From 19335439bdee97331f2e8627686c1a927e5abd74 Mon Sep 17 00:00:00 2001 From: Matt Scott Date: Sun, 2 Apr 2023 09:19:05 -0400 Subject: [PATCH] Completed the removal of the OAuth JWKS URL setting as well as the update of how the existing metadata URL settings are being used. For additional information, reference GitHub issue #1499. --- powerdnsadmin/models/setting.py | 4 -- powerdnsadmin/routes/admin.py | 8 ---- powerdnsadmin/services/azure.py | 27 +++++++----- powerdnsadmin/services/github.py | 32 +++++++++----- powerdnsadmin/services/google.py | 30 ++++++++----- powerdnsadmin/services/oidc.py | 30 ++++++++----- .../admin_setting_authentication.html | 44 ------------------- 7 files changed, 75 insertions(+), 100 deletions(-) diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py index 48f929f..dedaaab 100644 --- a/powerdnsadmin/models/setting.py +++ b/powerdnsadmin/models/setting.py @@ -73,7 +73,6 @@ class Setting(db.Model): 'https://github.com/login/oauth/access_token', 'github_oauth_authorize_url': 'https://github.com/login/oauth/authorize', - 'github_oauth_jwks_url': '', 'github_oauth_metadata_url': '', 'google_oauth_enabled': False, 'google_oauth_client_id': '', @@ -81,7 +80,6 @@ class Setting(db.Model): 'google_token_url': 'https://oauth2.googleapis.com/token', 'google_oauth_scope': 'openid email profile', 'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth', - 'google_oauth_jwks_url': '', 'google_oauth_metadata_url': '', 'google_base_url': 'https://www.googleapis.com/oauth2/v3/', 'azure_oauth_enabled': False, @@ -93,7 +91,6 @@ class Setting(db.Model): 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token', 'azure_oauth_authorize_url': 'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize', - 'azure_oauth_jwks_url': '', 'azure_oauth_metadata_url': '', 'azure_sg_enabled': False, 'azure_admin_group': '', @@ -111,7 +108,6 @@ class Setting(db.Model): 'oidc_oauth_api_url': '', 'oidc_oauth_token_url': '', 'oidc_oauth_authorize_url': '', - 'oidc_oauth_jwks_url': '', 'oidc_oauth_metadata_url': '', 'oidc_oauth_logout_url': '', 'oidc_oauth_username': 'preferred_username', diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py index 3e44fd6..eedabdc 100644 --- a/powerdnsadmin/routes/admin.py +++ b/powerdnsadmin/routes/admin.py @@ -1680,8 +1680,6 @@ def setting_authentication(): request.form.get('google_oauth_scope')) Setting().set('google_authorize_url', request.form.get('google_authorize_url')) - Setting().set('google_oauth_jwks_url', - request.form.get('google_oauth_jwks_url')) Setting().set('google_base_url', request.form.get('google_base_url')) result = { @@ -1715,8 +1713,6 @@ def setting_authentication(): request.form.get('github_oauth_token_url')) Setting().set('github_oauth_authorize_url', request.form.get('github_oauth_authorize_url')) - Setting().set('github_oauth_jwks_url', - request.form.get('github_oauth_jwks_url')) result = { 'status': True, 'msg': @@ -1748,8 +1744,6 @@ def setting_authentication(): request.form.get('azure_oauth_token_url')) Setting().set('azure_oauth_authorize_url', request.form.get('azure_oauth_authorize_url')) - Setting().set('azure_oauth_jwks_url', - request.form.get('azure_oauth_jwks_url')) Setting().set( 'azure_sg_enabled', True if request.form.get('azure_sg_enabled') == 'ON' else False) @@ -1803,8 +1797,6 @@ def setting_authentication(): request.form.get('oidc_oauth_token_url')) Setting().set('oidc_oauth_authorize_url', request.form.get('oidc_oauth_authorize_url')) - Setting().set('oidc_oauth_jwks_url', - request.form.get('oidc_oauth_jwks_url')) Setting().set('oidc_oauth_logout_url', request.form.get('oidc_oauth_logout_url')) Setting().set('oidc_oauth_username', diff --git a/powerdnsadmin/services/azure.py b/powerdnsadmin/services/azure.py index c1fb626..65f3bf3 100644 --- a/powerdnsadmin/services/azure.py +++ b/powerdnsadmin/services/azure.py @@ -15,18 +15,25 @@ def azure_oauth(): session['azure_token'] = token return token + authlib_params = { + 'client_id': Setting().get('azure_oauth_key'), + 'client_secret': Setting().get('azure_oauth_secret'), + 'api_base_url': Setting().get('azure_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('azure_oauth_token_url'), + 'authorize_url': Setting().get('azure_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('azure_oauth_scope')}, + 'fetch_token': fetch_azure_token, + } + + server_metadata_url = Setting().get('azure_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + azure = authlib_oauth_client.register( 'azure', - client_id=Setting().get('azure_oauth_key'), - client_secret=Setting().get('azure_oauth_secret'), - api_base_url=Setting().get('azure_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('azure_oauth_token_url'), - authorize_url=Setting().get('azure_oauth_authorize_url'), - jwks_url=Setting().get('azure_oauth_jwks_url'), - server_metadata_url=Setting().get('azure_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('azure_oauth_scope')}, - fetch_token=fetch_azure_token, + **authlib_params ) @current_app.route('/azure/authorized') diff --git a/powerdnsadmin/services/github.py b/powerdnsadmin/services/github.py index 13c2f00..ff4a20f 100644 --- a/powerdnsadmin/services/github.py +++ b/powerdnsadmin/services/github.py @@ -15,20 +15,28 @@ def github_oauth(): session['github_token'] = token return token + authlib_params = { + 'client_id': Setting().get('github_oauth_key'), + 'client_secret': Setting().get('github_oauth_secret'), + 'request_token_params': {'scope': Setting().get('github_oauth_scope')}, + 'api_base_url': Setting().get('github_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('github_oauth_token_url'), + 'authorize_url': Setting().get('github_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('github_oauth_scope')}, + 'fetch_token': fetch_github_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('github_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + github = authlib_oauth_client.register( 'github', - client_id=Setting().get('github_oauth_key'), - client_secret=Setting().get('github_oauth_secret'), - request_token_params={'scope': Setting().get('github_oauth_scope')}, - api_base_url=Setting().get('github_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('github_oauth_token_url'), - authorize_url=Setting().get('github_oauth_authorize_url'), - jwks_url=Setting().get('github_oauth_jwks_url'), - server_metadata_url=Setting().get('github_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('github_oauth_scope')}, - fetch_token=fetch_github_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/github/authorized') def github_authorized(): diff --git a/powerdnsadmin/services/google.py b/powerdnsadmin/services/google.py index fc9af12..5604819 100644 --- a/powerdnsadmin/services/google.py +++ b/powerdnsadmin/services/google.py @@ -15,19 +15,27 @@ def google_oauth(): session['google_token'] = token return token + authlib_params = { + 'client_id': Setting().get('google_oauth_client_id'), + 'client_secret': Setting().get('google_oauth_client_secret'), + 'api_base_url': Setting().get('google_base_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('google_token_url'), + 'authorize_url': Setting().get('google_authorize_url'), + 'client_kwargs': {'scope': Setting().get('google_oauth_scope')}, + 'fetch_token': fetch_google_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('google_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + google = authlib_oauth_client.register( 'google', - client_id=Setting().get('google_oauth_client_id'), - client_secret=Setting().get('google_oauth_client_secret'), - api_base_url=Setting().get('google_base_url'), - request_token_url=None, - access_token_url=Setting().get('google_token_url'), - authorize_url=Setting().get('google_authorize_url'), - jwks_url=Setting().get('google_oauth_jwks_url'), - server_metadata_url=Setting().get('google_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('google_oauth_scope')}, - fetch_token=fetch_google_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/google/authorized') def google_authorized(): diff --git a/powerdnsadmin/services/oidc.py b/powerdnsadmin/services/oidc.py index 432457f..7b0cd46 100644 --- a/powerdnsadmin/services/oidc.py +++ b/powerdnsadmin/services/oidc.py @@ -15,19 +15,27 @@ def oidc_oauth(): session['oidc_token'] = token return token + authlib_params = { + 'client_id': Setting().get('oidc_oauth_key'), + 'client_secret': Setting().get('oidc_oauth_secret'), + 'api_base_url': Setting().get('oidc_oauth_api_url'), + 'request_token_url': None, + 'access_token_url': Setting().get('oidc_oauth_token_url'), + 'authorize_url': Setting().get('oidc_oauth_authorize_url'), + 'client_kwargs': {'scope': Setting().get('oidc_oauth_scope')}, + 'fetch_token': fetch_oidc_token, + 'update_token': update_token + } + + server_metadata_url = Setting().get('oidc_oauth_metadata_url') + + if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0: + authlib_params['server_metadata_url'] = server_metadata_url + oidc = authlib_oauth_client.register( 'oidc', - client_id=Setting().get('oidc_oauth_key'), - client_secret=Setting().get('oidc_oauth_secret'), - api_base_url=Setting().get('oidc_oauth_api_url'), - request_token_url=None, - access_token_url=Setting().get('oidc_oauth_token_url'), - authorize_url=Setting().get('oidc_oauth_authorize_url'), - jwks_url=Setting().get('oidc_oauth_jwks_url'), - server_metadata_url=Setting().get('oidc_oauth_metadata_url'), - client_kwargs={'scope': Setting().get('oidc_oauth_scope')}, - fetch_token=fetch_oidc_token, - update_token=update_token) + **authlib_params + ) @current_app.route('/oidc/authorized') def oidc_authorized(): diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index c545958..cbe6800 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -806,17 +806,6 @@ value="{{ SETTING.get('google_authorize_url') }}"> -
- - - -
-
- - - -
@@ -1096,17 +1074,6 @@ value="{{ SETTING.get('azure_oauth_authorize_url') }}"> -
- - - -
Group Security @@ -1413,17 +1380,6 @@ value="{{ SETTING.get('oidc_oauth_authorize_url') }}"> -
- - - -