idp_oidc: discard ambiguous profile validation context variable (#70553)
This variable did not help determine whether the profiles weren't shown because (a) the user does not own any or (b) the OIDC client deactivates this feature.
This commit is contained in:
parent
109f86b49a
commit
3343aaae97
|
@ -26,7 +26,7 @@
|
|||
{% endfor %}
|
||||
</ul>
|
||||
{% endif %}
|
||||
{% if needs_profile_validation %}
|
||||
{% if client.activate_user_profiles and user_has_selectable_profiles %}
|
||||
<div id="profile-validation">
|
||||
<p>{% trans "You may authenticate as owner of the following juridical entity management profile, which may change the aforementioned information." %}</p>
|
||||
<div class="profile" id="profile-validation-none">
|
||||
|
|
|
@ -366,7 +366,7 @@ def authorize_for_client(request, client, redirect_uri):
|
|||
|
||||
iat = now() # iat = issued at
|
||||
|
||||
needs_profile_validation = False
|
||||
user_has_selectable_profiles = False
|
||||
needs_scope_validation = False
|
||||
profile = None
|
||||
if client.authorization_mode != client.AUTHORIZATION_MODE_NONE or 'consent' in prompt:
|
||||
|
@ -395,13 +395,13 @@ def authorize_for_client(request, client, redirect_uri):
|
|||
# load first authorized profile
|
||||
if not authorized_profile and authorization.profile:
|
||||
authorized_profile = authorization.profile
|
||||
if request.user.profiles.count() and not authorized_profile and client.activate_user_profiles:
|
||||
needs_profile_validation = True
|
||||
if request.user.profiles.count() and not authorized_profile:
|
||||
user_has_selectable_profiles = True
|
||||
else:
|
||||
profile = authorized_profile
|
||||
if (authorized_scopes & scopes) < scopes:
|
||||
needs_scope_validation = True
|
||||
if needs_scope_validation or needs_profile_validation:
|
||||
if needs_scope_validation or (user_has_selectable_profiles and client.activate_user_profiles):
|
||||
if 'none' in prompt:
|
||||
raise ConsentRequired(_('Consent is required but prompt parameter is "none"'))
|
||||
if request.method == 'POST':
|
||||
|
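Review bot: The consent page is still reached through `needs_scope_validation` when the user owns profiles but the client has `activate_user_profiles` off, so a profile value in that POST must be rejected server-side; the POST handler begins at `if request.method == 'POST':` on the last line of the hunk and its body is outside it, so I cannot confirm it re-checks `client.activate_user_profiles` and that the submitted profile belongs to `request.user` — the template condition only hides the selector, it enforces nothing. A nit on the new line `if request.user.profiles.count() and not authorized_profile:`: Django's `.exists()` is the idiom for a boolean test and avoids counting rows, `if request.user.profiles.exists() and not authorized_profile:`. The `else: profile = authorized_profile` branch now pairs with a condition that no longer includes `client.activate_user_profiles`; since `authorized_profile` is falsy in the taken branch this looks equivalent, but a short comment such as `# profile stays None: the user has profiles but none was authorized yet` would make that deliberate. The same renamed flag is passed in the context hunk at `@ -446,7 +446,7 @@`, which needs no separate change.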
@ -446,7 +446,7 @@ def authorize_for_client(request, client, redirect_uri):
|
|||
request,
|
||||
'authentic2_idp_oidc/authorization.html',
|
||||
{
|
||||
'needs_profile_validation': needs_profile_validation,
|
||||
'user_has_selectable_profiles': user_has_selectable_profiles,
|
||||
'needs_scope_validation': needs_scope_validation,
|
||||
'client': client,
|
||||
'scopes': scopes - {'openid'},
|
||||
|
|
|
@ -143,6 +143,29 @@ def test_login_profiles_absent(app, oidc_client, simple_user, profile_settings):
|
|||
assert not 'profile-validation-' in response.text
|
||||
|
||||
|
||||
def test_login_profiles_deactivated(app, oidc_client, profile_user, profile_settings):
|
||||
redirect_uri = oidc_client.redirect_uris.split()[0]
|
||||
oidc_client.activate_user_profiles = False
|
||||
oidc_client.save()
|
||||
params = {
|
||||
'client_id': oidc_client.client_id,
|
||||
'scope': 'openid profile email',
|
||||
'redirect_uri': redirect_uri,
|
||||
'state': 'xxx',
|
||||
'nonce': 'yyy',
|
||||
'login_hint': 'backoffice john@example.com',
|
||||
'response_type': 'code',
|
||||
}
|
||||
assert profile_user.profiles.count() == 2
|
||||
|
||||
authorize_url = make_url('oidc-authorize', params=params)
|
||||
utils.login(app, profile_user)
|
||||
response = app.get(authorize_url)
|
||||
assert 'a2-oidc-authorization-form' in response.text
|
||||
# not interface changes for users without a profile
|
||||
assert not 'profile-validation-' in response.text
|
||||
|
||||
|
||||
def test_login_profile_selection(app, oidc_client, profile_user, profile_settings):
|
||||
oidc_client.idtoken_algo = oidc_client.ALGO_HMAC
|
||||
oidc_client.activate_user_profiles = True
|
||||
|
|
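Review bot: The comment `# not interface changes for users without a profile` in `test_login_profiles_deactivated` misdescribes the case: the user owns two profiles (asserted a few lines above) and it is the client that sets `activate_user_profiles = False`, so the line reads as a copy from `test_login_profiles_absent`. Replace it with `# no interface changes when the client has deactivated user profiles`. The test only covers the GET rendering; if the authorization POST accepts a profile field, a companion test that submits one while the feature is deactivated would pin that the view ignores it rather than relying on the template hiding the selector — the form fields are not visible in this hunk, so I cannot confirm their names. `test_login_profile_selection` continues past the end of the hunk.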