File size: 7,585 Bytes
824bf31 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 |
"""
Module: core.oauth_config
Description: OAuth2 configuration for multiple providers
Author: Anderson H. Silva
Date: 2025-01-15
License: Proprietary - All rights reserved
"""
from enum import Enum
from typing import Dict, List, Optional
from pydantic import BaseModel, Field, HttpUrl
class OAuthProvider(str, Enum):
"""Supported OAuth providers."""
GOOGLE = "google"
GITHUB = "github"
MICROSOFT = "microsoft"
GOV_BR = "gov_br" # Login Único do Governo Federal
class OAuthScope(BaseModel):
"""OAuth scope configuration."""
name: str
description: str
required: bool = False
class OAuthProviderConfig(BaseModel):
"""OAuth provider configuration."""
name: str = Field(..., description="Provider name")
client_id: str = Field(..., description="OAuth client ID")
client_secret: str = Field(..., description="OAuth client secret", repr=False)
authorization_url: HttpUrl = Field(..., description="Authorization endpoint")
token_url: HttpUrl = Field(..., description="Token endpoint")
userinfo_url: HttpUrl = Field(..., description="User info endpoint")
scopes: List[OAuthScope] = Field(default_factory=list, description="Available scopes")
redirect_uri: str = Field(..., description="Redirect URI")
enabled: bool = Field(default=True, description="Provider enabled")
# Provider-specific settings
pkce_enabled: bool = Field(default=True, description="PKCE enabled")
state_verification: bool = Field(default=True, description="State verification")
nonce_verification: bool = Field(default=True, description="Nonce verification")
# User mapping
user_id_field: str = Field(default="id", description="User ID field mapping")
email_field: str = Field(default="email", description="Email field mapping")
name_field: str = Field(default="name", description="Name field mapping")
avatar_field: str = Field(default="avatar_url", description="Avatar field mapping")
# Additional validation
email_verification_required: bool = Field(default=True, description="Require verified email")
allowed_domains: Optional[List[str]] = Field(default=None, description="Allowed email domains")
class OAuthConfig(BaseModel):
"""Complete OAuth configuration."""
providers: Dict[OAuthProvider, OAuthProviderConfig] = Field(
default_factory=dict,
description="OAuth provider configurations"
)
# Global settings
session_timeout_minutes: int = Field(default=60, description="OAuth session timeout")
state_lifetime_minutes: int = Field(default=10, description="State parameter lifetime")
nonce_lifetime_minutes: int = Field(default=10, description="Nonce parameter lifetime")
# Security settings
secure_cookies: bool = Field(default=True, description="Use secure cookies")
same_site_policy: str = Field(default="Lax", description="SameSite cookie policy")
csrf_protection: bool = Field(default=True, description="CSRF protection enabled")
# Auto-registration settings
auto_register_enabled: bool = Field(default=True, description="Auto-register new users")
default_role: str = Field(default="analyst", description="Default role for new users")
require_admin_approval: bool = Field(default=False, description="Require admin approval")
def get_oauth_providers_config() -> OAuthConfig:
"""Get OAuth providers configuration."""
google_config = OAuthProviderConfig(
name="Google",
client_id="${GOOGLE_CLIENT_ID}",
client_secret="${GOOGLE_CLIENT_SECRET}",
authorization_url="https://accounts.google.com/o/oauth2/v2/auth",
token_url="https://oauth2.googleapis.com/token",
userinfo_url="https://www.googleapis.com/oauth2/v2/userinfo",
scopes=[
OAuthScope(name="openid", description="OpenID Connect", required=True),
OAuthScope(name="email", description="Email address", required=True),
OAuthScope(name="profile", description="Basic profile", required=True),
],
redirect_uri="${BASE_URL}/auth/oauth/google/callback",
user_id_field="id",
email_field="email",
name_field="name",
avatar_field="picture",
)
github_config = OAuthProviderConfig(
name="GitHub",
client_id="${GITHUB_CLIENT_ID}",
client_secret="${GITHUB_CLIENT_SECRET}",
authorization_url="https://github.com/login/oauth/authorize",
token_url="https://github.com/login/oauth/access_token",
userinfo_url="https://api.github.com/user",
scopes=[
OAuthScope(name="user:email", description="Email addresses", required=True),
OAuthScope(name="read:user", description="User profile", required=True),
],
redirect_uri="${BASE_URL}/auth/oauth/github/callback",
user_id_field="id",
email_field="email",
name_field="name",
avatar_field="avatar_url",
)
microsoft_config = OAuthProviderConfig(
name="Microsoft",
client_id="${MICROSOFT_CLIENT_ID}",
client_secret="${MICROSOFT_CLIENT_SECRET}",
authorization_url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
token_url="https://login.microsoftonline.com/common/oauth2/v2.0/token",
userinfo_url="https://graph.microsoft.com/v1.0/me",
scopes=[
OAuthScope(name="openid", description="OpenID Connect", required=True),
OAuthScope(name="email", description="Email address", required=True),
OAuthScope(name="profile", description="Basic profile", required=True),
],
redirect_uri="${BASE_URL}/auth/oauth/microsoft/callback",
user_id_field="id",
email_field="mail",
name_field="displayName",
avatar_field="photo",
email_verification_required=False, # Microsoft handles verification
)
gov_br_config = OAuthProviderConfig(
name="Login Único - Gov.br",
client_id="${GOV_BR_CLIENT_ID}",
client_secret="${GOV_BR_CLIENT_SECRET}",
authorization_url="https://sso.staging.acesso.gov.br/authorize",
token_url="https://sso.staging.acesso.gov.br/token",
userinfo_url="https://sso.staging.acesso.gov.br/userinfo",
scopes=[
OAuthScope(name="openid", description="OpenID Connect", required=True),
OAuthScope(name="email", description="Email address", required=True),
OAuthScope(name="profile", description="Basic profile", required=True),
OAuthScope(name="govbr_cpf", description="CPF do usuário", required=False),
OAuthScope(name="govbr_nome", description="Nome completo", required=False),
],
redirect_uri="${BASE_URL}/auth/oauth/govbr/callback",
user_id_field="sub",
email_field="email",
name_field="name",
avatar_field="picture",
email_verification_required=True,
# Only allow government domains
allowed_domains=[
"gov.br", "fazenda.gov.br", "cgu.gov.br", "tcu.gov.br",
"mpf.mp.br", "camara.leg.br", "senado.leg.br"
],
)
return OAuthConfig(
providers={
OAuthProvider.GOOGLE: google_config,
OAuthProvider.GITHUB: github_config,
OAuthProvider.MICROSOFT: microsoft_config,
OAuthProvider.GOV_BR: gov_br_config,
},
auto_register_enabled=True,
default_role="analyst",
require_admin_approval=False,
) |