Not auto-approve requests for non-confidential clients.

2016-04-08 18:09:24 -03:00 · 2016-04-08 18:09:24 -03:00 · 3f5992100a
parent c39a81e5f9
commit 3f5992100a
3 changed files with 34 additions and 5 deletions
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@ -33,7 +33,7 @@ def create_fake_user():
    return user


-def create_fake_client(response_type):
+def create_fake_client(response_type, is_public=False):
    """
    Create a test client, response_type argument MUST be:
    'code', 'id_token' or 'id_token token'.
@ -42,8 +42,13 @@ def create_fake_client(response_type):
    """
    client = Client()
    client.name = 'Some Client'
-    client.client_id = '123'
-    client.client_secret = '456'
+    if is_public:
+        client.client_type = 'public'
+        client.client_id = 'p123'
+        client.client_secret = ''
+    else:
+        client.client_id = 'c123'
+        client.client_secret = '456'
    client.response_type = response_type
    client.redirect_uris = ['http://example.com/']

--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@ -25,6 +25,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
        self.factory = RequestFactory()
        self.user = create_fake_user()
        self.client = create_fake_client(response_type='code')
+        self.client_public = create_fake_client(response_type='code', is_public=True)
        self.state = uuid.uuid4().hex

    def test_missing_parameters(self):
@ -310,8 +311,31 @@ class AuthorizationCodeFlowTestCase(TestCase):

        response = AuthorizeView.as_view()(request)

+        # Search the scopes in the html.
        self.assertEqual(scope_test in response.content.decode('utf-8'), True)

+    def test_public_client_auto_approval(self):
+        """
+        It's recommended not auto-approving requests for non-confidential clients.
+        """
+        query_str = urlencode({
+            'client_id': self.client_public.client_id,
+            'response_type': 'code',
+            'redirect_uri': self.client_public.default_redirect_uri,
+            'scope': 'openid email',
+            'state': self.state,
+        })
+
+        url = reverse('oidc_provider:authorize') + '?' + query_str
+
+        request = self.factory.get(url)
+        # Simulate that the user is logged.
+        request.user = self.user
+
+        with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
+            response = AuthorizeView.as_view()(request)
+
+        self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)

 class ImplicitFlowTestCase(TestCase):
    """
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@ -40,12 +40,12 @@ class AuthorizeView(View):
                if hook_resp:
                    return hook_resp

-                if settings.get('OIDC_SKIP_CONSENT_ALWAYS'):
+                if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
                    return redirect(authorize.create_response_uri())

                if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
                    # Check if user previously give consent.
-                    if authorize.client_has_user_consent():
+                    if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
                        return redirect(authorize.create_response_uri())

                # Generate hidden inputs for the form.