Merge pull request #84 from wojtek-fliposports/v0.3.x

Fixing missing verification of client response type and encoding the client secret.
2016-03-08 18:48:44 -03:00 · 2016-03-08 18:48:44 -03:00 · a2809307cf
parent d43bad80dc 08033bb9ad
commit a2809307cf
2 changed files with 5 additions and 1 deletions
--- a/oidc_provider/admin.py
+++ b/oidc_provider/admin.py
@ -33,7 +33,7 @@ class ClientForm(ModelForm):
        if instance and instance.pk:
            return instance.client_secret
        else:
-            return md5(str(uuid4())).hexdigest()
+            return md5(uuid4().hex.encode()).hexdigest()


@admin.register(Client)
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@ -76,6 +76,10 @@ class AuthorizeEndpoint(object):
            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
                self.grant_type)

+        if self.is_authentication and self.params.response_type != self.client.response_type:
+            raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
+                self.grant_type)
+                
        clean_redirect_uri = urlsplit(self.params.redirect_uri)
        clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
        if not (clean_redirect_uri in self.client.redirect_uris):