diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 83624ad..dcdb8da 100644
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -62,35 +62,39 @@ class AuthorizeEndpoint(object): self.params.code_challenge_method = query_dict.get('code_challenge_method') def validate_params(self): + # Client validation. try: self.client = Client.objects.get(client_id=self.params.client_id) except Client.DoesNotExist: logger.debug('[Authorize] Invalid client identifier: %s', self.params.client_id) raise ClientIdError() + # Redirect URI validation. if self.is_authentication and not self.params.redirect_uri: logger.debug('[Authorize] Missing redirect uri.') raise RedirectUriError() - - if not self.grant_type: - logger.debug('[Authorize] Invalid response type: %s', self.params.response_type) - raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type', - self.grant_type) - - if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce: - raise AuthorizeError(self.params.redirect_uri, 'invalid_request', - self.grant_type) - - if self.is_authentication and self.params.response_type != self.client.response_type: - raise AuthorizeError(self.params.redirect_uri, 'invalid_request', - self.grant_type) - clean_redirect_uri = urlsplit(self.params.redirect_uri) clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query='')) if not (clean_redirect_uri in self.client.redirect_uris): logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri) raise RedirectUriError() + # Grant type validation. + if not self.grant_type: + logger.debug('[Authorize] Invalid response type: %s', self.params.response_type) + raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type', + self.grant_type) + + # Nonce parameter validation. + if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce: + raise AuthorizeError(self.params.redirect_uri, 'invalid_request', + self.grant_type) + + # Response type parameter validation. 
+ if self.is_authentication and self.params.response_type != self.client.response_type: + raise AuthorizeError(self.params.redirect_uri, 'invalid_request', + self.grant_type) + # PKCE validation of the transformation method. if self.params.code_challenge: if not (self.params.code_challenge_method in ['plain', 'S256']): diff --git a/oidc_provider/views.py b/oidc_provider/views.py index bd5a6f8..016bddd 100644 --- a/oidc_provider/views.py +++ b/oidc_provider/views.py @@ -66,13 +66,15 @@ class AuthorizeView(View): 'params': authorize.params, } + if authorize.params.prompt == 'none': + raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type) + return render(request, 'oidc_provider/authorize.html', context) else: if authorize.params.prompt == 'none': raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type) - else: - path = request.get_full_path() - return redirect_to_login(path) + + return redirect_to_login(request.get_full_path()) except (ClientIdError, RedirectUriError) as error: context = { @@ -92,12 +94,10 @@ class AuthorizeView(View): def post(self, request, *args, **kwargs): authorize = AuthorizeEndpoint(request) - allow = True if request.POST.get('allow') else False - try: authorize.validate_params() - if not allow: + if not request.POST.get('allow'): raise AuthorizeError(authorize.params.redirect_uri, 'access_denied', authorize.grant_type)
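Review bot: The moved response-type check `if self.is_authentication and self.params.response_type != self.client.response_type:` compares raw strings, so a multi-valued response_type sent in a different token order than the registered value (constructed example: `token id_token` versus `id_token token`) is rejected as invalid_request even though the space-delimited values are defined as order-insensitive; comparing `set(self.params.response_type.split()) != set(self.client.response_type.split())` would accept either order, assuming both sides are plain space-delimited strings as the debug log line suggests. The reordering itself is the right fix, since every AuthorizeError raised in this method now carries a redirect_uri that has already been matched against the client's registered list; a comment such as `# Keep redirect URI validation first: every AuthorizeError below redirects to it.` would protect that ordering against future edits. The nonce requirement is only enforced for `grant_type == 'implicit'`; if hybrid response types map to a different grant_type value they would skip it, which is worth confirming against the grant_type property. validate_params continues past the hunk (the PKCE branch is cut off).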
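Review bot: The new `interaction_required` guard only runs after the template context has been fully assembled (the `context = {` literal begins before the hunk), so the dict is built and then discarded whenever prompt=none is sent by an authenticated user; moving `if authorize.params.prompt == 'none': raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type)` ahead of the context construction keeps the error path cheap and mirrors the unauthenticated branch, where the prompt check is the first statement. A one-line comment on the new raise, e.g. `# prompt=none forbids rendering the authorize page, so report interaction_required instead.`, would record why a logged-in user still receives an error response here. The enclosing get() starts and ends outside the hunk.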