providers/oauth2: only send id_token as access_token if ADFS compat mode is enabled
parent
f1ccef7f6a
commit
818f417fd8
@ -41,4 +41,10 @@ class Migration(migrations.Migration):
),
),
migrations.RunPython(create_default_admin_group),
migrations.AlterModelManagers(
name='user',
managers=[
('objects', passbook.core.models.UserManager()),
],
),
]
@ -0,0 +1,23 @@
# Generated by Django 3.1.1 on 2020-09-16 21:29
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('passbook_providers_oauth2', '0002_oauth2provider_sub_mode'),
]
operations = [
migrations.AlterField(
model_name='oauth2provider',
name='client_type',
field=models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], default='confidential', help_text='Confidential clients are capable of maintaining the confidentiality\n of their credentials. Public clients are incapable.', max_length=30, verbose_name='Client Type'),
),
migrations.AlterField(
model_name='oauth2provider',
name='response_type',
field=models.TextField(choices=[('code', 'code (Authorization Code Flow)'), ('code_adfs', 'code (ADFS Compatibility Mode, sends id_token as access_token)'), ('id_token', 'id_token (Implicit Flow)'), ('id_token token', 'id_token token (Implicit Flow)'), ('code token', 'code token (Hybrid Flow)'), ('code id_token', 'code id_token (Hybrid Flow)'), ('code id_token token', 'code id_token token (Hybrid Flow)')], default='code', help_text='Response Type required by the client.'),
),
]
@ -31,8 +31,8 @@ from passbook.providers.oauth2.generators import (
class ClientTypes(models.TextChoices):
"""<b>Confidential</b> clients are capable of maintaining the confidentiality
of their credentials. <b>Public</b> clients are incapable."""
"""Confidential clients are capable of maintaining the confidentiality
of their credentials. Public clients are incapable."""
CONFIDENTIAL = "confidential", _("Confidential")
PUBLIC = "public", _("Public")
@ -70,6 +70,7 @@ class ResponseTypes(models.TextChoices):
"""Response Type required by the client."""
CODE = "code", _("code (Authorization Code Flow)")
CODE_ADFS = "code_adfs", _("code (ADFS Compatibility Mode, sends id_token as access_token)")
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)")
CODE_TOKEN = "code token", _("code token (Hybrid Flow)")
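Review bot: CODE_ADFS is a provider-side compatibility switch rather than a response type a client asks for, yet the only description it carries is the translated choice label, and the class docstring above still reads "Response Type required by the client." A comment on the new line would keep the next maintainer from treating it as a protocol value, e.g. `# Not an OAuth 2.0 / OIDC response_type: authorization code flow plus a non-standard token response (handled in TokenView).` The enum body continues outside the hunk.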
@ -90,7 +90,7 @@ class OAuthAuthorizationParams:
response_type = query_dict.get("response_type", "")
grant_type = None
# Determine which flow to use.
if response_type in [ResponseTypes.CODE]:
if response_type in [ResponseTypes.CODE, ResponseTypes.CODE_ADFS]:
grant_type = GrantTypes.AUTHORIZATION_CODE
elif response_type in [
ResponseTypes.ID_TOKEN,
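Review bot: The new condition accepts `code_adfs` as the literal value of the `response_type` query parameter, so the compatibility mode becomes something a client can request on the wire even though it is not a response type defined by OAuth 2.0 or OpenID Connect. If the requested value is compared against the provider's configured response_type elsewhere (not visible here), a client of a CODE_ADFS provider would also have to send `response_type=code_adfs` instead of the standard `code`. Consider keeping the wire check at `if response_type in [ResponseTypes.CODE]:` and deriving the ADFS behaviour from the provider setting alone, as TokenView already does. The enclosing method starts before this hunk and ends after it.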
@ -17,7 +17,7 @@ from passbook.providers.oauth2.errors import TokenError, UserAuthError
from passbook.providers.oauth2.models import (
AuthorizationCode,
OAuth2Provider,
RefreshToken,
RefreshToken, ResponseTypes,
)
from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth
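Review bot: `RefreshToken, ResponseTypes,` puts two names on one line of a parenthesised import that otherwise lists one name per line, which isort/black will reformat on the next run and which makes later diffs noisier. Split it into `RefreshToken,` and `ResponseTypes,` on separate lines.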
@ -200,7 +200,7 @@ class TokenView(View):
"id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
}
if self.params.authorization_code.is_open_id:
if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
# This seems to be expected by some OIDC Clients
# namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
# Maybe this should be a setting
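Review bot: The replaced condition drops the `self.params.authorization_code.is_open_id` check, so with a CODE_ADFS provider the id_token-as-access_token substitution now also applies to authorization codes that were not issued for an OpenID request; whether `id_token` is populated in that case is not visible here, so consider `if self.params.provider.response_type == ResponseTypes.CODE_ADFS and self.params.authorization_code.is_open_id:` unless ADFS-style clients are known to omit the openid scope. The three-line comment below is now stale as well: "Maybe this should be a setting" describes exactly what this commit turned it into, so rewrite it to say the behaviour is enabled per provider through ResponseTypes.CODE_ADFS and remains outside any OpenID or OAuth2 standard. The body of the enclosing method continues outside the hunk.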