Bump django-oauth-toolkit to 2.2.* (#2985)

src/pretix/api/migrations/0009_auto_20221217_1847.py

@@ -0,0 +1,77 @@
+# Generated by Django 3.2.16 on 2022-12-17 18:47
+
+import uuid
+
+import django.db.models.deletion
+import oauth2_provider.generators
+import oauth2_provider.models
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0226_itemvariationmetavalue'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('pretixapi', '0008_webhookcallretry'),
+    ]
+    run_before = [
+        ('oauth2_provider', '0002_auto_20190406_1805'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='oauthapplication',
+            name='algorithm',
+            field=models.CharField(default='', max_length=5),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='claims',
+            field=models.TextField(default=''),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge',
+            field=models.CharField(default='', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='code_challenge_method',
+            field=models.CharField(default='', max_length=10),
+        ),
+        migrations.AddField(
+            model_name='oauthgrant',
+            name='nonce',
+            field=models.CharField(default='', max_length=255),
+        ),
+        migrations.AlterField(
+            model_name='oauthapplication',
+            name='client_secret',
+            field=oauth2_provider.models.ClientSecretField(db_index=True, default=oauth2_provider.generators.generate_client_secret, max_length=255),
+        ),
+        migrations.CreateModel(
+            name='OAuthIDToken',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('jti', models.UUIDField(default=uuid.uuid4, unique=True)),
+                ('expires', models.DateTimeField()),
+                ('scope', models.TextField()),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
+                ('organizers', models.ManyToManyField(to='pretixbase.Organizer')),
+                ('user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='pretixapi_oauthidtoken', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='oauthaccesstoken',
+            name='id_token',
+            field=models.OneToOneField(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='access_token', to='pretixapi.oauthidtoken'),
+        ),
+    ]

src/pretix/api/models.py

@@ -29,8 +29,8 @@ from oauth2_provider.generators import (
     generate_client_id, generate_client_secret,
 )
 from oauth2_provider.models import (
-    AbstractAccessToken, AbstractApplication, AbstractGrant,
-    AbstractRefreshToken,
+    AbstractAccessToken, AbstractApplication, AbstractGrant, AbstractIDToken,
+    AbstractRefreshToken, ClientSecretField,
 )
 from oauth2_provider.validators import URIValidator
 
@@ -46,7 +46,7 @@ class OAuthApplication(AbstractApplication):
         verbose_name=_("Client ID"),
         max_length=100, unique=True, default=generate_client_id, db_index=True
     )
-    client_secret = models.CharField(
+    client_secret = ClientSecretField(
         verbose_name=_("Client secret"),
         max_length=255, blank=False, default=generate_client_secret, db_index=True
     )
@@ -67,12 +67,26 @@ class OAuthGrant(AbstractGrant):
     redirect_uri = models.CharField(max_length=2500)  # Only 255 in AbstractGrant, which caused problems
 
 
+class OAuthIDToken(AbstractIDToken):
+    application = models.ForeignKey(
+        OAuthApplication, on_delete=models.CASCADE,
+    )
+    organizers = models.ManyToManyField('pretixbase.Organizer')
+
+
 class OAuthAccessToken(AbstractAccessToken):
     source_refresh_token = models.OneToOneField(
         # unique=True implied by the OneToOneField
         'OAuthRefreshToken', on_delete=models.SET_NULL, blank=True, null=True,
         related_name="refreshed_access_token"
     )
+    id_token = models.OneToOneField(
+        OAuthIDToken,
+        on_delete=models.CASCADE,
+        blank=True,
+        null=True,
+        related_name="access_token",
+    )
     application = models.ForeignKey(
         OAuthApplication, on_delete=models.CASCADE, blank=True, null=True,
     )

src/pretix/control/views/oauth.py

@@ -65,6 +65,10 @@ class OAuthApplicationRegistrationView(ApplicationRegistration):
     def form_valid(self, form):
         form.instance.client_type = 'confidential'
         form.instance.authorization_grant_type = 'authorization-code'
+        secret = generate_client_secret()
+        messages.success(self.request, _('Your application has been created and an application secret has been generated. '
+                                         'Please copy and save it right now as it will not be shown again: {secret}').format(secret=secret))
+        form.instance.client_secret = secret
         oauth_application_registered.send(
             sender=self.request, user=self.request.user, application=form.instance
         )
@@ -74,18 +78,14 @@ class OAuthApplicationRegistrationView(ApplicationRegistration):
 class ApplicationUpdateForm(forms.ModelForm):
     class Meta:
         model = OAuthApplication
-        fields = ("name", "client_id", "client_secret", "redirect_uris")
+        fields = ("name", "client_id", "redirect_uris")
 
     def clean_client_id(self):
         return self.instance.client_id
 
-    def clean_client_secret(self):
-        return self.instance.client_secret
-
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['client_id'].widget.attrs['readonly'] = True
-        self.fields['client_secret'].widget.attrs['readonly'] = True
 
 
 class OAuthApplicationUpdateView(ApplicationUpdate):
@@ -103,8 +103,10 @@ class OAuthApplicationRollView(ApplicationDetail):
 
     def post(self, request, *args, **kwargs):
         self.object = self.get_object()
-        messages.success(request, _('A new client secret has been generated and is now effective.'))
-        self.object.client_secret = generate_client_secret()
+        secret = generate_client_secret()
+        messages.success(request, _('A new client secret has been generated. Please copy and save it right now as '
+                                    'it will not be shown again: {secret}').format(secret=secret))
+        self.object.client_secret = secret
         self.object.save()
         return HttpResponseRedirect(self.object.get_absolute_url())
 

src/pretix/settings.py

@@ -861,6 +861,7 @@ AUTH_PASSWORD_VALIDATORS = [
 OAUTH2_PROVIDER_APPLICATION_MODEL = 'pretixapi.OAuthApplication'
 OAUTH2_PROVIDER_GRANT_MODEL = 'pretixapi.OAuthGrant'
 OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = 'pretixapi.OAuthAccessToken'
+OAUTH2_PROVIDER_ID_TOKEN_MODEL = 'pretixapi.OAuthIDToken'
 OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = 'pretixapi.OAuthRefreshToken'
 OAUTH2_PROVIDER = {
     'SCOPES': {
@@ -872,7 +873,8 @@ OAUTH2_PROVIDER = {
     'ALLOWED_REDIRECT_URI_SCHEMES': ['https'] if not DEBUG else ['http', 'https'],
     'ACCESS_TOKEN_EXPIRE_SECONDS': 3600 * 24,
     'ROTATE_REFRESH_TOKEN': False,
-
+    'PKCE_REQUIRED': False,
+    'OIDC_RESPONSE_TYPES_SUPPORTED': ["code"],  # We don't support proper OIDC for now
 }
 
 COUNTRIES_OVERRIDE = {