Add support for RP-Initiated Registration

By adding a `prompt=create` parameter to the authorization request,
the user is redirected to the OP's registration point where they
can create an account, and on successful registration the user is
then redirected back to the authorization view with prompt=login

Closes #1546

Author: lullis

AUTHORS

@@ -100,6 +100,7 @@ Peter Karman
 Peter McDonald
 Petr Dlouhý
 pySilver
+Raphael Lullis
 Rodney Richardson
 Rustem Saiargaliev
 Rustem Saiargaliev

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 * #1506 Support for Wildcard Origin and Redirect URIs
 * #1586 Turkish language support added
+* #1546 Support for RP-Initiated Registration
 
 <!--
 ### Changed

docs/settings.rst

@@ -353,6 +353,7 @@ this you must also provide the service at that endpoint.
 If unset, the default location is used, eg if ``django-oauth-toolkit`` is
 mounted at ``/o/``, it will be ``<server-address>/o/userinfo/``.
 
+
 OIDC_RP_INITIATED_LOGOUT_ENABLED
 ~~~~~~~~~~~~~~~~~~~~~~~~
 Default: ``False``
@@ -388,6 +389,24 @@ Whether to delete the access, refresh and ID tokens of the user that is being lo
 The types of applications for which tokens are deleted can be customized with ``RPInitiatedLogoutView.token_types_to_delete``.
 The default is to delete the tokens of all applications if this flag is enabled.
 
+OIDC_RP_INITIATED_REGISTRATION_ENABLED
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ``False``
+
+Whether to allow the Relying Party (RP) to direct a user to an OpenID
+Provider (OP) to create a new account rather than authenticate with an
+existing one. This is done by adding a `prompt=create` parameter to
+the authorization request.
+
+OIDC_RP_INITIATED_REGISTRATION_VIEW_NAME
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Default: ''
+
+The name of the view for the URL that the user will be redirected to
+in case RP-Initated Registration is enabled.
+
+
+
 OIDC_ISS_ENDPOINT
 ~~~~~~~~~~~~~~~~~
 Default: ``""``

oauth2_provider/settings.py

@@ -92,6 +92,8 @@
         "client_secret_post",
         "client_secret_basic",
     ],
+    "OIDC_RP_INITIATED_REGISTRATION_ENABLED": False,
+    "OIDC_RP_INITIATED_REGISTRATION_VIEW_NAME": None,
     "OIDC_RP_INITIATED_LOGOUT_ENABLED": False,
     "OIDC_RP_INITIATED_LOGOUT_ALWAYS_PROMPT": True,
     "OIDC_RP_INITIATED_LOGOUT_STRICT_REDIRECT_URIS": False,

oauth2_provider/views/base.py

@@ -1,12 +1,14 @@
 import hashlib
 import json
 import logging
-from urllib.parse import parse_qsl, urlencode, urlparse
+from urllib.parse import parse_qsl, quote, urlencode, urlparse
 
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseRedirect
 from django.shortcuts import resolve_url
+from django.urls import reverse
+from django.urls.exceptions import NoReverseMatch
 from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views.decorators.csrf import csrf_exempt
@@ -154,6 +156,8 @@ def get(self, request, *args, **kwargs):
         prompt = request.GET.get("prompt")
         if prompt == "login":
             return self.handle_prompt_login()
+        elif prompt == "create":
+            return self.handle_prompt_create()
 
         all_scopes = get_scopes_backend().get_all_scopes()
         kwargs["scopes_descriptions"] = [all_scopes[scope] for scope in scopes]
@@ -252,13 +256,72 @@ def handle_prompt_login(self):
             self.get_redirect_field_name(),
         )
 
+    def handle_prompt_create(self):
+        """
+        When prompt=create is in the authorization request,
+        redirect the user to the registration page. After
+        registration, the user should be redirected back to the
+        authorization endpoint without the prompt parameter to
+        continue the OIDC flow.
+
+        Implements OpenID Connect Prompt Create 1.0 specification.
+        https://openid.net/specs/openid-connect-prompt-create-1_0.html
+
+        """
+        try:
+            assert not self.request.user.is_authenticated, "account_selection_required"
+            path = self.request.build_absolute_uri()
+
+            views_to_attempt = [oauth2_settings.OIDC_RP_INITIATED_REGISTRATION_VIEW_NAME, "account_signup"]
+
+            registration_url = None
+            for view_name in views_to_attempt:
+                try:
+                    registration_url = reverse(view_name)
+                    continue
+                except NoReverseMatch:
+                    pass
+
+            # Parse the current URL and remove the prompt parameter
+            parsed = urlparse(path)
+            parsed_query = dict(parse_qsl(parsed.query))
+            parsed_query.pop("prompt")
+
+            # Create the next parameter to redirect back to the authorization endpoint
+            next_url = parsed._replace(query=urlencode(parsed_query)).geturl()
+
+            assert oauth2_settings.OIDC_RP_INITIATED_REGISTRATION_ENABLED, "access_denied"
+            assert registration_url is not None, "access_denied"
+
+            # Add next parameter to registration URL
+            separator = "&" if "?" in registration_url else "?"
+            redirect_to = f"{registration_url}{separator}next={quote(next_url)}"
+
+            return HttpResponseRedirect(redirect_to)
+
+        except AssertionError as exc:
+            redirect_uri = self.request.GET.get("redirect_uri")
+            if redirect_uri:
+                response_parameters = {"error": str(exc)}
+                state = self.request.GET.get("state")
+                if state:
+                    response_parameters["state"] = state
+
+                separator = "&" if "?" in redirect_uri else "?"
+                redirect_to = redirect_uri + separator + urlencode(response_parameters)
+                return self.redirect(redirect_to, application=None)
+            else:
+                return HttpResponseBadRequest(str(exc))
+
     def handle_no_permission(self):
         """
         Generate response for unauthorized users.
 
         If prompt is set to none, then we redirect with an error code
         as defined by OIDC 3.1.2.6
 
+        If prompt is set to create, then we redirect to the registration page.
+
         Some code copied from OAuthLibMixin.error_response, but that is designed
         to operated on OAuth1Error from oauthlib wrapped in a OAuthToolkitError
         """
@@ -276,6 +339,9 @@ def handle_no_permission(self):
             separator = "&" if "?" in redirect_uri else "?"
             redirect_to = redirect_uri + separator + urlencode(response_parameters)
             return self.redirect(redirect_to, application=None)
+        elif prompt == "create":
+            # If prompt=create and user is not authenticated, redirect to registration
+            return self.handle_prompt_create()
         else:
             return super().handle_no_permission()
 

oauth2_provider/views/oidc.py

@@ -100,7 +100,11 @@ def get(self, request, *args, **kwargs):
             ),
             "code_challenge_methods_supported": [key for key, _ in AbstractGrant.CODE_CHALLENGE_METHODS],
             "claims_supported": oidc_claims,
+            "prompt_values_supported": ["none", "login"],
         }
+        if oauth2_settings.OIDC_RP_INITIATED_REGISTRATION_ENABLED:
+            data["prompt_values_supported"].append("create")
+
         if oauth2_settings.OIDC_RP_INITIATED_LOGOUT_ENABLED:
             data["end_session_endpoint"] = end_session_endpoint
         response = JsonResponse(data)

tests/presets.py

@@ -37,6 +37,10 @@
 OIDC_SETTINGS_RP_LOGOUT_DENY_EXPIRED["OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS"] = False
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS = deepcopy(OIDC_SETTINGS_RP_LOGOUT)
 OIDC_SETTINGS_RP_LOGOUT_KEEP_TOKENS["OIDC_RP_INITIATED_LOGOUT_DELETE_TOKENS"] = False
+OIDC_SETTINGS_RP_REGISTRATION = deepcopy(OIDC_SETTINGS_RW)
+OIDC_SETTINGS_RP_REGISTRATION["OIDC_RP_INITIATED_REGISTRATION_ENABLED"] = True
+OIDC_SETTINGS_RP_REGISTRATION["OIDC_RP_INITIATED_REGISTRATION_VIEW_NAME"] = "testapp:register"
+
 REST_FRAMEWORK_SCOPES = {
     "SCOPES": {
         "read": "Read scope",