Do not use cookie for browser_state. It may not yet be there
This commit is contained in:
parent
62a0a48678
commit
542479a227
|
@ -30,8 +30,7 @@ from oidc_provider.models import (
|
|||
UserConsent,
|
||||
)
|
||||
from oidc_provider import settings
|
||||
from oidc_provider.lib.utils.common import cleanup_url_from_query_string
|
||||
|
||||
from oidc_provider.lib.utils.common import cleanup_url_from_query_string, get_browser_state_or_default
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -197,7 +196,7 @@ class AuthorizeEndpoint(object):
|
|||
session_state = '{client_id} {origin} {browser_state} {salt}'.format(
|
||||
client_id=self.client.client_id,
|
||||
origin=client_origin,
|
||||
browser_state=self.request.COOKIES['op_browser_state'],
|
||||
browser_state=get_browser_state_or_default(self.request),
|
||||
salt=salt)
|
||||
session_state = sha256(session_state.encode('utf-8')).hexdigest()
|
||||
session_state += '.' + salt
|
||||
|
|
|
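Review bot: The `browser_state=get_browser_state_or_default(self.request)` argument is the security-relevant line in the session_state hunk, and nothing visible here says what the helper returns when `op_browser_state` is absent; if that fallback is a fixed or shared value rather than something per-browser, the `session_state` issued at authorization is not bound to this browser and will not match what the check-session endpoint derives once the cookie exists, so the RP observes a spurious session change. The helper's body is outside this diff, so this is inferred from the test further down that mocks `session_key=None`. I would add a why-comment at the call site, e.g. `# Cookie may not exist on the first authorization; the fallback keeps session_state well-formed but is not per-browser until op_browser_state is set — TODO(review): confirm check-session uses the same derivation`. The enclosing create_response_uri body starts and ends outside the hunk.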
@ -7,7 +7,7 @@ try:
|
|||
except ImportError:
|
||||
from urlparse import parse_qs, urlsplit
|
||||
import uuid
|
||||
from mock import patch
|
||||
from mock import patch, mock
|
||||
|
||||
from django.contrib.auth.models import AnonymousUser
|
||||
from django.core.management import call_command
|
||||
|
@ -537,3 +537,14 @@ class TestCreateResponseURI(TestCase):
|
|||
authorization_endpoint.create_response_uri()
|
||||
|
||||
log_exception.assert_called_once_with('[Authorize] Error when trying to create response uri: %s', exception)
|
||||
|
||||
@override_settings(OIDC_SESSION_MANAGEMENT_ENABLE=True)
|
||||
def test_create_response_uri_generates_session_state_if_session_management_enabled(self):
|
||||
# RequestFactory doesn't support sessions, so we mock it
|
||||
self.request.session = mock.Mock(session_key=None)
|
||||
|
||||
authorization_endpoint = AuthorizeEndpoint(self.request)
|
||||
authorization_endpoint.validate_params()
|
||||
|
||||
uri = authorization_endpoint.create_response_uri()
|
||||
self.assertIn('session_state=', uri)
|
||||
|
|
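Review bot: The new test asserts only that `session_state=` appears in the URI and exercises only the fallback branch (`session_key=None`), so a regression that emits a constant or malformed value would still pass. I would parse the query with the `parse_qs`/`urlsplit` this file already imports, `state = parse_qs(urlsplit(uri).query)['session_state'][0]`, and check the `hexdigest + '.' + salt` shape the endpoint builds, `self.assertRegex(state, r'^[0-9a-f]{64}\.\S+$')` (use the Python 2 spelling if this file must still run there; the salt's character set is not visible in the diff, so tighten the pattern to match how it is generated). A second case with a real `session_key` that asserts a session_state different from the mocked-None one would cover the non-default path. The enclosing class `TestCreateResponseURI` begins above the hunk.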