Not auto-approve requests for non-confidential clients.
This commit is contained in:
parent
c39a81e5f9
commit
3f5992100a
@ -33,7 +33,7 @@ def create_fake_user():
|
||||||
return user
|
return user
|
||||||
|
|
||||||
|
|
||||||
def create_fake_client(response_type):
|
def create_fake_client(response_type, is_public=False):
|
||||||
"""
|
"""
|
||||||
Create a test client, response_type argument MUST be:
|
Create a test client, response_type argument MUST be:
|
||||||
'code', 'id_token' or 'id_token token'.
|
'code', 'id_token' or 'id_token token'.
|
||||||
|
@ -42,7 +42,12 @@ def create_fake_client(response_type):
|
||||||
"""
|
"""
|
||||||
client = Client()
|
client = Client()
|
||||||
client.name = 'Some Client'
|
client.name = 'Some Client'
|
||||||
client.client_id = '123'
|
if is_public:
|
||||||
|
client.client_type = 'public'
|
||||||
|
client.client_id = 'p123'
|
||||||
|
client.client_secret = ''
|
||||||
|
else:
|
||||||
|
client.client_id = 'c123'
|
||||||
client.client_secret = '456'
|
client.client_secret = '456'
|
||||||
client.response_type = response_type
|
client.response_type = response_type
|
||||||
client.redirect_uris = ['http://example.com/']
|
client.redirect_uris = ['http://example.com/']
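Review bot: The confidential branch of create_fake_client leaves client_type unset, so the fixture relies on the model's default for exactly the attribute the new view check distinguishes on; set it explicitly next to `client.client_id = 'c123'`, e.g. `client.client_type = 'confidential'` (presumably the model's non-public choice — confirm against the Client model). The new is_public argument is also undocumented although the docstring spells out the response_type contract; add a line such as `is_public=True builds a public (non-confidential) client with no client_secret.` The two branches share `client.client_secret` handling only by coincidence of order, so a reader has to trace both to see that the public client ends with an empty secret and the confidential one with '456'; a short comment above `if is_public:` saying so would help.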
|
||||||
|
|
|
@ -25,6 +25,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
||||||
self.factory = RequestFactory()
|
self.factory = RequestFactory()
|
||||||
self.user = create_fake_user()
|
self.user = create_fake_user()
|
||||||
self.client = create_fake_client(response_type='code')
|
self.client = create_fake_client(response_type='code')
|
||||||
|
self.client_public = create_fake_client(response_type='code', is_public=True)
|
||||||
self.state = uuid.uuid4().hex
|
self.state = uuid.uuid4().hex
|
||||||
|
|
||||||
def test_missing_parameters(self):
|
def test_missing_parameters(self):
|
||||||
|
@ -310,8 +311,31 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
||||||
|
|
||||||
response = AuthorizeView.as_view()(request)
|
response = AuthorizeView.as_view()(request)
|
||||||
|
|
||||||
|
# Search the scopes in the html.
|
||||||
self.assertEqual(scope_test in response.content.decode('utf-8'), True)
|
self.assertEqual(scope_test in response.content.decode('utf-8'), True)
|
||||||
|
|
||||||
|
def test_public_client_auto_approval(self):
|
||||||
|
"""
|
||||||
|
It's recommended not auto-approving requests for non-confidential clients.
|
||||||
|
"""
|
||||||
|
query_str = urlencode({
|
||||||
|
'client_id': self.client_public.client_id,
|
||||||
|
'response_type': 'code',
|
||||||
|
'redirect_uri': self.client_public.default_redirect_uri,
|
||||||
|
'scope': 'openid email',
|
||||||
|
'state': self.state,
|
||||||
|
})
|
||||||
|
|
||||||
|
url = reverse('oidc_provider:authorize') + '?' + query_str
|
||||||
|
|
||||||
|
request = self.factory.get(url)
|
||||||
|
# Simulate that the user is logged.
|
||||||
|
request.user = self.user
|
||||||
|
|
||||||
|
with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
|
||||||
|
response = AuthorizeView.as_view()(request)
|
||||||
|
|
||||||
|
self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)
|
||||||
|
|
||||||
class ImplicitFlowTestCase(TestCase):
|
class ImplicitFlowTestCase(TestCase):
|
||||||
"""
|
"""
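Review bot: test_public_client_auto_approval covers only the OIDC_SKIP_CONSENT_ALWAYS branch, while the view change also stops skipping consent for public clients on the OIDC_SKIP_CONSENT_ENABLE / client_has_user_consent() path; that second path has no test here, so a regression in it would go unnoticed. A companion test that records a prior consent for self.client_public under OIDC_SKIP_CONSENT_ENABLE=True and still expects the consent page would close the gap. The assertion reads better as `self.assertIn('Request for Permission', response.content.decode('utf-8'))`, and the docstring states a recommendation rather than what is verified; `Public clients must see the consent page even when OIDC_SKIP_CONSENT_ALWAYS is on.` says it. If the consent page renders with a 200, an explicit `self.assertEqual(response.status_code, 200)` before the content check would make the guarded failure mode (a redirect with an authorization code) visible in the test itself.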
|
||||||
|
|
|
@ -40,12 +40,12 @@ class AuthorizeView(View):
|
||||||
if hook_resp:
|
if hook_resp:
|
||||||
return hook_resp
|
return hook_resp
|
||||||
|
|
||||||
if settings.get('OIDC_SKIP_CONSENT_ALWAYS'):
|
if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
|
||||||
return redirect(authorize.create_response_uri())
|
return redirect(authorize.create_response_uri())
|
||||||
|
|
||||||
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
|
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
|
||||||
# Check if user previously give consent.
|
# Check if user previously give consent.
|
||||||
if authorize.client_has_user_consent():
|
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
|
||||||
return redirect(authorize.create_response_uri())
|
return redirect(authorize.create_response_uri())
|
||||||
|
|
||||||
# Generate hidden inputs for the form.
|
# Generate hidden inputs for the form.
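Review bot: The public-client guard is duplicated, at the OIDC_SKIP_CONSENT_ALWAYS check and again at the client_has_user_consent() check, as `not (authorize.client.client_type == 'public')`; compute it once above the first branch, `skip_allowed = authorize.client.client_type != 'public'`, and use `and skip_allowed` in both conditions so the two paths cannot drift apart. Because the consent bypass is the privilege being granted, matching the confidential type positively (`authorize.client.client_type == 'confidential'`, assuming that is the model's other choice) would fail closed if a client ever carried an unexpected or empty client_type, whereas the current negative check lets such a client skip consent. A why-comment above the first branch, e.g. `# Public clients cannot keep a secret, so consent is never skipped for them.`, would record the reasoning the commit message gives. The enclosing method starts and ends outside this hunk.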
|
||||||
|
|