Refactoring prompt=none logic.
parent
b05894bf6d
commit
61f0c209af
2 changed files with 24 additions and 20 deletions
|
@ -62,35 +62,39 @@ class AuthorizeEndpoint(object):
|
|||
self.params.code_challenge_method = query_dict.get('code_challenge_method')
|
||||
|
||||
def validate_params(self):
|
||||
# Client validation.
|
||||
try:
|
||||
self.client = Client.objects.get(client_id=self.params.client_id)
|
||||
except Client.DoesNotExist:
|
||||
logger.debug('[Authorize] Invalid client identifier: %s', self.params.client_id)
|
||||
raise ClientIdError()
|
||||
|
||||
# Redirect URI validation.
|
||||
if self.is_authentication and not self.params.redirect_uri:
|
||||
logger.debug('[Authorize] Missing redirect uri.')
|
||||
raise RedirectUriError()
|
||||
|
||||
if not self.grant_type:
|
||||
logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
|
||||
raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
|
||||
self.grant_type)
|
||||
|
||||
if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
|
||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||
self.grant_type)
|
||||
|
||||
if self.is_authentication and self.params.response_type != self.client.response_type:
|
||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||
self.grant_type)
|
||||
|
||||
clean_redirect_uri = urlsplit(self.params.redirect_uri)
|
||||
clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
|
||||
if not (clean_redirect_uri in self.client.redirect_uris):
|
||||
logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri)
|
||||
raise RedirectUriError()
|
||||
|
||||
# Grant type validation.
|
||||
if not self.grant_type:
|
||||
logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
|
||||
raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
|
||||
self.grant_type)
|
||||
|
||||
# Nonce parameter validation.
|
||||
if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
|
||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||
self.grant_type)
|
||||
|
||||
# Response type parameter validation.
|
||||
if self.is_authentication and self.params.response_type != self.client.response_type:
|
||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||
self.grant_type)
|
||||
|
||||
# PKCE validation of the transformation method.
|
||||
if self.params.code_challenge:
|
||||
if not (self.params.code_challenge_method in ['plain', 'S256']):
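Review bot: The redirect URI check in validate_params matches only the URI with its query removed (`_replace(query='')`), while each AuthorizeError raised after it receives the raw `self.params.redirect_uri`, so a request-supplied query string is passed on without ever being compared against the registered values. OpenID Connect Core requires an exact string match against the registered redirect URIs. If the looser match is intentional it deserves a comment saying so; otherwise compare the raw value: `if self.params.redirect_uri not in self.client.redirect_uris:`. The new ordering is also load-bearing and the section comment should say so, e.g. `# Redirect URI validation. Must run before any AuthorizeError below, which carries this URI to the caller.` The PKCE block of validate_params continues past the end of the hunk.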
|
||||
|
|
|
@ -66,13 +66,15 @@ class AuthorizeView(View):
|
|||
'params': authorize.params,
|
||||
}
|
||||
|
||||
if authorize.params.prompt == 'none':
|
||||
raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type)
|
||||
|
||||
return render(request, 'oidc_provider/authorize.html', context)
|
||||
else:
|
||||
if authorize.params.prompt == 'none':
|
||||
raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type)
|
||||
else:
|
||||
path = request.get_full_path()
|
||||
return redirect_to_login(path)
|
||||
|
||||
return redirect_to_login(request.get_full_path())
|
||||
|
||||
except (ClientIdError, RedirectUriError) as error:
|
||||
context = {
|
||||
|
@ -92,12 +94,10 @@ class AuthorizeView(View):
|
|||
def post(self, request, *args, **kwargs):
|
||||
authorize = AuthorizeEndpoint(request)
|
||||
|
||||
allow = True if request.POST.get('allow') else False
|
||||
|
||||
try:
|
||||
authorize.validate_params()
|
||||
|
||||
if not allow:
|
||||
if not request.POST.get('allow'):
|
||||
raise AuthorizeError(authorize.params.redirect_uri,
|
||||
'access_denied',
|
||||
authorize.grant_type)
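Review bot: Both `authorize.params.prompt == 'none'` tests in AuthorizeView.get compare the whole parameter to a single string, but OpenID Connect defines prompt as a space-delimited list in which `none` must not be combined with other values. A request with `prompt=none login` therefore matches neither test and falls through to the consent page or the login redirect instead of getting an error. Splitting once, e.g. `prompts = set((authorize.params.prompt or '').split())`, then testing `'none' in prompts` and raising `invalid_request` when `none` is not the only value, would cover both branches. In the post() hunk, `if not request.POST.get('allow'):` accepts any non-empty value as consent, including `allow=0` or `allow=false`. Comparing against the exact value the consent form submits would be stricter, though the template is not visible here, so that value needs confirming. Both methods start or end outside the hunks shown.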
|
||||
|
|