providers/oauth2: only send id_token as access_token if ADFS compat mode is enabled
parent
f1ccef7f6a
commit
818f417fd8
|
@ -41,4 +41,10 @@ class Migration(migrations.Migration):
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
migrations.RunPython(create_default_admin_group),
|
migrations.RunPython(create_default_admin_group),
|
||||||
|
migrations.AlterModelManagers(
|
||||||
|
name='user',
|
||||||
|
managers=[
|
||||||
|
('objects', passbook.core.models.UserManager()),
|
||||||
|
],
|
||||||
|
),
|
||||||
]
|
]
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Generated by Django 3.1.1 on 2020-09-16 21:29
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
dependencies = [
|
||||||
|
('passbook_providers_oauth2', '0002_oauth2provider_sub_mode'),
|
||||||
|
]
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name='oauth2provider',
|
||||||
|
name='client_type',
|
||||||
|
field=models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], default='confidential', help_text='Confidential clients are capable of maintaining the confidentiality\n of their credentials. Public clients are incapable.', max_length=30, verbose_name='Client Type'),
|
||||||
|
),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name='oauth2provider',
|
||||||
|
name='response_type',
|
||||||
|
field=models.TextField(choices=[('code', 'code (Authorization Code Flow)'), ('code_adfs', 'code (ADFS Compatibility Mode, sends id_token as access_token)'), ('id_token', 'id_token (Implicit Flow)'), ('id_token token', 'id_token token (Implicit Flow)'), ('code token', 'code token (Hybrid Flow)'), ('code id_token', 'code id_token (Hybrid Flow)'), ('code id_token token', 'code id_token token (Hybrid Flow)')], default='code', help_text='Response Type required by the client.'),
|
||||||
|
),
|
||||||
|
]
|
|
@ -31,8 +31,8 @@ from passbook.providers.oauth2.generators import (
|
||||||
|
|
||||||
|
|
||||||
class ClientTypes(models.TextChoices):
|
class ClientTypes(models.TextChoices):
|
||||||
"""<b>Confidential</b> clients are capable of maintaining the confidentiality
|
"""Confidential clients are capable of maintaining the confidentiality
|
||||||
of their credentials. <b>Public</b> clients are incapable."""
|
of their credentials. Public clients are incapable."""
|
||||||
|
|
||||||
CONFIDENTIAL = "confidential", _("Confidential")
|
CONFIDENTIAL = "confidential", _("Confidential")
|
||||||
PUBLIC = "public", _("Public")
|
PUBLIC = "public", _("Public")
|
||||||
|
@ -70,6 +70,7 @@ class ResponseTypes(models.TextChoices):
|
||||||
"""Response Type required by the client."""
|
"""Response Type required by the client."""
|
||||||
|
|
||||||
CODE = "code", _("code (Authorization Code Flow)")
|
CODE = "code", _("code (Authorization Code Flow)")
|
||||||
|
CODE_ADFS = "code_adfs", _("code (ADFS Compatibility Mode, sends id_token as access_token)")
|
||||||
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
|
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
|
||||||
ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)")
|
ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)")
|
||||||
CODE_TOKEN = "code token", _("code token (Hybrid Flow)")
|
CODE_TOKEN = "code token", _("code token (Hybrid Flow)")
|
||||||
|
|
|
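Review bot: `CODE_ADFS = "code_adfs", ...` adds a per-provider compatibility switch to an enumeration whose other members are OAuth2 `response_type` wire values, and nothing in the hunk tells the reader that `code_adfs` is never sent by a client. A one-line comment above the member would make that explicit, e.g. `# Not a wire-level response_type: behaves as "code" but additionally returns the id_token as access_token (ADFS/vCenter compatibility, outside OAuth2/OIDC).` Since the label itself says the id_token is handed out as the access token, it is also worth stating there that the token's identity claims are then exposed to every API the client presents it to, which is the trade-off an administrator enabling the mode accepts.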
@ -90,7 +90,7 @@ class OAuthAuthorizationParams:
|
||||||
response_type = query_dict.get("response_type", "")
|
response_type = query_dict.get("response_type", "")
|
||||||
grant_type = None
|
grant_type = None
|
||||||
# Determine which flow to use.
|
# Determine which flow to use.
|
||||||
if response_type in [ResponseTypes.CODE]:
|
if response_type in [ResponseTypes.CODE, ResponseTypes.CODE_ADFS]:
|
||||||
grant_type = GrantTypes.AUTHORIZATION_CODE
|
grant_type = GrantTypes.AUTHORIZATION_CODE
|
||||||
elif response_type in [
|
elif response_type in [
|
||||||
ResponseTypes.ID_TOKEN,
|
ResponseTypes.ID_TOKEN,
|
||||||
|
|
|
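Review bot: The added `ResponseTypes.CODE_ADFS` in `if response_type in [ResponseTypes.CODE, ResponseTypes.CODE_ADFS]:` compares the client-supplied `response_type` query parameter, and a standards-following client sends `code`, never `code_adfs`, so the new branch only fires if a client literally requests `response_type=code_adfs`. If the request value is validated against the provider's configured `response_type` elsewhere (not visible here), a provider set to `code_adfs` would still reject ordinary `code` requests; the grant-type mapping may therefore need to consider the provider's configured value rather than the request parameter alone, which cannot be confirmed from this hunk. The enclosing method of `OAuthAuthorizationParams` starts before and ends after the hunk.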
@ -17,7 +17,7 @@ from passbook.providers.oauth2.errors import TokenError, UserAuthError
|
||||||
from passbook.providers.oauth2.models import (
|
from passbook.providers.oauth2.models import (
|
||||||
AuthorizationCode,
|
AuthorizationCode,
|
||||||
OAuth2Provider,
|
OAuth2Provider,
|
||||||
RefreshToken,
|
RefreshToken, ResponseTypes,
|
||||||
)
|
)
|
||||||
from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth
|
from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth
|
||||||
|
|
||||||
|
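Review bot: `RefreshToken, ResponseTypes,` breaks the one-name-per-line layout of the surrounding multi-line import (`AuthorizationCode,`, `OAuth2Provider,` each on their own line); putting `ResponseTypes,` on its own line after `RefreshToken,` keeps the list sorted and diff-friendly.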
@ -200,7 +200,7 @@ class TokenView(View):
|
||||||
"id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
|
"id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
|
||||||
}
|
}
|
||||||
|
|
||||||
if self.params.authorization_code.is_open_id:
|
if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
|
||||||
# This seems to be expected by some OIDC Clients
|
# This seems to be expected by some OIDC Clients
|
||||||
# namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
|
# namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
|
||||||
# Maybe this should be a setting
|
# Maybe this should be a setting
|
||||||
|
|
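Review bot: The new condition `if self.params.provider.response_type == ResponseTypes.CODE_ADFS:` drops the previous `self.params.authorization_code.is_open_id` gate, so for a provider in ADFS mode the id_token is returned as access_token on every token request rather than only on those that asked for the `openid` scope; if that widening is intended it should be stated, otherwise `... == ResponseTypes.CODE_ADFS and self.params.authorization_code.is_open_id` keeps the old scope check. The three comment lines below the condition still end with `# Maybe this should be a setting` although this commit makes it one; they should be replaced with something like `# ADFS compatibility mode: some clients (e.g. VMware vCenter) expect the id_token in the access_token field. Not defined by OAuth2 or OpenID Connect; enabled per provider via ResponseTypes.CODE_ADFS.` The TokenView method continues past the hunk, so what is assigned inside the branch is not visible here.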