checking the 'state' parameter issued by idp
This commit is contained in:
parent
838dc9f3da
commit
6388360c4e
|
@ -26,14 +26,14 @@ class Client(oic.Client):
|
|||
if behaviour:
|
||||
self.behaviour = behaviour
|
||||
|
||||
def create_authn_request(self, session, acr_value=None):
|
||||
session["state"] = rndstr()
|
||||
session["nonce"] = rndstr()
|
||||
def create_authn_request(self, acr_value=None):
|
||||
self.state = rndstr()
|
||||
nonce = rndstr()
|
||||
request_args = {
|
||||
"response_type": self.behaviour["response_type"],
|
||||
"scope": self.behaviour["scope"],
|
||||
"state": session["state"],
|
||||
"nonce": session["nonce"],
|
||||
"state": self.state,
|
||||
"nonce": nonce,
|
||||
"redirect_uri": self.registration_response["redirect_uris"][0]
|
||||
}
|
||||
|
||||
|
@ -64,6 +64,9 @@ class Client(oic.Client):
|
|||
authresp = self.parse_response(AuthorizationResponse, response,
|
||||
sformat="dict", keyjar=self.keyjar)
|
||||
|
||||
if self.state != authresp['state']:
|
||||
raise OIDCError("Invalid state %s." % authresp["state"])
|
||||
|
||||
if isinstance(authresp, ErrorResponse):
|
||||
return OIDCError("Access denied")
|
||||
|
||||
|
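Review bot: Storing the anti-CSRF token on the client object (`self.state = rndstr()` in the first hunk) instead of in the caller's session loses the binding between the token and the browser session that started the login; `Clients.get(g)` in the plugin hunk suggests one Client instance per organization, so two concurrent logins for the same organization overwrite each other's `self.state`, the earlier one fails the `self.state != authresp['state']` check, and a callback carrying the latest value passes regardless of which session it arrives in. The nonce is worse off: `nonce = rndstr()` is now a local that is sent in the request but kept nowhere, so the ID token's nonce can no longer be compared against what was requested (the removed `session["nonce"]` line preserved it). Keeping both values in the per-request session and handing them to the callback handler would restore the binding; create_authn_request continues past the first hunk and the callback's signature is outside the second. In the second hunk the comparison also indexes `authresp['state']` before the `ErrorResponse` check, so a response without a `state` member raises `KeyError` rather than `OIDCError`; `if self.state != authresp.get('state'):` avoids that.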
|
|
@ -84,7 +84,7 @@ class OzwilloPyoidcPlugin(plugins.SingletonPlugin):
|
|||
if 'organization_id' in session:
|
||||
g = model.Group.get(session['organization_id'])
|
||||
client = Clients.get(g)
|
||||
url, ht_args = client.create_authn_request(session, conf.ACR_VALUES)
|
||||
url, ht_args = client.create_authn_request(conf.ACR_VALUES)
|
||||
if ht_args:
|
||||
toolkit.request.headers.update(ht_args)
|
||||
redirect_to(url)
|
||||
|
|