use state as nonce and check nonce returned in id_token
parent
6a57e1f0ec
commit
690fde2f6b
|
@ -64,7 +64,6 @@ def ask_authorization(request, scopes, logger):
|
|||
scopes = [scopes]
|
||||
redirect_uri = request.build_absolute_uri()
|
||||
state = unicode(uuid.uuid4())
|
||||
nonce = unicode(uuid.uuid4())
|
||||
states = request.session.setdefault('fc-states', {})
|
||||
states[state] = {
|
||||
'redirect_uri': redirect_uri,
|
||||
|
@ -76,7 +75,7 @@ def ask_authorization(request, scopes, logger):
|
|||
'redirect_uri': redirect_uri,
|
||||
'response_type': 'code',
|
||||
'state': state,
|
||||
'nonce': nonce,
|
||||
'nonce': state,
|
||||
}
|
||||
logger.debug('query string %s', params)
|
||||
url = '{0}?{1}'.format(app_settings.authorize_url, urlencode(params))
|
||||
|
@ -136,7 +135,6 @@ def access_token_from_request(request, logger):
|
|||
if state not in states:
|
||||
return
|
||||
# there should not be many FC SSO in flight
|
||||
request.session.pop('fc-states', None)
|
||||
redirect_uri = states[state]['redirect_uri']
|
||||
return resolve_access_token(code, redirect_uri, logger)
|
||||
|
||||
|
@ -253,6 +251,13 @@ class FcOAuthSessionViewMixin(LoggerMixin):
|
|||
return self.redirect(request)
|
||||
|
||||
self.id_token = models.parse_id_token(self.token['id_token'])
|
||||
nonce = self.id_token.get('nonce')
|
||||
states = request.session.get('fc-states', {})
|
||||
if not nonce or nonce not in states:
|
||||
self.logger.warning(u'invalid nonce in id_token %s, known ones %s', nonce,
|
||||
u', '.join(states.keys()))
|
||||
messages.warning(request, _('Unable to connect to FranceConnect.'))
|
||||
return self.redirect(request)
|
||||
self.logger.debug('fc id_token %s', self.id_token)
|
||||
for key in self.id_token:
|
||||
setattr(self, key, self.id_token[key])
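Review bot: The new check `if not nonce or nonce not in states` only proves the id_token's nonce is *some* in-flight state in the session, not the state of this callback, and the entry is never consumed, so the same id_token stays acceptable for as long as `fc-states` lives in the session — and since this commit appears to drop the `request.session.pop('fc-states', None)` in `access_token_from_request` (the removed line is not marked on this page, so that is inferred), entries now accumulate rather than being cleared per flow. Bind the nonce to the callback's own `state` (it is read from the request in `access_token_from_request`, so it should be reachable here) and delete it after a successful check, writing the dict back so the session is saved. The warning also prints every in-flight state value with `u', '.join(states.keys())`; those values double as the CSRF token for the flow, so log a count instead. The enclosing method starts before this hunk.
```python
        self.id_token = models.parse_id_token(self.token['id_token'])
        nonce = self.id_token.get('nonce')
        states = request.session.get('fc-states', {})
        # nonce == state of this callback; check it against the callback's own
        # state and consume it so the id_token cannot be replayed in this session
        if not nonce or nonce != request.GET.get('state') or nonce not in states:
            self.logger.warning(u'invalid nonce in id_token %s (%d states in flight)',
                                nonce, len(states))
            messages.warning(request, _('Unable to connect to FranceConnect.'))
            return self.redirect(request)
        del states[nonce]
        request.session['fc-states'] = states
        # … unchanged: debug log and claim-to-attribute copy …
```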
|
||||
|
|