Add hidden inputs for PKCE. Fix bug with AES.
parent
93c0bc2382
commit
b1b8247cb0
|
@ -9,6 +9,7 @@ except ImportError:
|
||||||
|
|
||||||
from Crypto.Cipher import AES
|
from Crypto.Cipher import AES
|
||||||
from django.http import JsonResponse
|
from django.http import JsonResponse
|
||||||
|
from django.conf import settings as django_settings
|
||||||
|
|
||||||
from oidc_provider.lib.errors import *
|
from oidc_provider.lib.errors import *
|
||||||
from oidc_provider.lib.utils.params import *
|
from oidc_provider.lib.utils.params import *
|
||||||
|
@ -96,7 +97,7 @@ class TokenEndpoint(object):
|
||||||
|
|
||||||
# Validate PKCE parameters.
|
# Validate PKCE parameters.
|
||||||
if self.params.code_verifier:
|
if self.params.code_verifier:
|
||||||
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
|
obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
|
||||||
code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
|
code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
|
||||||
|
|
||||||
if code_challenge_method == 'S256':
|
if code_challenge_method == 'S256':
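Review bot: The rewritten `obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)` only fixes the key length; it still runs CBC with no explicit IV (so it relies on whatever default the library applies, and equal plaintexts give equal ciphertexts) and with no integrity check, so a tampered `self.code.code` decrypts to garbage rather than being rejected, and the same construction is repeated in the create_code hunk below. The next line then does `tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))` on that untrusted value, so anything that does not contain exactly one `:` raises ValueError (a 500) instead of an OAuth error; wrap the decrypt-and-unpack in a `try`/`except (ValueError, TypeError)` that raises the endpoint's existing invalid-grant error class. An MD5 hex digest of SECRET_KEY is also a weak key derivation, which a `# TODO: derive the key with a proper KDF and authenticate the ciphertext (HMAC or an AEAD mode)` comment on this line would flag for follow-up. If `hashlib` is not imported above this hunk (the import added in the first hunk is only `django_settings`), this line raises NameError when the branch is first reached. The body of TokenEndpoint continues outside the hunk.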
|
||||||
|
|
|
@ -4,6 +4,7 @@ import uuid
|
||||||
|
|
||||||
from Crypto.Cipher import AES
|
from Crypto.Cipher import AES
|
||||||
from Crypto.PublicKey.RSA import importKey
|
from Crypto.PublicKey.RSA import importKey
|
||||||
|
from django.conf import settings as django_settings
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
from hashlib import md5
|
from hashlib import md5
|
||||||
from jwkest.jwk import RSAKey as jwk_RSAKey
|
from jwkest.jwk import RSAKey as jwk_RSAKey
|
||||||
|
@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
|
||||||
if not code_challenge:
|
if not code_challenge:
|
||||||
code.code = uuid.uuid4().hex
|
code.code = uuid.uuid4().hex
|
||||||
else:
|
else:
|
||||||
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
|
obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
|
||||||
|
|
||||||
# Default is 'plain' method.
|
# Default is 'plain' method.
|
||||||
code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
|
code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
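Review bot: `obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)` derives the cipher key inline, and TokenEndpoint in the earlier hunk does the same thing spelled as `hashlib.md5(...)`; the encrypting and decrypting sides have to agree byte for byte, so both should call one shared helper (for example `def _code_cipher_key(): return md5(django_settings.SECRET_KEY).hexdigest()` placed beside the imports) rather than repeating the expression. Until that happens, a comment on this line such as `# Must match the cipher built in TokenEndpoint exactly (key, mode, IV).` would tell the next maintainer why the two sites may not drift. The encrypt call and any padding of the `code_challenge:method` plaintext are outside this hunk, as is the rest of create_code.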
|
||||||
|
|
|
@ -4,3 +4,5 @@
|
||||||
<input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
|
<input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
|
||||||
<input name="state" type="hidden" value="{{ params.state }}" />
|
<input name="state" type="hidden" value="{{ params.state }}" />
|
||||||
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
|
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
|
||||||
|
<input name="code_challenge" type="hidden" value="{{ params.code_challenge }}" />
|
||||||
|
<input name="code_challenge_method" type="hidden" value="{{ params.code_challenge_method }}" />
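Review bot: `value="{{ params.code_challenge }}"` and `value="{{ params.code_challenge_method }}"` echo two values taken straight from the authorization request back into the form, like the existing state and nonce inputs; that is safe only while Django autoescaping is on for this template, and the hunk does not show whether the surrounding block sits inside an `{% autoescape off %}`. If it does not, nothing more is needed, but a template comment such as `{# Request parameters echoed back: autoescape must stay on. #}` above the inputs would make the dependency explicit. When the request carries no method this renders `value=""`, which the server-side create_code change defaults to the plain method; worth stating in the same comment if that is intended.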
|
||||||
|
|
|
@ -13,6 +13,7 @@ from oidc_provider.models import *
|
||||||
|
|
||||||
FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
|
FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
|
||||||
FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
|
FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
|
||||||
|
FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
|
||||||
|
|
||||||
|
|
||||||
def create_fake_user():
|
def create_fake_user():
|
||||||
|
|
|
@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
||||||
'redirect_uri': self.client.default_redirect_uri,
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
'scope': 'openid email',
|
'scope': 'openid email',
|
||||||
'state': self.state,
|
'state': self.state,
|
||||||
|
# PKCE parameters.
|
||||||
|
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||||
|
'code_challenge_method': 'S256',
|
||||||
}).replace('+', '%20')
|
}).replace('+', '%20')
|
||||||
|
|
||||||
url = reverse('oidc_provider:authorize') + '?' + query_str
|
url = reverse('oidc_provider:authorize') + '?' + query_str
|
||||||
|
@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
||||||
'client_id': self.client.client_id,
|
'client_id': self.client.client_id,
|
||||||
'redirect_uri': self.client.default_redirect_uri,
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
'response_type': 'code',
|
'response_type': 'code',
|
||||||
|
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||||
|
'code_challenge_method': 'S256',
|
||||||
}
|
}
|
||||||
|
|
||||||
for key, value in iter(to_check.items()):
|
for key, value in iter(to_check.items()):
|
||||||
|
@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
||||||
'response_type': response_type,
|
'response_type': response_type,
|
||||||
'scope': 'openid email',
|
'scope': 'openid email',
|
||||||
'state': self.state,
|
'state': self.state,
|
||||||
|
# PKCE parameters.
|
||||||
|
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||||
|
'code_challenge_method': 'S256',
|
||||||
}
|
}
|
||||||
|
|
||||||
request = self.factory.post(url, data=post_data)
|
request = self.factory.post(url, data=post_data)
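Review bot: The new `FAKE_CODE_CHALLENGE` constant is a fixed string sent with `'code_challenge_method': 'S256'`, but none of these hunks shows a token request carrying the matching `code_verifier`, so the property PKCE exists for — the token endpoint rejecting a missing or wrong verifier — is not visibly exercised (the assertion may live outside the hunks). Deriving the challenge in the test from a known verifier, e.g. a `FAKE_CODE_VERIFIER` constant with the challenge computed as the base64url-encoded SHA-256 of it, would let one test exchange the code with the right verifier and another assert the rejection with a wrong one. A short comment on the constant, `# S256 code_challenge used by the PKCE authorization tests (RFC 7636).`, would document where the value comes from. The enclosing test methods start outside the hunks.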
|
||||||
|
|
|
@ -87,7 +87,6 @@ class AuthorizeView(View):
|
||||||
return redirect(uri)
|
return redirect(uri)
|
||||||
|
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
|
|
||||||
authorize = AuthorizeEndpoint(request)
|
authorize = AuthorizeEndpoint(request)
|
||||||
|
|
||||||
allow = True if request.POST.get('allow') else False
|
allow = True if request.POST.get('allow') else False
|
||||||
|
|