providers/oauth2: ensure nonce is validated on all OIDC flows
This commit is contained in:
parent
67ca83c228
commit
ce9fb8801c
|
@ -71,7 +71,7 @@ class OAuthAuthorizationParams:
|
||||||
response_type: str
|
response_type: str
|
||||||
scope: List[str]
|
scope: List[str]
|
||||||
state: str
|
state: str
|
||||||
nonce: str
|
nonce: Optional[str]
|
||||||
prompt: Set[str]
|
prompt: Set[str]
|
||||||
grant_type: str
|
grant_type: str
|
||||||
|
|
||||||
|
@ -128,7 +128,7 @@ class OAuthAuthorizationParams:
|
||||||
grant_type=grant_type,
|
grant_type=grant_type,
|
||||||
scope=query_dict.get("scope", "").split(),
|
scope=query_dict.get("scope", "").split(),
|
||||||
state=state,
|
state=state,
|
||||||
nonce=query_dict.get("nonce", ""),
|
nonce=query_dict.get("nonce"),
|
||||||
prompt=ALLOWED_PROMPT_PARAMS.intersection(
|
prompt=ALLOWED_PROMPT_PARAMS.intersection(
|
||||||
set(query_dict.get("prompt", "").split())
|
set(query_dict.get("prompt", "").split())
|
||||||
),
|
),
|
||||||
|
@ -192,14 +192,12 @@ class OAuthAuthorizationParams:
|
||||||
|
|
||||||
def check_nonce(self):
|
def check_nonce(self):
|
||||||
"""Nonce parameter validation."""
|
"""Nonce parameter validation."""
|
||||||
if (
|
if not self.nonce:
|
||||||
SCOPE_OPENID in self.scope
|
if SCOPE_OPENID in self.scope:
|
||||||
and self.grant_type == GrantTypes.IMPLICIT
|
|
||||||
and not self.nonce
|
|
||||||
):
|
|
||||||
raise AuthorizeError(
|
raise AuthorizeError(
|
||||||
self.redirect_uri, "invalid_request", self.grant_type, self.state
|
self.redirect_uri, "invalid_request", self.grant_type, self.state
|
||||||
)
|
)
|
||||||
|
self.nonce = ""
|
||||||
|
|
||||||
def check_code_challenge(self):
|
def check_code_challenge(self):
|
||||||
"""PKCE validation of the transformation method."""
|
"""PKCE validation of the transformation method."""
|
||||||
|
|
Reference in New Issue