Add nonce validation for Implicit Flow.
parent
814a24a4ba
commit
c6534db693
@ -54,20 +54,25 @@ class AuthorizeEndpoint(object):
self.params.nonce = query_dict.get('nonce', '')
|
self.params.nonce = query_dict.get('nonce', '')
|
||||||
|
|
||||||
def validate_params(self):
|
def validate_params(self):
|
||||||
|
|
||||||
if not self.params.redirect_uri:
|
if not self.params.redirect_uri:
|
||||||
logger.error('[Authorize] Missing redirect uri.')
|
logger.error('[Authorize] Missing redirect uri.')
|
||||||
raise RedirectUriError()
|
raise RedirectUriError()
|
||||||
|
|
||||||
if not ('openid' in self.params.scope):
|
if not ('openid' in self.params.scope):
|
||||||
logger.error('[Authorize] Missing openid scope.')
|
logger.error('[Authorize] Missing openid scope.')
|
||||||
raise AuthorizeError(
|
raise AuthorizeError(self.params.redirect_uri, 'invalid_scope',
|
||||||
self.params.redirect_uri,
|
self.grant_type)
|
||||||
'invalid_scope',
|
|
||||||
|
# http://openid.net/specs/openid-connect-implicit-1_0.html#RequestParameters
|
||||||
|
if self.grant_type == 'implicit' and not self.params.nonce:
|
||||||
|
raise AuthorizeError(self.params.redirect_uri, 'invalid_request',
|
||||||
self.grant_type)
|
self.grant_type)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.client = Client.objects.get(client_id=self.params.client_id)
|
self.client = Client.objects.get(client_id=self.params.client_id)
|
||||||
|
except Client.DoesNotExist:
|
||||||
|
logger.error('[Authorize] Invalid client identifier: %s', self.params.client_id)
|
||||||
|
raise ClientIdError()
|
||||||
|
|
||||||
clean_redirect_uri = urlsplit(self.params.redirect_uri)
|
clean_redirect_uri = urlsplit(self.params.redirect_uri)
|
||||||
clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
|
clean_redirect_uri = urlunsplit(clean_redirect_uri._replace(query=''))
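Review bot: The nonce check added after the `invalid_scope` branch raises `AuthorizeError(self.params.redirect_uri, 'invalid_request', self.grant_type)` before the client is looked up and before `clean_redirect_uri` is derived, so the error is bound to a redirect_uri that has not yet been checked against the client's registered URIs. If AuthorizeError's handler redirects the user agent to that URI (the handler is outside this hunk), a request that simply omits nonce makes the authorization endpoint bounce to an attacker-chosen URL, which RFC 6749 §4.1.2.1 forbids for an unvalidated redirect URI; the pre-existing `invalid_scope` raise has the same ordering, and this commit adds a second instance. Moving the nonce check below the `Client.objects.get(...)` lookup and the redirect_uri validation that appears to follow `clean_redirect_uri = urlunsplit(...)` (past the end of this hunk) keeps the same error for legitimate clients while never redirecting to an unverified URI. Note also that the condition keys only on `grant_type == 'implicit'`; OpenID Connect Core requires nonce for the hybrid flow as well, so if response types such as `code id_token` are ever accepted the check needs widening. validate_params continues past the end of this hunk into the next one.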
|
||||||
|
@ -77,15 +82,9 @@ class AuthorizeEndpoint(object):
|
|
||||||
if not self.grant_type or not (self.params.response_type == self.client.response_type):
|
if not self.grant_type or not (self.params.response_type == self.client.response_type):
|
||||||
logger.error('[Authorize] Invalid response type: %s', self.params.response_type)
|
logger.error('[Authorize] Invalid response type: %s', self.params.response_type)
|
||||||
raise AuthorizeError(
|
raise AuthorizeError(self.params.redirect_uri, 'unsupported_response_type',
|
||||||
self.params.redirect_uri,
|
|
||||||
'unsupported_response_type',
|
|
||||||
self.grant_type)
|
self.grant_type)
|
||||||
|
|
||||||
except Client.DoesNotExist:
|
|
||||||
logger.error('[Authorize] Invalid client identifier: %s', self.params.client_id)
|
|
||||||
raise ClientIdError()
|
|
||||||
|
|
||||||
def create_response_uri(self):
|
def create_response_uri(self):
|
||||||
uri = urlsplit(self.params.redirect_uri)
|
uri = urlsplit(self.params.redirect_uri)
|
||||||
query_params = parse_qs(uri.query)
|
query_params = parse_qs(uri.query)
|
||||||
|
|