def get(self, request):
"""Callback handler for OIDC authorization code flow"""
nonce = request.session.get('oidc_nonce')
if nonce:
# Make sure that nonce is not used twice
del request.session['oidc_nonce']
if request.GET.get('error'):
# Ouch! Something important failed.
# Make sure the user doesn't get to continue to be logged in
# otherwise the refresh middleware will force the user to
# redirect to authorize again if the session refresh has
# expired.
if is_authenticated(request.user):
auth.logout(request)
assert not is_authenticated(request.user)
elif 'code' in request.GET and 'state' in request.GET:
kwargs = {
'request': request,
'nonce': nonce,
}
if 'oidc_state' not in request.session:
return self.login_failure()
if request.GET['state'] != request.session['oidc_state']:
msg = 'Session `oidc_state` does not match the OIDC callback state'
raise SuspiciousOperation(msg)
self.user = auth.authenticate(**kwargs)
if self.user and self.user.is_active:
return self.login_success()
return self.login_failure()
def get(self, request):
"""Callback handler for OIDC authorization code flow"""
nonce = request.session.get('oidc_nonce')
if nonce:
# Make sure that nonce is not used twice
del request.session['oidc_nonce']
if request.GET.get('error'):
# Ouch! Something important failed.
# Make sure the user doesn't get to continue to be logged in
# otherwise the refresh middleware will force the user to
# redirect to authorize again if the session refresh has
# expired.
if is_authenticated(request.user):
auth.logout(request)
assert not is_authenticated(request.user)
elif 'code' in request.GET and 'state' in request.GET:
kwargs = {
'request': request,
'nonce': nonce,
}
if 'oidc_state' not in request.session:
return self.login_failure()
if request.GET['state'] != request.session['oidc_state']:
msg = 'Session `oidc_state` does not match the OIDC callback state'
raise SuspiciousOperation(msg)
self.user = auth.authenticate(**kwargs)
if self.user and self.user.is_active:
return self.login_success()
return self.login_failure()
def is_refreshable_url(self, request):
"""Takes a request and returns whether it triggers a refresh examination
:arg HttpRequest request:
:returns: boolean
"""
return (request.method == 'GET' and is_authenticated(request.user)
and request.path not in self.exempt_urls)
def is_refreshable_url(self, request):
"""Takes a request and returns whether it triggers a refresh examination
:arg HttpRequest request:
:returns: boolean
"""
return (
request.method == 'GET' and
is_authenticated(request.user) and
request.path not in self.exempt_urls
)
def post(self, request):
"""Log out the user."""
logout_url = self.redirect_url
if is_authenticated(request.user):
# Check if a method exists to build the URL to log out the user
# from the OP.
logout_from_op = import_from_settings('OIDC_OP_LOGOUT_URL_METHOD', '')
if logout_from_op:
logout_url = import_string(logout_from_op)()
# Log out the Django user if they were logged in.
auth.logout(request)
return HttpResponseRedirect(logout_url)
def post(self, request):
"""Log out the user."""
logout_url = self.redirect_url
if is_authenticated(request.user):
# Check if a method exists to build the URL to log out the user
# from the OP.
logout_from_op = import_from_settings('OIDC_OP_LOGOUT_URL_METHOD', '')
if logout_from_op:
logout_url = import_string(logout_from_op)(request)
# Log out the Django user if they were logged in.
auth.logout(request)
return HttpResponseRedirect(logout_url)
def is_refreshable_url(self, request):
"""Takes a request and returns whether it triggers a refresh examination
:arg HttpRequest request:
:returns: boolean
"""
# Do not attempt to refresh the session if the OIDC backend is not used
backend_session = request.session.get(BACKEND_SESSION_KEY)
is_oidc_enabled = True
if backend_session:
auth_backend = import_string(backend_session)
is_oidc_enabled = issubclass(auth_backend,
OIDCAuthenticationBackend)
return (request.method == 'GET' and is_authenticated(request.user)
and is_oidc_enabled and request.path not in self.exempt_urls)
def get(self, request):
return Response({'is_authenticated': is_authenticated(request.user)})
