peppelinux / django-oidc-op

A Django implementation of an OIDC Provider on top of IdentityPython jwtconnect stack.
Apache License 2.0

Example Missing? #17

Open thejimmyg opened 2 years ago

thejimmyg commented 2 years ago

I'm trying to follow the example instructions, but the example folder is missing. Please could it be added?

thejimmyg commented 2 years ago

Found example in oidc_provider/tests.

Here's what I had to do to be able to log into the Django admin. Will add more findings here.

git clone https://github.com/peppelinux/django-oidc-op.git
cd django-oidc-op
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
cd oidc_provider/tests/example
ln -s ../../../oidc_provider oidc_provider
./manage.py makemigrations
./manage.py migrate
./manage.py createsuperuser
./manage.py runserver

peppelinux commented 2 years ago

yes, feel free to open a PR to fix this in the README

thejimmyg commented 2 years ago

Thanks @peppelinux. I'll do some more experimenting first.

For example on macOS, run.sh fails with:

uwsgi: unrecognized option `--https'

and if you try ./manage.py runserver without the HTTPS certificates, Django admin login fails on Safari with a 403 CSRF error (but it works in Chrome).

You seem to need to re-compile uwsgi like this:

CFLAGS="-I/usr/local/opt/openssl/include" LDFLAGS="-L/usr/local/opt/openssl/lib" UWSGI_PROFILE_OVERRIDE=ssl=true pip install uwsgi -Iv

Then you can run:

uwsgi --wsgi-file example/wsgi.py --https 0.0.0.0:8000,./data/oidc_op/certs/cert.pem,./data/oidc_op/certs/key.pem -b 32768 --honour-stdin

and visit https://localhost:8000/admin/ in Safari. Once you accept the certificate it works.

You can then run the tests successfully like this:

./manage.py test oidc_provider

I also found this worked from the project root directory:

python3 snippets/rp_handler.py -c oidc_provider/tests/oidc_rp/conf.json -u test -p testami18 -iss django_provider

But I couldn't find the conf.django.yaml file for the other example mentioned in the README.md.

thejimmyg commented 2 years ago

OK, found a copy of it in the history here:

https://github.com/peppelinux/django-oidc-op/blob/834ceada50cb719659e6e72ceac8c4c7824184a2/example/data/oidc_rp/conf.django.yaml

But having tried it and adjusted port and domain it doesn't work.

I think instead you are supposed to use:

git clone https://github.com/IdentityPython/JWTConnect-Python-OidcRP.git
cd JWTConnect-Python-OidcRP/example
RP_LOGFILE_NAME="./flrp.django.log" python3 -m flask_rp.wsgi ../../django-oidc-op/oidc_provider/tests/oidc_rp/conf.json

In order to get this to work you need to edit that conf.json file and remove a trailing comma on line 267; otherwise you get an error:

json.decoder.JSONDecodeError: Expecting property name enclosed in double quotes: line 266 column 7 (char 6172)

Now if I choose django-provider as one of the preconfigured OpenID Connect Providers I get a bit further. I can enter my admin credentials, but it redirects to example.org which is a domain that is not set up. Perhaps that needs changing.

thejimmyg commented 2 years ago

OK, if you apply this patch to conf.json the JWTConnect-Python-OidcRP example works:

diff --git a/oidc_provider/tests/oidc_rp/conf.json b/oidc_provider/tests/oidc_rp/conf.json
index 46b11d6..c92761c 100644
--- a/oidc_provider/tests/oidc_rp/conf.json
+++ b/oidc_provider/tests/oidc_rp/conf.json
@@ -34,7 +34,7 @@
   },
   "port": 8090,
   "domain": "127.0.0.1",
-  "base_url": "https://example.org",
+  "base_url": "https://localhost:8090",
   "httpc_params": {
     "verify": false
   },
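Review bot: the new base_url uses the host localhost while "domain" two lines above stays 127.0.0.1. The OP compares the redirect_uri the RP sends against the registered one as an exact string, so it is safer to use one host form (localhost or 127.0.0.1) consistently for base_url, domain and every redirect/logout URI, and to visit the RP at that same host so its session cookie comes back on the callback.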
@@ -263,22 +263,18 @@
         "token_endpoint_auth_method": [
           "client_secret_basic",
           "client_secret_post"
-        ],
+        ]
       },
       "issuer": "https://127.0.0.1:8000/",
-
-     # "client_id": "DBP60x3KUQfCYWZlqFaS_Q",
-     # "client_secret": "8526270403788522b2444e87ea90c53bcafb984119cec92eeccc12f1",
-
       "redirect_uris": [
-        "https://example.org/authz_cb/django_provider"
+        "https://localhost:8090/authz_cb/django_provider"
       ],
       "post_logout_redirect_uris": [
-        "https://example.org/session_logout/django_provider"
+        "https://localhost:8090/session_logout/django_provider"
       ],
-      "frontchannel_logout_uri": "https://example.org/fc_logout/django_provider",
+      "frontchannel_logout_uri": "https://localhost:8090/fc_logout/django_provider",
       "frontchannel_logout_session_required": true,
-      "backchannel_logout_uri": "https://example.org/bc_logout/django_provider",
+      "backchannel_logout_uri": "https://localhost:8090/bc_logout/django_provider",
       "backchannel_logout_session_required": true,
       "services": {
         "discovery": {

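Review bot: dropping the trailing comma after the token_endpoint_auth_method array fixes the reported JSONDecodeError, but the removed `#` lines were just as fatal, since JSON has no comment syntax; the file only parses once both are gone. Those lines also carried a client_secret value, which should not live in a tracked config even commented out; if the RP is expected to obtain its credentials by dynamic registration instead, a sentence in the README saying so would help the next reader.
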
@@ -323,5 +319,7 @@
     "server_cert": "certs/cert.pem",
     "server_key": "certs/key.pem",
     "debug": true
-  }
+  },
+  "port": 8090,
+  "domain": "127.0.0.1"
 }
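Review bot: the added "port": 8090 and "domain": "127.0.0.1" duplicate the top-level keys already present at lines 35-36 (see the first hunk). Python's json.loads silently keeps the last occurrence, so this is harmless today, but a second copy is easy to edit out of sync; drop this addition or the earlier pair so each key is defined once.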

The tests still pass with this config, even if you rename this one so that it is enabled too:

../_test_02_oidcrp.py -> ../test_02_oidcrp.py

Just change the sleep to 5 seconds instead of 2 to give uWSGI a chance to load.

git clone https://github.com/IdentityPython/JWTConnect-Python-OidcRP.git
cd JWTConnect-Python-OidcRP/example
RP_LOGFILE_NAME="./flrp.django.log" python3 -m flask_rp.wsgi ../../django-oidc-op/oidc_provider/tests/oidc_rp/conf.json

Visit https://127.0.0.1:8090 and choose django_provider, then log in with test and testami18 and you'll see this:

Screenshot 2022-08-02 at 14 04 19
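The config problems this thread ran into (a trailing comma and `#` comment lines that make conf.json unparseable, top-level keys defined twice, callback URIs pointing at example.org while the RP is bound elsewhere) can be caught before starting the RP. The checker below is an added example, not code from django-oidc-op or JWTConnect-Python-OidcRP; it assumes the per-provider entries sit under a top-level "clients" object, and the sample input is constructed to mirror the pre-patch file.

```python
import json
from urllib.parse import urlsplit

# Keys whose values must point back at this RP's own base_url.
URI_KEYS = ("redirect_uris", "post_logout_redirect_uris",
            "frontchannel_logout_uri", "backchannel_logout_uri")


def _no_duplicates(pairs):
    """object_pairs_hook: plain json.loads would silently keep the last duplicate key."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def check_rp_conf(text):
    """Return a list of findings for an RP conf.json; an empty list means it looks consistent."""
    try:
        conf = json.loads(text, object_pairs_hook=_no_duplicates)
    except json.JSONDecodeError as exc:
        # Trailing commas and '#' comment lines both end up here: JSON allows neither.
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    except ValueError as exc:
        return [str(exc)]
    findings = []
    base = urlsplit(conf.get("base_url", ""))
    if base.port != conf.get("port"):
        findings.append(f"base_url port {base.port} != port {conf.get('port')}")
    if base.hostname != conf.get("domain"):
        findings.append(f"base_url host {base.hostname!r} != domain {conf.get('domain')!r}")
    # Assumption: per-provider entries live under a top-level "clients" object.
    for name, client in conf.get("clients", {}).items():
        for key in URI_KEYS:
            value = client.get(key)
            for uri in (value if isinstance(value, list) else [value] if value else []):
                # The OP matches the redirect_uri string exactly, so the origin must be ours.
                if urlsplit(uri).netloc != base.netloc:
                    findings.append(f"{name}.{key}: {uri} is not under {conf.get('base_url')}")
    return findings


# Constructed sample reproducing the pre-patch state of the thread's conf.json.
BEFORE = """{
  "port": 8090, "domain": "127.0.0.1", "base_url": "https://example.org",
  "clients": {"django_provider": {
    "redirect_uris": ["https://example.org/authz_cb/django_provider"]}}
}"""
```

Run `check_rp_conf(open("oidc_provider/tests/oidc_rp/conf.json").read())` against the real file; the pre-patch sample reports that the RP listens on 127.0.0.1:8090 while every callback is advertised under example.org.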