Not auto-approve requests for non-confidential clients.
This commit is contained in:
parent
c39a81e5f9
commit
3f5992100a
3 changed files with 34 additions and 5 deletions
|
@ -33,7 +33,7 @@ def create_fake_user():
|
|||
return user
|
||||
|
||||
|
||||
def create_fake_client(response_type):
|
||||
def create_fake_client(response_type, is_public=False):
|
||||
"""
|
||||
Create a test client, response_type argument MUST be:
|
||||
'code', 'id_token' or 'id_token token'.
|
||||
|
@ -42,7 +42,12 @@ def create_fake_client(response_type):
|
|||
"""
|
||||
client = Client()
|
||||
client.name = 'Some Client'
|
||||
client.client_id = '123'
|
||||
if is_public:
|
||||
client.client_type = 'public'
|
||||
client.client_id = 'p123'
|
||||
client.client_secret = ''
|
||||
else:
|
||||
client.client_id = 'c123'
|
||||
client.client_secret = '456'
|
||||
client.response_type = response_type
|
||||
client.redirect_uris = ['http://example.com/']
|
||||
|
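Review bot: The unconditional `client.client_id = '123'` just above `if is_public:` is now dead code, because both branches immediately overwrite it with `'p123'` or `'c123'`; drop that line so the fixture has one source of truth per client type. The new `is_public` flag also deserves a line in the docstring, e.g. `is_public: build a 'public' client (no secret); otherwise a confidential one with client_secret '456'.`, since the two fixtures are now meant to behave differently in the consent flow. The body of create_fake_client appears to continue past the end of this hunk.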
|
|
@ -25,6 +25,7 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
|||
self.factory = RequestFactory()
|
||||
self.user = create_fake_user()
|
||||
self.client = create_fake_client(response_type='code')
|
||||
self.client_public = create_fake_client(response_type='code', is_public=True)
|
||||
self.state = uuid.uuid4().hex
|
||||
|
||||
def test_missing_parameters(self):
|
||||
|
@ -310,8 +311,31 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
|||
|
||||
response = AuthorizeView.as_view()(request)
|
||||
|
||||
# Search the scopes in the html.
|
||||
self.assertEqual(scope_test in response.content.decode('utf-8'), True)
|
||||
|
||||
def test_public_client_auto_approval(self):
|
||||
"""
|
||||
It's recommended not auto-approving requests for non-confidential clients.
|
||||
"""
|
||||
query_str = urlencode({
|
||||
'client_id': self.client_public.client_id,
|
||||
'response_type': 'code',
|
||||
'redirect_uri': self.client_public.default_redirect_uri,
|
||||
'scope': 'openid email',
|
||||
'state': self.state,
|
||||
})
|
||||
|
||||
url = reverse('oidc_provider:authorize') + '?' + query_str
|
||||
|
||||
request = self.factory.get(url)
|
||||
# Simulate that the user is logged.
|
||||
request.user = self.user
|
||||
|
||||
with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
|
||||
response = AuthorizeView.as_view()(request)
|
||||
|
||||
self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True)
|
||||
|
||||
class ImplicitFlowTestCase(TestCase):
|
||||
"""
|
||||
|
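Review bot: test_public_client_auto_approval only exercises the `OIDC_SKIP_CONSENT_ALWAYS` branch, while the commit also stops skipping consent for public clients on the `OIDC_SKIP_CONSENT_ENABLE` / `client_has_user_consent()` path, which no test here covers, so a regression on that second guard would go unnoticed. A second case that records a prior consent for `self.client_public` (however the suite does that — not visible here), runs the view with `OIDC_SKIP_CONSENT_ENABLE=True` and asserts the consent page is still rendered would close that gap. A control assertion that the confidential `self.client` is redirected under the same settings would show the test really discriminates on client_type rather than on some other setup difference. Minor: `self.assertIn('Request for Permission', response.content.decode('utf-8'))` is clearer than the `assertEqual(... in ..., True)` form and gives a better failure message.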
|
|
@ -40,12 +40,12 @@ class AuthorizeView(View):
|
|||
if hook_resp:
|
||||
return hook_resp
|
||||
|
||||
if settings.get('OIDC_SKIP_CONSENT_ALWAYS'):
|
||||
if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
|
||||
return redirect(authorize.create_response_uri())
|
||||
|
||||
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
|
||||
# Check if user previously give consent.
|
||||
if authorize.client_has_user_consent():
|
||||
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
|
||||
return redirect(authorize.create_response_uri())
|
||||
|
||||
# Generate hidden inputs for the form.
|
||||
|
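Review bot: The two new conditions repeat `not (authorize.client.client_type == 'public')` without saying why, and the reason is security-relevant enough to record next to the check: a public client cannot prove its identity, so silently issuing a code or token on its behalf lets any app that presents the same client_id (and can receive the redirect) obtain tokens without the user ever seeing a consent screen. I'd hoist the test into one named local with a comment and reuse it in both branches, e.g. `# Public clients can't be authenticated (RFC 6749 §10.2), so never skip the consent screen for them.` / `skip_ok = authorize.client.client_type != 'public'` / `if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and skip_ok:`, and likewise on the `client_has_user_consent()` line. The comparison assumes 'public' is the only non-confidential value of client_type; if the model allows other values that cannot be verified by the server, the check should be on the confidential side instead (`== 'confidential'`), which I can't confirm from this hunk. Note this also means consent previously recorded for public clients is no longer honoured, which looks intended but is worth a line in the commit message.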
|