Add hidden inputs for PKCE. Fix bug with AES.

This commit is contained in:
Ignacio 2016-04-07 11:45:35 -03:00
parent 93c0bc2382
commit b1b8247cb0
6 changed files with 16 additions and 4 deletions


@ -9,6 +9,7 @@ except ImportError:
from Crypto.Cipher import AES
from django.http import JsonResponse
from django.conf import settings as django_settings
from oidc_provider.lib.errors import *
from oidc_provider.lib.utils.params import *
@ -96,7 +97,7 @@ class TokenEndpoint(object):
# Validate PKCE parameters.
if self.params.code_verifier:
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
if code_challenge_method == 'S256':
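Review bot: The rewritten cipher construction `obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)` still passes no IV and applies no integrity check before the decrypted `challenge:method` pair is trusted on the next line; with PyCrypto an omitted CBC IV is all zeros, and under PyCryptodome it would be a random one that makes this decryption fail, so an explicit IV should be supplied (or, simpler, store code_challenge and code_challenge_method as fields on the code record instead of encrypting them into the code string, which is looked up server-side anyway). The same construction is added in create_code in the second file and needs the same treatment. The `tuple(obj.decrypt(...).split(':'))` unpack raises an unhandled ValueError whenever the plaintext does not contain exactly one ':', for instance when a client sends code_verifier for a code that was issued as a plain uuid4 hex. Note also that the guard `if self.params.code_verifier:` runs the check only when the client supplies a verifier, so unless it is enforced elsewhere a code issued with a code_challenge is still redeemable without one. TokenEndpoint's validation continues outside the hunk; if the encrypted form is kept, the md5 hexdigest is a 32-character hex string (AES-256 key length with 128 bits of entropy) and `hashlib.sha256(...).digest()` would give a proper 32-byte key.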


@ -4,6 +4,7 @@ import uuid
from Crypto.Cipher import AES
from Crypto.PublicKey.RSA import importKey
from django.conf import settings as django_settings
from django.utils import timezone
from hashlib import md5
from jwkest.jwk import RSAKey as jwk_RSAKey
@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
if not code_challenge:
code.code = uuid.uuid4().hex
else:
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
# Default is 'plain' method.
code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method


@ -3,4 +3,6 @@
<input name="response_type" type="hidden" value="{{ params.response_type }}" />
<input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
<input name="state" type="hidden" value="{{ params.state }}" />
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
<input name="code_challenge" type="hidden" value="{{ params.code_challenge }}" />
<input name="code_challenge_method" type="hidden" value="{{ params.code_challenge_method }}" />
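Review bot: The two new hidden inputs echo `params.code_challenge` and `params.code_challenge_method` straight back into the consent form, so their safety rests on Django autoescaping being in effect for this template; nothing in the hunk shows an `{% autoescape %}` block, and the enclosing form starts outside it, so this should be confirmed rather than assumed. Since code_challenge_method only has two valid values, rejecting anything other than 'plain' or 'S256' at the authorize endpoint, before it is rendered here and later written into the code, would be the cleaner guard. The nonce line appears twice with identical text, which together with the 16/4 diffstat suggests a whitespace-only edit to that line that could be left out of this commit.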


@ -13,6 +13,7 @@ from oidc_provider.models import *
FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
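Review bot: `FAKE_CODE_CHALLENGE` is a bare literal with no matching verifier, so the S256 check at the token endpoint cannot be exercised from this fixture — only the authorize half can be tested. Deriving it per RFC 7636 from a fixture verifier makes both halves testable: `FAKE_CODE_VERIFIER = 'constructed-placeholder-verifier-string'` followed by `FAKE_CODE_CHALLENGE = base64.urlsafe_b64encode(hashlib.sha256(FAKE_CODE_VERIFIER).digest()).rstrip('=')` (with `base64` and `hashlib` imported at the top of the module). A one-line comment stating that the value is the S256 challenge of FAKE_CODE_VERIFIER would also help the next reader.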
def create_fake_user():


@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
'redirect_uri': self.client.default_redirect_uri,
'scope': 'openid email',
'state': self.state,
# PKCE parameters.
'code_challenge': FAKE_CODE_CHALLENGE,
'code_challenge_method': 'S256',
}).replace('+', '%20')
url = reverse('oidc_provider:authorize') + '?' + query_str
@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
'client_id': self.client.client_id,
'redirect_uri': self.client.default_redirect_uri,
'response_type': 'code',
'code_challenge': FAKE_CODE_CHALLENGE,
'code_challenge_method': 'S256',
}
for key, value in iter(to_check.items()):
@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
'response_type': response_type,
'scope': 'openid email',
'state': self.state,
# PKCE parameters.
'code_challenge': FAKE_CODE_CHALLENGE,
'code_challenge_method': 'S256',
}
request = self.factory.post(url, data=post_data)
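Review bot: All three hunks add `'code_challenge': FAKE_CODE_CHALLENGE` and `'code_challenge_method': 'S256'` to the authorize requests, so if these are the only authorize requests in AuthorizationCodeFlowTestCase the non-PKCE path (the `code.code = uuid.uuid4().hex` branch in create_code) no longer has coverage; keep at least one request without the PKCE parameters. The assertions in the second hunk only check that the parameters round-trip through the consent page, and none of the hunks shows a token request carrying code_verifier, so the verification logic itself appears untested here. The test methods these dictionaries belong to start outside the hunks.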


@ -87,7 +87,6 @@ class AuthorizeView(View):
return redirect(uri)
def post(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
allow = True if request.POST.get('allow') else False