Esempio n. 1
0
 def handle_backend_error(self, exception):
     """
     See super class satosa.frontends.base.FrontendModule
     :type exception: satosa.exception.SATOSAError
     :rtype: oic.utils.http_util.Response
     """
     auth_req = self._get_authn_request_from_state(exception.state)
     error_resp = AuthorizationErrorResponse(error="access_denied", error_description=exception.message)
     satosa_logging(logger, logging.DEBUG, exception.message, exception.state)
     return SeeOther(error_resp.request(auth_req["redirect_uri"], should_fragment_encode(auth_req)))
Esempio n. 2
0
 def handle_backend_error(self, exception):
     """
     See super class satosa.frontends.base.FrontendModule
     :type exception: satosa.exception.SATOSAError
     :rtype: oic.utils.http_util.Response
     """
     auth_req = self._get_authn_request_from_state(exception.state)
     error_resp = AuthorizationErrorResponse(error="access_denied", error_description=exception.message)
     satosa_logging(logger, logging.DEBUG, exception.message, exception.state)
     return SeeOther(error_resp.request(auth_req["redirect_uri"], should_fragment_encode(auth_req)))
Esempio n. 3
0
def client_error_message(redirect_uri, error="access_denied",
                         error_description="", state=""):
    """Construct an error response and send in fragment part of redirect_uri.
    :param redirect_uri: redirect_uri of the client
    :param error: OpenID Connect error code
    :param error_description: human readable description of the error
    """
    error_resp = AuthorizationErrorResponse(error=error,
                                            error_description=error_description,
                                            state=state)
    location = error_resp.request(redirect_uri, True)
    raise cherrypy.HTTPRedirect(location)
Esempio n. 4
0
    def to_error_url(self):
        redirect_uri = self.request.get('redirect_uri')
        response_type = self.request.get('response_type')
        if redirect_uri and response_type and self.oauth_error:
            error_resp = AuthorizationErrorResponse(
                error=self.oauth_error,
                error_message=str(self),
                state=self.request.get('state'))
            return error_resp.request(redirect_uri,
                                      should_fragment_encode(self.request))

        return None
Esempio n. 5
0
 def handle_backend_error(self, exception):
     """
     See super class satosa.frontends.base.FrontendModule
     :type exception: satosa.exception.SATOSAError
     :rtype: oic.utils.http_util.Response
     """
     auth_req = self._get_authn_request_from_state(exception.state)
     # If the client sent us a state parameter, we should reflect it back according to the spec
     if 'state' in auth_req:
         error_resp = AuthorizationErrorResponse(error="access_denied",
                                                 error_description=exception.message,
                                                 state=auth_req['state'])
     else:
         error_resp = AuthorizationErrorResponse(error="access_denied",
                                                 error_description=exception.message)
     satosa_logging(logger, logging.DEBUG, exception.message, exception.state)
     return SeeOther(error_resp.request(auth_req["redirect_uri"], should_fragment_encode(auth_req)))
Esempio n. 6
0
    def handle_authn_response(self, context, internal_resp):
        auth_req = self._get_authn_request_from_state(context.state)
        affiliation_attribute = self.converter.from_internal(
            'openid', internal_resp.attributes)['affiliation']
        scope = auth_req['scope']
        matching_affiliation = get_matching_affiliation(
            scope, affiliation_attribute)

        if matching_affiliation:
            return super().handle_authn_response(
                context, internal_resp,
                {'auth_time': internal_resp.auth_info.timestamp})

        auth_error = AuthorizationErrorResponse(error='access_denied')
        del context.state[self.name]
        http_response = auth_error.request(auth_req['redirect_uri'],
                                           should_fragment_encode(auth_req))
        return SeeOther(http_response)
Esempio n. 7
0
    def handle_authn_response(self, context, internal_resp):
        auth_req = self._get_authn_request_from_state(context.state)
        # User might not give us consent to release affiliation
        if 'affiliation' in internal_resp.attributes:
            affiliation_attribute = self.converter.from_internal('openid', internal_resp.attributes)['affiliation']
            scope = auth_req['scope']
            matching_affiliation = get_matching_affiliation(scope, affiliation_attribute)

            if matching_affiliation:
                return super().handle_authn_response(context, internal_resp,
                                                     {'auth_time': internal_resp.auth_info.timestamp,
                                                      'requested_scopes': {'values': scope}})
        # User's affiliation was not released or was not the one requested so return an error
        # If the client sent us a state parameter, we should reflect it back according to the spec
        if 'state' in auth_req:
            auth_error = AuthorizationErrorResponse(error='access_denied', state=auth_req['state'])
        else:
            auth_error = AuthorizationErrorResponse(error='access_denied')
        del context.state[self.name]
        http_response = auth_error.request(auth_req['redirect_uri'], should_fragment_encode(auth_req))
        return SeeOther(http_response)
Esempio n. 8
0
    def handle_authn_response(self, context, internal_resp):
        auth_req = self._get_authn_request_from_state(context.state)
        resp_rp = auth_req.get('client_id')

        # User might not give us consent to release affiliation
        if 'affiliation' in internal_resp.attributes:
            affiliation_attribute = self.converter.from_internal('openid', internal_resp.attributes)['affiliation']
            scope = auth_req['scope']
            matching_affiliation = get_matching_affiliation(scope, affiliation_attribute)

            if matching_affiliation:
                transaction_log(context.state, self.config.get("response_exit_order", 1200),
                        "inacademia_frontend", "response", "exit", "success", resp_rp , '', 'Responding successful validation to RP')

                return super().handle_authn_response(context, internal_resp,
                                                     {'auth_time': parser.parse(internal_resp.auth_info.timestamp).timestamp(),
                                                      'requested_scopes': {'values': scope}})

        # User's affiliation was not released or was not the one requested so return an error
        # If the client sent us a state parameter, we should reflect it back according to the spec
        transaction_log(context.state, self.config.get("response_exit_order", 1210),
                        "inacademia_frontend", "response", "exit", "failed", resp_rp, '',
                        ErrorDescription.REQUESTED_AFFILIATION_MISMATCH[LOG_MSG])

        if 'state' in auth_req:
            auth_error = AuthorizationErrorResponse(error='access_denied', state=auth_req['state'],
                                                    error_description=ErrorDescription.REQUESTED_AFFILIATION_MISMATCH[
                                                        ERROR_DESC])
        else:
            auth_error = AuthorizationErrorResponse(error='access_denied',
                                                    error_description=ErrorDescription.REQUESTED_AFFILIATION_MISMATCH[
                                                        ERROR_DESC])
        del context.state[self.name]
        http_response = auth_error.request(auth_req['redirect_uri'], should_fragment_encode(auth_req))

        return SeeOther(http_response)