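def authorized(remote_app=None):
    """
    Authorize handler callback.

    This function is called when the user is redirected from the IdP to
    the web application. It handles the authorization.

    :param remote_app: (str) Identity provider key
    :returns: (flask.Response) Return redirect response or abort in case
        of failure.
    """
    # Any existing session is dropped before a new assertion is processed,
    # so the login that results belongs only to the user the IdP asserted.
    if current_user.is_authenticated:
        logout_user()

    # Configuration not found for given identity provider
    if remote_app not in current_app.config['SHIBBOLETH_IDENTITY_PROVIDERS']:
        return abort(404)

    # Init SAML auth
    req = prepare_flask_request(request)
    try:
        auth = init_saml_auth(req, remote_app)
    except Exception:
        # Broad catch kept on purpose: a misconfigured provider must surface
        # as a plain 500 rather than an unhandled traceback.
        return abort(500)

    # Process response; a malformed or unverifiable SAML response is a 400.
    try:
        auth.process_response()
    except OneLogin_Saml2_Error:
        return abort(400)

    # Any validation error, or an assertion that does not authenticate the
    # subject, is refused before the state token is even looked at.
    errors = auth.get_errors()
    if errors or not auth.is_authenticated():
        return abort(403)

    # NOTE(review): a response carrying no RelayState skips the
    # session/app binding check below entirely — confirm the login
    # initiation always sends one.
    if 'RelayState' in request.form:
        # Get state token stored in RelayState
        state_token = request.form['RelayState']
        try:
            if not state_token:
                raise ValueError
            # Check authenticity and integrity of state and decode the
            # values (presumably a signed itsdangerous serializer; BadData
            # is its failure signal).
            state = serializer.loads(state_token)
            # Verify that state is for this session, app and that next
            # parameter have not been modified.
            if (state['sid'] != _create_identifier() or
                    state['app'] != remote_app):
                raise ValueError
            # Store next url
            set_session_next_url(remote_app, state['next'])
        except (ValueError, BadData):
            # Only a debug/testing app that has explicitly disabled state
            # checking may continue with an invalid state; every other
            # deployment rejects the request.
            state_enabled = current_app.config.get(
                'OAUTHCLIENT_STATE_ENABLED', True)
            if state_enabled or not (current_app.debug or
                                     current_app.testing):
                return abort(400)

    return authorized_signup_handler(auth, remote_app)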
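def authorized(remote_app=None):
    """
    Authorize handler callback.

    This function is called when the user is redirected from the IdP to
    the web application. It handles the authorization.

    Args:
        remote_app (str): The remote application key name.

    Returns:
        flask.Response: Return redirect response or abort in case of
        failure.
    """
    # Any existing session is dropped before a new assertion is processed,
    # so the login that results belongs only to the user the IdP asserted.
    if current_user.is_authenticated:
        logout_user()

    # Unknown remote application key.
    remote_apps = current_app.config['SHIBBOLETH_REMOTE_APPS']
    if remote_app not in remote_apps:
        return abort(404)

    # The per-app settings must name the OneLogin SAML settings directory.
    conf = remote_apps[remote_app]
    if 'saml_path' not in conf:
        return abort(500, 'Bad server configuration.')

    req = prepare_flask_request(request)
    try:
        auth = init_saml_auth(req, conf['saml_path'])
    except OneLogin_Saml2_Error:
        return abort(500)

    # A malformed or unverifiable SAML response is a 400.
    try:
        auth.process_response()
    except OneLogin_Saml2_Error:
        return abort(400)

    # Any validation error, or an assertion that does not authenticate the
    # subject, is refused before the state token is even looked at.
    errors = auth.get_errors()
    if errors or not auth.is_authenticated():
        return abort(403)

    # NOTE(review): a response carrying no RelayState skips the
    # session/app binding check below entirely — confirm the login
    # initiation always sends one.
    if 'RelayState' in request.form:
        # Get state token stored in RelayState
        state_token = request.form['RelayState']
        try:
            if not state_token:
                raise ValueError
            # Check authenticity and integrity of state and decode the
            # values (presumably a signed itsdangerous serializer; BadData
            # is its failure signal).
            state = serializer.loads(state_token)
            # Verify that state is for this session, app and that next
            # parameter have not been modified.
            if (state['sid'] != _create_identifier() or
                    state['app'] != remote_app):
                raise ValueError
            # Store next url
            set_session_next_url(remote_app, state['next'])
        except (ValueError, BadData):
            # Only a debug/testing app that has explicitly disabled state
            # checking may continue with an invalid state; every other
            # deployment rejects the request.
            state_enabled = current_app.config.get(
                'OAUTHCLIENT_STATE_ENABLED', True)
            if state_enabled or not (current_app.debug or
                                     current_app.testing):
                return abort(400)

    return authorized_signup_handler(auth, remote_app)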