# drf_simplejwt_with_oidc

An extension of [djangorestframework-simplejwt](https://github.com/jazzband/djangorestframework-simplejwt) that replaces basic auth with a call to an OIDC UserInfo endpoint to validate a token.


## Installation

```sh
pip install git+https://gitlab.umich.edu/its-inf-iam/drf_simplejwt_with_oidc.git
```

## Configuration

Follow the djangorestframework-simplejwt [Getting Started](https://django-rest-framework-simplejwt.readthedocs.io/en/latest/getting_started.html) guide for the base Django configuration.

Update the `urls.py` configuration to import this package's `OIDCTokenObtainPairView` as follows.

```py
from django.urls import include, path
from rest_framework_simplejwt.views import TokenRefreshView
from drf_simplejwt_with_oidc.views import OIDCTokenObtainPairView

urlpatterns = [
    path('api/token/', OIDCTokenObtainPairView.as_view(), name='token_obtain_pair'),
    path('api/token/refresh/', TokenRefreshView.as_view(), name='token_refresh'),
]
```

Set the following in `settings.py`:

```py
OIDC_USERINFO_URL
OIDC_USERINFO_TIMEOUT
```

## Usage

The token endpoint replaces basic auth and expects an `idp_access_token` in the JSON request body:

```sh
curl \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"idp_access_token": "<insert_token>"}' \
  http://localhost:8000/api/token/

...
{
  "access":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiY29sZF9zdHVmZiI6IuKYgyIsImV4cCI6MTIzNDU2LCJqdGkiOiJmZDJmOWQ1ZTFhN2M0MmU4OTQ5MzVlMzYyYmNhOGJjYSJ9.NHlztMGER7UADHZJlxNG0WSi22a2KaYSfd1S-AuT7lU",
  "refresh":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX3BrIjoxLCJ0b2tlbl90eXBlIjoicmVmcmVzaCIsImNvbGRfc3R1ZmYiOiLimIMiLCJleHAiOjIzNDU2NywianRpIjoiZGUxMmY0ZTY3MDY4NDI3ODg5ZjE1YWMyNzcwZGEwNTEifQ.aEoAYkSJjoWH1boshQAaTkf8G3yn0kapko6HFRt7Rh4"
}
```
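
The check this README describes (present the `idp_access_token` to the IdP's UserInfo endpoint, and issue JWTs only if the IdP accepts it) can be sketched as follows. This is an added example, not this package's code: `fetch_userinfo`, `InvalidIdPToken`, the placeholder URL and the timeout value are assumptions; only the two setting names come from the README.

```python
import json
import urllib.error
import urllib.request

# Assumed values for the two settings the README names (placeholder URL).
OIDC_USERINFO_URL = "https://idp.example.org/oidc/userinfo"
OIDC_USERINFO_TIMEOUT = 5  # seconds


class InvalidIdPToken(Exception):
    """The IdP did not vouch for the presented access token."""


def fetch_userinfo(idp_access_token, url=OIDC_USERINFO_URL,
                   timeout=OIDC_USERINFO_TIMEOUT,
                   urlopen=urllib.request.urlopen):
    """Return the UserInfo claims for a token or raise InvalidIdPToken.

    `urlopen` is injectable so the check can be exercised without a network.
    """
    if not isinstance(idp_access_token, str) or not idp_access_token.strip():
        raise InvalidIdPToken("missing idp_access_token")
    if any(ch.isspace() for ch in idp_access_token):
        # Whitespace or CR/LF has no place in a bearer token or a header value.
        raise InvalidIdPToken("malformed idp_access_token")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {idp_access_token}",
        "Accept": "application/json",
    })
    try:
        with urlopen(req, timeout=timeout) as resp:
            claims = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401/403 from the IdP: the token is expired, revoked or not its own.
        raise InvalidIdPToken(f"IdP rejected token (HTTP {exc.code})") from exc
    except (OSError, ValueError) as exc:
        # Fail closed: a timeout, an unreachable IdP or a non-JSON body
        # must never turn into a successful login.
        raise InvalidIdPToken("UserInfo lookup failed") from exc
    # OIDC Core requires "sub" in every UserInfo response.
    if not isinstance(claims, dict) or not claims.get("sub"):
        raise InvalidIdPToken("UserInfo response has no 'sub' claim")
    return claims
```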

The refresh endpoint behavior is unchanged from djangorestframework-simplejwt.