def post(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
allow = True if request.POST.get('allow') else False
try:
authorize.validate_params()
if not allow:
raise AuthorizeError(authorize.params.redirect_uri,
'access_denied',
authorize.grant_type)
# Save the user consent given to the client.
authorize.set_client_user_consent()
uri = authorize.create_response_uri()
return redirect(uri)
except (AuthorizeError) as error:
uri = error.create_uri(
authorize.params.redirect_uri,
authorize.params.state)
return redirect(uri)
def post(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if not request.POST.get('allow'):
signals.user_decline_consent.send(
self.__class__,
user=request.user,
client=authorize.client,
scope=authorize.params['scope'])
raise AuthorizeError(authorize.params['redirect_uri'],
'access_denied', authorize.grant_type)
signals.user_accept_consent.send(self.__class__,
user=request.user,
client=authorize.client,
scope=authorize.params['scope'])
# Save the user consent given to the client.
authorize.set_client_user_consent()
uri = authorize.create_response_uri()
return redirect(uri)
except AuthorizeError as error:
uri = error.create_uri(authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
def post(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
allow = True if request.POST.get('allow') else False
try:
authorize.validate_params()
if not allow:
raise AuthorizeError(authorize.params.redirect_uri,
'access_denied', authorize.grant_type)
# Save the user consent given to the client.
authorize.set_client_user_consent()
uri = authorize.create_response_uri()
return redirect(uri)
except (AuthorizeError) as error:
uri = error.create_uri(authorize.params.redirect_uri,
authorize.params.state)
return redirect(uri)
def get(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if request.user.is_authenticated():
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK', import_str=True)(
request=request, user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public'):
return redirect(authorize.create_response_uri())
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
# Check if user previously give consent.
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public'):
return redirect(authorize.create_response_uri())
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string(
'oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params.scope:
authorize.params.scope.remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
}
return render(request, 'oidc_provider/authorize.html', context)
else:
path = request.get_full_path()
return redirect_to_login(path)
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, 'oidc_provider/error.html', context)
except (AuthorizeError) as error:
uri = error.create_uri(
authorize.params.redirect_uri,
authorize.params.state)
return redirect(uri)
def post(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if not request.POST.get('allow'):
signals.user_decline_consent.send(
self.__class__, user=request.user,
client=authorize.client, scope=authorize.params['scope'])
raise AuthorizeError(authorize.params['redirect_uri'],
'access_denied',
authorize.grant_type)
signals.user_accept_consent.send(
self.__class__, user=request.user, client=authorize.client,
scope=authorize.params['scope'])
# Save the user consent given to the client.
authorize.set_client_user_consent()
uri = authorize.create_response_uri()
return redirect(uri)
except AuthorizeError as error:
uri = error.create_uri(
authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
def post(self, request, *args, **kwargs):
authorize = self.authorize_endpoint_class(request)
try:
authorize.validate_params()
check_login_required(request, authorize)
if not request.POST.get('allow'):
signals.user_decline_consent.send(
self.__class__,
user=request.user,
client=authorize.client,
scope=authorize.params['scope'])
call_oidc_declined_userconsent_hook(request, authorize.client)
raise AuthorizeError(authorize.params['redirect_uri'],
'access_denied', authorize.grant_type)
signals.user_accept_consent.send(self.__class__,
user=request.user,
client=authorize.client,
scope=authorize.params['scope'])
# Save the user consent given to the client.
authorize.set_client_user_consent()
uri = authorize.create_response_uri()
call_oidc_prior_to_redirect_hook(request, authorize.client)
return redirect(uri)
except AuthorizeError as error:
uri = error.create_uri(authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
except JustRedirect as error:
# TODO we're trying to redirect to a login page here, but can't at this point as
# 1. We don't have all the query parameters
# 2. The nonce is wrong.
# So just display an error.
context = {
'error':
"Logged out",
'description':
"You have logged out or your session has timed out. Please re-try the authorization.",
}
return render(request, OIDC_TEMPLATES['error'], context)
def get(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if request.user.is_authenticated():
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK',
import_str=True)(
request=request,
user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public') \
and not (authorize.params['prompt'] == 'consent'):
return redirect(authorize.create_response_uri())
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
# Check if user previously give consent.
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \
and not (authorize.params['prompt'] == 'consent'):
return redirect(authorize.create_response_uri())
if authorize.params['prompt'] == 'none':
raise AuthorizeError(authorize.params['redirect_uri'],
'interaction_required',
authorize.grant_type)
if authorize.params['prompt'] == 'login':
return redirect_to_login(request.get_full_path())
if authorize.params['prompt'] == 'select_account':
# TODO: see how we can support multiple accounts for the end-user.
raise AuthorizeError(authorize.params['redirect_uri'],
'account_selection_required',
authorize.grant_type)
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string(
'oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params['scope']:
authorize.params['scope'].remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
'scopes': authorize.get_scopes_information(),
}
return render(request, 'oidc_provider/authorize.html', context)
else:
if authorize.params['prompt'] == 'none':
raise AuthorizeError(authorize.params['redirect_uri'],
'login_required',
authorize.grant_type)
return redirect_to_login(request.get_full_path())
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, 'oidc_provider/error.html', context)
except (AuthorizeError) as error:
uri = error.create_uri(authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
def get(self, request, *args, **kwargs):
authorize = self.authorize_endpoint_class(request)
try:
authorize.validate_params()
if get_attr_or_callable(request.user, 'is_authenticated'):
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK',
import_str=True)(
request=request,
user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if 'login' in authorize.params['prompt']:
if 'none' in authorize.params['prompt']:
raise AuthorizeError(authorize.params['redirect_uri'],
'login_required',
authorize.grant_type)
else:
django_user_logout(request)
next_page = strip_prompt_login(request.get_full_path())
return redirect_to_login(
next_page, settings.get('OIDC_LOGIN_URL'))
if 'select_account' in authorize.params['prompt']:
# TODO: see how we can support multiple accounts for the end-user.
if 'none' in authorize.params['prompt']:
raise AuthorizeError(authorize.params['redirect_uri'],
'account_selection_required',
authorize.grant_type)
else:
django_user_logout(request)
return redirect_to_login(
request.get_full_path(),
settings.get('OIDC_LOGIN_URL'))
if {'none', 'consent'}.issubset(authorize.params['prompt']):
raise AuthorizeError(authorize.params['redirect_uri'],
'consent_required',
authorize.grant_type)
if not authorize.client.require_consent and (
'consent' not in authorize.params['prompt']):
return redirect(authorize.create_response_uri())
if authorize.client.reuse_consent:
# Check if user previously give consent.
if authorize.client_has_user_consent() and (
'consent' not in authorize.params['prompt']):
return redirect(authorize.create_response_uri())
if 'none' in authorize.params['prompt']:
raise AuthorizeError(authorize.params['redirect_uri'],
'consent_required',
authorize.grant_type)
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string(
'oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params['scope']:
authorize.params['scope'].remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
'scopes': authorize.get_scopes_information(),
}
return render(request, OIDC_TEMPLATES['authorize'], context)
else:
if 'none' in authorize.params['prompt']:
raise AuthorizeError(authorize.params['redirect_uri'],
'login_required',
authorize.grant_type)
if 'login' in authorize.params['prompt']:
next_page = strip_prompt_login(request.get_full_path())
return redirect_to_login(next_page,
settings.get('OIDC_LOGIN_URL'))
return redirect_to_login(request.get_full_path(),
settings.get('OIDC_LOGIN_URL'))
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, OIDC_TEMPLATES['error'], context)
except AuthorizeError as error:
uri = error.create_uri(authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
def get(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if request.user.is_authenticated():
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK',
import_str=True)(
request=request,
user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if settings.get('OIDC_SKIP_CONSENT_ALWAYS'):
return redirect(authorize.create_response_uri())
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
# Check if user previously give consent.
if authorize.client_has_user_consent():
return redirect(authorize.create_response_uri())
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string(
'oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params.scope:
authorize.params.scope.remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
}
return render(request, 'oidc_provider/authorize.html', context)
else:
path = request.get_full_path()
return redirect_to_login(path)
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, 'oidc_provider/error.html', context)
except (AuthorizeError) as error:
uri = error.create_uri(authorize.params.redirect_uri,
authorize.params.state)
return redirect(uri)
def get(self, request, *args, **kwargs):
authorize = AuthorizeEndpoint(request)
try:
authorize.validate_params()
if request.user.is_authenticated():
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK', import_str=True)(
request=request, user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if settings.get('OIDC_SKIP_CONSENT_ALWAYS') and not (authorize.client.client_type == 'public') \
and not (authorize.params['prompt'] == 'consent'):
return redirect(authorize.create_response_uri())
if settings.get('OIDC_SKIP_CONSENT_ENABLE'):
# Check if user previously give consent.
if authorize.client_has_user_consent() and not (authorize.client.client_type == 'public') \
and not (authorize.params['prompt'] == 'consent'):
return redirect(authorize.create_response_uri())
if authorize.params['prompt'] == 'none':
raise AuthorizeError(authorize.params['redirect_uri'], 'interaction_required', authorize.grant_type)
if authorize.params['prompt'] == 'login':
return redirect_to_login(request.get_full_path())
if authorize.params['prompt'] == 'select_account':
# TODO: see how we can support multiple accounts for the end-user.
raise AuthorizeError(authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string('oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params['scope']:
authorize.params['scope'].remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
'scopes': authorize.get_scopes_information(),
}
return render(request, 'oidc_provider/authorize.html', context)
else:
if authorize.params['prompt'] == 'none':
raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
return redirect_to_login(request.get_full_path())
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, 'oidc_provider/error.html', context)
except (AuthorizeError) as error:
uri = error.create_uri(
authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
def get(self, request, *args, **kwargs):
authorize = self.authorize_endpoint_class(request)
try:
authorize.validate_params()
if get_attr_or_callable(request.user, 'is_authenticated'):
# Check if there's a hook setted.
hook_resp = settings.get('OIDC_AFTER_USERLOGIN_HOOK', import_str=True)(
request=request, user=request.user,
client=authorize.client)
if hook_resp:
return hook_resp
if 'login' in authorize.params['prompt']:
if 'none' in authorize.params['prompt']:
raise AuthorizeError(
authorize.params['redirect_uri'], 'login_required',
authorize.grant_type)
else:
django_user_logout(request)
next_page = strip_prompt_login(request.get_full_path())
return redirect_to_login(next_page, settings.get('OIDC_LOGIN_URL'))
if 'select_account' in authorize.params['prompt']:
# TODO: see how we can support multiple accounts for the end-user.
if 'none' in authorize.params['prompt']:
raise AuthorizeError(
authorize.params['redirect_uri'], 'account_selection_required',
authorize.grant_type)
else:
django_user_logout(request)
return redirect_to_login(
request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
if {'none', 'consent'}.issubset(authorize.params['prompt']):
raise AuthorizeError(
authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
implicit_flow_resp_types = {'id_token', 'id_token token'}
allow_skipping_consent = (
authorize.client.client_type != 'public' or
authorize.params['response_type'] in implicit_flow_resp_types)
if not authorize.client.require_consent and (
allow_skipping_consent and
'consent' not in authorize.params['prompt']):
return redirect(authorize.create_response_uri())
if authorize.client.reuse_consent:
# Check if user previously give consent.
if authorize.client_has_user_consent() and (
allow_skipping_consent and
'consent' not in authorize.params['prompt']):
return redirect(authorize.create_response_uri())
if 'none' in authorize.params['prompt']:
raise AuthorizeError(
authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
# Generate hidden inputs for the form.
context = {
'params': authorize.params,
}
hidden_inputs = render_to_string('oidc_provider/hidden_inputs.html', context)
# Remove `openid` from scope list
# since we don't need to print it.
if 'openid' in authorize.params['scope']:
authorize.params['scope'].remove('openid')
context = {
'client': authorize.client,
'hidden_inputs': hidden_inputs,
'params': authorize.params,
'scopes': authorize.get_scopes_information(),
}
return render(request, OIDC_TEMPLATES['authorize'], context)
else:
if 'none' in authorize.params['prompt']:
raise AuthorizeError(
authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
if 'login' in authorize.params['prompt']:
next_page = strip_prompt_login(request.get_full_path())
return redirect_to_login(next_page, settings.get('OIDC_LOGIN_URL'))
return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
except (ClientIdError, RedirectUriError) as error:
context = {
'error': error.error,
'description': error.description,
}
return render(request, OIDC_TEMPLATES['error'], context)
except AuthorizeError as error:
uri = error.create_uri(
authorize.params['redirect_uri'],
authorize.params['state'])
return redirect(uri)
