Add hidden inputs for PKCE. Fix bug with AES.
This commit is contained in:
parent
93c0bc2382
commit
b1b8247cb0
6 changed files with 16 additions and 4 deletions
@ -9,6 +9,7 @@ except ImportError:
|
|||
|
||||
from Crypto.Cipher import AES
|
||||
from django.http import JsonResponse
|
||||
from django.conf import settings as django_settings
|
||||
|
||||
from oidc_provider.lib.errors import *
|
||||
from oidc_provider.lib.utils.params import *
|
||||
|
@ -96,7 +97,7 @@ class TokenEndpoint(object):
|
|||
|
||||
# Validate PKCE parameters.
|
||||
if self.params.code_verifier:
|
||||
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
|
||||
obj = AES.new(hashlib.md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
|
||||
code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))
|
||||
|
||||
if code_challenge_method == 'S256':
|
||||
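Review bot: The line `code_challenge, code_challenge_method = tuple(obj.decrypt(self.code.code.decode('hex')).split(':'))` consumes the decrypted code with no integrity check, and the cipher on the line above is built with no IV, so every code is encrypted under the same SECRET_KEY-derived key and the library's default IV; CBC is malleable, so a modified code decrypts to attacker-influenced bytes, and the only failure mode is an unhandled ValueError from `.decode('hex')` or the tuple unpack rather than the invalid-grant error this endpoint presumably returns for a bad code (that error path is outside the hunk, so I cannot confirm its name). The new key is the MD5 hexdigest of SECRET_KEY, i.e. 32 hex characters used as a 256-bit key that carries at most 128 bits and is drawn from a 16-symbol alphabet; if the encrypt-into-the-code design stays, `hashlib.sha256(django_settings.SECRET_KEY).digest()` at least yields 32 full bytes. The cleaner fix is to persist `code_challenge` and `code_challenge_method` on the Code record when it is created and compare them against `code_verifier` here, which removes the cipher entirely; short of that, authenticate the ciphertext (an `hmac` tag over it) and wrap the decode/split in a try/except that maps any failure to the existing error. The same `AES.new(md5(...).hexdigest(), AES.MODE_CBC)` construction appears in the `create_code` hunk below. The enclosing `if self.params.code_verifier:` body continues outside the hunk.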
@ -4,6 +4,7 @@ import uuid
|
|||
|
||||
from Crypto.Cipher import AES
|
||||
from Crypto.PublicKey.RSA import importKey
|
||||
from django.conf import settings as django_settings
|
||||
from django.utils import timezone
|
||||
from hashlib import md5
|
||||
from jwkest.jwk import RSAKey as jwk_RSAKey
|
||||
|
@ -110,7 +111,7 @@ def create_code(user, client, scope, nonce, is_authentication,
|
|||
if not code_challenge:
|
||||
code.code = uuid.uuid4().hex
|
||||
else:
|
||||
obj = AES.new(settings.SECRET_KEY, AES.MODE_CBC)
|
||||
obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)
|
||||
|
||||
# Default is 'plain' method.
|
||||
code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method
|
||||
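Review bot: The key-derivation expression on `obj = AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)` is now written out by hand in two files (here and in the token endpoint), so the two sides can silently diverge the next time one is changed; a single helper in this module, e.g. `def _code_cipher(): return AES.new(md5(django_settings.SECRET_KEY).hexdigest(), AES.MODE_CBC)`, used by both call sites would keep encrypt and decrypt in lockstep. The existing default two lines below, `code_challenge_method = 'plain' if not code_challenge_method else code_challenge_method`, accepts any non-empty method string, so an allowlist check against `plain`/`S256` with a documented error belongs wherever the new PKCE parameters are parsed; I cannot see that code from here. The `else:` branch that uses `obj` continues past the end of the hunk.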
@ -3,4 +3,6 @@
|
|||
<input name="response_type" type="hidden" value="{{ params.response_type }}" />
|
||||
<input name="scope" type="hidden" value="{{ params.scope | join:' ' }}" />
|
||||
<input name="state" type="hidden" value="{{ params.state }}" />
|
||||
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
|
||||
<input name="nonce" type="hidden" value="{{ params.nonce }}" />
|
||||
<input name="code_challenge" type="hidden" value="{{ params.code_challenge }}" />
|
||||
<input name="code_challenge_method" type="hidden" value="{{ params.code_challenge_method }}" />
|
||||
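Review bot: The two new hidden inputs echo `params.code_challenge` and `params.code_challenge_method` from the incoming request straight into an attribute value, which is only safe because Django autoescapes template variables; a template comment such as `{# PKCE values echoed from the authorize request; keep autoescape on, do not apply |safe here #}` above them would keep a later edit from marking them safe. Nothing in this hunk validates the method value; it is forwarded as received, so the server-side allowlist has to live where the form is processed.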
@ -13,6 +13,7 @@ from oidc_provider.models import *
|
|||
|
||||
FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
|
||||
FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
|
||||
FAKE_CODE_CHALLENGE = 'pG6flQqJa7INfIKb5cZVAXhTqvTKehIck6aQhdUuyWc'
|
||||
|
||||
|
||||
def create_fake_user():
|
||||
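Review bot: `FAKE_CODE_CHALLENGE` is a fixed string with no corresponding verifier, so no test can complete the S256 exchange or check that a wrong verifier is rejected. Deriving it from a constant verifier makes both directions testable, e.g. (constructed sample) `FAKE_CODE_VERIFIER = 'cb584e44c43ed6bd0bc2d9c7e242837dcb584e44c43ed6bd0bc2d9c7e242837d'` followed by `FAKE_CODE_CHALLENGE = base64.urlsafe_b64encode(hashlib.sha256(FAKE_CODE_VERIFIER).digest()).rstrip('=')`, which needs `base64` and `hashlib` imported at the top of this module (the import block is outside the hunk). A comment stating that the challenge is the base64url-without-padding SHA-256 of the verifier would document the expected format for whoever adds the plain-method case.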
@ -122,6 +122,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
|||
'redirect_uri': self.client.default_redirect_uri,
|
||||
'scope': 'openid email',
|
||||
'state': self.state,
|
||||
# PKCE parameters.
|
||||
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||
'code_challenge_method': 'S256',
|
||||
}).replace('+', '%20')
|
||||
|
||||
url = reverse('oidc_provider:authorize') + '?' + query_str
|
||||
|
@ -140,6 +143,8 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
|||
'client_id': self.client.client_id,
|
||||
'redirect_uri': self.client.default_redirect_uri,
|
||||
'response_type': 'code',
|
||||
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||
'code_challenge_method': 'S256',
|
||||
}
|
||||
|
||||
for key, value in iter(to_check.items()):
|
||||
|
@ -169,6 +174,9 @@ class AuthorizationCodeFlowTestCase(TestCase):
|
|||
'response_type': response_type,
|
||||
'scope': 'openid email',
|
||||
'state': self.state,
|
||||
# PKCE parameters.
|
||||
'code_challenge': FAKE_CODE_CHALLENGE,
|
||||
'code_challenge_method': 'S256',
|
||||
}
|
||||
|
||||
request = self.factory.post(url, data=post_data)
|
||||
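Review bot: All three hunks in this test module only add `code_challenge`/`code_challenge_method` to authorize requests (the `post_data` and `query_str` dicts), so the change is exercised on the way in but the token endpoint's verifier check is never driven: there is no test that exchanges the code with a matching `code_verifier` and expects a token, nor one with a missing or wrong verifier that expects the error response. Those two cases are what the PKCE support protects against and are the ones most likely to regress with the cipher changes elsewhere in this commit. The test methods these dicts belong to start and end outside the hunks.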
@ -87,7 +87,6 @@ class AuthorizeView(View):
|
|||
return redirect(uri)
|
||||
|
||||
def post(self, request, *args, **kwargs):
|
||||
|
||||
authorize = AuthorizeEndpoint(request)
|
||||
|
||||
allow = True if request.POST.get('allow') else False
|
||||