From bcee356c24e6018fad1b21565f1600f97ced7613 Mon Sep 17 00:00:00 2001
From: Corey Shields
Date: Wed, 30 Dec 2020 10:29:28 -0500
Subject: [PATCH] auth0login updates

Start using JWT from auth0, along with updated social-auth-app plugin and newer jose. Tested locally but only with a http redirect, will test ssl in dev

Signed-off-by: Corey Shields
---
 auth0login/auth0backend.py | 23 +++++++++++++++--------
 requirements.txt           |  6 +++++-
 setup.cfg                  |  3 ++-
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/auth0login/auth0backend.py b/auth0login/auth0backend.py
index f647db2..380edf6 100644
--- a/auth0login/auth0backend.py
+++ b/auth0login/auth0backend.py
@@ -1,5 +1,6 @@
 """SatNOGS DB Auth0 login module auth backend"""
 import requests
+from jose import jwt
 from social_core.backends.oauth import BaseOAuth2
@@ -8,6 +9,7 @@ class Auth0(BaseOAuth2):
     name = 'auth0'
     SCOPE_SEPARATOR = ' '
     ACCESS_TOKEN_METHOD = 'POST'
+    REDIRECT_STATE = False
     EXTRA_DATA = [('email', 'email')]
 
     def authorization_url(self):
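Review bot: `REDIRECT_STATE = False` carries no comment saying why the redirect_state query parameter is dropped from the callback URL or what still protects the callback from login CSRF once it is gone. A line such as `# Auth0 appears to need an exact-match callback URL, so no redirect_state is appended; the OAuth2 state parameter still covers CSRF` would record the intent — the second half holds only if STATE_PARAMETER keeps its BaseOAuth2 default, which is not visible in this hunk. The Auth0 class continues past the end of the hunk.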
@@ -27,14 +29,19 @@ class Auth0(BaseOAuth2):
         return details['user_id']
 
     def get_user_details(self, response):
-        url = 'https://' + self.setting('DOMAIN') + '/userinfo'
-        headers = {'authorization': 'Bearer ' + response['access_token']}
-        resp = requests.get(url, headers=headers)
-        userinfo = resp.json()
+        # Obtain JWT and the keys to validate the signature
+        id_token = response.get('id_token')
+        jwks = requests.get('https://' + self.setting('DOMAIN') + '/.well-known/jwks.json')
+        issuer = 'https://' + self.setting('DOMAIN') + '/'
+        audience = self.setting('KEY') # CLIENT_ID
+        payload = jwt.decode(
+            id_token, jwks.json(), algorithms=['RS256'], audience=audience, issuer=issuer
+        )
         return {
-            'username': userinfo['nickname'],
-            'email': userinfo['email'],
-            # 'first_name': userinfo['name'],
-            'user_id': userinfo['sub']
+            'username': payload['nickname'],
+            # 'first_name': payload['name'],
+            # 'picture': payload['picture'],
+            'user_id': payload['sub'],
+            'email': payload['email']
         }
diff --git a/requirements.txt b/requirements.txt
index 2d06d32..1921716 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -33,6 +33,7 @@ django-shortuuidfield==0.1.3
 django-widget-tweaks==1.4.8
 djangorestframework==3.12.2
 dnspython==1.16.0
+ecdsa==0.14.1
 enum34==1.1.10
 eventlet==0.30.0
 frozendict==1.2
@@ -52,12 +53,14 @@ mysqlclient==2.0.2
 numpy==1.19.4
 oauthlib==3.1.0
 Pillow==8.0.1
+pyasn1==0.4.8
 pycparser==2.20
 PyJWT==2.0.0
 PyLD==2.0.3
 python-dateutil==2.8.1
 python-decouple==3.3
 python-dotenv==0.15.0
+python-jose==3.2.0
 python3-openid==3.2.0
 pytz==2020.5
 PyYAML==5.3.1
@@ -67,6 +70,7 @@ Represent==1.6.0.post0
 requests==2.25.1
 requests-oauthlib==1.3.0
 rjsmin==1.1.0
+rsa==4.6
 rush==2018.12.1
 satellitetle==0.10.1
 satnogs-decoders~=1.0
@@ -75,7 +79,7 @@ sgp4==2.14
 shortuuid==1.0.1
 simplejson==3.17.2
 six==1.15.0
-social-auth-app-django==3.4.0
+social-auth-app-django==4.0.0
 social-auth-core==3.3.3
 spacetrack==0.15.0
 sqlparse==0.4.1
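Review bot: The JWKS fetch in get_user_details has neither a timeout nor a status check, so an outage or error page from the Auth0 domain surfaces as an opaque JSON or JWT error on every login and the request can hang the worker indefinitely; use `jwks = requests.get(url, timeout=10)` followed by `jwks.raise_for_status()` before handing `jwks.json()` to `jwt.decode`. The id_token's `email` claim is returned without consulting `email_verified`; if the social-auth pipeline associates existing accounts by email (its configuration is not visible here), an Auth0 connection that issues unverified emails would let a login claim another user's account, so the verified flag should gate that use. `jwt.decode` is called without `access_token=response['access_token']`, so python-jose skips the at_hash check when that claim is present — cheap to add since the access token is already in `response`. Also `response.get('id_token')` is None when the `openid` scope is not requested (the scope list lives outside the hunk), which currently fails inside jwt.decode rather than with a clear error.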
diff --git a/setup.cfg b/setup.cfg
index efaff7c..08605b4 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -47,7 +47,8 @@ install_requires =
     django-allauth~=0.44.0
     django-avatar~=5.0.0
     django-crispy-forms~=1.10.0
-    social-auth-app-django~=3.4.0
+    python-jose[cryptography]~=3.2.0
+    social-auth-app-django~=4.0.0
     # Static
     django_compressor~=2.4.0
     # API
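Review bot: setup.cfg now asks for the `cryptography` extra of python-jose, but the pinned requirements.txt in this commit adds ecdsa, pyasn1 and rsa (python-jose's pure-Python backend) and no `cryptography` pin, so a pinned install may resolve to the pure-Python RSA backend rather than the cryptography-backed one the extra requests — unless cryptography is already pinned in a part of requirements.txt outside the hunks. Either pin `cryptography` next to `python-jose==3.2.0` in requirements.txt or drop the extra here so both manifests describe the same signature-verification backend.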