    def validate_params(self):
        """Validate the parsed authorize-request parameters against the client.

        Resolves ``self.client`` from ``self.params['client_id']`` and then checks
        the redirect URI, the grant type, the nonce, the response type and the
        PKCE transformation method, in that order.

        Raises:
            ClientIdError: no ``Client`` row matches the supplied ``client_id``.
            RedirectUriError: the redirect URI is missing (authentication
                requests only) or is not one of the client's registered URIs.
            AuthorizeError: any later parameter problem; carries the request's
                redirect URI, an OAuth error code and the grant type.
        """
        params = self.params

        def authorize_error(error_code):
            # Every failure after the redirect URI has been checked is reported
            # back to that URI with the same error shape.
            return AuthorizeError(params['redirect_uri'], error_code, self.grant_type)

        # Client lookup.
        try:
            self.client = Client.objects.get(client_id=params['client_id'])
        except Client.DoesNotExist:
            logger.debug('[Authorize] Invalid client identifier: %s', params['client_id'])
            raise ClientIdError()

        # Redirect URI: an authentication request must carry one.
        if self.is_authentication and not params['redirect_uri']:
            logger.debug('[Authorize] Missing redirect uri.')
            raise RedirectUriError()
        redirect_uri = params['redirect_uri']
        # NOTE(review): the query component is dropped before matching, so any
        # query string is accepted for a registered base URI, while the later
        # error redirects use the unmodified value. RFC 6749 and OIDC Core call
        # for simple string comparison of redirect URIs; confirm this leniency
        # is intended. Also assumes ``redirect_uris`` is a collection of URI
        # strings rather than a single str (str membership would be a
        # substring test) -- confirm against the Client model.
        split_uri = urlsplit(redirect_uri)
        uri_without_query = urlunsplit(split_uri._replace(query=''))
        if uri_without_query not in self.client.redirect_uris:
            logger.debug('[Authorize] Invalid redirect uri: %s', redirect_uri)
            raise RedirectUriError()

        # Grant type: ``self.grant_type`` is set before this runs (presumably
        # from ``response_type``, which is what the log line reports); a falsy
        # value means the requested response type is not supported.
        if not self.grant_type:
            logger.debug('[Authorize] Invalid response type: %s', params['response_type'])
            raise authorize_error('unsupported_response_type')

        # Nonce: mandatory for implicit-flow authentication requests.
        if self.is_authentication and self.grant_type == 'implicit' and not params['nonce']:
            raise authorize_error('invalid_request')

        # Response type must equal the one registered for the client.
        if self.is_authentication and params['response_type'] != self.client.response_type:
            raise authorize_error('invalid_request')

        # PKCE: when a code_challenge is present only the two RFC 7636
        # transformation methods are accepted.
        if params['code_challenge']:
            if params['code_challenge_method'] not in ('plain', 'S256'):
                raise authorize_error('invalid_request')
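    def validate_params(self):
        """Validate the parsed authorize-request parameters against the client.

        Resolves ``self.client`` through ``self.client_class`` and then checks
        the redirect URI, the grant type, the openid scope requirement for
        id_token flows, the nonce, the response type, the PKCE transformation
        method and the requested ``acr_values``, in that order.

        Raises:
            ClientIdError: no client row matches the supplied ``client_id``.
            RedirectUriError: the redirect URI is missing (authentication
                requests only) or is not one of the client's registered URIs.
            AuthorizeError: any later parameter problem; carries the request's
                redirect URI, an OAuth error code and the grant type.
        """
        params = self.params

        def authorize_error(error_code):
            # Every failure after the redirect URI has been checked is reported
            # back to that URI with the same error shape.
            return AuthorizeError(params['redirect_uri'], error_code, self.grant_type)

        # Client lookup. ``objects.get`` raises the DoesNotExist of the model
        # actually queried, so catch ``self.client_class.DoesNotExist`` rather
        # than ``Client.DoesNotExist``: the two only coincide when
        # ``client_class`` is ``Client`` (or a subclass of it).
        try:
            self.client = self.client_class.objects.get(
                client_id=params['client_id'])
        except self.client_class.DoesNotExist:
            logger.debug('[Authorize] Invalid client identifier: %s',
                         params['client_id'])
            raise ClientIdError()

        # Redirect URI: required for authentication requests and matched
        # exactly (no normalisation or query stripping) against the registered
        # values, which is what RFC 6749 section 3.1.2.3 asks for. Assumes
        # ``redirect_uris`` is a collection of URI strings, not a single str
        # (str membership would be a substring test) -- confirm against the
        # client model.
        if self.is_authentication and not params['redirect_uri']:
            logger.debug('[Authorize] Missing redirect uri.')
            raise RedirectUriError()
        if params['redirect_uri'] not in self.client.redirect_uris:
            logger.debug('[Authorize] Invalid redirect uri: %s',
                         params['redirect_uri'])
            raise RedirectUriError()

        # Grant type: ``self.grant_type`` is set before this runs (presumably
        # from ``response_type``, which is what the log line reports); a falsy
        # value means the requested response type is not supported.
        if not self.grant_type:
            logger.debug('[Authorize] Invalid response type: %s',
                         params['response_type'])
            raise authorize_error('unsupported_response_type')

        # Hybrid flow and id_token response types only make sense for an
        # OpenID (authentication) request, i.e. one that carries the openid
        # scope.
        requests_id_token = (self.grant_type == 'hybrid'
                             or params['response_type'] in ('id_token', 'id_token token'))
        if not self.is_authentication and requests_id_token:
            logger.debug('[Authorize] Missing openid scope.')
            raise authorize_error('invalid_scope')

        # Nonce: mandatory for implicit-flow authentication requests.
        if self.is_authentication and self.grant_type == 'implicit' and not params['nonce']:
            raise authorize_error('invalid_request')

        # Response type must be one of those registered for the client.
        if self.is_authentication \
                and params['response_type'] not in self.client.response_type_values():
            raise authorize_error('invalid_request')

        # PKCE: when a code_challenge is present only the two RFC 7636
        # transformation methods are accepted.
        if params['code_challenge']:
            if params['code_challenge_method'] not in ('plain', 'S256'):
                raise authorize_error('invalid_request')

        # acr_values: every space-separated value must be one the server is
        # configured to offer. The settings lookup is loop-invariant, so it is
        # read once rather than once per value.
        if 'acr_values' in params and params['acr_values']:
            allowed_acr_values = settings.get('OIDC_ACR_VALUES')
            for acr in params['acr_values'].split():
                if acr not in allowed_acr_values:
                    raise authorize_error('invalid_request')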