thunderbird_accounts.authentication.middleware

Functions

store_tokens(request, access_token, ...)

Store OIDC tokens.

Classes

AccountsOIDCBackend(*args, **kwargs)

User authentication middleware for OIDC

OIDCRefreshSession(get_response)

A middleware that will refresh the access token following proper OIDC protocol: https://auth0.com/docs/tokens/refresh-token/current

SetHostIPInAllowedHostsMiddleware(get_response)

thunderbird_accounts.authentication.middleware.store_tokens(request, access_token, id_token, refresh_token)[source]

Store OIDC tokens. Mostly copied from the base package, but adjusted to live outside of OIDCAuthenticationBackend and to take in refresh_token.

class thunderbird_accounts.authentication.middleware.AccountsOIDCBackend(*args, **kwargs)[source]

Bases: OIDCAuthenticationBackend

User authentication middleware for OIDC

This is our slightly customized mozilla-django-oidc middleware used to create/update/authenticate users against oidc flows.

get_user(user_id)[source]

Retrieve the user from OIDC get_user and additionally check if they’re active. Fixes https://github.com/mozilla/mozilla-django-oidc/issues/520

create_user(claims)[source]

Return object for a newly created user account.

update_user(user, claims)[source]

Update the existing user with new claims, save if necessary, and return the user.

filter_users_by_claims(claims)[source]

Return all users matching the specified oidc_id.

authenticate(request, **kwargs)[source]

Authenticates a user based on the OIDC code flow. Note: this is mostly a copy & paste from the middleware to accommodate refresh tokens. See https://github.com/thunderbird/thunderbird-accounts/issues/498 for more information.

get_userinfo(access_token, id_token, payload)[source]

Return user details dictionary. The id_token and payload are not used in the default implementation, but may be used when overriding this method.

class thunderbird_accounts.authentication.middleware.OIDCRefreshSession(get_response)[source]

Bases: SessionRefresh

A middleware that will refresh the access token following proper OIDC protocol: https://auth0.com/docs/tokens/refresh-token/current

Code is based on https://github.com/mozilla/mozilla-django-oidc/pull/377

is_refreshable_url(request)[source]

Is the session refreshable, and do we have a refresh token?

process_request(request)[source]

Handle a refresh session request. If it’s not refreshable or the token is not expired, we skip this and deal with the consequences elsewhere.

finish(request, prompt_reauth=True)[source]

Finish request handling and handle sending downstream responses for XHR.

This function should only be run if the session is determined to be expired.

Almost all XHR request handling in client-side code struggles with redirects since redirecting to a page where the user is supposed to do something is extremely unlikely to work in an XHR request. Make a special response for these kinds of requests.

The use of 403 Forbidden is to match the fact that this middleware doesn’t really want the user in if they don’t refresh their session.
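The refresh decision and the XHR-specific response described above, as an added example that is not the project's code: the session keys, exempt paths, login URL and XHR heuristic are assumptions, and plain dataclasses stand in for Django's request and response objects so it runs without Django.

```python
import time
from dataclasses import dataclass, field

@dataclass
class FakeRequest:
    """Constructed stand-in for a Django HttpRequest (example only)."""
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

@dataclass
class FakeResponse:
    """Constructed stand-in for a Django HttpResponse (example only)."""
    status_code: int
    headers: dict = field(default_factory=dict)

# Assumed session keys, exempt paths and login URL; the project's names may differ.
REFRESH_TOKEN_KEY = "oidc_refresh_token"
EXPIRY_KEY = "oidc_id_token_expiration"
EXEMPT_PREFIXES = ("/static/", "/health")
LOGIN_URL = "/oidc/authenticate/"

def is_refreshable_url(request) -> bool:
    """Refreshable when the path is not exempt and a refresh token is stored."""
    if request.path.startswith(EXEMPT_PREFIXES):
        return False
    return bool(request.session.get(REFRESH_TOKEN_KEY))

def token_expired(request, now=None) -> bool:
    """Compare the recorded expiry (epoch seconds) against the clock."""
    now = time.time() if now is None else now
    return now >= request.session.get(EXPIRY_KEY, 0)

def is_xhr(request) -> bool:
    """Heuristic for fetch/XMLHttpRequest callers (assumed, not the project's)."""
    return request.headers.get("X-Requested-With") == "XMLHttpRequest"

def finish(request, prompt_reauth=True):
    """Expired session: an XHR caller gets 403 plus a refresh hint instead of a
    redirect it cannot follow; a normal navigation is redirected to log in."""
    if is_xhr(request):
        headers = {"refresh_url": LOGIN_URL} if prompt_reauth else {}
        return FakeResponse(403, headers)
    return FakeResponse(302, {"Location": LOGIN_URL})

def process_request(request, now=None):
    """None lets the request continue; a response ends it at the middleware."""
    if not is_refreshable_url(request) or not token_expired(request, now):
        return None
    return finish(request)
```

Passing `now` explicitly makes the expiry branch deterministic in tests; in a real middleware it would come from the clock.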