0001-oidc-revoke-oidc-claims-authorization-21966.patch
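--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -50,16 +50,17 @@
 from django.http import Http404
 from django.utils.http import urlsafe_base64_decode
 from django.views.generic.edit import CreateView
 from django.forms import CharField
 from django.http import HttpResponseBadRequest
 from django.template import loader
 
 from authentic2.compat.misc import default_token_generator
+from authentic2_idp_oidc.models import OIDCAuthorization
 from . import (utils, app_settings, decorators, constants,
 models, cbv, hooks, validators)
 from .utils import switch_user
 from .a2_rbac.utils import get_default_ou
 from .a2_rbac.models import OrganizationalUnit as OU
 from .forms import (
 passwords as passwords_forms,
 registration as registration_forms,
@@ -501,16 +502,17 @@
 context.update({
 'frontends_block': blocks,
 'frontends_block_by_id': blocks_by_id,
 'profile': profile,
 'attributes': attributes,
 'allow_account_deletion': app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT,
 'allow_profile_edit': EditProfile.can_edit_profile(),
 'allow_email_change': app_settings.A2_PROFILE_CAN_CHANGE_EMAIL,
+'oidc_authorizations': OIDCAuthorization.objects.filter(user=self.request.user),
 # TODO: deprecated should be removed when publik-base-theme is updated
 'allow_password_change': utils.user_can_change_password(request=request),
 'federation_management': federation_management,
 })
 hooks.call_hooks('modify_context_data', self, context)
 return context
 
 profile = login_required(ProfileView.as_view())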
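Review bot: The module-level `from authentic2_idp_oidc.models import OIDCAuthorization` added at line 58 makes the core views module hard-depend on the IdP OIDC app, which lives in its own package and presumably is an optional component; if that app is absent from INSTALLED_APPS, importing its models module fails at startup and every view in this file becomes unimportable. Since the method already calls `hooks.call_hooks('modify_context_data', self, context)`, the cleaner fix is to let the OIDC app inject `oidc_authorizations` itself through that hook, leaving this file untouched. If the context key must stay here, move the import inside the method and guard it, e.g. `context['oidc_authorizations'] = OIDCAuthorization.objects.filter(user=self.request.user) if apps.is_installed('authentic2_idp_oidc') else []`, with `from django.apps import apps` added to the imports and the key defaulting to an empty list. The enclosing get_context_data method starts before this hunk.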
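--- a/src/authentic2_idp_oidc/urls.py
+++ b/src/authentic2_idp_oidc/urls.py
@@ -24,16 +24,19 @@
 views.openid_configuration,
 name='oidc-openid-configuration'),
 url(r'^idp/oidc/certs/$',
 views.certs,
 name='oidc-certs'),
 url(r'^idp/oidc/authorize/$',
 views.authorize,
 name='oidc-authorize'),
+url(r'^idp/oidc/unconsent/(?P<authorization_id>[-\w]+)/$',
+views.unconsent,
+name='oidc-unconsent'),
 url(r'^idp/oidc/token/$',
 views.token,
 name='oidc-token'),
 url(r'^idp/oidc/user_info/$',
 views.user_info,
 name='oidc-user-info'),
 url(r'^idp/oidc/logout/$',
 views.logout,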
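Review bot: The `oidc-unconsent` route registered here exposes a state-changing operation on a plain GET with no authentication check: as `views.unconsent` is defined later in this patch it carries no `login_required`, so an anonymous request reaches `OIDCAuthorization.objects.get(user=request.user, ...)` with an AnonymousUser (which recent Django versions reject with a TypeError, i.e. a 500 rather than a clean denial), and for a logged-in user any third-party page that embeds the URL can revoke a consent, since no CSRF token is involved. The `except models.DoesNotExist` clause also looks wrong: `DoesNotExist` is an attribute of each model class (`OIDCAuthorization.DoesNotExist`), not normally of a models module, so an unknown or foreign id would surface as an AttributeError instead of being ignored; and if the primary key is an integer, a non-numeric id matched by `[-\w]+` raises ValueError before the lookup, so the pattern should be tightened to `\d+`. The view should be `login_required` and POST-only (with the revoke control rendered in the profile template as a small form carrying `{% csrf_token %}`), delete through a filtered queryset so no exception handling is needed, and build the redirect with `reverse()` on the profile route's name rather than the hard-coded `/accounts/`. `login_required` and `require_POST` come from `django.contrib.auth.decorators` and `django.views.decorators.http` respectively; the rest of the views module is unchanged by this suggestion.
```python
@login_required
@require_POST
def unconsent(request, authorization_id):
    # Scope the delete to the requesting user so one account cannot revoke another's grant;
    # filter().delete() is a no-op for an unknown id, so no DoesNotExist handling is needed.
    models.OIDCAuthorization.objects.filter(user=request.user, id=authorization_id).delete()
    return HttpResponseRedirect('/accounts/')  # prefer reverse() on the profile route's name
```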
src/authentic2_idp_oidc/views.py | ||
---|---|---|
15 | 15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
16 | 16 | |
17 | 17 |
import logging |
18 | 18 |
import math |
19 | 19 |
import datetime |
20 | 20 |
import base64 |
21 | 21 |
import time |
22 | 22 | |
23 |
from django.http import (HttpResponse, HttpResponseNotAllowed, JsonResponse) |
|
23 |
from django.http import (HttpResponse, HttpResponseNotAllowed, HttpResponseRedirect, JsonResponse)
|
|
24 | 24 |
from django.urls import reverse |
25 | 25 |
from django.utils import six |
26 | 26 |
from django.utils.encoding import force_text |
27 | 27 |
from django.utils.timezone import now, utc |
28 | 28 |
from django.utils.http import urlencode |
29 | 29 |
from django.shortcuts import render |
30 | 30 |
from django.views.decorators.csrf import csrf_exempt |
31 | 31 |
from django.contrib import messages |
... | ... | |
361 | 361 |
}) |
362 | 362 |
# query is transfered through the hashtag |
363 | 363 |
response = redirect(request, redirect_uri + '#%s' % urlencode(params), resolve=False) |
364 | 364 |
hooks.call_hooks('event', name='sso-success', idp='oidc', service=client, user=request.user) |
365 | 365 |
utils.add_oidc_session(request, client) |
366 | 366 |
return response |
367 | 367 | |
368 | 368 | |
369 |
def unconsent(request, authorization_id): |
|
370 |
try: |
|
371 |
models.OIDCAuthorization.objects.get(user=request.user, id=authorization_id).delete() |
|
372 |
except models.DoesNotExist: |
|
373 |
pass |
|
374 |
return HttpResponseRedirect('/accounts/') |
|
375 | ||
376 | ||
369 | 377 |
def authenticate_client(request, client=None): |
370 | 378 |
'''Authenticate client on the token endpoint''' |
371 | 379 | |
372 | 380 |
if 'HTTP_AUTHORIZATION' in request.META: |
373 | 381 |
authorization = request.META['HTTP_AUTHORIZATION'].split() |
374 | 382 |
if authorization[0] != 'Basic' or len(authorization) != 2: |
375 | 383 |
return None |
376 | 384 |
try: |
377 |
- |