Refactoring prompt=none logic.
This commit is contained in:
parent
b05894bf6d
commit
61f0c209af
2 changed files with 24 additions and 20 deletions
@ -62,35 +62,39 @@ class AuthorizeEndpoint(object):
|
||||||
self.params.code_challenge_method = query_dict.get('code_challenge_method')
|
self.params.code_challenge_method = query_dict.get('code_challenge_method')
|
||||||
|
|
||||||
def validate_params(self):
|
def validate_params(self):
|
||||||
|
# Client validation.
|
||||||
try:
|
try:
|
||||||
self.client = Client.objects.get(client_id=self.params.client_id)
|
self.client = Client.objects.get(client_id=self.params.client_id)
|
||||||
except Client.DoesNotExist:
|
except Client.DoesNotExist:
|
||||||
logger.debug('[Authorize] Invalid client identifier: %s', self.params.client_id)
|
logger.debug('[Authorize] Invalid client identifier: %s', self.params.client_id)
|
||||||
raise ClientIdError()
|
raise ClientIdError()
|
||||||
|
|
||||||
|
# Redirect URI validation.
|
||||||
if self.is_authentication and not self.params.redirect_uri:
|
if self.is_authentication and not self.params.redirect_uri:
|
||||||
logger.debug('[Authorize] Missing redirect uri.')
|
logger.debug('[Authorize] Missing redirect uri.')
|
||||||
raise RedirectUriError()
|
raise RedirectUriError()
|
||||||
|
|
||||||
if not self.grant_type:
|
|
||||||
logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
|
|
||||||
raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
|
|
||||||
self.grant_type)
|
|
||||||
|
|
||||||
if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
|
|
||||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
|
||||||
self.grant_type)
|
|
||||||
|
|
||||||
if self.is_authentication and self.params.response_type != self.client.response_type:
|
|
||||||
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
|
||||||
self.grant_type)
|
|
||||||
|
|
||||||
clean_redirect_uri = urlsplit(self.params.redirect_uri)
|
clean_redirect_uri = urlsplit(self.params.redirect_uri)
|
||||||
clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
|
clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
|
||||||
if not (clean_redirect_uri in self.client.redirect_uris):
|
if not (clean_redirect_uri in self.client.redirect_uris):
|
||||||
logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri)
|
logger.debug('[Authorize] Invalid redirect uri: %s', self.params.redirect_uri)
|
||||||
raise RedirectUriError()
|
raise RedirectUriError()
|
||||||
|
|
||||||
|
# Grant type validation.
|
||||||
|
if not self.grant_type:
|
||||||
|
logger.debug('[Authorize] Invalid response type: %s', self.params.response_type)
|
||||||
|
raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
|
||||||
|
self.grant_type)
|
||||||
|
|
||||||
|
# Nonce parameter validation.
|
||||||
|
if self.is_authentication and self.grant_type == 'implicit' and not self.params.nonce:
|
||||||
|
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||||
|
self.grant_type)
|
||||||
|
|
||||||
|
# Response type parameter validation.
|
||||||
|
if self.is_authentication and self.params.response_type != self.client.response_type:
|
||||||
|
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||||
|
self.grant_type)
|
||||||
|
|
||||||
# PKCE validation of the transformation method.
|
# PKCE validation of the transformation method.
|
||||||
if self.params.code_challenge:
|
if self.params.code_challenge:
|
||||||
if not (self.params.code_challenge_method in ['plain', 'S256']):
|
if not (self.params.code_challenge_method in ['plain', 'S256']):
|
||||||
|
|
|
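Review bot: Nothing in the new validate_params records that the redirect_uri whitelist check (the `clean_redirect_uri in self.client.redirect_uris` test) must stay ahead of the grant-type, nonce and response-type checks, even though that ordering is what now keeps each `raise AuthorizeError(self.params.redirect_uri, ...)` — which, judging by its first argument, sends the browser back to redirect_uri — from ever using an unregistered URI. I would widen the new comment to `# Redirect URI validation. Keep this before anything that raises AuthorizeError: that error redirects to redirect_uri, so it must be whitelisted first.` so a later reshuffle cannot silently reintroduce the open redirect the old order had. One caveat to note in the same place: the comparison drops only the query component (`_replace(query='')`), so a registered URI with an appended query string passes while the unstripped `self.params.redirect_uri` is what the error redirects reuse; OIDC Core 3.1.2.1 asks for an exact match, so confirm the query-tolerant comparison is intentional. validate_params continues past the end of the hunk (the PKCE branch is cut off).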
@ -66,13 +66,15 @@ class AuthorizeView(View):
|
||||||
'params': authorize.params,
|
'params': authorize.params,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if authorize.params.prompt == 'none':
|
||||||
|
raise AuthorizeError(authorize.params.redirect_uri, 'interaction_required', authorize.grant_type)
|
||||||
|
|
||||||
return render(request, 'oidc_provider/authorize.html', context)
|
return render(request, 'oidc_provider/authorize.html', context)
|
||||||
else:
|
else:
|
||||||
if authorize.params.prompt == 'none':
|
if authorize.params.prompt == 'none':
|
||||||
raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type)
|
raise AuthorizeError(authorize.params.redirect_uri, 'login_required', authorize.grant_type)
|
||||||
else:
|
|
||||||
path = request.get_full_path()
|
return redirect_to_login(request.get_full_path())
|
||||||
return redirect_to_login(path)
|
|
||||||
|
|
||||||
except (ClientIdError, RedirectUriError) as error:
|
except (ClientIdError, RedirectUriError) as error:
|
||||||
context = {
|
context = {
|
||||||
|
@ -92,12 +94,10 @@ class AuthorizeView(View):
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
authorize = AuthorizeEndpoint(request)
|
authorize = AuthorizeEndpoint(request)
|
||||||
|
|
||||||
allow = True if request.POST.get('allow') else False
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
authorize.validate_params()
|
authorize.validate_params()
|
||||||
|
|
||||||
if not allow:
|
if not request.POST.get('allow'):
|
||||||
raise AuthorizeError(authorize.params.redirect_uri,
|
raise AuthorizeError(authorize.params.redirect_uri,
|
||||||
'access_denied',
|
'access_denied',
|
||||||
authorize.grant_type)
|
authorize.grant_type)
|
||||||
|
|
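Review bot: The added `interaction_required` raise at the top of the authenticated branch fires for every logged-in user, before `render(...)`, so a prompt=none request can never be answered silently even when no consent would be needed; that is the fail-closed default and fine from a security standpoint, but since silent re-authentication is the whole purpose of prompt=none it deserves a comment such as `# prompt=none never succeeds here: consent is never skipped, so the client must retry interactively.` The check also compares `prompt == 'none'` whereas OIDC Core 3.1.2.1 defines prompt as a space-delimited list and makes `none` combined with any other value an error, so a value like `none login` currently falls through to the interactive flow — harmless, but worth a note or an `invalid_request`. Both new raises reuse `authorize.params.redirect_uri` as the error-redirect target, which is only safe if `validate_params()` has already whitelisted it earlier in get; get starts above the hunk and continues below it, so that call is not visible here.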