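    def response_mode(self, areq, fragment_enc, **kwargs):
        """Reject a ``response_mode`` that conflicts with the required encoding.

        :param areq: the authorization request; ``areq["response_mode"]`` is
            read and is assumed to be present (a missing key raises
            ``KeyError``, so callers should only call this when the
            parameter was supplied).
        :param fragment_enc: truthy when the response has to be delivered in
            the URL fragment, falsy when it has to go in the query string.
            NOTE(review): presumably set by the caller from the response
            type (token-bearing responses are fragment-encoded) -- confirm.
        :param kwargs: unused here; accepted so the signature matches the
            other ``response_mode`` implementations.
        :return: None when the requested mode is compatible with the
            required encoding.
        :raises InvalidRequest: when the client asks for ``fragment`` but
            the response must be query-encoded, or for ``query`` when the
            response must be fragment-encoded.
        """
        resp_mode = areq["response_mode"]

        # Both mismatches must *raise*.  The original returned the
        # InvalidRequest instance for the query/fragment_enc case, so a
        # client asking for a query-encoded (token-bearing) response was
        # never rejected: the caller received an exception object as if it
        # were a normal response value instead of an error being raised.
        if resp_mode == 'fragment' and not fragment_enc:
            # Can't be done
            raise InvalidRequest("wrong response_mode")
        if resp_mode == 'query' and fragment_enc:
            # Can't be done
            raise InvalidRequest("wrong response_mode")
        return None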
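    def verify(self, **kwargs):
        """Verify an OpenID Connect authorization request.

        Authorization Request parameters that are OPTIONAL in the OAuth 2.0
        specification MAY be included in the OpenID Request Object without also
        passing them as OAuth 2.0 Authorization Request parameters, with one
        exception: The scope parameter MUST always be present in OAuth 2.0
        Authorization Request parameters.
        All parameter values that are present both in the OAuth 2.0
        Authorization Request and in the OpenID Request Object MUST exactly
        match.

        :param kwargs: forwarded to the base-class ``verify``.  ``key``,
            ``keyjar``, ``opponent_id`` and ``sender``, when present, are
            also passed on to the JWT parsing of ``request`` and
            ``id_token_hint``.
        :return: True when every check passes.
        :raises MissingRequiredAttribute: ``response_type`` is absent, or
            ``nonce`` is absent while ``response_type`` contains ``token``
            or ``id_token``.
        :raises MissingRequiredValue: ``openid`` is not in ``scope``, or
            ``offline_access`` is requested without ``prompt`` containing
            ``consent``.
        :raises InvalidRequest: a parameter in the signed request object
            differs from the same parameter in the request, or
            ``prompt=none`` is combined with another prompt value.
        """
        super(AuthorizationRequest, self).verify(**kwargs)

        args = {}
        for arg in ["key", "keyjar", "opponent_id", "sender"]:
            try:
                args[arg] = kwargs[arg]
            except KeyError:
                pass

        # Default the issuer of the JWTs to the requesting client.
        # NOTE(review): presumably this selects the client's keys for
        # signature verification in ``from_jwt`` -- confirm.
        if "opponent_id" not in kwargs:
            args["opponent_id"] = self["client_id"]

        if "request" in self:
            if isinstance(self["request"], six.string_types):
                # Try to decode the JWT, checks the signature
                oidr = OpenIDRequest().from_jwt(str(self["request"]), **args)

                # Verify that nothing was changed in the original message.
                # This is a security check and must not be an ``assert``:
                # asserts are stripped under ``python -O``, which would let
                # a tampered query parameter override the signed value
                # without anyone noticing.
                for key, val in oidr.items():
                    if key in self and self[key] != val:
                        raise InvalidRequest(
                            "request object and request parameter "
                            "mismatch: {}".format(key), self)

                # replace the JWT with the parsed and verified instance
                self["request"] = oidr

        if "id_token_hint" in self:
            if isinstance(self["id_token_hint"], six.string_types):
                idt = IdToken().from_jwt(str(self["id_token_hint"]), **args)
                self["id_token_hint"] = idt

        if "response_type" not in self:
            raise MissingRequiredAttribute("response_type missing", self)

        # NOTE(review): the nonce check looks only at the request
        # parameters, not at the parsed request object stored under
        # ``self["request"]`` -- confirm that is intended.
        _rt = self["response_type"]
        if "token" in _rt or "id_token" in _rt:
            if "nonce" not in self:
                raise MissingRequiredAttribute("Nonce missing", self)

        if "openid" not in self.get("scope", []):
            raise MissingRequiredValue("openid not in scope", self)

        if "offline_access" in self.get("scope", []):
            if "prompt" not in self or "consent" not in self["prompt"]:
                raise MissingRequiredValue("consent in prompt", self)

        if "prompt" in self:
            if "none" in self["prompt"] and len(self["prompt"]) > 1:
                raise InvalidRequest("prompt none combined with other value",
                                     self)

        return True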
 def response_mode(self, areq, fragment_enc, **kwargs):
     """Handle the client's requested ``response_mode``.

     :param areq: the authorization request; ``areq["response_mode"]`` is
         read and must be present.
     :param fragment_enc: truthy when the response has to be carried in
         the URL fragment, falsy when it belongs in the query string.
     :param kwargs: for ``form_post`` the keys ``redirect_uri``, ``aresp``
         and ``headers`` are required.
     :return: a ``Response`` holding the rendered ``form_post`` template
         when that mode was requested, otherwise None.
     :raises InvalidRequest: ``fragment`` requested for a query-encoded
         response, or ``query`` requested for a fragment-encoded one.
     """
     mode = areq["response_mode"]

     if mode == "form_post":
         form_ctx = {
             'action': kwargs['redirect_uri'],
             'inputs': kwargs['aresp'],
         }
         body = self.template_renderer('form_post', form_ctx)
         return Response(body, headers=kwargs["headers"])

     wants_fragment = mode == 'fragment'
     wants_query = mode == 'query'
     # The requested encoding must agree with the one the response needs.
     if (wants_fragment and not fragment_enc) or (wants_query and fragment_enc):
         # Can't be done
         raise InvalidRequest("wrong response_mode")
     return None
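    def verify(self, **kwargs):
        """Verify an OpenID Connect authorization request.

        Authorization Request parameters that are OPTIONAL in the OAuth 2.0
        specification MAY be included in the OpenID Request Object without also
        passing them as OAuth 2.0 Authorization Request parameters, with one
        exception: The scope parameter MUST always be present in OAuth 2.0
        Authorization Request parameters.
        All parameter values that are present both in the OAuth 2.0
        Authorization Request and in the OpenID Request Object MUST exactly
        match.

        :param kwargs: forwarded to the base-class ``verify``; ``key`` and
            ``keyjar``, when present, are also passed to the parsing of
            ``id_token_hint``.
        :return: whatever the base-class ``verify`` returns.
        :raises MissingRequiredAttribute: ``response_type`` is absent.
        :raises MissingRequiredValue: ``openid`` is not in ``scope`` (or
            ``scope`` is absent altogether), or ``offline_access`` is
            requested without ``prompt`` containing ``consent``.
        :raises InvalidRequest: ``prompt=none`` is combined with another
            prompt value.
        """
        args = {}
        for arg in ["key", "keyjar"]:
            try:
                args[arg] = kwargs[arg]
            except KeyError:
                pass

        if "id_token_hint" in self:
            # ``basestring`` is Python 2 only; kept as-is since the rest of
            # this version of the file targets Python 2.
            if isinstance(self["id_token_hint"], basestring):
                idt = IdToken().from_jwt(str(self["id_token_hint"]), **args)
                self["id_token_hint"] = idt

        if "response_type" not in self:
            raise MissingRequiredAttribute("response_type missing", self)

        # Explicit checks instead of ``assert`` wrapped in
        # ``except AssertionError``: asserts are stripped under
        # ``python -O``, which silently disabled both requirements.
        # ``get`` also turns a missing ``scope`` or ``prompt`` into the
        # proper verification error rather than a bare KeyError escaping.
        if "openid" not in self.get("scope", []):
            raise MissingRequiredValue("openid in scope", self)

        if "offline_access" in self.get("scope", []):
            if "consent" not in self.get("prompt", []):
                raise MissingRequiredValue("consent in prompt", self)

        if "prompt" in self:
            if "none" in self["prompt"] and len(self["prompt"]) > 1:
                raise InvalidRequest("prompt none combined with other value",
                                     self)

        return super(AuthorizationRequest, self).verify(**kwargs)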