auth_oidc: prompt login on passive requests for buggy providers (#734123)
This commit is contained in:
parent
74e6f1f248
commit
041a27c0e6
|
@ -261,7 +261,16 @@ class OIDCProvider(BaseAuthenticator):
|
||||||
def passive_login(self, request, block_id, next_url):
|
def passive_login(self, request, block_id, next_url):
|
||||||
from . import views
|
from . import views
|
||||||
|
|
||||||
return views.oidc_login(request, pk=self.pk, next_url=next_url, passive=True)
|
return views.oidc_login(
|
||||||
|
request,
|
||||||
|
pk=self.pk,
|
||||||
|
next_url=next_url,
|
||||||
|
# self.passive_authn_supported == False means that the remote provider implementation
|
||||||
|
# is buggy, prompt=none will trigger a remote HTTP 500 instead of the OIDC-specified
|
||||||
|
# {login,consent,interaction}_required error. Hence do not try to add prompt=none. Try
|
||||||
|
# a standard authn request instead, the lesser evil in this case.
|
||||||
|
passive=self.passive_authn_supported,
|
||||||
|
)
|
||||||
|
|
||||||
def login(self, request, *args, **kwargs):
|
def login(self, request, *args, **kwargs):
|
||||||
context = kwargs.get('context', {}).copy()
|
context = kwargs.get('context', {}).copy()
|
||||||
|
|
|
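Review bot: With the new `passive=self.passive_authn_supported` argument, `passive_login` no longer guarantees a non-interactive round trip: when the flag is False the test added in this commit expects `prompt=login`, so any caller that invokes `passive_login` opportunistically (e.g. to silently check an existing OP session) will now send an unauthenticated user to an interactive login page. That change of contract is only explained in a four-line inline comment; `passive_login` has no docstring, so add one stating that the request is passive only when `passive_authn_supported` is set and otherwise degrades to a standard authentication request, and mention that the fallback is a workaround for providers that answer `prompt=none` with an HTTP 500. The inline comment could then be shortened to the "why" (`# providers with passive_authn_supported=False fail on prompt=none; fall back to a normal authn request`). Whether callers of `passive_login` should check the flag themselves before redirecting is not visible from this hunk.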
@ -1473,6 +1473,30 @@ def test_passive_login(get_provider, rf):
|
||||||
assert qs['prompt'] == 'none'
|
assert qs['prompt'] == 'none'
|
||||||
|
|
||||||
|
|
||||||
|
@mock.patch('authentic2_auth_oidc.views.get_provider')
|
||||||
|
def test_passive_login_deactivated(get_provider, rf):
|
||||||
|
AUTHORIZE_URL = 'https://op.example.com/authorize'
|
||||||
|
SCOPES = {'profile'}
|
||||||
|
|
||||||
|
provider = OIDCProvider.objects.create(
|
||||||
|
pk=1,
|
||||||
|
client_id='1234',
|
||||||
|
authorization_endpoint=AUTHORIZE_URL,
|
||||||
|
scopes=' '.join(SCOPES),
|
||||||
|
enabled=True,
|
||||||
|
passive_authn_supported=False, # remote provider will break on prompt=None
|
||||||
|
)
|
||||||
|
get_provider.return_value = provider
|
||||||
|
req = rf.get('/?next=/idp/x/')
|
||||||
|
req.user = mock.Mock()
|
||||||
|
req.user.is_authenticated = False
|
||||||
|
|
||||||
|
url = provider.passive_login(req, block_id=1, next_url='/').url
|
||||||
|
_, query = url.split('?', 1)
|
||||||
|
qs = dict(urllib.parse.parse_qsl(query))
|
||||||
|
assert qs['prompt'] == 'login'
|
||||||
|
|
||||||
|
|
||||||
@mock.patch('authentic2_auth_oidc.views.get_provider')
|
@mock.patch('authentic2_auth_oidc.views.get_provider')
|
||||||
def test_passive_login_main_view(get_provider, rf):
|
def test_passive_login_main_view(get_provider, rf):
|
||||||
AUTHORIZE_URL = 'https://op.example.com/authorize'
|
AUTHORIZE_URL = 'https://op.example.com/authorize'
|
||||||
|
|
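Review bot: The inline comment on the new provider fixture, `# remote provider will break on prompt=None`, names the wrong value: the OIDC parameter the provider chokes on is the string `none` (`prompt=none`), as the sibling `test_passive_login` asserts, so it should read `# remote provider will break on prompt=none`. The test name `test_passive_login_deactivated` also suggests a disabled provider, while the fixture sets `enabled=True` and only `passive_authn_supported=False`; a name such as `test_passive_login_passive_authn_unsupported` would describe the case being covered. The assertion could additionally pin that the request is still sent to the configured provider (`assert url.startswith(AUTHORIZE_URL)`) so a regression that drops the redirect entirely is caught, not just the prompt value.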