eduNEXT / eox-core

eox-core is a plugin to extend the core functionality in Open edX
GNU Affero General Public License v3.0

feat: add endpoint to generate Oauth Application #223

Closed magajh closed 1 year ago

magajh commented 2 years ago

Description

In this PR we add a new endpoint in the support API that creates a new Oauth Application in edxapp

Request example

`POST <domain>/eox-core/support-api/v1/oauth-application/`

Body:

```json
{
    "user": {
        "fullname": "John Doe",
        "email": "johndoe@example.com",
        "username": "johndoe",
        "permissions": ["can_call_eox_core", "can_call_eox_tenant"]
    },
    "redirect_uris": "http://testing-site.io/ http://testing-site.io",
    "client_type": "confidential",
    "authorization_grant_type": "client-credentials",
    "name": "test-application",
    "skip_authorization": true
}
```

More details on the implementation

In order to create a valid Application, the method has to perform multiple operations:

  1. Create a new edxapp user, who will be the owner of the Application. In case there is already a user with the username or email sent, then the existing user is simply returned and assigned to the new application.
  2. Grant all permissions to the user in the "permissions" list sent in the request body. This list must contain the codename field from the Django permissions that the application owner should have.
  3. Create a new Application instance https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/models.py#L233

Any of the Application model fields can be sent in the request body for the creation of the application (with the exception of the create and update DateTime fields, which are marked in the serializer as read-only), but it works when sending only the basic information, such as:

- `redirect_uris`
- `client_type`
- `authorization_grant_type`
- `name`
- `skip_authorization`

The client_id and client_secret credentials will be automatically generated

Why is this feature necessary?

The Xman service makes requests to multiple APIs from eox-core and eox-tenant and these endpoints normally use a Bearer Token authentication schema. We need to be able to programmatically generate an Oauth Application in edxapp from the Xman service, so the users in Control Center can successfully authenticate to the APIs via Xman and perform operations on their remote Site in edxapp.

Testing instructions

You can test this by making the following requests to the eox-core API


`POST <domain>/eox-core/support-api/v1/oauth-application/`

Request body:

```json
{
    "user": {
        "fullname": "John Doe",
        "email": "johndoe@example.com",
        "username": "johndoe",
        "permissions": ["can_call_eox_core", "can_call_eox_tenant"]
    },
    "redirect_uris": "http://testing-site.io/ http://testing-site.io",
    "client_type": "confidential",
    "authorization_grant_type": "client-credentials",
    "name": "test-application",
    "skip_authorization": true
}
```

After making the request and obtaining a successful response, make sure you check that:

Checklist for Merge

magajh commented 1 year ago

The unit tests were added cc @eduNEXT/dedalo

magajh commented 1 year ago

While making some tests, I realized the current site was being used to create the signup source for the new user, so I added the helper function get_or_create_site_from_oauth_app_uris to use the site sent in the redirect_uris field instead as the site for the signup source
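As an added example (not code from eox-core or from this PR), the following Python script builds and sanity-checks a request body for the `oauth-application` endpoint described in the PR, and derives a site domain from the space-separated `redirect_uris` field in the way the last comment describes for `get_or_create_site_from_oauth_app_uris`. Field names follow the request example above; the permitted values for `client_type` and `authorization_grant_type` are the choices defined on django-oauth-toolkit's `AbstractApplication`. The validation rules, the function names and the redaction helper are assumptions of this example and are not the project's own implementation.

```python
"""Build and validate a request for the eox-core oauth-application endpoint.

Example code added alongside the PR, not part of eox-core.  Assumptions:
- field names mirror the request example in the PR description;
- CLIENT_TYPES / GRANT_TYPES are the choices django-oauth-toolkit defines
  on AbstractApplication;
- the helper names and validation rules are this example's own.
"""
import json
import re
from urllib.parse import urlsplit

CLIENT_TYPES = {"confidential", "public"}
GRANT_TYPES = {"authorization-code", "implicit", "password",
               "client-credentials", "openid-hybrid"}
# Django permission codenames are plain identifiers; reject anything else.
CODENAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_redirect_uris(redirect_uris):
    """Split the space-separated redirect_uris string into absolute URIs.

    Every entry must be an http(s) URL with a host; anything else raises.
    """
    uris = redirect_uris.split()
    if not uris:
        raise ValueError("redirect_uris must contain at least one URI")
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("invalid redirect URI: %r" % uri)
    return uris


def site_domain_from_redirect_uris(redirect_uris):
    """Hostname (lower-cased, port stripped) of the first redirect URI.

    Assumption: this mirrors the intent described in the PR comment (use the
    site from redirect_uris rather than the current site), not its code.
    """
    return urlsplit(parse_redirect_uris(redirect_uris)[0]).hostname


def validation_errors(payload):
    """Return a list of human-readable problems with a request payload."""
    errors = []
    if payload.get("client_type") not in CLIENT_TYPES:
        errors.append("client_type must be one of %s" % sorted(CLIENT_TYPES))
    if payload.get("authorization_grant_type") not in GRANT_TYPES:
        errors.append("authorization_grant_type must be one of %s"
                      % sorted(GRANT_TYPES))
    user = payload.get("user") or {}
    for field in ("fullname", "email", "username"):
        if not user.get(field):
            errors.append("user.%s is required" % field)
    if "@" not in str(user.get("email", "")):
        errors.append("user.email is not an e-mail address")
    for codename in user.get("permissions", []):
        if not isinstance(codename, str) or not CODENAME_RE.match(codename):
            errors.append("bad permission codename: %r" % (codename,))
    try:
        parse_redirect_uris(payload.get("redirect_uris", ""))
    except ValueError as exc:
        errors.append(str(exc))
    if not payload.get("name"):
        errors.append("name is required")
    return errors


def build_oauth_application_request(fullname, email, username, permissions,
                                    redirect_uris, name,
                                    client_type="confidential",
                                    authorization_grant_type="client-credentials",
                                    skip_authorization=False):
    """Assemble the request body and raise ValueError if it is not valid."""
    payload = {
        "user": {"fullname": fullname, "email": email, "username": username,
                 "permissions": list(permissions)},
        "redirect_uris": redirect_uris,
        "client_type": client_type,
        "authorization_grant_type": authorization_grant_type,
        "name": name,
        "skip_authorization": bool(skip_authorization),
    }
    errors = validation_errors(payload)
    if errors:
        raise ValueError("; ".join(errors))
    # Normalise whitespace so the stored redirect_uris is exactly one space apart.
    payload["redirect_uris"] = " ".join(parse_redirect_uris(redirect_uris))
    return payload


def redact_credentials(response):
    """Copy of a response dict with client_secret masked, safe for logging."""
    redacted = dict(response)
    if redacted.get("client_secret"):
        redacted["client_secret"] = "****"
    return redacted


if __name__ == "__main__":
    # Constructed sample values taken from the PR's request example.
    req = build_oauth_application_request(
        "John Doe", "johndoe@example.com", "johndoe",
        ["can_call_eox_core", "can_call_eox_tenant"],
        "http://testing-site.io/ http://testing-site.io",
        "test-application", skip_authorization=True)
    print(json.dumps(req, indent=2))
    print("signup site:", site_domain_from_redirect_uris(req["redirect_uris"]))
```

The `redact_credentials` helper exists because the endpoint returns the generated `client_id` and `client_secret`; the secret should be stored by the caller and never written to logs.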