prompt parameter changed to list of strings not a simple string
This commit is contained in:
parent
127bf8045d
commit
f07327a713
3 changed files with 121 additions and 29 deletions
|
@ -36,6 +36,7 @@ logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
class AuthorizeEndpoint(object):
|
class AuthorizeEndpoint(object):
|
||||||
|
_allowed_prompt_params = {'none', 'login', 'consent', 'select_account'}
|
||||||
|
|
||||||
def __init__(self, request):
|
def __init__(self, request):
|
||||||
self.request = request
|
self.request = request
|
||||||
|
@ -74,7 +75,9 @@ class AuthorizeEndpoint(object):
|
||||||
self.params['scope'] = query_dict.get('scope', '').split()
|
self.params['scope'] = query_dict.get('scope', '').split()
|
||||||
self.params['state'] = query_dict.get('state', '')
|
self.params['state'] = query_dict.get('state', '')
|
||||||
self.params['nonce'] = query_dict.get('nonce', '')
|
self.params['nonce'] = query_dict.get('nonce', '')
|
||||||
self.params['prompt'] = query_dict.get('prompt', '')
|
|
||||||
|
self.params['prompt'] = self._allowed_prompt_params.intersection(set(query_dict.get('prompt', '').split()))
|
||||||
|
|
||||||
self.params['code_challenge'] = query_dict.get('code_challenge', '')
|
self.params['code_challenge'] = query_dict.get('code_challenge', '')
|
||||||
self.params['code_challenge_method'] = query_dict.get('code_challenge_method', '')
|
self.params['code_challenge_method'] = query_dict.get('code_challenge_method', '')
|
||||||
|
|
||||||
|
|
|
@ -278,7 +278,7 @@ class AuthorizationCodeFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
|
|
||||||
self.assertIn('Request for Permission', response.content.decode('utf-8'))
|
self.assertIn('Request for Permission', response.content.decode('utf-8'))
|
||||||
|
|
||||||
def test_prompt_parameter(self):
|
def test_prompt_none_parameter(self):
|
||||||
"""
|
"""
|
||||||
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||||
|
@ -289,10 +289,9 @@ class AuthorizationCodeFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
'redirect_uri': self.client.default_redirect_uri,
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
'scope': 'openid email',
|
'scope': 'openid email',
|
||||||
'state': self.state,
|
'state': self.state,
|
||||||
|
'prompt': 'none'
|
||||||
}
|
}
|
||||||
|
|
||||||
data['prompt'] = 'none'
|
|
||||||
|
|
||||||
response = self._auth_request('get', data)
|
response = self._auth_request('get', data)
|
||||||
|
|
||||||
# An error is returned if an End-User is not already authenticated.
|
# An error is returned if an End-User is not already authenticated.
|
||||||
|
@ -301,7 +300,92 @@ class AuthorizationCodeFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
response = self._auth_request('get', data, is_user_authenticated=True)
|
response = self._auth_request('get', data, is_user_authenticated=True)
|
||||||
|
|
||||||
# An error is returned if the Client does not have pre-configured consent for the requested Claims.
|
# An error is returned if the Client does not have pre-configured consent for the requested Claims.
|
||||||
self.assertIn('interaction_required', response['Location'])
|
self.assertIn('consent_required', response['Location'])
|
||||||
|
|
||||||
|
@patch('oidc_provider.views.django_user_logout')
|
||||||
|
def test_prompt_login_parameter(self, logout_function):
|
||||||
|
"""
|
||||||
|
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||||
|
"""
|
||||||
|
data = {
|
||||||
|
'client_id': self.client.client_id,
|
||||||
|
'response_type': self.client.response_type,
|
||||||
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
|
'scope': 'openid email',
|
||||||
|
'state': self.state,
|
||||||
|
'prompt': 'login'
|
||||||
|
}
|
||||||
|
|
||||||
|
response = self._auth_request('get', data)
|
||||||
|
self.assertIn(settings.get('OIDC_LOGIN_URL'), response['Location'])
|
||||||
|
|
||||||
|
response = self._auth_request('get', data, is_user_authenticated=True)
|
||||||
|
self.assertIn(settings.get('OIDC_LOGIN_URL'), response['Location'])
|
||||||
|
self.assertTrue(logout_function.called_once())
|
||||||
|
|
||||||
|
def test_prompt_login_none_parameter(self):
|
||||||
|
"""
|
||||||
|
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||||
|
"""
|
||||||
|
data = {
|
||||||
|
'client_id': self.client.client_id,
|
||||||
|
'response_type': self.client.response_type,
|
||||||
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
|
'scope': 'openid email',
|
||||||
|
'state': self.state,
|
||||||
|
'prompt': 'login none'
|
||||||
|
}
|
||||||
|
|
||||||
|
response = self._auth_request('get', data)
|
||||||
|
self.assertIn('login_required', response['Location'])
|
||||||
|
|
||||||
|
response = self._auth_request('get', data, is_user_authenticated=True)
|
||||||
|
self.assertIn('login_required', response['Location'])
|
||||||
|
|
||||||
|
@patch('oidc_provider.views.render')
|
||||||
|
def test_prompt_consent_parameter(self, render_patched):
|
||||||
|
"""
|
||||||
|
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||||
|
"""
|
||||||
|
data = {
|
||||||
|
'client_id': self.client.client_id,
|
||||||
|
'response_type': self.client.response_type,
|
||||||
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
|
'scope': 'openid email',
|
||||||
|
'state': self.state,
|
||||||
|
'prompt': 'consent'
|
||||||
|
}
|
||||||
|
|
||||||
|
response = self._auth_request('get', data)
|
||||||
|
self.assertIn(settings.get('OIDC_LOGIN_URL'), response['Location'])
|
||||||
|
|
||||||
|
response = self._auth_request('get', data, is_user_authenticated=True)
|
||||||
|
render_patched.assert_called_once()
|
||||||
|
self.assertTrue(render_patched.call_args[0][1], settings.get('OIDC_TEMPLATES')['authorize'])
|
||||||
|
|
||||||
|
def test_prompt_consent_none_parameter(self):
|
||||||
|
"""
|
||||||
|
Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
|
See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||||
|
"""
|
||||||
|
data = {
|
||||||
|
'client_id': self.client.client_id,
|
||||||
|
'response_type': self.client.response_type,
|
||||||
|
'redirect_uri': self.client.default_redirect_uri,
|
||||||
|
'scope': 'openid email',
|
||||||
|
'state': self.state,
|
||||||
|
'prompt': 'consent none'
|
||||||
|
}
|
||||||
|
|
||||||
|
response = self._auth_request('get', data)
|
||||||
|
self.assertIn('login_required', response['Location'])
|
||||||
|
|
||||||
|
response = self._auth_request('get', data, is_user_authenticated=True)
|
||||||
|
self.assertIn('consent_required', response['Location'])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
class AuthorizationImplicitFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
class AuthorizationImplicitFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from urllib import urlencode
|
from urllib import urlencode
|
||||||
from urlparse import urlsplit, parse_qs, urlunsplit
|
from urlparse import urlsplit, parse_qs, urlunsplit
|
||||||
|
@ -10,6 +11,7 @@ from django.contrib.auth.views import (
|
||||||
redirect_to_login,
|
redirect_to_login,
|
||||||
logout,
|
logout,
|
||||||
)
|
)
|
||||||
|
from django.contrib.auth import logout as django_user_logout
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django.http import JsonResponse
|
from django.http import JsonResponse
|
||||||
from django.shortcuts import render
|
from django.shortcuts import render
|
||||||
|
@ -44,14 +46,12 @@ from oidc_provider.models import (
|
||||||
from oidc_provider import settings
|
from oidc_provider import settings
|
||||||
from oidc_provider import signals
|
from oidc_provider import signals
|
||||||
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
OIDC_TEMPLATES = settings.get('OIDC_TEMPLATES')
|
OIDC_TEMPLATES = settings.get('OIDC_TEMPLATES')
|
||||||
|
|
||||||
|
|
||||||
class AuthorizeView(View):
|
class AuthorizeView(View):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
|
|
||||||
authorize = AuthorizeEndpoint(request)
|
authorize = AuthorizeEndpoint(request)
|
||||||
|
@ -67,25 +67,35 @@ class AuthorizeView(View):
|
||||||
if hook_resp:
|
if hook_resp:
|
||||||
return hook_resp
|
return hook_resp
|
||||||
|
|
||||||
if not authorize.client.require_consent and not (authorize.client.client_type == 'public') \
|
if 'login' in authorize.params['prompt']:
|
||||||
and not (authorize.params['prompt'] == 'consent'):
|
if 'none' in authorize.params['prompt']:
|
||||||
return redirect(authorize.create_response_uri())
|
raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
|
||||||
|
else:
|
||||||
|
django_user_logout(request)
|
||||||
|
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
|
||||||
|
|
||||||
if authorize.client.reuse_consent:
|
if 'select_account' in authorize.params['prompt']:
|
||||||
# Check if user previously give consent.
|
# TODO: see how we can support multiple accounts for the end-user.
|
||||||
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \
|
if 'none' in authorize.params['prompt']:
|
||||||
and not (authorize.params['prompt'] == 'consent'):
|
raise AuthorizeError(authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)
|
||||||
|
else:
|
||||||
|
django_user_logout(request)
|
||||||
|
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
|
||||||
|
|
||||||
|
if {'none', 'consent'}.issubset(authorize.params['prompt']):
|
||||||
|
raise AuthorizeError(authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
|
||||||
|
|
||||||
|
if 'consent' not in authorize.params['prompt']:
|
||||||
|
if not authorize.client.require_consent and not (authorize.client.client_type == 'public'):
|
||||||
return redirect(authorize.create_response_uri())
|
return redirect(authorize.create_response_uri())
|
||||||
|
|
||||||
if authorize.params['prompt'] == 'none':
|
if authorize.client.reuse_consent:
|
||||||
raise AuthorizeError(authorize.params['redirect_uri'], 'interaction_required', authorize.grant_type)
|
# Check if user previously give consent.
|
||||||
|
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
|
||||||
|
return redirect(authorize.create_response_uri())
|
||||||
|
|
||||||
if authorize.params['prompt'] == 'login':
|
if 'none' in authorize.params['prompt']:
|
||||||
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
|
raise AuthorizeError(authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
|
||||||
|
|
||||||
if authorize.params['prompt'] == 'select_account':
|
|
||||||
# TODO: see how we can support multiple accounts for the end-user.
|
|
||||||
raise AuthorizeError(authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)
|
|
||||||
|
|
||||||
# Generate hidden inputs for the form.
|
# Generate hidden inputs for the form.
|
||||||
context = {
|
context = {
|
||||||
|
@ -107,7 +117,7 @@ class AuthorizeView(View):
|
||||||
|
|
||||||
return render(request, OIDC_TEMPLATES['authorize'], context)
|
return render(request, OIDC_TEMPLATES['authorize'], context)
|
||||||
else:
|
else:
|
||||||
if authorize.params['prompt'] == 'none':
|
if 'none' in authorize.params['prompt']:
|
||||||
raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
|
raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
|
||||||
|
|
||||||
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
|
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
|
||||||
|
@ -120,7 +130,7 @@ class AuthorizeView(View):
|
||||||
|
|
||||||
return render(request, OIDC_TEMPLATES['error'], context)
|
return render(request, OIDC_TEMPLATES['error'], context)
|
||||||
|
|
||||||
except (AuthorizeError) as error:
|
except AuthorizeError as error:
|
||||||
uri = error.create_uri(
|
uri = error.create_uri(
|
||||||
authorize.params['redirect_uri'],
|
authorize.params['redirect_uri'],
|
||||||
authorize.params['state'])
|
authorize.params['state'])
|
||||||
|
@ -158,7 +168,6 @@ class AuthorizeView(View):
|
||||||
|
|
||||||
|
|
||||||
class TokenView(View):
|
class TokenView(View):
|
||||||
|
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
token = TokenEndpoint(request)
|
token = TokenEndpoint(request)
|
||||||
|
|
||||||
|
@ -206,7 +215,6 @@ def userinfo(request, *args, **kwargs):
|
||||||
|
|
||||||
|
|
||||||
class ProviderInfoView(View):
|
class ProviderInfoView(View):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
dic = dict()
|
dic = dict()
|
||||||
|
|
||||||
|
@ -241,7 +249,6 @@ class ProviderInfoView(View):
|
||||||
|
|
||||||
|
|
||||||
class JwksView(View):
|
class JwksView(View):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
dic = dict(keys=[])
|
dic = dict(keys=[])
|
||||||
|
|
||||||
|
@ -263,7 +270,6 @@ class JwksView(View):
|
||||||
|
|
||||||
|
|
||||||
class EndSessionView(View):
|
class EndSessionView(View):
|
||||||
|
|
||||||
def get(self, request, *args, **kwargs):
|
def get(self, request, *args, **kwargs):
|
||||||
id_token_hint = request.GET.get('id_token_hint', '')
|
id_token_hint = request.GET.get('id_token_hint', '')
|
||||||
post_logout_redirect_uri = request.GET.get('post_logout_redirect_uri', '')
|
post_logout_redirect_uri = request.GET.get('post_logout_redirect_uri', '')
|
||||||
|
@ -302,7 +308,6 @@ class EndSessionView(View):
|
||||||
|
|
||||||
|
|
||||||
class CheckSessionIframeView(View):
|
class CheckSessionIframeView(View):
|
||||||
|
|
||||||
@method_decorator(xframe_options_exempt)
|
@method_decorator(xframe_options_exempt)
|
||||||
def dispatch(self, request, *args, **kwargs):
|
def dispatch(self, request, *args, **kwargs):
|
||||||
return super(CheckSessionIframeView, self).dispatch(request, *args, **kwargs)
|
return super(CheckSessionIframeView, self).dispatch(request, *args, **kwargs)
|
||||||
|
|
Loading…
Reference in a new issue