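def authorized(remote_app=None):
    """
    Authorize handler callback.

    This function is called when the user is redirected from the IdP to the
    web application. It handles the authorization.

    Any already-authenticated user is logged out first, the SAML response is
    processed, and - when a ``RelayState`` token is posted - the signed state
    is verified against the current session identifier and ``remote_app``
    before the ``next`` URL is stored and the signup handler is invoked.

    :param remote_app: (str) Identity provider key
    :returns: (flask.Response) Return redirect response or abort in case of
    failure: 404 for an unknown identity provider, 500 when SAML
    initialisation fails, 400 when the response cannot be processed or the
    state token fails verification, 403 when the IdP reports errors or the
    assertion is not authenticated.
    """
    # Logout user if already logged
    if current_user.is_authenticated:
        logout_user()

    # Configuration not found for given identity provider
    if remote_app not in current_app.config['SHIBBOLETH_IDENTITY_PROVIDERS']:
        return abort(404)

    # Init SAML auth
    req = prepare_flask_request(request)
    try:
        auth = init_saml_auth(req, remote_app)
    except Exception:
        # NOTE(review): the broad catch reports any setup failure as a plain
        # 500 without leaking details to the client; narrow it once the
        # exception types raised by init_saml_auth are confirmed.
        return abort(500)

    # Process response
    try:
        auth.process_response()
    except OneLogin_Saml2_Error:
        return abort(400)

    # Guard clause: any IdP-reported error or an unauthenticated assertion
    # ends the flow here.
    errors = auth.get_errors()
    if errors or not auth.is_authenticated():
        return abort(403)

    if 'RelayState' in request.form:
        # Get state token stored in RelayState
        state_token = request.form['RelayState']
        try:
            if not state_token:
                raise ValueError
            # Check authenticity and integrity of state and decode the
            # values.
            state = serializer.loads(state_token)
            # Verify that state is for this session, app and that next
            # parameter have not been modified.
            if (state['sid'] != _create_identifier()
                    or state['app'] != remote_app):
                raise ValueError
            # Store next url
            set_session_next_url(remote_app, state['next'])
        except (ValueError, KeyError, BadData):
            # KeyError covers a validly signed payload that lacks one of the
            # expected fields: it is malformed state, not a server error.
            if current_app.config.get(
                    'OAUTHCLIENT_STATE_ENABLED', True) or (
                        not (current_app.debug or current_app.testing)):
                return abort(400)
    # NOTE(review): when no RelayState is posted the state verification above
    # is skipped entirely and signup proceeds; confirm this is intended (e.g.
    # IdP-initiated SSO) rather than an unintended way around the
    # session/app binding.
    return authorized_signup_handler(auth, remote_app)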
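def authorized(remote_app=None):
    """
    Authorize handler callback.

    This function is called when the user is redirected from the IdP to the
    web application. It handles the authorization.

    Any already-authenticated user is logged out first, the SAML response is
    processed, and - when a ``RelayState`` token is posted - the signed state
    is verified against the current session identifier and ``remote_app``
    before the ``next`` URL is stored and the signup handler is invoked.

    Args:
        remote_app (str): The remote application key name.

    Returns:
        flask.Response: Return redirect response or abort in case of failure:
        404 for an unknown remote application, 500 when its configuration
        lacks ``saml_path`` or SAML initialisation fails, 400 when the
        response cannot be processed or the state token fails verification,
        403 when the IdP reports errors or the assertion is not authenticated.

    """
    if current_user.is_authenticated:
        logout_user()
    if remote_app not in current_app.config['SHIBBOLETH_REMOTE_APPS']:
        return abort(404)
    conf = current_app.config['SHIBBOLETH_REMOTE_APPS'][remote_app]
    if 'saml_path' not in conf:
        return abort(500, 'Bad server configuration.')
    req = prepare_flask_request(request)
    try:
        auth = init_saml_auth(req, conf['saml_path'])
    except OneLogin_Saml2_Error:
        return abort(500)
    try:
        auth.process_response()
    except OneLogin_Saml2_Error:
        return abort(400)
    # Guard clause: any IdP-reported error or an unauthenticated assertion
    # ends the flow here.
    errors = auth.get_errors()
    if errors or not auth.is_authenticated():
        return abort(403)
    if 'RelayState' in request.form:
        # Get state token stored in RelayState
        state_token = request.form['RelayState']
        try:
            if not state_token:
                raise ValueError
            # Check authenticity and integrity of state and decode the
            # values.
            state = serializer.loads(state_token)
            # Verify that state is for this session, app and that next
            # parameter have not been modified.
            if (state['sid'] != _create_identifier() or
                    state['app'] != remote_app):
                raise ValueError
            # Store next url
            set_session_next_url(remote_app, state['next'])
        except (ValueError, KeyError, BadData):
            # KeyError covers a validly signed payload that lacks one of the
            # expected fields: it is malformed state, not a server error.
            state_enforced = (
                current_app.config.get('OAUTHCLIENT_STATE_ENABLED', True)
                or not (current_app.debug or current_app.testing)
            )
            if state_enforced:
                return abort(400)
    # NOTE(review): when no RelayState is posted the state verification above
    # is skipped entirely and signup proceeds; confirm this is intended (e.g.
    # IdP-initiated SSO) rather than an unintended way around the
    # session/app binding.
    return authorized_signup_handler(auth, remote_app)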