From 7c5152c5b0115f173dfc6b986bdcfc20db264884 Mon Sep 17 00:00:00 2001
From: Christian Merten
Date: Sun, 9 Mar 2025 20:10:21 +0100
Subject: [PATCH] feat: oauth provider

---
 jdav_web/jdav_web/settings/__init__.py | 1 +
 jdav_web/jdav_web/settings/components/base.py | 3 +++
 jdav_web/jdav_web/settings/components/oauth.py | 11 +++++++++++
 jdav_web/jdav_web/urls.py | 4 +++-
 jdav_web/logindata/oauth.py | 11 +++++++++++
 requirements.txt | 6 ++++++
 6 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 jdav_web/jdav_web/settings/components/oauth.py
 create mode 100644 jdav_web/logindata/oauth.py

diff --git a/jdav_web/jdav_web/settings/__init__.py b/jdav_web/jdav_web/settings/__init__.py
index 1fe9471..248f7d1 100644
--- a/jdav_web/jdav_web/settings/__init__.py
+++ b/jdav_web/jdav_web/settings/__init__.py
@@ -58,6 +58,7 @@ base_settings = [
 'components/emails.py',
 'components/texts.py',
 'components/locale.py',
+ 'components/oauth.py',
 ]
 
 include(*base_settings)
diff --git a/jdav_web/jdav_web/settings/components/base.py b/jdav_web/jdav_web/settings/components/base.py
index e546624..f3b5d89 100644
--- a/jdav_web/jdav_web/settings/components/base.py
+++ b/jdav_web/jdav_web/settings/components/base.py
@@ -52,6 +52,7 @@ INSTALLED_APPS = [
 'django_celery_beat',
 'rules',
 'jet',
+ 'oauth2_provider',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
@@ -196,3 +197,5 @@ STARTPAGE_URL_NAME_PATTERN = "[\w\-: *]"
 
 # admins to contact on error messages
 ADMINS = get_var('section', 'admins', default=[])
+
+LOGIN_URL = '/de/kompass/login/'
diff --git a/jdav_web/jdav_web/settings/components/oauth.py b/jdav_web/jdav_web/settings/components/oauth.py
new file mode 100644
index 0000000..5e8b831
--- /dev/null
+++ b/jdav_web/jdav_web/settings/components/oauth.py
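Review bot: `LOGIN_URL = '/de/kompass/login/'` hard-codes the German language prefix, so every login redirect — including the one `oauth2_provider`'s authorize view issues for an anonymous user — lands in the `/de/` tree even when the user is browsing another language served through `i18n_patterns`. Prefer a name-based, translation-aware value such as `LOGIN_URL = reverse_lazy('<login url name>')` (the login view's URL name is not visible in this patch), or, if the setting must stay a fixed path, add a comment stating why it is locale-pinned. A short comment above the line, e.g. `# Target for login_required and the OAuth2 authorize view when the user is anonymous`, would also tell the next reader why this setting sits next to ADMINS.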
@@ -0,0 +1,11 @@
+OAUTH2_PROVIDER = {
+ "OIDC_ENABLED": True,
+ "PKCE_REQUIRED": False,
+ "OAUTH2_VALIDATOR_CLASS": "logindata.oauth.CustomOAuth2Validator",
+ "OIDC_RSA_PRIVATE_KEY": get_var('oauth', 'oidc_rsa_private_key', default=''),
+ "SCOPES": {
+ "openid": "OpenID Connect scope",
+ "profile": "profile scope",
+ "email": "email scope",
+ },
+}
diff --git a/jdav_web/jdav_web/urls.py b/jdav_web/jdav_web/urls.py
index b32210c..1b034c0 100644
--- a/jdav_web/jdav_web/urls.py
+++ b/jdav_web/jdav_web/urls.py
@@ -13,13 +13,14 @@ Including another URLconf
 1. Import the include() function: from django.conf.urls import url, include
 2. Add a URL to urlpatterns: url(r'^blog/', include('blog.urls'))
 """
-from django.urls import re_path, include
+from django.urls import path, re_path, include
 from django.contrib import admin
 from django.conf.urls.static import static
 from django.conf.urls.i18n import i18n_patterns
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from django.views.generic.base import RedirectView
+from oauth2_provider import urls as oauth2_urls
 from .views import media_access
 
 admin.site.index_title = _('Startpage')
@@ -36,6 +37,7 @@ urlpatterns = i18n_patterns(
 re_path(r'^LBAlpin/Programm(/)?(20)?[0-9]{0,2}', include('ludwigsburgalpin.urls', namespace="ludwigsburgalpin")),
 re_path(r'^_nested_admin/', include('nested_admin.urls')),
+ path('o/', include(oauth2_urls)),
 re_path(r'^', include('startpage.urls', namespace="startpage")),
 )
diff --git a/jdav_web/logindata/oauth.py b/jdav_web/logindata/oauth.py
new file mode 100644
index 0000000..06d870b
--- /dev/null
+++ b/jdav_web/logindata/oauth.py
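Review bot: `"PKCE_REQUIRED": False` turns off the toolkit's default code-interception protection for the authorization-code flow, so an authorization code leaked through a log, referrer or a public client's redirect can be redeemed by whoever captured it; set `"PKCE_REQUIRED": True,` and, if one concrete client cannot do PKCE, relax it for that application alone with a comment naming it. `"OIDC_RSA_PRIVATE_KEY": get_var('oauth', 'oidc_rsa_private_key', default='')` enables OIDC with an empty signing key whenever the config value is missing; unless the toolkit rejects that at startup (not verified here), the problem surfaces only when the first ID token is signed, so raising `ImproperlyConfigured` when the value is empty would fail fast, and the key must come from the environment or a secrets file rather than any committed settings. The new module also uses `get_var` without importing it, which presumably only works because split-settings executes all component files in one shared namespace — a one-line comment at the top of the file stating that dependency would spare the next reader a NameError hunt.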
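Review bot: `path('o/', include(oauth2_urls))` is added inside the `i18n_patterns(...)` call, so the authorize, token, userinfo and OIDC discovery endpoints exist only under a language prefix such as `/de/o/...`, which is not the layout OAuth clients and OIDC discovery (`/o/.well-known/openid-configuration`) expect. If LocaleMiddleware is active (not visible in this patch), an unprefixed request gets a 302 to the prefixed path, and a client that replays a redirected POST to the token endpoint as GET is refused. Mount the toolkit outside the translated patterns, e.g. `urlpatterns = [path('o/', include(oauth2_urls))] + i18n_patterns(`, leaving the rest of the list unchanged. The `urlpatterns` assignment begins before this hunk.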
@@ -0,0 +1,11 @@
+from oauth2_provider.oauth2_validators import OAuth2Validator
+
+
+class CustomOAuth2Validator(OAuth2Validator):
+ # Set `oidc_claim_scope = None` to ignore scopes that limit which claims to return,
+ # otherwise the OIDC standard scopes are used.
+
+ def get_additional_claims(self, request):
+ return {
+ "preferred_username": request.user.username
+ }
diff --git a/requirements.txt b/requirements.txt
index 9e3be3a..abfb4de 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,6 +9,7 @@ billiard==3.6.4.0
 bleach==6.0.0
 celery==5.2.3
 certifi==2021.10.8
+cffi==1.17.1
 charset-normalizer==2.0.10
 click==8.0.3
 click-didyoumean==0.3.0
@@ -16,6 +17,7 @@ click-plugins==1.1.1
 click-repl==0.2.0
 coverage==7.5.4
 cron-descriptor==1.2.35
+cryptography==44.0.2
 Deprecated==1.2.13
 Django==4.2.20
 django-appconf==1.0.5
@@ -25,6 +27,7 @@ django-jet-reboot==1.3.10
 django-markdownify==0.9.3
 django-markdownx==4.0.2
 django-nested-admin==4.0.2
+django-oauth-toolkit==3.0.1
 django-split-settings==1.2.0
 django-timezone-field==5.0
 docutils==0.21.2
@@ -34,15 +37,18 @@ imagesize==1.4.1
 importlib-metadata==6.2.0
 importlib_resources==6.5.2
 Jinja2==3.1.4
+jwcrypto==1.5.6
 kombu==5.2.3
 Markdown==3.4.3
 MarkupSafe==3.0.2
 mysqlclient==2.1.0
+oauthlib==3.2.2
 openpyxl==3.1.5
 packaging==24.2
 Pillow==9.0.0
 prompt-toolkit==3.0.24
 pycountry==24.6.1
+pycparser==2.22
 Pygments==2.18.0
 pymemcache==4.0.0
 pyparsing==3.0.6
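Review bot: The two-line comment about `oidc_claim_scope = None` above `get_additional_claims` describes an attribute the class never sets, so a reader cannot tell whether the default scope-to-claim filtering is intended; either set the attribute or replace the comment with one stating the actual behaviour, e.g. `# Default oidc_claim_scope filtering applies: each claim below is released only with its mapped scope`. The settings in this patch advertise an `email` scope, yet the validator returns no `email` claim, so a client requesting that scope gets nothing back; if that is meant to work, return it here with `"email": request.user.email,` (assuming the user model exposes that field — confirm). A docstring on the class and the method should also say that `request` is the toolkit's oauthlib request object carrying the Django user as `request.user`, not an HttpRequest, since the signature does not make that obvious.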