Commit 6cb4c5a3 authored by Felix Schäfer's avatar Felix Schäfer :construction_worker:

Redirect to original URL after OIDC Auth

parent e26d1c6a
import logging import logging
import time
from django.urls import reverse from django.urls import reverse
from oic import rndstr from oic import rndstr
from oic.oic import Client from oic.oic import Client
...@@ -57,17 +58,24 @@ class OIDCAuthBackend(BaseAuthBackend): ...@@ -57,17 +58,24 @@ class OIDCAuthBackend(BaseAuthBackend):
return self.title return self.title
def authentication_url(self, request): def authentication_url(self, request):
request.session["oidc_state"] = rndstr() oidc_state = rndstr()
request.session["oidc_nonce"] = rndstr() oidc_nonce = rndstr()
request.session["oidc_state"] = {
oidc_state: {
"nonce": oidc_nonce,
"next": "",
"generated_on": int(time.time()),
}
}
auth_req = self.client.construct_AuthorizationRequest( auth_req = self.client.construct_AuthorizationRequest(
request_args={ request_args={
"client_id": self.client.client_id, "client_id": self.client.client_id,
"response_type": "code", "response_type": "code",
"scope": self.scopes, "scope": self.scopes,
"nonce": request.session["oidc_nonce"], "nonce": oidc_nonce,
"redirect_uri": self.redirect_uri(request), "redirect_uri": self.redirect_uri(request),
"state": request.session["oidc_state"], "state": oidc_state,
} }
) )
...@@ -76,6 +84,9 @@ class OIDCAuthBackend(BaseAuthBackend): ...@@ -76,6 +84,9 @@ class OIDCAuthBackend(BaseAuthBackend):
def redirect_uri(self, request): def redirect_uri(self, request):
return request.build_absolute_uri(reverse("plugins:pretix_oidc:oidc_callback")) return request.build_absolute_uri(reverse("plugins:pretix_oidc:oidc_callback"))
def get_next_url(self, request):
return request.session.pop("oidc_next_url", None)
def process_callback(self, request): def process_callback(self, request):
auth_response = self.client.parse_response( auth_response = self.client.parse_response(
AuthorizationResponse, AuthorizationResponse,
...@@ -83,12 +94,24 @@ class OIDCAuthBackend(BaseAuthBackend): ...@@ -83,12 +94,24 @@ class OIDCAuthBackend(BaseAuthBackend):
sformat="urlencoded", sformat="urlencoded",
) )
# if auth_response is not AuthorizationResponse: request.session["oidc_next_url"] = None
# raise Exception('Invalid authorization response') oidc_state = request.session.pop("oidc_state", None)
response_state = auth_response.get("state", None)
if not oidc_state or not response_state:
return [None, None]
if response_state not in oidc_state:
return [None, None]
if auth_response["state"] != request.session["oidc_state"]: if auth_response["nonce"] != oidc_state[response_state]["nonce"]:
return [None, None] return [None, None]
if oidc_state[response_state]["generated_on"] < time.time() + 5 * 60:
return [None, None]
request.session["oidc_next_url"] = oidc_state[response_state]["next"]
access_token_response = self.client.do_access_token_request( access_token_response = self.client.do_access_token_request(
state=auth_response["state"], state=auth_response["state"],
scope=self.scopes, scope=self.scopes,
......
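Review bot: The freshness check `if oidc_state[response_state]["generated_on"] < time.time() + 5 * 60:` is inverted — generated_on is int(time.time()) at request construction, so it is always below now + 300 and every callback returns [None, None]; rejecting stale state reads `if oidc_state[response_state]["generated_on"] + 5 * 60 < time.time():`. Just above it, `auth_response["nonce"]` is a bare index on the authorization response, which as far as the hunk shows carries only code and state (the nonce is normally echoed back inside the ID token), so a missing key raises KeyError instead of the [None, None] the surrounding guards return; a `.get("nonce")` with the same early return, or comparing against the ID token claim, keeps the failure path uniform. The `next` stored alongside the state is the constant "" in authentication_url, so get_next_url can only yield "" or None unless another change fills it; whenever a caller-supplied URL is stored there it should pass Django's url_has_allowed_host_and_scheme before being used as a redirect target. process_callback continues past the end of this hunk.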