def _handle_consent_confirmation(user, is_confirmed):
    """
    Return server response given user consent.

    Args:
        user (fence.models.User): authN'd user
        is_confirmed (str): confirmation param; only the exact string
            ``"yes"`` counts as consent

    Returns:
        the authorization server's response, granting for ``user`` when
        consent was given and granting nobody otherwise
    """
    # Anything other than an explicit "yes" is treated as a denial, so the
    # server is asked for a response with no granting user.
    grant_user = user if is_confirmed == "yes" else None
    return server.create_authorization_response(grant_user=grant_user)
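def _get_auth_response_for_prompts(prompts, grant, user, client, scope):
    """
    Get response based on prompt parameter.

    TODO: not completely conforming yet

    FIXME: To conform to spec, some of the prompt params should be handled
    before AuthN or if it fails (so adequate and useful errors are
    provided). Right now the behavior is that the endpoint will just
    continue to redirect the user to log in without checking these
    params....

    Args:
        prompts (str): raw ``prompt`` request parameter, a space-separated
            list of values (``none``, ``login``, ``consent``,
            ``select_account``); falsy when absent
        grant: authorization grant; its ``params`` mapping is read for
            ``state``, ``uri`` and ``redirect_uri``
        user: the authenticated user, handed to the authorization server
            (``prompt=none``) and to the consent template
        client: the OAuth client, handed to the consent template
        scope (str): space-separated requested scopes; falsy when absent

    Returns:
        one of: an error redirect built by ``_get_authorize_error_response``,
        a redirect back to ``.authorize`` after ``prompt=login`` (JSON body
        for a POST), the authorization server's own response for
        ``prompt=none``, or the rendered consent page
    """

    def error_response(error_cls):
        # Every failure below redirects to the client with the same
        # state/uri taken from the grant, so build that in one place.
        error = error_cls(
            state=grant.params.get("state"), uri=grant.params.get("uri")
        )
        return _get_authorize_error_response(
            error, grant.params.get("redirect_uri")
        )

    show_consent_screen = True
    if prompts:
        prompts = prompts.split(" ")
        if "none" in prompts:
            # don't auth or consent, error if user not logged in
            show_consent_screen = False
            # if none is here, there shouldn't be others
            if len(prompts) != 1:
                return error_response(InvalidRequestError)
            try:
                get_current_user()
                # NOTE(review): ``user`` is passed positionally here while
                # _handle_consent_confirmation passes ``grant_user=``;
                # confirm the first positional argument is the granting
                # user for this server version.
                response = server.create_authorization_response(user)
            except Unauthorized:
                return error_response(AccessDeniedError)
        if "login" in prompts:
            show_consent_screen = True
            try:
                # Re-AuthN user (kind of).
                # TODO (RR 2018-03-16): this could also include removing active
                # refresh tokens.
                flask.session.clear()
                # Both request methods send the user back through
                # ``.authorize``.  The POST branch used to read
                # ``response.headers["Location"]``, but ``response`` is only
                # bound in the ``none`` branch, which can never be combined
                # with ``login`` (rejected above), so that raised
                # UnboundLocalError; use the same target as the GET branch.
                redirect_url = flask.url_for(".authorize")
                # For a POST, return the redirect in JSON instead of headers.
                if flask.request.method == "POST":
                    redirect_response = flask.make_response(
                        flask.jsonify({"redirect": redirect_url})
                    )
                else:
                    redirect_response = flask.make_response(
                        flask.redirect(redirect_url)
                    )
                clear_cookies(redirect_response)
                return redirect_response
            except Unauthorized:
                return error_response(AccessDeniedError)
        # "consent": show the consent screen, which is the default behavior.
        # "select_account": letting the user pick one of their accounts is
        # not supported at the moment, so the value is ignored.
    if show_consent_screen:
        # A missing scope means there are no resources to describe.
        shown_scopes = [] if not scope else scope.split(" ")
        # "openid" is not listed as a resource on the consent page.
        if "openid" in shown_scopes:
            shown_scopes.remove("openid")
        enabled_idps = config.get("OPENID_CONNECT", {})
        # prefer name if its there, then just use the key for the provider
        idp_names = [
            info.get("name") or idp.title() for idp, info in enabled_idps.items()
        ]
        joined_idp_names = " and ".join(idp_names)
        resource_description = [
            SCOPE_DESCRIPTION[s].format(idp_names=joined_idp_names)
            for s in shown_scopes
        ]
        privacy_policy = config.get("BASE_URL").rstrip("/") + "/privacy-policy"
        response = flask.render_template(
            "oauthorize.html",
            grant=grant,
            user=user,
            client=client,
            app_name=config.get("APP_NAME"),
            resource_description=resource_description,
            privacy_policy=privacy_policy,
        )
    return response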
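def _get_auth_response_for_prompts(prompts, grant, user, client, scope):
    """
    Get response based on prompt parameter.

    TODO: not completely conforming yet

    FIXME: To conform to spec, some of the prompt params should be handled
    before AuthN or if it fails (so adequate and useful errors are
    provided). Right now the behavior is that the endpoint will just
    continue to redirect the user to log in without checking these
    params....

    Args:
        prompts (str): raw ``prompt`` request parameter, a space-separated
            list of values (``none``, ``login``, ``consent``,
            ``select_account``); falsy when absent
        grant: authorization grant; its ``params`` mapping is read for
            ``state``, ``uri`` and ``redirect_uri``
        user: the authenticated user, handed to the authorization server
            (``prompt=none``) and to the consent template
        client: the OAuth client, handed to the consent template
        scope (str): space-separated requested scopes; falsy when absent

    Returns:
        one of: an error redirect built by ``_get_authorize_error_response``,
        the authorization server's own response for ``prompt=none``, or the
        rendered consent page
    """
    show_consent_screen = True
    if prompts:
        prompts = prompts.split(' ')
        if 'none' in prompts:
            # don't auth or consent, error if user not logged in
            show_consent_screen = False
            # if none is here, there shouldn't be others
            if len(prompts) != 1:
                error = InvalidRequestError(
                    state=grant.params.get('state'),
                    uri=grant.params.get('uri')
                )
                return _get_authorize_error_response(
                    error, grant.params.get('redirect_uri'))
            try:
                get_current_user()
                # NOTE(review): ``user`` is passed positionally here while
                # _handle_consent_confirmation passes ``grant_user=``;
                # confirm the first positional argument is the granting
                # user for this server version.
                response = server.create_authorization_response(user)
            except Unauthorized:
                error = AccessDeniedError(
                    state=grant.params.get('state'),
                    uri=grant.params.get('uri')
                )
                return _get_authorize_error_response(
                    error, grant.params.get('redirect_uri'))
        if 'login' in prompts:
            show_consent_screen = True
            try:
                # re-AuthN user
                # TODO not sure if this really counts as re-AuthN...
                # NOTE(review): handle_login's return value is discarded and
                # the flow falls through to the consent screen; confirm it
                # redirects via side effect rather than a returned response.
                handle_login(scope)
            except Unauthorized:
                error = AccessDeniedError(
                    state=grant.params.get('state'),
                    uri=grant.params.get('uri')
                )
                return _get_authorize_error_response(
                    error, grant.params.get('redirect_uri'))
        if 'consent' in prompts:
            # show consent screen (which is default behavior so pass)
            pass
        if 'select_account' in prompts:
            # allow user to select one of their accounts, we
            # don't support this at the moment
            pass
    if show_consent_screen:
        # A missing scope must not break the consent page: ``None.split``
        # raised AttributeError and ``''.split(' ')`` yielded ``['']``,
        # which is not a key of SCOPE_DESCRIPTION.  Treat it as no scopes.
        shown_scopes = [] if not scope else scope.split(' ')
        # 'openid' is not listed as a resource on the consent page.
        if 'openid' in shown_scopes:
            shown_scopes.remove('openid')
        # loop name deliberately differs from the ``scope`` parameter
        resource_description = [
            SCOPE_DESCRIPTION[s] for s in shown_scopes]
        response = flask.render_template(
            'oauthorize.html', grant=grant, user=user, client=client,
            app_name=flask.current_app.config.get('APP_NAME'),
            resource_description=resource_description
        )
    return response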