger
-from .utils import construct_user_email
 from .signals import post_user_create
 from .models import User
 
@@ -55,19 +53,22 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs):
             user.save()
 
 
-@receiver(oidc_user_created)
+@receiver(openid_create_or_update_user)
-def on_oidc_user_created(sender, request, oidc_user, **kwargs):
+def on_openid_create_or_update_user(sender, request, user, created, name, username, email, **kwargs):
-    oidc_user.user.source = User.SOURCE_OPENID
+    if created:
-    oidc_user.user.save()
+        logger.debug(
-
+            "Receive OpenID user created signal: {}, "
-
+            "Set user source is: {}".format(user, User.SOURCE_OPENID)
-@receiver(oidc_user_updated)
+        )
-def on_oidc_user_updated(sender, request, oidc_user, **kwargs):
+        user.source = User.SOURCE_OPENID
-    if not settings.AUTH_OPENID_ALWAYS_UPDATE_USER_INFORMATION:
+        user.save()
-        return
+    elif not created and settings.AUTH_OPENID_ALWAYS_UPDATE_USER:
-    name, username, email = get_userinfo_from_claims(oidc_user.userinfo)
+        logger.debug(
-    email = construct_user_email(username, email)
+            "Receive OpenID user updated signal: {}, "
-    oidc_user.user.name = name
+            "Update user info: {}"
-    oidc_user.user.username = username
+            "".format(user, "name: {}|username: {}|email: {}".format(name, username, email))
-    oidc_user.user.email = email
+        )
-    oidc_user.user.save()
+        user.name = name
+        user.username = username
+        user.email = email
+        user.save()

requirements/requirements.txt

@@ -96,4 +96,4 @@ ipython
 huaweicloud-sdk-python==1.0.21
 django-redis==4.11.0
 python-redis-lock==3.5.0
-jumpserver-django-oidc-rp==0.3.7.1
+jumpserver-django-oidc-rp==0.3.7.2