providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
f9a5add01d
commit
4d7d700afa
|
@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
|
|||
# and POST request.
|
||||
query_dict = request.POST if request.method == "POST" else request.GET
|
||||
state = query_dict.get("state")
|
||||
redirect_uri = query_dict.get("redirect_uri", "")
|
||||
redirect_uri = query_dict.get("redirect_uri", "").lower()
|
||||
|
||||
response_type = query_dict.get("response_type", "")
|
||||
grant_type = None
|
||||
|
@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
|
|||
if not self.redirect_uri:
|
||||
LOGGER.warning("Missing redirect uri.")
|
||||
raise RedirectUriError("", allowed_redirect_urls)
|
||||
if len(allowed_redirect_urls) < 1:
|
||||
|
||||
if self.provider.redirect_uris == "":
|
||||
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
|
||||
self.provider.redirect_uris = self.redirect_uri
|
||||
self.provider.save()
|
||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||
|
||||
if self.provider.redirect_uris == "*":
|
||||
LOGGER.warning(
|
||||
"Provider has no allowed redirect_uri set, allowing all.",
|
||||
allow=self.redirect_uri.lower(),
|
||||
"Provider has wildcard allowed redirect_uri set, allowing all.",
|
||||
allow=self.redirect_uri,
|
||||
)
|
||||
return
|
||||
if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
|
||||
if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
|
||||
LOGGER.warning(
|
||||
"Invalid redirect uri",
|
||||
redirect_uri=self.redirect_uri,
|
||||
|
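Review bot: The blank-`redirect_uris` branch (`if self.provider.redirect_uris == "":`) persists the request-supplied `self.redirect_uri` without validation, so a first request whose `redirect_uri` is literally `*` is saved verbatim and the check that follows (`if self.provider.redirect_uris == "*":`) then treats the provider as wildcard from that point on. A guard in front of the save, e.g. `parsed = urlparse(self.redirect_uri)` followed by `if self.provider.redirect_uris == "" and parsed.scheme and parsed.netloc:` (using `urllib.parse.urlparse`), would limit what can be pinned to an absolute URL; whether pinning should additionally require an authenticated session cannot be decided from this hunk. Separately, `redirect_uri = query_dict.get("redirect_uri", "").lower()` folds the path and query together with scheme and host, and RFC 3986 treats path and query as case-sensitive, so if `self.redirect_uri` is later used as the actual redirect target (outside this hunk) the client may be sent to a different path than it requested; lowercasing only the comparison operand would leave the stored and redirected value intact. The same whole-URI folding is introduced on the `TokenParams` side (`redirect_uri=request.POST.get("redirect_uri", "").lower()`). The enclosing method starts before and continues past the hunk.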
|
|
@ -66,7 +66,7 @@ class TokenParams:
|
|||
provider=provider,
|
||||
client_id=client_id,
|
||||
client_secret=client_secret,
|
||||
redirect_uri=request.POST.get("redirect_uri", ""),
|
||||
redirect_uri=request.POST.get("redirect_uri", "").lower(),
|
||||
grant_type=request.POST.get("grant_type", ""),
|
||||
state=request.POST.get("state", ""),
|
||||
scope=request.POST.get("scope", "").split(),
|
||||
|
@ -123,21 +123,23 @@ class TokenParams:
|
|||
LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
|
||||
raise TokenError("unsupported_grant_type")
|
||||
|
||||
def __post_init_code(self, raw_code):
|
||||
def __post_init_code(self, raw_code: str):
|
||||
if not raw_code:
|
||||
LOGGER.warning("Missing authorization code")
|
||||
raise TokenError("invalid_grant")
|
||||
|
||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||
if len(allowed_redirect_urls) < 1:
|
||||
if self.provider.redirect_uris == "*":
|
||||
LOGGER.warning(
|
||||
"Provider has no allowed redirect_uri set, allowing all.",
|
||||
allow=self.redirect_uri.lower(),
|
||||
"Provider has wildcard allowed redirect_uri set, allowing all.",
|
||||
redirect=self.redirect_uri,
|
||||
)
|
||||
elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
|
||||
# At this point, no provider should have a blank redirect_uri, in case they do
|
||||
# this will check an empty array and raise an error
|
||||
elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
|
||||
LOGGER.warning(
|
||||
"Invalid redirect uri",
|
||||
uri=self.redirect_uri,
|
||||
redirect=self.redirect_uri,
|
||||
expected=self.provider.redirect_uris.split(),
|
||||
)
|
||||
raise TokenError("invalid_client")
|
||||
|
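Review bot: The wildcard warning in `__post_init_code` logs the URI under the keyword `redirect=self.redirect_uri`, while the corresponding warning in `OAuthAuthorizationParams` uses `allow=self.redirect_uri` for the same message; one keyword for both keeps the structured log field searchable across the two endpoints. The `expected=self.provider.redirect_uris.split()` argument in the invalid-uri warning re-splits the string that `allowed_redirect_urls` already holds a few lines earlier; `expected=allowed_redirect_urls` says the same thing. `__post_init_code` continues past the end of the hunk.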
|
|
@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
|||
msgstr "If multiple providers share an outpost, a self-signed certificate is used."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||
msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||
|
||||
#: src/pages/tenants/TenantForm.ts
|
||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||
|
@ -5187,6 +5191,10 @@ msgstr "Title"
|
|||
msgid "To"
|
||||
msgstr "To"
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||
msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||
|
||||
#: src/pages/users/UserViewPage.ts
|
||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||
msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||
|
|
|
@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
|||
msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
|
||||
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/tenants/TenantForm.ts
|
||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||
|
@ -5131,6 +5135,10 @@ msgstr "Titre"
|
|||
msgid "To"
|
||||
msgstr "À"
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/users/UserViewPage.ts
|
||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||
msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."
|
||||
|
|
|
@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
|||
msgstr ""
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgstr ""
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/tenants/TenantForm.ts
|
||||
|
@ -5167,6 +5171,10 @@ msgstr ""
|
|||
msgid "To"
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/users/UserViewPage.ts
|
||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||
msgstr ""
|
||||
|
|
|
@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
|||
msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
|
||||
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||
#~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/tenants/TenantForm.ts
|
||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||
|
@ -5076,6 +5080,10 @@ msgstr "Başlık"
|
|||
msgid "To"
|
||||
msgstr "Kime"
|
||||
|
||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||
msgstr ""
|
||||
|
||||
#: src/pages/users/UserViewPage.ts
|
||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||
msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."
|
||||
|
|
|
@ -171,7 +171,10 @@ ${this.instance?.redirectUris}</textarea
|
|||
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
|
||||
</p>
|
||||
<p class="pf-c-form__helper-text">
|
||||
${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`}
|
||||
${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`}
|
||||
</p>
|
||||
<p class="pf-c-form__helper-text">
|
||||
${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}
|
||||
</p>
|
||||
</ak-form-element-horizontal>
|
||||
<ak-form-element-horizontal label=${t`Signing Key`} name="signingKey">
|
||||
|
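Review bot: The new helper text states that the first successfully used redirect URI will be saved, but as far as the authorize hunk in this commit shows, `self.provider.save()` runs inside redirect-URI validation of the authorization request, before any consent or token step has completed, so "successfully used" claims more than is checked at that point. Unless a later step outside these hunks defers the save, a phrase such as `the redirect URI of the first authorization request will be saved` would describe the behaviour accurately; the same string is the msgid in the translation catalogs above.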
|