uc-cdis · tianj7 · Jun 28, 2024 · Jul 31, 2023 · Aug 3, 2023 · Aug 3, 2023
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -20,6 +20,9 @@
     {
       "name": "CloudantDetector"
     },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
     {
       "name": "GitHubTokenDetector"
     },
@@ -106,12 +109,6 @@
     },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
-    },
-    {
-      "path": "detect_secrets.filters.regex.should_exclude_file",
-      "pattern": [
-        "poetry.lock"
-      ]
     }
   ],
   "results": {
@@ -207,7 +204,7 @@
         "filename": "fence/utils.py",
         "hashed_secret": "8318df9ecda039deac9868adf1944a29a95c7114",
         "is_verified": false,
-        "line_number": 128
+        "line_number": 129
       }
     ],
     "migrations/versions/a04a70296688_non_unique_client_name.py": [
@@ -250,14 +247,14 @@
         "filename": "tests/conftest.py",
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_verified": false,
-        "line_number": 1556
+        "line_number": 1558
       },
       {
         "type": "Base64 High Entropy String",
         "filename": "tests/conftest.py",
         "hashed_secret": "227dea087477346785aefd575f91dd13ab86c108",
         "is_verified": false,
-        "line_number": 1579
+        "line_number": 1581
       }
     ],
     "tests/credentials/google/test_credentials.py": [
@@ -321,7 +318,7 @@
         "filename": "tests/login/test_fence_login.py",
         "hashed_secret": "d300421e208bfd0d432294de15169fd9b8975def",
         "is_verified": false,
-        "line_number": 48
+        "line_number": 49
       }
     ],
     "tests/login/test_idp_oauth2.py": [
@@ -333,31 +330,6 @@
         "line_number": 8
       }
     ],
-    "tests/migrations/test_a04a70296688.py": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "tests/migrations/test_a04a70296688.py",
-        "hashed_secret": "bb2372fb50034d559d2920e7229fb5879cf1be72",
-        "is_verified": false,
-        "line_number": 27
-      }
-    ],
-    "tests/migrations/test_ea7e1b843f82.py": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "tests/migrations/test_ea7e1b843f82.py",
-        "hashed_secret": "adb1fcd33b07abf9b6a064745759accea5cb341f",
-        "is_verified": false,
-        "line_number": 26
-      },
-      {
-        "type": "Hex High Entropy String",
-        "filename": "tests/migrations/test_ea7e1b843f82.py",
-        "hashed_secret": "bb2372fb50034d559d2920e7229fb5879cf1be72",
-        "is_verified": false,
-        "line_number": 43
-      }
-    ],
     "tests/ras/test_ras.py": [
       {
         "type": "Hex High Entropy String",
@@ -386,5 +358,5 @@
       }
     ]
   },
-  "generated_at": "2023-08-08T00:23:28Z"
+  "generated_at": "2023-09-07T21:24:28Z"
 }
diff --git a/bin/fence_create.py b/bin/fence_create.py
@@ -329,6 +329,9 @@ def parse_arguments():
         help='scopes to include in the token (e.g. "user" or "data")',
     )
     token_create.add_argument("--exp", help="time in seconds until token expiration")
+    token_create.add_argument(
+        "--client_id", help="Client Id, required to generate refresh token"
+    )
 
     force_link_google = subparsers.add_parser("force-link-google")
     force_link_google.add_argument(
@@ -581,6 +584,7 @@ def main():
             username=args.username,
             scopes=args.scopes,
             expires_in=args.exp,
+            client_id=args.client_id,
         )
         token_type = str(args.type).strip().lower()
         if token_type == "access_token" or token_type == "access":

diff --git a/fence/__init__.py b/fence/__init__.py
@@ -481,7 +481,10 @@ def _setup_oidc_clients(app):
                 logger=logger,
             )
         elif idp == "fence":
-            app.fence_client = OAuthClient(**settings)
+            # https://docs.authlib.org/en/latest/client/flask.html#flask-client
+            app.fence_client = OAuthClient(app)
+            # https://docs.authlib.org/en/latest/client/frameworks.html
+            app.fence_client.register(**settings)
         else:  # generic OIDC implementation
             client = Oauth2ClientBase(
                 settings=settings,

diff --git a/fence/blueprints/login/__init__.py b/fence/blueprints/login/__init__.py
@@ -368,6 +368,8 @@ def get_all_shib_idps():
     Returns:
         list: list of {"idp": "", "name": ""} dictionaries
     """
+    # TODO Config is only returning {'client_id': '', 'client_secret': '', 'redirect_url': 'http://localhost/user/login/fence/login'}
+    # Why does it only have 3 attributes left when there are so many in the config, including shibboleth_discovery_url
     url = config["OPENID_CONNECT"].get("fence", {}).get("shibboleth_discovery_url")
     if not url:
         raise InternalError(

diff --git a/fence/blueprints/login/fence_login.py b/fence/blueprints/login/fence_login.py
@@ -30,19 +30,22 @@ def __init__(self):
 
     def get(self):
         """Handle ``GET /login/fence``."""
-        oauth2_redirect_uri = flask.current_app.fence_client.client_kwargs.get(
-            "redirect_uri"
-        )
+
+        # OAuth class can have mutliple clients
+        client = flask.current_app.fence_client._clients[
+            flask.current_app.config["OPENID_CONNECT"]["fence"]["name"]
+        ]
+
+        oauth2_redirect_uri = client.client_kwargs.get("redirect_uri")
+
         redirect_url = flask.request.args.get("redirect")
         if redirect_url:
             validate_redirect(redirect_url)
             flask.session["redirect"] = redirect_url
-        (
-            authorization_url,
-            state,
-        ) = flask.current_app.fence_client.generate_authorize_redirect(
-            oauth2_redirect_uri, prompt="login"
-        )
+
+        rv = client.create_authorization_url(oauth2_redirect_uri, prompt="login")
+
+        authorization_url = rv["url"]
 
         # add idp parameter to the authorization URL
         if "idp" in flask.request.args:
@@ -57,7 +60,7 @@ def get(self):
                 flask.session["shib_idp"] = shib_idp
             authorization_url = add_params_to_uri(authorization_url, params)
 
-        flask.session["state"] = state
+        flask.session["state"] = rv["state"]
         return flask.redirect(authorization_url)
 
 
@@ -88,16 +91,24 @@ def get(self):
                 " login page for the original application to continue."
             )
         # Get the token response and log in the user.
-        redirect_uri = flask.current_app.fence_client._get_session().redirect_uri
-        tokens = flask.current_app.fence_client.fetch_access_token(
-            redirect_uri, **flask.request.args.to_dict()
+        # TODO: fence_client <authlib.integrations.flask_client.OAuth> no longer has _get_session(), need to get redirect_uri from elsewhere
+        # This has to do with how authutils implement OAuth Client
+        # Look at https://github.com/uc-cdis/authutils/tree/feat/authlib
+
+        # redirect_uri = flask.current_app.fence_client._get_session().redirect_uri
+        client_name = config["OPENID_CONNECT"]["fence"].get("name", "fence")
+        client = flask.current_app.fence_client._clients[client_name]
+        oauth2_redirect_uri = client.client_kwargs.get("redirect_uri")
+
+        tokens = client.fetch_access_token(
+            oauth2_redirect_uri, **flask.request.args.to_dict()
         )
 
         try:
             # For multi-Fence setup with two Fences >=5.0.0
             id_token_claims = validate_jwt(
                 tokens["id_token"],
-                aud=self.client.client_id,
+                aud=client.client_id,
                 scope={"openid"},
                 purpose="id",
                 attempt_refresh=True,

diff --git a/fence/blueprints/login/utils.py b/fence/blueprints/login/utils.py
@@ -21,7 +21,10 @@ def allowed_login_redirects():
     with flask.current_app.db.session as session:
         clients = session.query(Client).all()
         for client in clients:
-            allowed.extend(client.redirect_uris)
+            if isinstance(client.redirect_uris, list):
+                allowed.extend(client.redirect_uris)
+            elif isinstance(client.redirect_uris, str):
+                allowed.append(client.redirect_uris)
     return {domain(url) for url in allowed}
 
 

diff --git a/fence/blueprints/oauth2.py b/fence/blueprints/oauth2.py
@@ -32,7 +32,10 @@
 from fence.utils import clear_cookies
 from fence.user import get_current_user
 from fence.config import config
-
+from authlib.oauth2.rfc6749.errors import (
+    InvalidScopeError,
+)
+from fence.utils import validate_scopes
 
 blueprint = flask.Blueprint("oauth2", __name__)
 
@@ -114,14 +117,21 @@ def authorize(*args, **kwargs):
         return flask.redirect(login_url)
 
     try:
-        grant = server.validate_consent_request(end_user=user)
+        grant = server.get_consent_grant(end_user=user)
     except OAuth2Error as e:
         raise Unauthorized("Failed to authorize: {}".format(str(e)))
 
     client_id = grant.client.client_id
     with flask.current_app.db.session as session:
         client = session.query(Client).filter_by(client_id=client_id).first()
 
+    # Need to do scope check here now due to our design of putting allowed_scope on client
+    # Authlib now put allowed scope on OIDC server side which doesn't work with our design without modification to the lib
+    # Doing the scope check here because both client and grant is available here
+    # Either Get or Post request
+    request_scopes = flask.request.args.get("scope") or flask.request.form.get("scope")
+    validate_scopes(request_scopes, client)
+
     # TODO: any way to get from grant?
     confirm = flask.request.form.get("confirm") or flask.request.args.get("confirm")
     if client.auto_approve:

diff --git a/fence/config-default.yaml b/fence/config-default.yaml
@@ -138,6 +138,9 @@ OPENID_CONNECT:
   # If this fence instance is a client of another fence, fill this cfg out.
   # REMOVE if not needed
   fence:
+    # Custom name to display for consent screens. If not provided, will use `fence`.
+    # If the other fence is using NIH Login, you should make name: `NIH Login`
+    name: ''
     # this api_base_url should be the root url for the OTHER fence
     # something like: https://example.com
     api_base_url: ''
@@ -155,9 +158,6 @@ OPENID_CONNECT:
     authorize_url: '{{api_base_url}}/oauth2/authorize'
     access_token_url: '{{api_base_url}}/oauth2/token'
     refresh_token_url: '{{api_base_url}}/oauth2/token'
-    # Custom name to display for consent screens. If not provided, will use `fence`.
-    # If the other fence is using NIH Login, you should make name: `NIH Login`
-    name: ''
     # if mock is true, will fake a successful login response for login
     # WARNING: DO NOT ENABLE IN PRODUCTION (for testing purposes only)
     mock: false