trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/oauth2: ensure nonce is validated on all OIDC flows

This commit is contained in:
Jens Langhammer 2020-12-27 18:13:41 +01:00
parent 67ca83c228
commit ce9fb8801c
1 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
authentik/providers/oauth2/views/authorize.py
View File

@ -71,7 +71,7 @@ class OAuthAuthorizationParams:
response_type: str response_type: str
scope: List[str] scope: List[str]
state: str state: str
nonce: str nonce: Optional[str]
prompt: Set[str] prompt: Set[str]
grant_type: str grant_type: str
@ -128,7 +128,7 @@ class OAuthAuthorizationParams:
grant_type=grant_type, grant_type=grant_type,
scope=query_dict.get("scope", "").split(), scope=query_dict.get("scope", "").split(),
state=state, state=state,
nonce=query_dict.get("nonce", ""), nonce=query_dict.get("nonce"),
prompt=ALLOWED_PROMPT_PARAMS.intersection( prompt=ALLOWED_PROMPT_PARAMS.intersection(
set(query_dict.get("prompt", "").split()) set(query_dict.get("prompt", "").split())
), ),
@ -192,14 +192,12 @@ class OAuthAuthorizationParams:
def check_nonce(self): def check_nonce(self):
"""Nonce parameter validation.""" """Nonce parameter validation."""
if ( if not self.nonce:
SCOPE_OPENID in self.scope if SCOPE_OPENID in self.scope:
and self.grant_type == GrantTypes.IMPLICIT raise AuthorizeError(
and not self.nonce self.redirect_uri, "invalid_request", self.grant_type, self.state
): )
raise AuthorizeError( self.nonce = ""
self.redirect_uri, "invalid_request", self.grant_type, self.state
)
def check_code_challenge(self): def check_code_challenge(self):
"""PKCE validation of the transformation method.""" """PKCE validation of the transformation method."""