checking the 'state' parameter issued by idp

2015-02-26 16:34:35 +01:00 · 2015-02-26 16:34:35 +01:00 · 6388360c4e
parent 838dc9f3da
commit 6388360c4e
2 changed files with 9 additions and 6 deletions
--- a/ckanext/ozwillo_pyoidc/oidc.py
+++ b/ckanext/ozwillo_pyoidc/oidc.py
@ -26,14 +26,14 @@ class Client(oic.Client):
        if behaviour:
            self.behaviour = behaviour

-    def create_authn_request(self, session, acr_value=None):
-        session["state"] = rndstr()
-        session["nonce"] = rndstr()
+    def create_authn_request(self, acr_value=None):
+        self.state = rndstr()
+        nonce = rndstr()
        request_args = {
            "response_type": self.behaviour["response_type"],
            "scope": self.behaviour["scope"],
-            "state": session["state"],
-            "nonce": session["nonce"],
+            "state": self.state,
+            "nonce": nonce,
            "redirect_uri": self.registration_response["redirect_uris"][0]
        }

@ -64,6 +64,9 @@ class Client(oic.Client):
        authresp = self.parse_response(AuthorizationResponse, response,
                                       sformat="dict", keyjar=self.keyjar)

+        if self.state != authresp['state']:
+            raise OIDCError("Invalid state %s." % authresp["state"])
+
        if isinstance(authresp, ErrorResponse):
            return OIDCError("Access denied")

--- a/ckanext/ozwillo_pyoidc/plugin.py
+++ b/ckanext/ozwillo_pyoidc/plugin.py
@ -84,7 +84,7 @@ class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
        if 'organization_id' in session:
            g = model.Group.get(session['organization_id'])
            client = Clients.get(g)
-            url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)
+            url, ht_args = client.create_authn_request(conf.ACR_VALUES)
            if ht_args:
                toolkit.request.headers.update(ht_args)
            redirect_to(url)