Add nonce in id_token when included in auth request
http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token.
parent
6ce523edaa
commit
a4fcf956c2
3 changed files with 40 additions and 3 deletions
|
@ -33,6 +33,7 @@ class TokenEndpoint(object):
|
||||||
self.params.grant_type = query_dict.get('grant_type', '')
|
self.params.grant_type = query_dict.get('grant_type', '')
|
||||||
self.params.code = query_dict.get('code', '')
|
self.params.code = query_dict.get('code', '')
|
||||||
self.params.state = query_dict.get('state', '')
|
self.params.state = query_dict.get('state', '')
|
||||||
|
self.params.nonce = query_dict.get('nonce', '')
|
||||||
|
|
||||||
def validate_params(self):
|
def validate_params(self):
|
||||||
if not (self.params.grant_type == 'authorization_code'):
|
if not (self.params.grant_type == 'authorization_code'):
|
||||||
|
@ -70,7 +71,9 @@ class TokenEndpoint(object):
|
||||||
def create_response_dic(self):
|
def create_response_dic(self):
|
||||||
id_token_dic = create_id_token(
|
id_token_dic = create_id_token(
|
||||||
user=self.code.user,
|
user=self.code.user,
|
||||||
aud=self.client.client_id)
|
aud=self.client.client_id,
|
||||||
|
nonce=self.params.nonce,
|
||||||
|
)
|
||||||
|
|
||||||
token = create_token(
|
token = create_token(
|
||||||
user=self.code.user,
|
user=self.code.user,
|
||||||
|
|
|
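Review bot: The nonce placed in the ID Token is read from the token request body (`self.params.nonce = query_dict.get('nonce', '')`), but the spec text quoted in the commit message requires the value sent in the Authentication Request, which this token endpoint never sees. Taken from the token request, the claim merely echoes whatever the caller posted, so it no longer binds the ID Token to the browser session that started the authorization flow, and the replay protection the claim is meant to give relying parties is lost. The value should be recorded when the code is issued at the authorization endpoint and read back here, e.g. `nonce=self.code.nonce,` in create_response_dic, with the nonce parsing dropped from this endpoint; that presumably needs a nonce field on the Code model, which is not visible from this hunk. The test added in the last file section posts the nonce to the token endpoint and therefore exercises the same shortcut rather than the spec behaviour.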
@ -10,7 +10,7 @@ from oidc_provider.models import *
|
||||||
from oidc_provider import settings
|
from oidc_provider import settings
|
||||||
|
|
||||||
|
|
||||||
def create_id_token(user, aud):
|
def create_id_token(user, aud, nonce=None):
|
||||||
"""
|
"""
|
||||||
Receives a user object and aud (audience).
|
Receives a user object and aud (audience).
|
||||||
Then creates the id_token dictionary.
|
Then creates the id_token dictionary.
|
||||||
|
@ -40,6 +40,9 @@ def create_id_token(user, aud):
|
||||||
'auth_time': auth_time,
|
'auth_time': auth_time,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if nonce:
|
||||||
|
dic['nonce'] = nonce
|
||||||
|
|
||||||
return dic
|
return dic
|
||||||
|
|
||||||
|
|
||||||
|
@ -89,4 +92,4 @@ def create_code(user, client, scope):
|
||||||
seconds=settings.get('OIDC_CODE_EXPIRE'))
|
seconds=settings.get('OIDC_CODE_EXPIRE'))
|
||||||
code.scope = scope
|
code.scope = scope
|
||||||
|
|
||||||
return code
|
return code
|
||||||
|
|
|
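Review bot: The docstring of create_id_token is unchanged even though the signature now takes `nonce=None`; add a line such as `nonce: optional value from the Authentication Request; when truthy it is copied into the 'nonce' claim.` after `Receives a user object and aud (audience).`. The guard `if nonce:` also skips an empty string, which is consistent with the `''` default the caller in the token endpoint passes, and is worth stating in the docstring so the claim is never emitted empty. The remainder of create_id_token, including where `dic` is built, lies outside the hunk, as does the body of create_code where a stored nonce would naturally be persisted.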
@ -9,6 +9,8 @@ from django.core.urlresolvers import reverse
|
||||||
from django.test import RequestFactory
|
from django.test import RequestFactory
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
|
|
||||||
|
import jwt
|
||||||
|
|
||||||
from oidc_provider.lib.utils.token import *
|
from oidc_provider.lib.utils.token import *
|
||||||
from oidc_provider.tests.utils import *
|
from oidc_provider.tests.utils import *
|
||||||
from oidc_provider.views import *
|
from oidc_provider.views import *
|
||||||
|
@ -123,3 +125,32 @@ class TokenTestCase(TestCase):
|
||||||
msg='"error" key should exists in response.')
|
msg='"error" key should exists in response.')
|
||||||
self.assertEqual(response_dic.get('error') == 'invalid_client', True,
|
self.assertEqual(response_dic.get('error') == 'invalid_client', True,
|
||||||
msg='"error" key value should be "invalid_client".')
|
msg='"error" key value should be "invalid_client".')
|
||||||
|
|
||||||
|
def test_token_contains_nonce_if_provided(self):
|
||||||
|
"""
|
||||||
|
If present in the Authentication Request, Authorization Servers MUST
|
||||||
|
include a nonce Claim in the ID Token with the Claim Value being the
|
||||||
|
nonce value sent in the Authentication Request.
|
||||||
|
|
||||||
|
See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
|
||||||
|
"""
|
||||||
|
|
||||||
|
code = self._create_code()
|
||||||
|
|
||||||
|
post_data = {
|
||||||
|
'client_id': self.client.client_id,
|
||||||
|
'client_secret': self.client.client_secret,
|
||||||
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
|
'grant_type': 'authorization_code',
|
||||||
|
'code': code.code,
|
||||||
|
'state': self.state,
|
||||||
|
'nonce': 'thisisanonce'
|
||||||
|
}
|
||||||
|
|
||||||
|
response = self._post_request(post_data)
|
||||||
|
|
||||||
|
response_dic = json.loads(response.content.decode('utf-8'))
|
||||||
|
id_token = jwt.decode(response_dic['id_token'],
|
||||||
|
options={'verify_signature': False, 'verify_aud': False})
|
||||||
|
|
||||||
|
self.assertEqual(id_token['nonce'], 'thisisanonce')
|
||||||
|
|
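Review bot: test_token_contains_nonce_if_provided only covers the positive case; a companion test should post the same data without the `'nonce'` key and assert `self.assertNotIn('nonce', id_token)`, so that a claim leaking in from a default value is caught as well. `json.loads` is used but the hunk only adds `import jwt`; presumably `json` is already imported higher in the file, which cannot be confirmed here. Decoding with `'verify_signature': False` is fine for a claim-content test, but some other test should still verify the signed token, and that is not visible in this hunk. The `_create_code` and `_post_request` helpers are defined outside the hunk.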