feat(ocid): use drycc ocid discover url

duanhongyi · duanhongyi · commit 011bb39d77c7 · 2026-01-16T14:31:24.000+08:00
diff --git a/rootfs/api/apps_extra/social_core/actions.py b/rootfs/api/apps_extra/social_core/actions.py
@@ -39,7 +39,7 @@ def form2json(form_data):
         query = urlparse("?" + form_data).query
         params = parse_qs(query)
         return {key: params[key][0] for key in params}
-    from api.backend import OauthCacheManager
+    from api.apps_extra.social_core.backends import OauthCacheManager
     oauth_cache_manager = OauthCacheManager()
     oauth_cache_manager.set_state(data.get("key", ""), form2json(url).get("state"))
     return response
@@ -129,7 +129,7 @@ def do_complete(backend, login, user=None, redirect_name="next", *args, **kwargs
     if social_auth and social_auth.extra_data:
         extra_data = json.loads(social_auth.extra_data) if \
             isinstance(social_auth.extra_data, str) else social_auth.extra_data
-    from api.backend import OauthCacheManager
+    from api.apps_extra.social_core.backends import OauthCacheManager
     oauth_cache_manager = OauthCacheManager()
     oauth_cache_manager.set_token(data.get("state"), extra_data)
     return response
diff --git a/rootfs/api/apps_extra/social_core/backends.py b/rootfs/api/apps_extra/social_core/backends.py
@@ -4,7 +4,6 @@
 from django.contrib.auth import get_user_model
 from django.utils.translation import gettext_lazy
 
-from social_core.utils import cache as social_cache
 from social_core.backends.open_id_connect import OpenIdConnectAuth
 from rest_framework import exceptions
 
@@ -16,12 +15,6 @@
 class DryccOIDC(OpenIdConnectAuth):
     """Drycc Openid Connect authentication backend"""
     name = 'drycc'
-    AUTHORIZATION_URL = settings.SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL
-    ACCESS_TOKEN_URL = settings.SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL
-    USERINFO_URL = settings.SOCIAL_AUTH_DRYCC_USERINFO_URL
-    JWKS_URI = settings.SOCIAL_AUTH_DRYCC_JWKS_URI
-    OIDC_ENDPOINT = settings.SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT
-    DEFAULT_SCOPE = ['openid', 'profile', 'email']
     EXTRA_DATA = [
         ('id', 'id'),
         ('access_token', 'access_token'),
@@ -32,20 +25,10 @@ class DryccOIDC(OpenIdConnectAuth):
         ('scope', 'scope'),
     ]
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-
-    @social_cache(ttl=86400)
-    def oidc_config(self):
-        return self.get_json(
-            self.OIDC_ENDPOINT + '/.well-known/openid-configuration/'
-        )
-
     def get_user_data(self, access_token):
         """Loads user data from service"""
-        url = settings.SOCIAL_AUTH_DRYCC_USERINFO_URL
         response = self.get_json(
-            url,
+            self.userinfo_url(),
             headers={
                 'authorization': 'Bearer ' + access_token
             },
@@ -62,12 +45,13 @@ def get_user_data(self, access_token):
         }
 
     def refresh_token(self, refresh_token):
+        # Get token URL from OIDC discovery if not already cached
         return self.get_json(
-            settings.SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL,
+            self.access_token_url(),
             method='POST',
             data={
                 'grant_type': 'refresh_token',
-                'client_id': settings.SOCIAL_AUTH_DRYCC_KEY,
+                'client_id': self.get_key_and_secret()[0],
                 'refresh_token': refresh_token,
             },
         )
diff --git a/rootfs/api/apps_extra/social_core/pipelines.py b/rootfs/api/apps_extra/social_core/pipelines.py
@@ -0,0 +1,6 @@
+from api.serializers import UserSerializer
+
+
+def update_or_create(backend, user, response, *args, **kwargs):
+    user, created = UserSerializer.update_or_create(response)
+    return {'is_new': created, 'user': user}
diff --git a/rootfs/api/authentication.py b/rootfs/api/authentication.py
@@ -47,7 +47,7 @@ def authenticate(self, request):
             return None
         try:
             if token_type == 'bearer':  # drycc oauth access token
-                from api.backend import OauthCacheManager
+                from api.apps_extra.social_core.backends import OauthCacheManager
                 return OauthCacheManager().get_user(token), token
             # drycc token
             user = cache.get(token, None)
@@ -69,7 +69,7 @@ def authenticate_credentials(self, key):
             raise exceptions.AuthenticationFailed(gettext_lazy('User inactive or deleted.'))
         if token.expires():
             try:
-                from api.backend import OauthCacheManager
+                from api.apps_extra.social_core.backends import OauthCacheManager
                 user = OauthCacheManager().get_user(token.oauth['access_token'])
                 cache.set(key, user, timeout=token.oauth['expires_in'])
                 token.refresh_token()
diff --git a/rootfs/api/models/base.py b/rootfs/api/models/base.py
@@ -120,7 +120,7 @@ def generate_key(cls):
         ) + ''.join(random.choices(string.ascii_letters, k=96))
 
     def refresh_token(self):
-        from api.backend import DryccOIDC
+        from api.apps_extra.social_core.backends import DryccOIDC
         drycc_open_connect = DryccOIDC()
         self.oauth = drycc_open_connect.refresh_token(self.oauth['refresh_token'])
         self.save()
diff --git a/rootfs/api/pipeline.py b/rootfs/api/pipeline.py
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -127,6 +127,7 @@ def randstr(k):
 AUTHENTICATION_BACKENDS = (
     "django.contrib.auth.backends.ModelBackend",
     "guardian.backends.ObjectPermissionBackend",
+    "api.apps_extra.social_core.backends.DryccOIDC",
 )
 GUARDIAN_GET_INIT_ANONYMOUS_USER = 'api.models.base.get_anonymous_user_instance'
 ANONYMOUS_USER_NAME = os.environ.get('ANONYMOUS_USER_NAME', 'AnonymousUser')
@@ -431,54 +432,31 @@ def randstr(k):
     f'{DRYCC_PASSPORT_URL}/user/login/done/',
 )
 
+# social auth settings
 SOCIAL_AUTH_DRYCC_KEY = os.environ.get(
     "DRYCC_PASSPORT_KEY",
     os.environ.get("SOCIAL_AUTH_DRYCC_KEY"),
 )
-
 SOCIAL_AUTH_DRYCC_SECRET = os.environ.get(
     'DRYCC_PASSPORT_SECRET',
     os.environ.get("SOCIAL_AUTH_DRYCC_SECRET"),
 )
-
-SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL = os.environ.get(
-    'SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL',
-    f'{DRYCC_PASSPORT_URL}/oauth/authorize/',
-)
-SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL = os.environ.get(
-    'SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL',
-    f'{DRYCC_PASSPORT_URL}/oauth/token/'
-)
-SOCIAL_AUTH_DRYCC_ACCESS_API_URL = os.environ.get(
-    'SOCIAL_AUTH_DRYCC_ACCESS_API_URL',
-    f'{DRYCC_PASSPORT_URL}'
-)
-SOCIAL_AUTH_DRYCC_USERINFO_URL = os.environ.get(
-    'SOCIAL_AUTH_DRYCC_USERINFO_URL',
-    f'{DRYCC_PASSPORT_URL}/oauth/userinfo/'
-)
-SOCIAL_AUTH_DRYCC_JWKS_URI = os.environ.get(
-    'SOCIAL_AUTH_DRYCC_JWKS_URI',
-    f'{DRYCC_PASSPORT_URL}/oauth/.well-known/jwks.json'
-)
 SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT = os.environ.get(
     'SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT',
     f'{DRYCC_PASSPORT_URL}/oauth'
 )
-
 SOCIAL_AUTH_JSONFIELD_ENABLED = True
 SOCIAL_AUTH_PIPELINE = (
     'social_core.pipeline.social_auth.social_details',
     'social_core.pipeline.social_auth.social_uid',
     'social_core.pipeline.social_auth.social_user',
     'social_core.pipeline.user.get_username',
     'social_core.pipeline.social_auth.associate_by_email',
-    'api.pipeline.update_or_create',
+    'api.apps_extra.social_core.pipelines.update_or_create',
     'social_core.pipeline.social_auth.associate_user',
     'social_core.pipeline.social_auth.load_extra_data',
     'social_core.pipeline.user.user_details',
 )
-AUTHENTICATION_BACKENDS = ("api.backend.DryccOIDC", ) + AUTHENTICATION_BACKENDS
 DRYCC_CACHE_USER_TIME = int(os.environ.get('DRYCC_CACHE_USER_TIME', 30 * 60))
 
 # Cache Valkey Configuration
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
@@ -47,7 +47,7 @@
 from social_django.views import _do_login
 from social_core.utils import setting_name
 from api import admissions, utils
-from api.backend import OauthCacheManager
+from api.apps_extra.social_core.backends import OauthCacheManager
 from api.apps_extra.social_core.actions import do_auth, do_complete
 
 
@@ -122,12 +122,15 @@ def _create_browser_response(self, key):
         return redirect(f"{uri[0:uri.find(self.request.path)]}/v2/login/drycc/?key={key}")
 
     def _create_interactive_response(self, username, password, key):
+        # Get token endpoint from OIDC discovery
+        token_url = oauth_cache_manager.drycc_oauth.access_token_url()
+        client_id, client_secret = oauth_cache_manager.drycc_oauth.get_key_and_secret()
         response = requests.post(
-            settings.SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL,
+            token_url,
             data={
                 'grant_type': 'password',
-                'client_id': settings.SOCIAL_AUTH_DRYCC_KEY,
-                'client_secret': settings.SOCIAL_AUTH_DRYCC_SECRET,
+                'client_id': client_id,
+                'client_secret': client_secret,
                 'username': username,
                 'password': password,
             },
