auth_oidc: compare token_type case insensitively (fixes #32281)

2019-04-15 11:50:32 +02:00 · 2019-04-15 11:50:32 +02:00 · 05d68af54e
parent 532e5b2066
commit 05d68af54e
2 changed files with 8 additions and 3 deletions
--- a/src/authentic2_auth_oidc/views.py
+++ b/src/authentic2_auth_oidc/views.py
@ -166,8 +166,11 @@ class LoginCallback(View):
                                 'request_id': request.request_id,
            })
            return self.continue_to_next_url()
-        if ('access_token' not in result or 'token_type' not in result or
-                result['token_type'] != 'Bearer' or 'id_token' not in result):
+        # token_type is case insensitive, https://tools.ietf.org/html/rfc6749#section-4.2.2
+        if ('access_token' not in result
+                or 'token_type' not in result
+                or result['token_type'].lower() != 'bearer'
+                or 'id_token' not in result):
            logger.warning(u'auth_oidc: invalid token endpoint response from %s: %r' % (
                provider.token_endpoint, result))
            messages.warning(request, _('Provider %(name)s is down, report %(request_id)s to '
--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@ -4,6 +4,7 @@ import os
 import pytest
 import json
 import time
+import random

 from jwcrypto.jwk import JWKSet, JWK
 from jwcrypto.jwt import JWT
@ -199,7 +200,8 @@ def oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, extra_id_token

            content = {
                'access_token': '1234',
-                'token_type': 'Bearer',
+                # check token_type is case insensitive
+                'token_type': random.choice(['B', 'b']) + 'earer',
                'id_token': jwt.serialize(),
            }
            return {