suitenumerique
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 10 additions & 0 deletions b/‎pyproject.toml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/lasuite/oidc/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎src/lasuite/oidc/__init__.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/lasuite/oidc/backends.py‎
Lines changed: 178 additions & 0 deletions b/‎src/lasuite/oidc/backends.py‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎src/lasuite/oidc/urls.py‎
Lines changed: 17 additions & 0 deletions b/‎src/lasuite/oidc/urls.py‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎src/lasuite/oidc/views.py‎
Lines changed: 136 additions & 0 deletions b/‎src/lasuite/oidc/views.py‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎src/lasuite/oidc_resource_server/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎src/lasuite/oidc_resource_server/__init__.py‎
Lines changed: 1 addition & 0 deletions
@@ -11,5 +11,6 @@ and this project adheres to
 ### Added
 
 - ✨(tools) extract domain from email address #2
+- ✨(oidc) add the authentication backends #2
 
 [unreleased]: https://github.com/suitenumerique/django-lasuite/commits/main/
@@ -24,6 +24,11 @@ classifiers = [
 ]
 dependencies = [
     "django>=5.0",
+    "djangorestframework>=3.15.2",
+    "mozilla-django-oidc>=4.0.1",
+    "joserfc>=1.0.4",
+    "requests>=2.32.3",
+    "PyJWT>=2.10.1",
 ]
 
 [project.urls]
@@ -36,7 +41,10 @@ build = [
     "wheel",
 ]
 dev = [
+    "factory_boy",
     "pytest",
+    "pytest-django",
+    "responses",
     "ruff",
 ]
 
@@ -110,6 +118,8 @@ lint.per-file-ignores = {"**/tests/*"= [
     "S",
     # flake8-self
     "SLF",
+    # magic-value-comparison
+    "PLR2004",
 ]}
 
 
 
@@ -0,0 +1 @@
+"""OIDC authentication module."""
@@ -0,0 +1,178 @@
+"""Authentication Backends for the People core app."""
+
+import logging
+
+import requests
+from django.conf import settings
+from django.core.exceptions import SuspiciousOperation
+from django.utils.translation import gettext_lazy as _
+from mozilla_django_oidc.auth import (
+    OIDCAuthenticationBackend as MozillaOIDCAuthenticationBackend,
+)
+
+logger = logging.getLogger(__name__)
+
+
+OIDC_USER_SUB_FIELD = getattr(
+    settings,
+    "OIDC_USER_SUB_FIELD",
+    "sub",
+)  # Default to 'sub' if not set in settings
+
+
+class OIDCAuthenticationBackend(MozillaOIDCAuthenticationBackend):
+    """
+    Custom OpenID Connect (OIDC) Authentication Backend.
+
+    This class overrides the default OIDC Authentication Backend to accommodate differences
+    in the User model, and handles signed and/or encrypted UserInfo response.
+    """
+
+    def get_extra_claims(self, user_info):
+        """
+        Return extra claims from user_info.
+
+        Args:
+          user_info (dict): The user information dictionary.
+
+        Returns:
+          dict: A dictionary of extra claims.
+
+        """
+        return {
+            "name": self.compute_full_name(user_info),
+        }
+
+    def post_get_or_create_user(self, user, claims):
+        """
+        Post-processing after user creation or retrieval.
+
+        Args:
+          user (User): The user instance.
+          claims (dict): The claims dictionary.
+
+        Returns:
+        - None
+
+        """
+
+    def get_userinfo(self, access_token, id_token, payload):
+        """
+        Return user details dictionary.
+
+        Args:
+          access_token (str): The access token.
+          id_token (str): The id token (unused).
+          payload (dict): The token payload (unused).
+
+        Note: The id_token and payload parameters are unused in this implementation,
+        but were kept to preserve base method signature.
+
+        Note: It handles signed and/or encrypted UserInfo Response. It is required by
+        Agent Connect, which follows the OIDC standard. It forces us to override the
+        base method, which deal with 'application/json' response.
+
+        Returns:
+          dict: User details dictionary obtained from the OpenID Connect user endpoint.
+
+        """
+        user_response = requests.get(
+            self.OIDC_OP_USER_ENDPOINT,
+            headers={"Authorization": f"Bearer {access_token}"},
+            verify=self.get_settings("OIDC_VERIFY_SSL", True),
+            timeout=self.get_settings("OIDC_TIMEOUT", None),
+            proxies=self.get_settings("OIDC_PROXY", None),
+        )
+        user_response.raise_for_status()
+        return self.verify_token(user_response.text)
+
+    def get_or_create_user(self, access_token, id_token, payload):
+        """
+        Return a User based on userinfo. Create a new user if no match is found.
+
+        Args:
+          access_token (str): The access token.
+          id_token (str): The ID token.
+          payload (dict): The user payload.
+
+        Returns:
+          User: An existing or newly created User instance.
+
+        Raises:
+          Exception: Raised when user creation is not allowed and no existing user is found.
+
+        """
+        user_info = self.get_userinfo(access_token, id_token, payload)
+
+        sub = user_info.get("sub")
+        if not sub:
+            raise SuspiciousOperation(_("User info contained no recognizable user identification"))
+
+        # Get user's full name from OIDC fields defined in settings
+        email = user_info.get("email")
+
+        claims = {
+            OIDC_USER_SUB_FIELD: sub,
+            "email": email,
+        }
+        claims.update(**self.get_extra_claims(user_info))
+
+        # if sub is absent, try matching on email
+        user = self.get_existing_user(sub, email)
+
+        if user:
+            if not user.is_active:
+                raise SuspiciousOperation(_("User account is disabled"))
+            self.update_user_if_needed(user, claims)
+
+        elif self.get_settings("OIDC_CREATE_USER", True):
+            user = self.create_user(claims)
+
+        self.post_get_or_create_user(user, claims)
+        return user
+
+    def create_user(self, claims):
+        """Return a newly created User instance."""
+        sub = claims.get("sub")
+        if sub is None:
+            raise SuspiciousOperation(_("Claims contained no recognizable user identification"))
+
+        logger.info("Creating user %s", sub)
+
+        user = self.UserModel(**claims)
+        user.set_unusable_password()
+        user.save()
+
+        return user
+
+    def compute_full_name(self, user_info):
+        """Compute user's full name based on OIDC fields in settings."""
+        name_fields = settings.USER_OIDC_FIELDS_TO_NAME
+        full_name = " ".join(user_info[field] for field in name_fields if user_info.get(field))
+        return full_name or None
+
+    def get_existing_user(self, sub, email):
+        """Fetch existing user by sub or email."""
+        try:
+            return self.UserModel.objects.get(sub=sub)
+        except self.UserModel.DoesNotExist:
+            if email and settings.OIDC_FALLBACK_TO_EMAIL_FOR_IDENTIFICATION:
+                try:
+                    return self.UserModel.objects.get(email=email)
+                except self.UserModel.DoesNotExist:
+                    pass
+        return None
+
+    def update_user_if_needed(self, user, claims):
+        """Update user claims if they have changed."""
+        updated_claims = {}
+        for key in claims:
+            if not hasattr(user, key):
+                continue
+
+            claim_value = claims.get(key)
+            if claim_value and claim_value != getattr(user, key):
+                updated_claims[key] = claim_value
+
+        if updated_claims:
+            self.UserModel.objects.filter(sub=user.sub).update(**updated_claims)
@@ -0,0 +1,17 @@
+"""Authentication URLs for the People core app."""
+
+from django.urls import path
+from mozilla_django_oidc.urls import urlpatterns as mozilla_oidc_urls
+
+from .views import OIDCLogoutCallbackView, OIDCLogoutView
+
+urlpatterns = [
+    # Override the default 'logout/' path from Mozilla Django OIDC with our custom view.
+    path("logout/", OIDCLogoutView.as_view(), name="oidc_logout_custom"),
+    path(
+        "logout-callback/",
+        OIDCLogoutCallbackView.as_view(),
+        name="oidc_logout_callback",
+    ),
+    *mozilla_oidc_urls,
+]
@@ -0,0 +1,136 @@
+"""Authentication Views for the People core app."""
+
+from urllib.parse import urlencode
+
+from django.contrib import auth
+from django.core.exceptions import SuspiciousOperation
+from django.http import HttpResponseRedirect
+from django.urls import reverse
+from django.utils import crypto
+from mozilla_django_oidc.utils import (
+    absolutify,
+)
+from mozilla_django_oidc.views import (
+    OIDCLogoutView as MozillaOIDCOIDCLogoutView,
+)
+
+
+class OIDCLogoutView(MozillaOIDCOIDCLogoutView):
+    """
+    Custom logout view for handling OpenID Connect (OIDC) logout flow.
+
+    Adds support for handling logout callbacks from the identity provider (OP)
+    by initiating the logout flow if the user has an active session.
+
+    The Django session is retained during the logout process to persist the 'state' OIDC parameter.
+    This parameter is crucial for maintaining the integrity of the logout flow between this call
+    and the subsequent callback.
+    """
+
+    @staticmethod
+    def persist_state(request, state):
+        """
+        Persist the given 'state' parameter in the session's 'oidc_states' dictionary.
+
+        This method is used to store the OIDC state parameter in the session, according to the
+        structure expected by Mozilla Django OIDC's 'add_state_and_verifier_and_nonce_to_session'
+        utility function.
+        """
+        if "oidc_states" not in request.session or not isinstance(request.session["oidc_states"], dict):
+            request.session["oidc_states"] = {}
+
+        request.session["oidc_states"][state] = {}
+        request.session.save()
+
+    def construct_oidc_logout_url(self, request):
+        """
+        Create the redirect URL for interfacing with the OIDC provider.
+
+        Retrieves the necessary parameters from the session and constructs the URL
+        required to initiate logout with the OpenID Connect provider.
+
+        If no ID token is found in the session, the logout flow will not be initiated,
+        and the method will return the default redirect URL.
+
+        The 'state' parameter is generated randomly and persisted in the session to ensure
+        its integrity during the subsequent callback.
+        """
+        oidc_logout_endpoint = self.get_settings("OIDC_OP_LOGOUT_ENDPOINT")
+
+        if not oidc_logout_endpoint:
+            return self.redirect_url
+
+        reverse_url = reverse("oidc_logout_callback")
+        id_token = request.session.get("oidc_id_token", None)
+
+        if not id_token:
+            return self.redirect_url
+
+        query = {
+            "id_token_hint": id_token,
+            "state": crypto.get_random_string(self.get_settings("OIDC_STATE_SIZE", 32)),
+            "post_logout_redirect_uri": absolutify(request, reverse_url),
+        }
+
+        self.persist_state(request, query["state"])
+
+        return f"{oidc_logout_endpoint}?{urlencode(query)}"
+
+    def post(self, request):
+        """
+        Handle user logout.
+
+        If the user is not authenticated, redirects to the default logout URL.
+        Otherwise, constructs the OIDC logout URL and redirects the user to start
+        the logout process.
+
+        If the user is redirected to the default logout URL, ensure her Django session
+        is terminated.
+        """
+        logout_url = self.redirect_url
+
+        if request.user.is_authenticated:
+            logout_url = self.construct_oidc_logout_url(request)
+
+        # If the user is not redirected to the OIDC provider, ensure logout
+        if logout_url == self.redirect_url:
+            auth.logout(request)
+
+        return HttpResponseRedirect(logout_url)
+
+
+class OIDCLogoutCallbackView(MozillaOIDCOIDCLogoutView):
+    """
+    Custom view for handling the logout callback from the OpenID Connect (OIDC) provider.
+
+    Handles the callback after logout from the identity provider (OP).
+    Verifies the state parameter and performs necessary logout actions.
+
+    The Django session is maintained during the logout process to ensure the integrity
+    of the logout flow initiated in the previous step.
+    """
+
+    http_method_names = ["get"]
+
+    def get(self, request):
+        """
+        Handle the logout callback.
+
+        If the user is not authenticated, redirects to the default logout URL.
+        Otherwise, verifies the state parameter and performs necessary logout actions.
+        """
+        if not request.user.is_authenticated:
+            return HttpResponseRedirect(self.redirect_url)
+
+        state = request.GET.get("state")
+
+        if state not in request.session.get("oidc_states", {}):
+            msg = "OIDC callback state not found in session `oidc_states`!"
+            raise SuspiciousOperation(msg)
+
+        del request.session["oidc_states"][state]
+        request.session.save()
+
+        auth.logout(request)
+
+        return HttpResponseRedirect(self.redirect_url)
@@ -0,0 +1 @@
+"""Backend resource server module."""