django-auth-adfs 1.13.0__py3-none-any.whl → 1.15.0__py3-none-any.whl

django_auth_adfs/__init__.py

@@ -4,4 +4,4 @@ This file is imported by setup.py
 Adding imports here will break setup.py
 """
 
-__version__ = '1.13.0'
+__version__ = '1.15.0'

django_auth_adfs/backend.py

@@ -15,19 +15,22 @@ logger = logging.getLogger("django_auth_adfs")
 
 
 class AdfsBaseBackend(ModelBackend):
-    def exchange_auth_code(self, authorization_code, request):
-        logger.debug("Received authorization code: %s", authorization_code)
-        data = {
-            'grant_type': 'authorization_code',
-            'client_id': settings.CLIENT_ID,
-            'redirect_uri': provider_config.redirect_uri(request),
-            'code': authorization_code,
-        }
-        if settings.CLIENT_SECRET:
-            data['client_secret'] = settings.CLIENT_SECRET
 
-        logger.debug("Getting access token at: %s", provider_config.token_endpoint)
-        response = provider_config.session.post(provider_config.token_endpoint, data, timeout=settings.TIMEOUT)
+    def _ms_request(self, action, url, data=None, **kwargs):
+        """
+        Make a Microsoft Entra/GraphQL request
+
+
+        Args:
+            action (callable): The callable for making a request.
+            url (str): The URL the request should be sent to.
+            data (dict): Optional dictionary of data to be sent in the request.
+
+        Returns:
+            response: The response from the server. If it's not a 200, a
+                      PermissionDenied is raised.
+        """
+        response = action(url, data=data, timeout=settings.TIMEOUT, **kwargs)
         # 200 = valid token received
         # 400 = 'something' is wrong in our request
         if response.status_code == 400:
@@ -39,7 +42,21 @@ class AdfsBaseBackend(ModelBackend):
         if response.status_code != 200:
             logger.error("Unexpected ADFS response: %s", response.content.decode())
             raise PermissionDenied
+        return response
 
+    def exchange_auth_code(self, authorization_code, request):
+        logger.debug("Received authorization code: %s", authorization_code)
+        data = {
+            'grant_type': 'authorization_code',
+            'client_id': settings.CLIENT_ID,
+            'redirect_uri': provider_config.redirect_uri(request),
+            'code': authorization_code,
+        }
+        if settings.CLIENT_SECRET:
+            data['client_secret'] = settings.CLIENT_SECRET
+
+        logger.debug("Getting access token at: %s", provider_config.token_endpoint)
+        response = self._ms_request(provider_config.session.post, provider_config.token_endpoint, data)
         adfs_response = response.json()
         return adfs_response
 
@@ -66,21 +83,30 @@ class AdfsBaseBackend(ModelBackend):
         else:
             data["resource"] = 'https://graph.microsoft.com'
 
-        response = provider_config.session.get(provider_config.token_endpoint, data=data, timeout=settings.TIMEOUT)
-        # 200 = valid token received
-        # 400 = 'something' is wrong in our request
-        if response.status_code == 400:
-            logger.error("ADFS server returned an error: %s", response.json()["error_description"])
-            raise PermissionDenied
-
-        if response.status_code != 200:
-            logger.error("Unexpected ADFS response: %s", response.content.decode())
-            raise PermissionDenied
-
+        response = self._ms_request(provider_config.session.get, provider_config.token_endpoint, data)
         obo_access_token = response.json()["access_token"]
         logger.debug("Received OBO access token: %s", obo_access_token)
         return obo_access_token
 
+    def get_group_memberships_from_ms_graph_params(self):
+        """
+        Return the parameters to be used in the querystring
+        when fetching the user's group memberships.
+
+        Possible keys to be used:
+            - $count
+            - $expand
+            - $filter
+            - $orderby
+            - $search
+            - $select
+            - $top
+
+        Docs:
+            https://learn.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=python#http-request
+        """
+        return {}
+
     def get_group_memberships_from_ms_graph(self, obo_access_token):
         """
         Looks up a users group membership from the MS Graph API
@@ -95,17 +121,12 @@ class AdfsBaseBackend(ModelBackend):
             provider_config.msgraph_endpoint
         )
         headers = {"Authorization": "Bearer {}".format(obo_access_token)}
-        response = provider_config.session.get(graph_url, headers=headers, timeout=settings.TIMEOUT)
-        # 200 = valid token received
-        # 400 = 'something' is wrong in our request
-        if response.status_code in [400, 401]:
-            logger.error("MS Graph server returned an error: %s", response.json()["message"])
-            raise PermissionDenied
-
-        if response.status_code != 200:
-            logger.error("Unexpected MS Graph response: %s", response.content.decode())
-            raise PermissionDenied
-
+        response = self._ms_request(
+            action=provider_config.session.get,
+            url=graph_url,
+            data=self.get_group_memberships_from_ms_graph_params(),
+            headers=headers,
+        )
         claim_groups = []
         for group_data in response.json()["value"]:
             if group_data["displayName"] is None:

django_auth_adfs/config.py

@@ -337,7 +337,10 @@ class ProviderConfig(object):
 
         """
         self.load_config()
-        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
+        if request.method == 'POST':
+            redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
+        else:
+            redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
         if not redirect_to:
             redirect_to = django_settings.LOGIN_REDIRECT_URL
         redirect_to = base64.urlsafe_b64encode(redirect_to.encode()).decode()

django_auth_adfs/rest_framework.py

@@ -6,6 +6,8 @@ from rest_framework.authentication import (
     BaseAuthentication, get_authorization_header
 )
 
+from django_auth_adfs.exceptions import MFARequired
+
 
 class AdfsAccessTokenAuthentication(BaseAuthentication):
     """
@@ -33,7 +35,10 @@ class AdfsAccessTokenAuthentication(BaseAuthentication):
         # Authenticate the user
         # The AdfsAuthCodeBackend authentication backend will notice the "access_token" parameter
         # and skip the request for an access token using the authorization code
-        user = authenticate(access_token=auth[1])
+        try:
+            user = authenticate(access_token=auth[1])
+        except MFARequired as e:
+            raise exceptions.AuthenticationFailed('MFA auth is required.') from e
 
         if user is None:
             raise exceptions.AuthenticationFailed('Invalid access token.')

django_auth_adfs/views.py

@@ -84,6 +84,15 @@ class OAuth2LoginView(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request))
+
 
 class OAuth2LoginNoSSOView(View):
     def get(self, request):
@@ -95,6 +104,15 @@ class OAuth2LoginNoSSOView(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
+
 
 class OAuth2LoginForceMFA(View):
     def get(self, request):
@@ -106,6 +124,15 @@ class OAuth2LoginForceMFA(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
+
 
 class OAuth2LogoutView(View):
     def get(self, request):
@@ -117,3 +144,13 @@ class OAuth2LogoutView(View):
         """
         logout(request)
         return redirect(provider_config.build_end_session_endpoint())
+
+    def post(self, request):
+        """
+        Logs out the user from both Django and ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        logout(request)
+        return redirect(provider_config.build_end_session_endpoint())

{django_auth_adfs-1.13.0.dist-info → django_auth_adfs-1.15.0.dist-info}/METADATA

@@ -1,22 +1,19 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: django-auth-adfs
-Version: 1.13.0
+Version: 1.15.0
 Summary: A Django authentication backend for Microsoft ADFS and AzureAD
-Home-page: https://github.com/snok/django-auth-adfs
 License: BSD-1-Clause
 Keywords: django,authentication,adfs,azure,ad,oauth2
 Author: Joris Beckers
 Author-email: joris.beckers@gmail.com
 Maintainer: Jonas Krüger Svensson
 Maintainer-email: jonas-ks@hotmail.com
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.9,<4.0
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Environment :: Web Environment
-Classifier: Framework :: Django :: 3.2
-Classifier: Framework :: Django :: 4.0
-Classifier: Framework :: Django :: 4.1
 Classifier: Framework :: Django :: 4.2
 Classifier: Framework :: Django :: 5.0
+Classifier: Framework :: Django :: 5.1
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: End Users/Desktop
 Classifier: License :: OSI Approved
@@ -24,11 +21,11 @@ Classifier: License :: OSI Approved :: BSD License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Internet :: WWW/HTTP
 Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
 Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
@@ -36,11 +33,12 @@ Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Requires-Dist: PyJWT
 Requires-Dist: cryptography
-Requires-Dist: django (>=3,<5) ; python_version >= "3.8" and python_version < "3.10"
-Requires-Dist: django (>=4,<6) ; python_version >= "3.10"
+Requires-Dist: django (>=4.2,<5.0) ; python_version >= "3.9" and python_version < "3.10"
+Requires-Dist: django (>=4.2,<6) ; python_version >= "3.10"
 Requires-Dist: requests
 Requires-Dist: urllib3
 Project-URL: Documentation, https://django-auth-adfs.readthedocs.io/en/latest
+Project-URL: Homepage, https://github.com/snok/django-auth-adfs
 Project-URL: Repository, https://github.com/snok/django-auth-adfs
 Description-Content-Type: text/x-rst
 
@@ -144,13 +142,36 @@ This will add these paths to Django:
 * ``/oauth2/callback`` where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.
 * ``/oauth2/logout`` which logs out the user from both Django and ADFS.
 
-You can use them like this in your django templates:
+Below is sample Django template code to use these paths depending if
+you'd like to use GET or POST requests. Logging out was deprecated in
+`Django 4.1 <https://docs.djangoproject.com/en/5.1/releases/4.1/#features-deprecated-in-4-1>`_.
 
-.. code-block:: html
+- Using GET requests:
 
-    <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
-    <a href="{% url 'django_auth_adfs:login' %}">Login</a>
-    <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+    .. code-block:: html
+
+        <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
+        <a href="{% url 'django_auth_adfs:login' %}">Login</a>
+        <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- Using POST requests:
+
+    .. code-block:: html+django
+
+        <form method="post" action="{% url 'django_auth_adfs:logout' %}">
+            {% csrf_token %}
+            <button type="submit">Logout</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login (no SSO)</button>
+        </form>
 
 Contributing
 ------------

django_auth_adfs-1.15.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+django_auth_adfs/__init__.py,sha256=1Bo5CRC7tY7wU69FiC93k65bICYiU4o1J3B8MKONPu0,137
+django_auth_adfs/backend.py,sha256=c18wj5UvViQE-ZYmocz_bS9Iv-6sFdnzRnemlHNxmBg,18442
+django_auth_adfs/config.py,sha256=Q6rsJHqVGESEdoLbLRn_H4qeH5c4knh3hKShdpjsSZ8,16376
+django_auth_adfs/drf-urls.py,sha256=bBnN1WrgbHoiAs5hTGe-ovmVwwJ4D2xXpYtZVfE8l5U,221
+django_auth_adfs/drf_urls.py,sha256=YKH7he1cCDr_eo0kgPJQiJ3kmo1FBS46JzSiBOOqwE0,430
+django_auth_adfs/exceptions.py,sha256=yxwKHtDSMnskgBdIQoCWerYVr8sGtIn26GWVVdhA2YU,110
+django_auth_adfs/middleware.py,sha256=st8Hx5pHWNcYUNWrCQht3QJqjw6RLQhWyxneTWal0Nw,2249
+django_auth_adfs/rest_framework.py,sha256=ajt2iCb02Yqzbv1TAyV3evAnY8z-YEDdsg7zHtx6120,1841
+django_auth_adfs/signals.py,sha256=HGD79-dZNEwqVuINoqe6jB_8K1RfuK5Q288RGamTtEU,137
+django_auth_adfs/templates/django_auth_adfs/login_failed.html,sha256=1NQ5aCjo7iTLSxy2IXJZbzBp5MaxpfsfQwQ_PDFvgr4,652
+django_auth_adfs/urls.py,sha256=4Cec5XbxrAqPHc_N3yMTC_m9UKZXsZktf3rO2niF4Bw,533
+django_auth_adfs/views.py,sha256=MHKDCUEvBpNyBCUreX-cCnpp7ThfeoKt_rTt_1CBq9s,5319
+django_auth_adfs-1.15.0.dist-info/LICENSE,sha256=WGMaA474V3mIMiWEkbMc-rCVt-uZvIjF4NqP1AIvNZo,1277
+django_auth_adfs-1.15.0.dist-info/METADATA,sha256=t1GQ3og2Nlw5s3M8qGpV2ph_a-iAGk1ebIORTKzwUio,6913
+django_auth_adfs-1.15.0.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+django_auth_adfs-1.15.0.dist-info/RECORD,,

{django_auth_adfs-1.13.0.dist-info → django_auth_adfs-1.15.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 1.8.1
+Generator: poetry-core 2.0.1
 Root-Is-Purelib: true
 Tag: py3-none-any

django_auth_adfs-1.13.0.dist-info/RECORD

@@ -1,16 +0,0 @@
-django_auth_adfs/__init__.py,sha256=9vYn5rXOE0Yseenm9R6nNk1venk-5LOByXYVfektj7g,137
-django_auth_adfs/backend.py,sha256=UxKnlMrQ3IMOnIiBd3itYtFOer-QxLTSHXXt5deew-s,18055
-django_auth_adfs/config.py,sha256=p9uNhl4C6OIuiUHAdYmW6LiqhvoI_ZnR_W-mh-u3Z6w,16251
-django_auth_adfs/drf-urls.py,sha256=bBnN1WrgbHoiAs5hTGe-ovmVwwJ4D2xXpYtZVfE8l5U,221
-django_auth_adfs/drf_urls.py,sha256=YKH7he1cCDr_eo0kgPJQiJ3kmo1FBS46JzSiBOOqwE0,430
-django_auth_adfs/exceptions.py,sha256=yxwKHtDSMnskgBdIQoCWerYVr8sGtIn26GWVVdhA2YU,110
-django_auth_adfs/middleware.py,sha256=st8Hx5pHWNcYUNWrCQht3QJqjw6RLQhWyxneTWal0Nw,2249
-django_auth_adfs/rest_framework.py,sha256=spWIXpb8UtVDvZ0_W_sJB-5u0hwvLNUCqbAhHf9N0W4,1656
-django_auth_adfs/signals.py,sha256=HGD79-dZNEwqVuINoqe6jB_8K1RfuK5Q288RGamTtEU,137
-django_auth_adfs/templates/django_auth_adfs/login_failed.html,sha256=1NQ5aCjo7iTLSxy2IXJZbzBp5MaxpfsfQwQ_PDFvgr4,652
-django_auth_adfs/urls.py,sha256=4Cec5XbxrAqPHc_N3yMTC_m9UKZXsZktf3rO2niF4Bw,533
-django_auth_adfs/views.py,sha256=kwMqcsDAgcuQRBgxpRVnFZY79ZkVo28LB3KOIbayI3E,4100
-django_auth_adfs-1.13.0.dist-info/LICENSE,sha256=WGMaA474V3mIMiWEkbMc-rCVt-uZvIjF4NqP1AIvNZo,1277
-django_auth_adfs-1.13.0.dist-info/METADATA,sha256=8RdnxYJtbsL9dMtSkQRrtXoBtNFV84GQfBiCuJVAaqk,6044
-django_auth_adfs-1.13.0.dist-info/WHEEL,sha256=FMvqSimYX_P7y0a7UY-_Mc83r5zkBZsCYPm7Lr0Bsq4,88
-django_auth_adfs-1.13.0.dist-info/RECORD,,