Project

General

Profile

« Previous | Next » 

Revision 34457e9c

Added by Serghei Mihai almost 9 years ago

sso attributes stored in session.

View differences:

ckanext/ozwillo_pyoidc/plugin.py
19 19
log = logging.getLogger(__name__)
20 20
plugin_controller = __name__ + ':OpenidController'
21 21

  
22
_CLIENTS = {}
23 22

  
24 23
class Clients(object):
25 24

  
26 25
    @classmethod
27
    def get(cls, g):
28
        global _CLIENTS
29
        if g.id in _CLIENTS:
30
            return _CLIENTS.get(g.id)
31
        client = cls().get_client(g)
32
        _CLIENTS.update({g.id: client})
33
        return client
34

  
35
    def get_client(self, g):
26
    def get_client(cls, g):
36 27
        params = conf.CLIENT.copy()
37 28
        params['client_registration'].update({
38 29
            'client_id': g._extras['client_id'].value,
......
82 73

  
83 74
        if 'organization_id' in session:
84 75
            g = model.Group.get(session['organization_id'])
85
            client = Clients.get(g)
86
            url, ht_args = client.create_authn_request(conf.ACR_VALUES)
76
            client = Clients.get_client(g)
77
            url, ht_args, state = client.create_authn_request(conf.ACR_VALUES)
78
            session['state'] = state
79
            session.save()
87 80
            if ht_args:
88 81
                toolkit.request.headers.update(ht_args)
89 82
            redirect_to(url)
......
128 121

  
129 122
    def callback(self):
130 123
        g = model.Group.get(session['organization_id'])
131
        client = Clients.get(g)
124
        client = Clients.get_client(g)
132 125
        org_url = str(toolkit.url_for(controller="organization",
133 126
                                      action='read',
134 127
                                      id=g.name))
135 128
        try:
136
            userinfo = client.callback(request.GET)
129
            userinfo, app_admin, app_user, access_token, id_token \
130
                = client.callback(session['state'], request.GET)
131
            session['access_token'] = access_token
132
            session['id_token'] = id_token
133
            session.save()
137 134
        except OIDCError, e:
138 135
            flash_error('Login failed')
139 136
            redirect_to(org_url, qualified=True)
......
159 156
                           'session': model.Session}
160 157
                user_create(context, user_dict)
161 158
                userobj = model.User.get(userinfo['sub'])
162
                if client.app_admin or client.app_user:
159
                if app_admin or app_user:
163 160
                    member_dict = {
164 161
                        'id': g.id,
165 162
                        'object': userinfo['sub'],
......
212 209
        org_url = str(org_url)
213 210

  
214 211
        if toolkit.c.user:
215
            client = Clients.get(g)
212
            client = Clients.get_client(g)
216 213
            logout_url = client.end_session_endpoint
217 214

  
218 215
            redirect_uri = org_url + '/logout'
219 216

  
220
            if not hasattr(client, 'access_token'):
221
                self.sso(g.name)
222

  
223 217
            # revoke the access token
224 218
            headers = {'Content-Type': 'application/x-www-form-urlencoded'}
225
            data = 'token=' + client.access_token
219
            data = 'token=' + session.get('access_token')
226 220
            data += '&token_type_hint=access_token'
227 221
            client.http_request(client.revocation_endpoint, 'POST',
228 222
                                data=data, headers=headers)
229 223

  
230 224
            # redirect to IDP logout
231
            logout_url += '?id_token_hint=%s&' % client.id_token
225
            logout_url += '?id_token_hint=%s&' % session.get('id_token')
232 226
            logout_url += 'post_logout_redirect_uri=%s' % redirect_uri
233 227
            redirect_to(str(logout_url))
234 228
        redirect_to(org_url)

Also available in: Unified diff