fix: integrate with azure oidc

apps/authentication/backends/oidc/backends.py

@@ -224,7 +224,6 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
             user_auth_failed.send(
                 sender=self.__class__, request=request, username=user.username,
                 reason="User is invalid", backend=settings.AUTH_BACKEND_OIDC_CODE
-
             )
             return None
 

apps/authentication/backends/oidc/utils.py

@@ -10,16 +10,15 @@ import datetime as dt
 from calendar import timegm
 from urllib.parse import urlparse
 
+from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
 from django.utils.encoding import force_bytes, smart_bytes
 from jwkest import JWKESTException
 from jwkest.jwk import KEYS
 from jwkest.jws import JWS
-from django.conf import settings
 
 from common.utils import get_logger
 
-
 logger = get_logger(__file__)
 
 
@@ -99,7 +98,8 @@ def _validate_claims(id_token, nonce=None, validate_nonce=True):
         raise SuspiciousOperation('Incorrect id_token: nbf')
 
     # Verifies that the token was issued in the allowed timeframe.
-    if utc_timestamp > id_token['iat'] + settings.AUTH_OPENID_ID_TOKEN_MAX_AGE:
+    max_age = settings.AUTH_OPENID_ID_TOKEN_MAX_AGE
+    if utc_timestamp > id_token['iat'] + max_age:
         logger.debug(log_prompt.format('Incorrect id_token: iat'))
         raise SuspiciousOperation('Incorrect id_token: iat')
 

apps/jumpserver/conf.py

@@ -349,7 +349,7 @@ class Config(dict):
         'AUTH_OPENID_PROVIDER_SIGNATURE_ALG': 'HS256',
         'AUTH_OPENID_PROVIDER_SIGNATURE_KEY': None,
         'AUTH_OPENID_SCOPES': 'openid profile email',
-        'AUTH_OPENID_ID_TOKEN_MAX_AGE': 60,
+        'AUTH_OPENID_ID_TOKEN_MAX_AGE': 600,
         'AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS': True,
         'AUTH_OPENID_USE_STATE': True,
         'AUTH_OPENID_USE_NONCE': True,

apps/users/signal_handlers.py

@@ -155,11 +155,13 @@ def radius_create_user(sender, user, **kwargs):
 
 @receiver(openid_create_or_update_user)
 def on_openid_create_or_update_user(sender, user, created, attrs, **kwargs):
+    group_names = attrs.get('groups')
     if created:
         org_ids = bind_user_to_org_role(user)
-        group_names = attrs.get('groups')
+    else:
-        bind_user_to_group(org_ids, group_names, user)
+        org_ids = user.joined_orgs.values_list('id', flat=True)
 
+    bind_user_to_group(org_ids, group_names, user)
     source = User.Source.openid.value
     user_authenticated_handle(user, created, source, attrs, **kwargs)
 
@@ -235,6 +237,7 @@ def bind_user_to_group(org_ids, group_names, user):
         return
 
     org_ids = org_ids or [Organization.DEFAULT_ID]
+    org_ids = [str(i) for i in org_ids if i]
 
     with tmp_to_root_org():
         existing_groups = UserGroup.objects.filter(org_id__in=org_ids).values_list('org_id', 'name')
@@ -252,12 +255,19 @@ def bind_user_to_group(org_ids, group_names, user):
             )
 
         UserGroup.objects.bulk_create(groups_to_create)
-
         user_groups = UserGroup.objects.filter(org_id__in=org_ids, name__in=group_names)
 
+        user_group_ids = set(user_groups.values_list('id', flat=True))
+        exist_group_ids = set(
+            User.groups.through.objects.filter(user_id=user.id)
+            .values_list('usergroup_id', flat=True)
+        )
+        need_add_group_ids = user_group_ids - exist_group_ids
+
         user_group_links = [
-            User.groups.through(user_id=user.id, usergroup_id=group.id)
+            User.groups.through(user_id=user.id, usergroup_id=group_id)
-            for group in user_groups
+            for group_id in need_add_group_ids
         ]
+
         if user_group_links:
-            User.groups.through.objects.bulk_create(user_group_links)
+            User.groups.through.objects.bulk_create(user_group_links, ignore_conflicts=True)