providers/oauth2: ensure nonce is validated on all OIDC flows

2020-12-27 18:13:41 +01:00 · 2020-12-27 18:13:41 +01:00 · ce9fb8801c
parent 67ca83c228
commit ce9fb8801c
1 changed files with 8 additions and 10 deletions
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -71,7 +71,7 @@ class OAuthAuthorizationParams:
    response_type: str
    scope: List[str]
    state: str
-    nonce: str
+    nonce: Optional[str]
    prompt: Set[str]
    grant_type: str

@ -128,7 +128,7 @@ class OAuthAuthorizationParams:
            grant_type=grant_type,
            scope=query_dict.get("scope", "").split(),
            state=state,
-            nonce=query_dict.get("nonce", ""),
+            nonce=query_dict.get("nonce"),
            prompt=ALLOWED_PROMPT_PARAMS.intersection(
                set(query_dict.get("prompt", "").split())
            ),
@ -192,14 +192,12 @@ class OAuthAuthorizationParams:

    def check_nonce(self):
        """Nonce parameter validation."""
-        if (
-            SCOPE_OPENID in self.scope
-            and self.grant_type == GrantTypes.IMPLICIT
-            and not self.nonce
-        ):
-            raise AuthorizeError(
-                self.redirect_uri, "invalid_request", self.grant_type, self.state
-            )
+        if not self.nonce:
+            if SCOPE_OPENID in self.scope:
+                raise AuthorizeError(
+                    self.redirect_uri, "invalid_request", self.grant_type, self.state
+                )
+            self.nonce = ""

    def check_code_challenge(self):
        """PKCE validation of the transformation method."""