auth_oidc: prompt login on passive requests for buggy providers (#734123)

Paul Marillonnet 2023-01-17 09:48:07 +01:00
parent 74e6f1f248
commit 041a27c0e6
2 changed files with 34 additions and 1 deletions


@ -261,7 +261,16 @@ class OIDCProvider(BaseAuthenticator):
def passive_login(self, request, block_id, next_url):
from . import views
return views.oidc_login(request, pk=self.pk, next_url=next_url, passive=True)
return views.oidc_login(
request,
pk=self.pk,
next_url=next_url,
# self.passive_authn_supported == False means that the remote provider implementation
# is buggy, prompt=none will trigger a remote HTTP 500 instead of the OIDC-specified
# {login,consent,interaction}_required error. Hence do not try to add prompt=none. Try
# a standard authn request instead, the lesser evil in this case.
passive=self.passive_authn_supported,
)
def login(self, request, *args, **kwargs):
context = kwargs.get('context', {}).copy()
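Review bot: After `passive=self.passive_authn_supported`, a caller of `passive_login` can no longer rely on the method being passive — for a provider flagged `passive_authn_supported=False` it silently issues an interactive authorization request (the new test in the second file asserts `prompt == 'login'`), so whatever triggers passive login (presumably a per-page silent check) may redirect unauthenticated users to a full login prompt. The fallback is a deliberate trade-off, but it is only explained in an inline comment; the method's contract should say so, e.g. `"""Return the OIDC authorization redirect for a passive request; for providers flagged as not supporting prompt=none the request is made interactive instead."""`. Since the behaviour depends on per-provider configuration, a `logger`-level message on the fallback branch would make it visible in operations. `block_id` remains unused in the method, which is unchanged from before. `passive_login` ends inside the hunk, but `login` below it continues outside.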


@ -1473,6 +1473,30 @@ def test_passive_login(get_provider, rf):
assert qs['prompt'] == 'none'
@mock.patch('authentic2_auth_oidc.views.get_provider')
def test_passive_login_deactivated(get_provider, rf):
AUTHORIZE_URL = 'https://op.example.com/authorize'
SCOPES = {'profile'}
provider = OIDCProvider.objects.create(
pk=1,
client_id='1234',
authorization_endpoint=AUTHORIZE_URL,
scopes=' '.join(SCOPES),
enabled=True,
passive_authn_supported=False, # remote provider will break on prompt=None
)
get_provider.return_value = provider
req = rf.get('/?next=/idp/x/')
req.user = mock.Mock()
req.user.is_authenticated = False
url = provider.passive_login(req, block_id=1, next_url='/').url
_, query = url.split('?', 1)
qs = dict(urllib.parse.parse_qsl(query))
assert qs['prompt'] == 'login'
@mock.patch('authentic2_auth_oidc.views.get_provider')
def test_passive_login_main_view(get_provider, rf):
AUTHORIZE_URL = 'https://op.example.com/authorize'