first version entra

app/apps/cases/views/case.py

@@ -42,7 +42,7 @@
 )
 from apps.schedules.models import DaySegment, Priority, Schedule, WeekSegment
 from apps.users.auth_apps import TopKeyAuth
-from apps.users.permissions import CanAccessSensitiveCases
+from apps.users.permissions import CanAccessSensitiveCases, IsInAuthorizedRealm
 from apps.workflow.models import CaseUserTask, CaseWorkflow, WorkflowOption
 from apps.workflow.serializers import (
     CaseWorkflowSerializer,
@@ -56,7 +56,6 @@
 from django_filters import rest_framework as filters
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from keycloak_oidc.drf.permissions import IsInAuthorizedRealm
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.decorators import action, parser_classes
 from rest_framework.pagination import LimitOffsetPagination

app/apps/users/auth.py

@@ -2,7 +2,7 @@
 
 from django.conf import settings
 from drf_spectacular.contrib.rest_framework_simplejwt import SimpleJWTScheme
-from keycloak_oidc.auth import OIDCAuthenticationBackend
+from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 from mozilla_django_oidc.contrib.drf import OIDCAuthentication
 from rest_framework_simplejwt.authentication import JWTAuthentication
 

app/apps/users/permissions.py

@@ -1,8 +1,38 @@
 from apps.cases.models import Case
 from apps.users.auth_apps import TonKeyAuth, TopKeyAuth
-from keycloak_oidc.drf.permissions import IsInAuthorizedRealm
+from django.conf import settings
 from rest_framework.permissions import BasePermission, IsAuthenticated
 
+
+class InAuthGroup(BasePermission):
+    allowed_group_names = None
+
+    def __init__(self):
+        if self.allowed_group_names is None:
+            raise Exception(
+                "Allowed group names must be set when using the AuthGroupPermission class"
+            )
+
+        super().__init__()
+
+    def has_permission(self, request, view):
+        return bool(
+            request.user
+            and request.user.is_authenticated
+            and request.user.groups.filter(name__in=self.allowed_group_names).exists()
+        )
+
+
+class IsInAuthorizedRealm(InAuthGroup):
+    """
+    A permission to allow access if and only if a user is logged in,
+    and is a member of one of the OIDC_AUTHORIZED_GROUPS groups in Keycloak
+    """
+
+    assert settings.OIDC_AUTHORIZED_GROUPS, "OIDC_AUTHORIZED_GROUPS must be set"
+    allowed_group_names = settings.OIDC_AUTHORIZED_GROUPS
+
+
 custom_permissions = [
     # Permissions for cases/tasks
     ("create_case", "Create a new Case"),

app/apps/users/tests/tests_auth.py

@@ -10,7 +10,7 @@
 
 from django.core.exceptions import SuspiciousOperation
 from django.test import TestCase
-from keycloak_oidc.auth import OIDCAuthenticationBackend
+from mozilla_django_oidc.contrib.drf import OIDCAuthenticationBackend
 
 from app.utils.unittest_helpers import get_test_user
 

app/apps/users/views.py

@@ -1,9 +1,9 @@
 import logging
 
+from apps.users.permissions import IsInAuthorizedRealm
 from django.contrib.auth.models import Permission
 from django.http import HttpResponseBadRequest
 from drf_spectacular.utils import extend_schema
-from keycloak_oidc.drf.permissions import IsInAuthorizedRealm
 from rest_framework import generics, serializers, status
 from rest_framework.decorators import action
 from rest_framework.response import Response

app/apps/workflow/views.py

@@ -12,7 +12,7 @@
 from apps.main.pagination import EmptyPagination
 from apps.summons.serializers import SummonTypeSerializer
 from apps.users.auth_apps import TopKeyAuth
-from apps.users.permissions import CanAccessSensitiveCases
+from apps.users.permissions import CanAccessSensitiveCases, IsInAuthorizedRealm
 from apps.workflow.serializers import (
     CaseUserTaskSerializer,
     CaseUserTaskTaskNameSerializer,
@@ -24,7 +24,6 @@
 from django_filters import rest_framework as filters
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from keycloak_oidc.drf.permissions import IsInAuthorizedRealm
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.pagination import LimitOffsetPagination

app/config/settings.py

@@ -5,7 +5,6 @@
 
 from celery.schedules import crontab
 from dotenv import load_dotenv
-from keycloak_oidc.default_settings import *  # noqa
 from opencensus.ext.azure.trace_exporter import AzureExporter
 
 from .azure_settings import Azure
@@ -14,7 +13,6 @@
 
 load_dotenv()
 
-# config_integration.trace_integrations(["requests", "logging"])
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY")
@@ -48,7 +46,6 @@
     "django.contrib.postgres",
     "corsheaders",
     # Third party apps
-    "keycloak_oidc",
     "rest_framework",
     "rest_framework.authtoken",
     "drf_spectacular",
@@ -162,9 +159,7 @@
         "rest_framework.renderers.JSONRenderer",
         "rest_framework.renderers.BrowsableAPIRenderer",
     ),
-    "DEFAULT_PERMISSION_CLASSES": (
-        "keycloak_oidc.drf.permissions.IsInAuthorizedRealm",
-    ),
+    "DEFAULT_PERMISSION_CLASSES": ("apps.users.permissions.IsInAuthorizedRealm",),
     "DEFAULT_AUTHENTICATION_CLASSES": (
         "apps.users.auth.AuthenticationClass",
         "rest_framework.authentication.TokenAuthentication",
@@ -183,7 +178,7 @@
 
 TAG_NAME = os.getenv("TAG_NAME", "default-release")
 
-LOGGING_LEVEL = os.getenv("LOGGING_LEVEL", "DEBUG")
+LOGGING_LEVEL = "INFO"
 
 LOGGING = {
     "version": 1,
@@ -219,7 +214,7 @@
             "level": LOGGING_LEVEL,
             "propagate": True,
         },
-        "mozilla_django_oidc": {"handlers": ["console"], "level": "INFO"},
+        "mozilla_django_oidc": {"handlers": ["console"], "level": "DEBUG"},
     },
 }
 
@@ -274,7 +269,7 @@ def filter_traces(envelope):
 OIDC_AUTHORIZED_GROUPS
 OIDC_OP_USER_ENDPOINT
 """
-OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID", None)
+# OIDC_RP_CLIENT_ID = os.environ.get("OIDC_RP_CLIENT_ID", None)
 OIDC_RP_CLIENT_SECRET = os.environ.get("OIDC_RP_CLIENT_SECRET", None)
 OIDC_USE_NONCE = False
 OIDC_AUTHORIZED_GROUPS = (
@@ -283,26 +278,23 @@ def filter_traces(envelope):
     "enable_persistent_token",
 )
 OIDC_AUTHENTICATION_CALLBACK_URL = "oidc-authenticate"
-
+OIDC_RP_CLIENT_ID = os.environ.get(
+    "OIDC_RP_CLIENT_ID", "14c4257b-bcd1-4850-889e-7156c9efe2ec"
+)
 OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv(
     "OIDC_OP_AUTHORIZATION_ENDPOINT",
-    "https://acc.iam.amsterdam.nl/auth/realms/datapunt-ad-acc/protocol/openid-connect/auth",
+    "https://login.microsoftonline.com/72fca1b1-2c2e-4376-a445-294d80196804/oauth2/v2.0/authorize",
 )
 OIDC_OP_TOKEN_ENDPOINT = os.getenv(
     "OIDC_OP_TOKEN_ENDPOINT",
-    "https://acc.iam.amsterdam.nl/auth/realms/datapunt-ad-acc/protocol/openid-connect/token",
+    "https://login.microsoftonline.com/72fca1b1-2c2e-4376-a445-294d80196804/oauth2/v2.0/token",
 )
 OIDC_OP_USER_ENDPOINT = os.getenv(
-    "OIDC_OP_USER_ENDPOINT",
-    "https://acc.iam.amsterdam.nl/auth/realms/datapunt-ad-acc/protocol/openid-connect/userinfo",
+    "OIDC_OP_USER_ENDPOINT", "https://graph.microsoft.com/oidc/userinfo"
 )
 OIDC_OP_JWKS_ENDPOINT = os.getenv(
     "OIDC_OP_JWKS_ENDPOINT",
-    "https://acc.iam.amsterdam.nl/auth/realms/datapunt-ad-acc/protocol/openid-connect/certs",
-)
-OIDC_OP_LOGOUT_ENDPOINT = os.getenv(
-    "OIDC_OP_LOGOUT_ENDPOINT",
-    "https://acc.iam.amsterdam.nl/auth/realms/datapunt-ad-acc/protocol/openid-connect/logout",
+    "https://login.microsoftonline.com/72fca1b1-2c2e-4376-a445-294d80196804/discovery/v2.0/keys",
 )
 
 LOCAL_DEVELOPMENT_AUTHENTICATION = (

app/requirements.txt

@@ -14,7 +14,6 @@ click-didyoumean==0.3.1
 click-plugins==1.1.1
 click-repl==0.2.0
 cryptography==43.0.3
-datapunt-keycloak-oidc @ git+https://github.com/remyvdwereld/keycloak_oidc_top.git@main
 debugpy==1.4.1
 Django==4.2.16
 django-axes==6.5.0