0002-idp_oidc-never-use-an-invalid-redirect_uri-fixes-280.patch
src/authentic2_idp_oidc/views.py | ||
---|---|---|
87 | 87 |
client_id = request.GET['client_id'] |
88 | 88 |
redirect_uri = request.GET['redirect_uri'] |
89 | 89 |
except KeyError as k: |
90 |
return HttpResponseBadRequest('invalid request: missing parameter %s' % k.args[0], |
|
91 |
content_type='text/plain') |
|
90 |
messages.warning(request, _('Authorization request is invalid')) |
|
91 |
logger.warning(u'idp_oidc: authorization request error, missing %s', k.args[0]) |
|
92 |
return redirect(request, 'auth_homepage') |
|
92 | 93 |
try: |
93 | 94 |
client = models.OIDCClient.objects.get(client_id=client_id) |
94 | 95 |
except models.OIDCClient.DoesNotExist: |
95 |
return HttpResponseBadRequest('invalid request: unknown client_id', content_type='text/plain') |
|
96 |
messages.warning(request, _('Authorization request is invalid')) |
|
97 |
logger.warning(u'idp_oidc: authorization request error, unknown client_id redirect_uri=%r client_id=%r', |
|
98 |
redirect_uri, client_id) |
|
99 |
return redirect(request, 'auth_homepage') |
|
100 | ||
101 |
if redirect_uri not in client.redirect_uris.split(): |
|
102 |
messages.warning(request, _('Authorization request is invalid')) |
|
103 |
logger.warning(u'idp_oidc: authorization request error, unknown redirect_uri redirect_uri=%r client_id=%r', |
|
104 |
redirect_uri, client_id) |
|
105 |
return redirect(request, 'auth_homepage') |
|
106 | ||
96 | 107 |
fragment = client.authorization_flow == client.FLOW_IMPLICIT |
97 | 108 | |
98 | 109 |
state = request.GET.get('state') |
... | ... | |
122 | 133 |
state=state, |
123 | 134 |
fragment=fragment) |
124 | 135 | |
125 |
if redirect_uri not in client.redirect_uris.split(): |
|
126 |
return authorization_error(request, redirect_uri, 'invalid_request', |
|
127 |
error_description='unauthorized redirect_uri', |
|
128 |
state=state, |
|
129 |
fragment=fragment) |
|
130 | 136 |
if client.authorization_flow == client.FLOW_AUTHORIZATION_CODE: |
131 | 137 |
if response_type != 'code': |
132 | 138 |
return authorization_error(request, redirect_uri, 'unsupported_response_type', |
tests/test_idp_oidc.py | ||
---|---|---|
344 | 344 |
else: |
345 | 345 |
raise NotImplementedError |
346 | 346 | |
347 |
# client_id |
|
347 |
# missing client_id
|
|
348 | 348 |
authorize_url = make_url('oidc-authorize', params={}) |
349 | 349 | |
350 |
response = app.get(authorize_url, status=400) |
|
351 |
assert 'missing parameter \'client_id\'' in response.content |
|
350 |
response = app.get(authorize_url, status=302) |
|
351 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
352 |
response = response.maybe_follow() |
|
353 |
assert 'Authorization request is invalid' in response |
|
352 | 354 | |
353 |
# redirect_uri |
|
355 |
# missing redirect_uri
|
|
354 | 356 |
authorize_url = make_url('oidc-authorize', params={ |
355 | 357 |
'client_id': oidc_client.client_id, |
356 | 358 |
}) |
357 | 359 | |
358 |
response = app.get(authorize_url, status=400) |
|
359 |
assert 'missing parameter \'redirect_uri\'' in response.content |
|
360 |
response = app.get(authorize_url, status=302) |
|
361 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
362 |
response = response.maybe_follow() |
|
363 |
assert 'Authorization request is invalid' in response |
|
360 | 364 | |
361 | 365 |
# invalid client_id |
362 | 366 |
authorize_url = make_url('oidc-authorize', params={ |
... | ... | |
364 | 368 |
'redirect_uri': redirect_uri, |
365 | 369 |
}) |
366 | 370 | |
367 |
response = app.get(authorize_url, status=400) |
|
368 |
assert 'unknown client_id' in response.content |
|
371 |
response = app.get(authorize_url, status=302) |
|
372 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
373 |
response = response.maybe_follow() |
|
374 |
assert 'Authorization request is invalid' in response |
|
375 | ||
376 |
# invalid redirect_uri |
|
377 |
authorize_url = make_url('oidc-authorize', params={ |
|
378 |
'client_id': oidc_client.client_id, |
|
379 |
'redirect_uri': 'xxx', |
|
380 |
'response_type': 'code', |
|
381 |
'scope': 'openid', |
|
382 |
}) |
|
383 | ||
384 |
response = app.get(authorize_url, status=302) |
|
385 |
assert urlparse.urlparse(response['Location']).path == '/' |
|
386 |
response = response.maybe_follow() |
|
387 |
assert 'Authorization request is invalid' in response |
|
369 | 388 | |
370 | 389 |
# missing response_type |
371 | 390 |
authorize_url = make_url('oidc-authorize', params={ |
... | ... | |
411 | 430 |
response = app.get(authorize_url) |
412 | 431 |
assert_oidc_error(response, 'invalid_request', 'max_age is not', fragment=fragment) |
413 | 432 | |
414 |
# invalid redirect_uri |
|
415 |
authorize_url = make_url('oidc-authorize', params={ |
|
416 |
'client_id': oidc_client.client_id, |
|
417 |
'redirect_uri': 'xxx', |
|
418 |
'response_type': 'code', |
|
419 |
'scope': 'openid', |
|
420 |
}) |
|
421 | ||
422 |
response = app.get(authorize_url) |
|
423 |
assert_oidc_error(response, 'invalid_request', 'unauthorized redirect_uri', fragment=fragment) |
|
424 | ||
425 | 433 |
# unsupported response_type |
426 | 434 |
authorize_url = make_url('oidc-authorize', params={ |
427 | 435 |
'client_id': oidc_client.client_id, |
428 |
- |