def _authorize_callback(self):
# if authorization failed abort early
error = request.args.get('error')
if error:
raise AuthenticationFailed(error, provider=self)
try:
token_data = self.authlib_client.authorize_access_token()
authinfo_token_data = {}
if self.include_token == 'only':
return self.multipass.handle_auth_success(
AuthInfo(self, token=token_data))
elif self.include_token:
authinfo_token_data['token'] = token_data
if self.use_id_token:
id_token = self.authlib_client.parse_id_token(token_data)
for key in INTERNAL_FIELDS:
id_token.pop(key, None)
return self.multipass.handle_auth_success(
AuthInfo(self, **dict(authinfo_token_data, **id_token)))
else:
user_info = self.authlib_client.userinfo()
return self.multipass.handle_auth_success(
AuthInfo(self, **dict(authinfo_token_data, **user_info)))
except AuthlibBaseError as exc:
raise AuthenticationFailed(str(exc), provider=self)
def _authorize_callback(self):
session_token = session.get(self._session_key, None)
req_token = request.args.get('state')
if not req_token or not session_token or session_token != req_token:
raise AuthenticationFailed('Invalid session state',
details={
'req_token': req_token,
'session_token': session_token
})
# XXX: When people have multiple oauth logins at the same time, e.g.
# after restarting their browser and being redirected to SSO pages
# the first successful one will remove the redirect uri from the
# session so we need to restore it in case it's not set.
session.setdefault('{}_oauthredir'.format(self.oauth_app.name),
self._get_redirect_uri())
resp = self.oauth_app.authorized_response() or {}
if isinstance(resp, flask_oauthlib.client.OAuthException):
error_details = {
'msg': resp.message,
'type': resp.type,
'data': resp.data
}
raise AuthenticationFailed('OAuth error', details=error_details)
elif self.settings['token_field'] not in resp:
error = resp.get('error_description',
resp.get('error', 'Received no oauth token'))
raise AuthenticationFailed(error)
return self.multipass.handle_auth_success(self._make_auth_info(resp))
def process_local_login(self, data):
username = data['username']
password = self.settings['identities'].get(username)
if password is None:
raise AuthenticationFailed('No such user')
if password != data['password']:
raise AuthenticationFailed('Invalid password.')
auth_info = AuthInfo(self, username=data['username'])
return self.multipass.handle_auth_success(auth_info)
def _authorize_callback(self):
token = session.pop('_multipass_oauth_' + self.name, None)
if not token or token != request.args.get('state'):
raise AuthenticationFailed('Invalid session state')
resp = self.oauth_app.authorized_response() or {}
if self.settings['token_field'] not in resp:
error = resp.get('error_description', resp.get('error', 'Received no oauth token'))
raise AuthenticationFailed(error)
return self.multipass.handle_auth_success(self._make_auth_info(resp))
def _authorize_callback(self):
error = request.args.get('error')
if error:
raise AuthenticationFailed(error, provider=self)
try:
token = self.oauth_app.authorize_access_token()
return self.multipass.handle_auth_success(
AuthInfo(self, token=token))
except AuthlibBaseError as exc:
raise AuthenticationFailed(str(exc), provider=self)
def _authorize_callback(self):
# if authorization failed abort early
error = request.args.get('error')
if error:
raise AuthenticationFailed(error, provider=self)
# try to get a token containing a valid oidc id token
try:
oauth_token_data = self.oauth_app.authorize_access_token()
id_token = self._parse_id_token(oauth_token_data,
session.pop(self._session_key))
return self.multipass.handle_auth_success(
AuthInfo(self, **id_token))
except AuthlibBaseError as exc:
raise AuthenticationFailed(str(exc), provider=self)
def test_login_view(mocker):
handle_auth_error = mocker.patch.object(Multipass, 'handle_auth_error')
app = Flask('test')
e = AuthenticationFailed()
@app.route('/ok')
@login_view
def ok():
return ''
@app.route('/err')
@login_view
def err():
raise Exception
@app.route('/fail')
@login_view
def fail():
raise e
Multipass(app)
with app.test_client() as c:
c.get('/ok')
assert not handle_auth_error.called
c.get('/err')
assert not handle_auth_error.called
c.get('/fail')
handle_auth_error.assert_called_with(e, True)
def _authorize_callback(self):
resp = self.oauth_app.authorized_response() or {}
if self.settings['token_field'] not in resp:
error = resp.get('error_description',
resp.get('error', 'Received no oauth token'))
raise AuthenticationFailed(error)
return self.multipass.handle_auth_success(self._make_auth_info(resp))
def _shibboleth_callback(self):
attributes = {
k: v
for k, v in iteritems(request.environ)
if k.startswith(self.settings['attrs_prefix'])
}
if not attributes:
raise AuthenticationFailed("No valid data received")
return self.multipass.handle_auth_success(AuthInfo(self, **attributes))
def _authorize_callback(self):
ticket = request.args.get('ticket')
if not ticket:
raise AuthenticationFailed('ticket is not provided')
cas_response = self.cas_client.perform_service_validate(
ticket=ticket,
service_url=self.cas_callback_url,
)
if cas_response and cas_response.success:
auth_info = cas_response.attributes
auth_info['_username'] = cas_response.user
return self.multipass.handle_auth_success(
AuthInfo(self, **auth_info))
raise AuthenticationFailed("CAS result: Access denied")
def _shibboleth_callback(self):
mapping = _lower_keys(
iteritems(
request.headers if self.from_headers else request.environ))
# get all attrs in the 'attrs' list, if empty use 'attrs_prefix'
if self.attrs is None:
attributes = {
k: _to_unicode(v)
for k, v in mapping if k.startswith(self.attrs_prefix)
}
else:
attributes = {
k: _to_unicode(v)
for k, v in mapping if k in self.attrs
}
if not attributes:
raise AuthenticationFailed("No valid data received", provider=self)
return self.multipass.handle_auth_success(AuthInfo(self, **attributes))