From 78af0ec6946734048170ec36e1f6517a838f4863 Mon Sep 17 00:00:00 2001
From: Josue Kouka
Date: Wed, 19 Apr 2017 10:26:56 +0200
Subject: [PATCH 5/6] oidc: check if user is authorized through the client

---
 src/authentic2_idp_oidc/views.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index 3399e6e2..57a32801 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -71,7 +71,6 @@ def authorization_error(request, redirect_uri, error, error_description=None, er
 def authorize(request, *args, **kwargs):
 logger = logging.getLogger(__name__)
 start = now()
-
 try:
 client_id = request.GET['client_id']
 redirect_uri = request.GET['redirect_uri']
@@ -159,6 +158,13 @@ def authorize(request, *args, **kwargs):
 fragment=fragment)
 return login_require(request, params={'nonce': nonce})
 
+ # is user authorized through this client
+ if not client.authorize(request):
+ logger.info(u'user %s unauthorized on service %s', request.user.username, client.name)
+ return authorization_error(request, redirect_uri, 'access_denied',
+ error_description='user not authorized through this client',
+ state=state, fragment=fragment)
+
 last_auth = last_authentication_event(request.session)
 if max_age is not None and time.time() - last_auth['when'] >= max_age:
 if 'none' in prompt:
-- 
2.11.0
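Review bot: The new `access_denied` branch hands the browser to `redirect_uri` via `authorization_error`, which is only safe if `redirect_uri` has already been checked against the client's registered URIs; the first hunk only reads it from `request.GET`, and the validation is not visible here, so confirm it happens between the two hunks before this redirect (an unvalidated redirect_uri turns every error branch into an open redirect). The check is also placed after the `login_require` return, so `request.user` is presumably authenticated when `client.authorize(request)` runs — worth stating in the comment, e.g. `# Authenticated user must be allowed to use this client (OIDC access_denied otherwise); runs after login so request.user is set`. Consider logging the denial at `warning` and with the `client_id` as well, since a refused authorization is an audit-relevant event: `logger.warning(u'user %s unauthorized on service %s (client_id %s)', request.user.username, client.name, client_id)`. The body of `authorize` begins before the second hunk and continues past it.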