2015-01-08 20:55:24 +00:00
|
|
|
from datetime import timedelta
|
|
|
|
|
from django.utils import timezone
|
|
|
|
|
from openid_provider.lib.errors import *
|
|
|
|
|
from openid_provider.lib.utils.params import *
|
|
|
|
|
from openid_provider.lib.utils.token import *
|
|
|
|
|
from openid_provider.models import *
|
2015-01-28 20:00:04 +00:00
|
|
|
from openid_provider import settings
|
|
|
|
|
import uuid
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class AuthorizeEndpoint(object):
|
|
|
|
|
|
|
|
|
|
def __init__(self, request):
|
|
|
|
|
|
|
|
|
|
self.request = request
|
|
|
|
|
|
2015-01-09 17:59:23 +00:00
|
|
|
self.params = Params()
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
# Because in this endpoint we handle both GET
|
|
|
|
|
# and POST request.
|
2015-01-28 20:00:04 +00:00
|
|
|
self.query_dict = (self.request.POST if self.request.method == 'POST'
|
|
|
|
|
else self.request.GET)
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
self._extract_params()
|
|
|
|
|
|
|
|
|
|
# Determine which flow to use.
|
|
|
|
|
if self.params.response_type in ['code']:
|
|
|
|
|
self.grant_type = 'authorization_code'
|
|
|
|
|
elif self.params.response_type in ['id_token', 'id_token token']:
|
|
|
|
|
self.grant_type = 'implicit'
|
|
|
|
|
self._extract_implicit_params()
|
|
|
|
|
else:
|
|
|
|
|
self.grant_type = None
|
|
|
|
|
|
|
|
|
|
def _extract_params(self):
|
2015-01-28 18:19:36 +00:00
|
|
|
"""
|
2015-01-08 20:55:24 +00:00
|
|
|
Get all the params used by the Authorization Code Flow
|
|
|
|
|
(and also for the Implicit).
|
|
|
|
|
|
|
|
|
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
2015-01-28 18:19:36 +00:00
|
|
|
"""
|
2015-01-08 20:55:24 +00:00
|
|
|
self.params.client_id = self.query_dict.get('client_id', '')
|
|
|
|
|
self.params.redirect_uri = self.query_dict.get('redirect_uri', '')
|
|
|
|
|
self.params.response_type = self.query_dict.get('response_type', '')
|
2015-01-12 22:13:48 +00:00
|
|
|
self.params.scope = self.query_dict.get('scope', '').split()
|
2015-01-08 20:55:24 +00:00
|
|
|
self.params.state = self.query_dict.get('state', '')
|
|
|
|
|
|
|
|
|
|
def _extract_implicit_params(self):
|
2015-01-28 18:19:36 +00:00
|
|
|
"""
|
2015-01-08 20:55:24 +00:00
|
|
|
Get specific params used by the Implicit Flow.
|
|
|
|
|
|
|
|
|
|
See: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
|
2015-01-28 18:19:36 +00:00
|
|
|
"""
|
2015-01-08 20:55:24 +00:00
|
|
|
self.params.nonce = self.query_dict.get('nonce', '')
|
|
|
|
|
|
|
|
|
|
def validate_params(self):
|
|
|
|
|
|
|
|
|
|
if not self.params.redirect_uri:
|
|
|
|
|
raise RedirectUriError()
|
|
|
|
|
|
2015-01-12 22:13:48 +00:00
|
|
|
if not ('openid' in self.params.scope):
|
|
|
|
|
raise AuthorizeError(
|
|
|
|
|
self.params.redirect_uri,
|
|
|
|
|
'invalid_scope',
|
|
|
|
|
self.grant_type)
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
self.client = Client.objects.get(client_id=self.params.client_id)
|
|
|
|
|
|
|
|
|
|
if not (self.params.redirect_uri in self.client.redirect_uris):
|
|
|
|
|
raise RedirectUriError()
|
|
|
|
|
|
2015-01-28 18:19:36 +00:00
|
|
|
if not self.grant_type or not (self.params.response_type == self.client.response_type):
|
2015-01-12 22:13:48 +00:00
|
|
|
|
|
|
|
|
raise AuthorizeError(
|
|
|
|
|
self.params.redirect_uri,
|
|
|
|
|
'unsupported_response_type',
|
|
|
|
|
self.grant_type)
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
except Client.DoesNotExist:
|
|
|
|
|
raise ClientIdError()
|
|
|
|
|
|
|
|
|
|
def create_response_uri(self, allow):
|
|
|
|
|
|
|
|
|
|
if not allow:
|
2015-01-12 22:13:48 +00:00
|
|
|
raise AuthorizeError(
|
|
|
|
|
self.params.redirect_uri,
|
|
|
|
|
'access_denied',
|
|
|
|
|
self.grant_type)
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
self.validate_params()
|
2015-01-28 20:00:04 +00:00
|
|
|
|
2015-01-28 18:19:36 +00:00
|
|
|
if self.grant_type == 'authorization_code':
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
code = Code()
|
|
|
|
|
code.user = self.request.user
|
|
|
|
|
code.client = self.client
|
|
|
|
|
code.code = uuid.uuid4().hex
|
2015-01-28 20:00:04 +00:00
|
|
|
code.expires_at = timezone.now() + timedelta(
|
|
|
|
|
seconds=settings.get('DOP_CODE_EXPIRE'))
|
2015-01-08 20:55:24 +00:00
|
|
|
code.scope = self.params.scope
|
|
|
|
|
code.save()
|
|
|
|
|
|
|
|
|
|
uri = self.params.redirect_uri + '?code={0}'.format(code.code)
|
2015-01-09 17:59:23 +00:00
|
|
|
|
2015-01-28 18:19:36 +00:00
|
|
|
else: # Implicit Flow
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
id_token_dic = create_id_token_dic(
|
|
|
|
|
self.request.user,
|
2015-01-28 20:00:04 +00:00
|
|
|
settings.get('SITE_URL'),
|
2015-01-08 20:55:24 +00:00
|
|
|
self.client.client_id)
|
|
|
|
|
|
|
|
|
|
token = create_token(
|
|
|
|
|
user=self.request.user,
|
|
|
|
|
client=self.client,
|
|
|
|
|
id_token_dic=id_token_dic,
|
|
|
|
|
scope=self.params.scope)
|
|
|
|
|
|
|
|
|
|
# Store the token.
|
|
|
|
|
token.save()
|
|
|
|
|
|
2015-01-28 20:00:04 +00:00
|
|
|
id_token = encode_id_token(
|
|
|
|
|
id_token_dic, self.client.client_secret)
|
|
|
|
|
|
2015-01-12 22:13:48 +00:00
|
|
|
# TODO: Check if response_type is 'id_token token' then
|
2015-01-08 20:55:24 +00:00
|
|
|
# add access_token to the fragment.
|
2015-01-28 18:19:36 +00:00
|
|
|
uri = self.params.redirect_uri + '#token_type={0}&id_token={1}&expires_in={2}'.format(
|
|
|
|
|
'bearer',
|
|
|
|
|
id_token,
|
2015-01-28 20:00:04 +00:00
|
|
|
60 * 10
|
2015-01-28 18:19:36 +00:00
|
|
|
)
|
2015-01-08 20:55:24 +00:00
|
|
|
except:
|
2015-01-12 22:13:48 +00:00
|
|
|
raise AuthorizeError(
|
|
|
|
|
self.params.redirect_uri,
|
|
|
|
|
'server_error',
|
|
|
|
|
self.grant_type)
|
2015-01-08 20:55:24 +00:00
|
|
|
|
|
|
|
|
# Add state if present.
|
2015-01-28 20:00:04 +00:00
|
|
|
uri = uri + \
|
|
|
|
|
('&state={0}'.format(self.params.state)
|
|
|
|
|
if self.params.state else '')
|
2015-01-08 20:55:24 +00:00
|
|
|
|
2015-01-28 20:00:04 +00:00
|
|
|
return uri
|
