idp_oidc: build the sid using the client_id instead of the sector identifier (#84017)

2023-11-28 11:27:04 +01:00 · 2023-11-28 11:27:04 +01:00 · 1d92a060a1
parent 3f038a7519
commit 1d92a060a1
2 changed files with 12 additions and 4 deletions
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@ -278,12 +278,15 @@ def get_issuer(request):


 def get_session_id(session, client):
-    """Derive an OIDC Session Id from the real session identifier, the sector
-    identifier of the RP and the secret key of the Django instance"""
+    """Derive an OIDC Session Id by hashing:
+    - the real session identifier,
+    - the client id,
+    - the secret key from Django's settings.
+    """
    session_key = force_bytes(session.session_key)
-    sector_identifier = force_bytes(client.get_sector_identifier())
+    client_id = force_bytes(client.client_id)
    secret_key = force_bytes(settings.SECRET_KEY)
-    return hashlib.md5(session_key + sector_identifier + secret_key).hexdigest()
+    return hashlib.md5(session_key + client_id + secret_key).hexdigest()


 def get_oidc_sessions(request):
--- a/tests/idp_oidc/test_misc.py
+++ b/tests/idp_oidc/test_misc.py
@ -111,6 +111,11 @@ OIDC_CLIENT_PARAMS = [
        'always_save_authorization': True,
        'authorization_default_duration': 105,
    },
+    # test that nothings depends upon the sector_identifier_uri when UUID policy is used.
+    {
+        'identifier_policy': OIDCClient.POLICY_UUID,
+        'redirect_uris': 'https://example.com/callbac%C3%A9\nhttps://other.com/callback/',
+    },
 ]