django-auth-adfs 1.14.0__tar.gz → 1.15.0__tar.gz

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/PKG-INFO

@@ -1,19 +1,19 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.3
 Name: django-auth-adfs
-Version: 1.14.0
+Version: 1.15.0
 Summary: A Django authentication backend for Microsoft ADFS and AzureAD
-Home-page: https://github.com/snok/django-auth-adfs
 License: BSD-1-Clause
 Keywords: django,authentication,adfs,azure,ad,oauth2
 Author: Joris Beckers
 Author-email: joris.beckers@gmail.com
 Maintainer: Jonas Krüger Svensson
 Maintainer-email: jonas-ks@hotmail.com
-Requires-Python: >=3.8,<4.0
+Requires-Python: >=3.9,<4.0
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Environment :: Web Environment
 Classifier: Framework :: Django :: 4.2
 Classifier: Framework :: Django :: 5.0
+Classifier: Framework :: Django :: 5.1
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: End Users/Desktop
 Classifier: License :: OSI Approved
@@ -21,11 +21,11 @@ Classifier: License :: OSI Approved :: BSD License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Internet :: WWW/HTTP
 Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
 Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
@@ -33,11 +33,12 @@ Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Requires-Dist: PyJWT
 Requires-Dist: cryptography
-Requires-Dist: django (>=4.2,<5.0) ; python_version >= "3.8" and python_version < "3.10"
+Requires-Dist: django (>=4.2,<5.0) ; python_version >= "3.9" and python_version < "3.10"
 Requires-Dist: django (>=4.2,<6) ; python_version >= "3.10"
 Requires-Dist: requests
 Requires-Dist: urllib3
 Project-URL: Documentation, https://django-auth-adfs.readthedocs.io/en/latest
+Project-URL: Homepage, https://github.com/snok/django-auth-adfs
 Project-URL: Repository, https://github.com/snok/django-auth-adfs
 Description-Content-Type: text/x-rst
 
@@ -141,13 +142,36 @@ This will add these paths to Django:
 * ``/oauth2/callback`` where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.
 * ``/oauth2/logout`` which logs out the user from both Django and ADFS.
 
-You can use them like this in your django templates:
+Below is sample Django template code to use these paths depending if
+you'd like to use GET or POST requests. Logging out was deprecated in
+`Django 4.1 <https://docs.djangoproject.com/en/5.1/releases/4.1/#features-deprecated-in-4-1>`_.
 
-.. code-block:: html
+- Using GET requests:
 
-    <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
-    <a href="{% url 'django_auth_adfs:login' %}">Login</a>
-    <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+    .. code-block:: html
+
+        <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
+        <a href="{% url 'django_auth_adfs:login' %}">Login</a>
+        <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- Using POST requests:
+
+    .. code-block:: html+django
+
+        <form method="post" action="{% url 'django_auth_adfs:logout' %}">
+            {% csrf_token %}
+            <button type="submit">Logout</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login (no SSO)</button>
+        </form>
 
 Contributing
 ------------

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/README.rst

@@ -98,13 +98,36 @@ This will add these paths to Django:
 * ``/oauth2/callback`` where ADFS redirects back to after login. So make sure you set the redirect URI on ADFS to this.
 * ``/oauth2/logout`` which logs out the user from both Django and ADFS.
 
-You can use them like this in your django templates:
-
-.. code-block:: html
-
-    <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
-    <a href="{% url 'django_auth_adfs:login' %}">Login</a>
-    <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+Below is sample Django template code to use these paths depending if
+you'd like to use GET or POST requests. Logging out was deprecated in
+`Django 4.1 <https://docs.djangoproject.com/en/5.1/releases/4.1/#features-deprecated-in-4-1>`_.
+
+- Using GET requests:
+
+    .. code-block:: html
+
+        <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
+        <a href="{% url 'django_auth_adfs:login' %}">Login</a>
+        <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- Using POST requests:
+
+    .. code-block:: html+django
+
+        <form method="post" action="{% url 'django_auth_adfs:logout' %}">
+            {% csrf_token %}
+            <button type="submit">Logout</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login</button>
+        </form>
+        <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">
+            {% csrf_token %}
+            <input type="hidden" name="next" value="{{ next }}">
+            <button type="submit">Login (no SSO)</button>
+        </form>
 
 Contributing
 ------------

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/django_auth_adfs/__init__.py

@@ -4,4 +4,4 @@ This file is imported by setup.py
 Adding imports here will break setup.py
 """
 
-__version__ = '1.14.0'
+__version__ = '1.15.0'

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/django_auth_adfs/backend.py

@@ -15,19 +15,22 @@ logger = logging.getLogger("django_auth_adfs")
 
 
 class AdfsBaseBackend(ModelBackend):
-    def exchange_auth_code(self, authorization_code, request):
-        logger.debug("Received authorization code: %s", authorization_code)
-        data = {
-            'grant_type': 'authorization_code',
-            'client_id': settings.CLIENT_ID,
-            'redirect_uri': provider_config.redirect_uri(request),
-            'code': authorization_code,
-        }
-        if settings.CLIENT_SECRET:
-            data['client_secret'] = settings.CLIENT_SECRET
 
-        logger.debug("Getting access token at: %s", provider_config.token_endpoint)
-        response = provider_config.session.post(provider_config.token_endpoint, data, timeout=settings.TIMEOUT)
+    def _ms_request(self, action, url, data=None, **kwargs):
+        """
+        Make a Microsoft Entra/GraphQL request
+
+
+        Args:
+            action (callable): The callable for making a request.
+            url (str): The URL the request should be sent to.
+            data (dict): Optional dictionary of data to be sent in the request.
+
+        Returns:
+            response: The response from the server. If it's not a 200, a
+                      PermissionDenied is raised.
+        """
+        response = action(url, data=data, timeout=settings.TIMEOUT, **kwargs)
         # 200 = valid token received
         # 400 = 'something' is wrong in our request
         if response.status_code == 400:
@@ -39,7 +42,21 @@ class AdfsBaseBackend(ModelBackend):
         if response.status_code != 200:
             logger.error("Unexpected ADFS response: %s", response.content.decode())
             raise PermissionDenied
+        return response
 
+    def exchange_auth_code(self, authorization_code, request):
+        logger.debug("Received authorization code: %s", authorization_code)
+        data = {
+            'grant_type': 'authorization_code',
+            'client_id': settings.CLIENT_ID,
+            'redirect_uri': provider_config.redirect_uri(request),
+            'code': authorization_code,
+        }
+        if settings.CLIENT_SECRET:
+            data['client_secret'] = settings.CLIENT_SECRET
+
+        logger.debug("Getting access token at: %s", provider_config.token_endpoint)
+        response = self._ms_request(provider_config.session.post, provider_config.token_endpoint, data)
         adfs_response = response.json()
         return adfs_response
 
@@ -66,21 +83,30 @@ class AdfsBaseBackend(ModelBackend):
         else:
             data["resource"] = 'https://graph.microsoft.com'
 
-        response = provider_config.session.get(provider_config.token_endpoint, data=data, timeout=settings.TIMEOUT)
-        # 200 = valid token received
-        # 400 = 'something' is wrong in our request
-        if response.status_code == 400:
-            logger.error("ADFS server returned an error: %s", response.json()["error_description"])
-            raise PermissionDenied
-
-        if response.status_code != 200:
-            logger.error("Unexpected ADFS response: %s", response.content.decode())
-            raise PermissionDenied
-
+        response = self._ms_request(provider_config.session.get, provider_config.token_endpoint, data)
         obo_access_token = response.json()["access_token"]
         logger.debug("Received OBO access token: %s", obo_access_token)
         return obo_access_token
 
+    def get_group_memberships_from_ms_graph_params(self):
+        """
+        Return the parameters to be used in the querystring
+        when fetching the user's group memberships.
+
+        Possible keys to be used:
+            - $count
+            - $expand
+            - $filter
+            - $orderby
+            - $search
+            - $select
+            - $top
+
+        Docs:
+            https://learn.microsoft.com/en-us/graph/api/group-list-transitivememberof?view=graph-rest-1.0&tabs=python#http-request
+        """
+        return {}
+
     def get_group_memberships_from_ms_graph(self, obo_access_token):
         """
         Looks up a users group membership from the MS Graph API
@@ -95,17 +121,12 @@ class AdfsBaseBackend(ModelBackend):
             provider_config.msgraph_endpoint
         )
         headers = {"Authorization": "Bearer {}".format(obo_access_token)}
-        response = provider_config.session.get(graph_url, headers=headers, timeout=settings.TIMEOUT)
-        # 200 = valid token received
-        # 400 = 'something' is wrong in our request
-        if response.status_code in [400, 401]:
-            logger.error("MS Graph server returned an error: %s", response.json()["message"])
-            raise PermissionDenied
-
-        if response.status_code != 200:
-            logger.error("Unexpected MS Graph response: %s", response.content.decode())
-            raise PermissionDenied
-
+        response = self._ms_request(
+            action=provider_config.session.get,
+            url=graph_url,
+            data=self.get_group_memberships_from_ms_graph_params(),
+            headers=headers,
+        )
         claim_groups = []
         for group_data in response.json()["value"]:
             if group_data["displayName"] is None:

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/django_auth_adfs/config.py

@@ -337,7 +337,10 @@ class ProviderConfig(object):
 
         """
         self.load_config()
-        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
+        if request.method == 'POST':
+            redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
+        else:
+            redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
         if not redirect_to:
             redirect_to = django_settings.LOGIN_REDIRECT_URL
         redirect_to = base64.urlsafe_b64encode(redirect_to.encode()).decode()

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/django_auth_adfs/rest_framework.py

@@ -6,6 +6,8 @@ from rest_framework.authentication import (
     BaseAuthentication, get_authorization_header
 )
 
+from django_auth_adfs.exceptions import MFARequired
+
 
 class AdfsAccessTokenAuthentication(BaseAuthentication):
     """
@@ -33,7 +35,10 @@ class AdfsAccessTokenAuthentication(BaseAuthentication):
         # Authenticate the user
         # The AdfsAuthCodeBackend authentication backend will notice the "access_token" parameter
         # and skip the request for an access token using the authorization code
-        user = authenticate(access_token=auth[1])
+        try:
+            user = authenticate(access_token=auth[1])
+        except MFARequired as e:
+            raise exceptions.AuthenticationFailed('MFA auth is required.') from e
 
         if user is None:
             raise exceptions.AuthenticationFailed('Invalid access token.')

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/django_auth_adfs/views.py

@@ -84,6 +84,15 @@ class OAuth2LoginView(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request))
+
 
 class OAuth2LoginNoSSOView(View):
     def get(self, request):
@@ -95,6 +104,15 @@ class OAuth2LoginNoSSOView(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
+
 
 class OAuth2LoginForceMFA(View):
     def get(self, request):
@@ -106,6 +124,15 @@ class OAuth2LoginForceMFA(View):
         """
         return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
 
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
+
 
 class OAuth2LogoutView(View):
     def get(self, request):
@@ -117,3 +144,13 @@ class OAuth2LogoutView(View):
         """
         logout(request)
         return redirect(provider_config.build_end_session_endpoint())
+
+    def post(self, request):
+        """
+        Logs out the user from both Django and ADFS
+
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        logout(request)
+        return redirect(provider_config.build_end_session_endpoint())

{django_auth_adfs-1.14.0 → django_auth_adfs-1.15.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = 'django-auth-adfs'
-version = "1.14.0"  # Remember to also change __init__.py version
+version = "1.15.0"  # Remember to also change __init__.py version
 description = 'A Django authentication backend for Microsoft ADFS and AzureAD'
 authors = ['Joris Beckers <joris.beckers@gmail.com>']
 maintainers = ['Jonas Krüger Svensson <jonas-ks@hotmail.com>', 'Sondre Lillebø Gundersen <sondrelg@live.no>']
@@ -14,17 +14,18 @@ classifiers = [
     'Environment :: Web Environment',
     'Framework :: Django :: 4.2',
     'Framework :: Django :: 5.0',
+    'Framework :: Django :: 5.1',
     'Intended Audience :: Developers',
     'Intended Audience :: End Users/Desktop',
     'Operating System :: OS Independent',
     'License :: OSI Approved :: BSD License',
     'Programming Language :: Python',
     'Programming Language :: Python :: 3',
-    'Programming Language :: Python :: 3.8',
     'Programming Language :: Python :: 3.9',
     'Programming Language :: Python :: 3.10',
     'Programming Language :: Python :: 3.11',
     'Programming Language :: Python :: 3.12',
+    'Programming Language :: Python :: 3.13',
     'Topic :: Internet :: WWW/HTTP',
     'Topic :: Internet :: WWW/HTTP :: Dynamic Content',
     'Topic :: Internet :: WWW/HTTP :: WSGI',
@@ -34,9 +35,9 @@ classifiers = [
 ]
 
 [tool.poetry.dependencies]
-python = '^3.8'
+python = '^3.9'
 django = [
-    { version = '^4.2', python = '>=3.8 <3.10' },
+    { version = '^4.2', python = '>=3.9 <3.10' },
     { version = '^4.2 || ^5', python = '>=3.10' },
 ]
 requests = '*'