auth_oidc: prompt login on passive requests for buggy providers (#734123)
This commit is contained in:
parent
74e6f1f248
commit
041a27c0e6
|
@ -261,7 +261,16 @@ class OIDCProvider(BaseAuthenticator):
|
|||
def passive_login(self, request, block_id, next_url):
|
||||
from . import views
|
||||
|
||||
return views.oidc_login(request, pk=self.pk, next_url=next_url, passive=True)
|
||||
return views.oidc_login(
|
||||
request,
|
||||
pk=self.pk,
|
||||
next_url=next_url,
|
||||
# self.passive_authn_supported == False means that the remote provider implementation
|
||||
# is buggy, prompt=none will trigger a remote HTTP 500 instead of the OIDC-specified
|
||||
# {login,consent,interaction}_required error. Hence do not try to add prompt=none. Try
|
||||
# a standard authn request instead, the lesser evil in this case.
|
||||
passive=self.passive_authn_supported,
|
||||
)
|
||||
|
||||
def login(self, request, *args, **kwargs):
|
||||
context = kwargs.get('context', {}).copy()
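Review bot: The `passive=self.passive_authn_supported` keyword on the new call means `passive_login` returns an interactive authentication redirect for providers flagged `passive_authn_supported=False`, which inverts what the method name promises: a caller that invokes it as a silent session check will now send an unauthenticated user to the provider's login page (the accompanying test expects `prompt == 'login'`, which presumably is how `views.oidc_login` maps `passive=False`; that code is outside this hunk). That contract change deserves a docstring on the method, e.g. `"""Return a redirect to the provider's authorization endpoint using prompt=none when the provider supports passive authentication; otherwise fall back to an ordinary interactive request."""`. The five-line inline comment could then shrink to a single line next to the keyword, `# buggy providers answer prompt=none with HTTP 500 instead of *_required`, since the docstring carries the rationale. `block_id` remains unused in the method, as it was before the change.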
|
||||
|
|
|
@ -1473,6 +1473,30 @@ def test_passive_login(get_provider, rf):
|
|||
assert qs['prompt'] == 'none'
|
||||
|
||||
|
||||
@mock.patch('authentic2_auth_oidc.views.get_provider')
|
||||
def test_passive_login_deactivated(get_provider, rf):
|
||||
AUTHORIZE_URL = 'https://op.example.com/authorize'
|
||||
SCOPES = {'profile'}
|
||||
|
||||
provider = OIDCProvider.objects.create(
|
||||
pk=1,
|
||||
client_id='1234',
|
||||
authorization_endpoint=AUTHORIZE_URL,
|
||||
scopes=' '.join(SCOPES),
|
||||
enabled=True,
|
||||
passive_authn_supported=False, # remote provider will break on prompt=None
|
||||
)
|
||||
get_provider.return_value = provider
|
||||
req = rf.get('/?next=/idp/x/')
|
||||
req.user = mock.Mock()
|
||||
req.user.is_authenticated = False
|
||||
|
||||
url = provider.passive_login(req, block_id=1, next_url='/').url
|
||||
_, query = url.split('?', 1)
|
||||
qs = dict(urllib.parse.parse_qsl(query))
|
||||
assert qs['prompt'] == 'login'
|
||||
|
||||
|
||||
@mock.patch('authentic2_auth_oidc.views.get_provider')
|
||||
def test_passive_login_main_view(get_provider, rf):
|
||||
AUTHORIZE_URL = 'https://op.example.com/authorize'
|
||||
|
|