From ce9fb8801cdb391d26b574918147ffe2632f8a64 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 27 Dec 2020 18:13:41 +0100
Subject: [PATCH] providers/oauth2: ensure nonce is validated on all OIDC flows

---
 authentik/providers/oauth2/views/authorize.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 7fdb9917e..6ea21df8d 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -71,7 +71,7 @@ class OAuthAuthorizationParams:
     response_type: str
     scope: List[str]
     state: str
-    nonce: str
+    nonce: Optional[str]
     prompt: Set[str]
     grant_type: str
 
@@ -128,7 +128,7 @@ class OAuthAuthorizationParams:
             grant_type=grant_type,
             scope=query_dict.get("scope", "").split(),
             state=state,
-            nonce=query_dict.get("nonce", ""),
+            nonce=query_dict.get("nonce"),
             prompt=ALLOWED_PROMPT_PARAMS.intersection(
                 set(query_dict.get("prompt", "").split())
             ),
@@ -192,14 +192,12 @@ class OAuthAuthorizationParams:
 
     def check_nonce(self):
         """Nonce parameter validation."""
-        if (
-            SCOPE_OPENID in self.scope
-            and self.grant_type == GrantTypes.IMPLICIT
-            and not self.nonce
-        ):
-            raise AuthorizeError(
-                self.redirect_uri, "invalid_request", self.grant_type, self.state
-            )
+        if not self.nonce:
+            if SCOPE_OPENID in self.scope:
+                raise AuthorizeError(
+                    self.redirect_uri, "invalid_request", self.grant_type, self.state
+                )
+            self.nonce = ""
 
     def check_code_challenge(self):
         """PKCE validation of the transformation method."""
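Review bot: `check_nonce` now rejects every request carrying the `openid` scope without a nonce regardless of `grant_type`, whereas OpenID Connect Core only makes `nonce` REQUIRED for the implicit and hybrid flows and leaves it OPTIONAL for the authorization code flow, so code-flow clients that omit it will start receiving `invalid_request`. If that stricter policy is deliberate hardening (the nonce binds the ID token to the client session), it should be stated in the docstring rather than left implicit, e.g. `"""Nonce parameter validation: required for any request with the openid scope (stricter than the spec, which mandates it only for implicit/hybrid); normalised to "" when absent elsewhere."""`. The trailing `self.nonce = ""` also quietly mutates the parameter object so later code never sees `None`, which deserves a one-line comment such as `# downstream code expects a str, so collapse a missing nonce to ""`. The `Optional` name introduced in the first hunk must already be imported in this module; the import block lies outside the patch so that cannot be confirmed here.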