providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
f9a5add01d
commit
4d7d700afa
|
@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
|
||||||
# and POST request.
|
# and POST request.
|
||||||
query_dict = request.POST if request.method == "POST" else request.GET
|
query_dict = request.POST if request.method == "POST" else request.GET
|
||||||
state = query_dict.get("state")
|
state = query_dict.get("state")
|
||||||
redirect_uri = query_dict.get("redirect_uri", "")
|
redirect_uri = query_dict.get("redirect_uri", "").lower()
|
||||||
|
|
||||||
response_type = query_dict.get("response_type", "")
|
response_type = query_dict.get("response_type", "")
|
||||||
grant_type = None
|
grant_type = None
|
||||||
|
@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
|
||||||
if not self.redirect_uri:
|
if not self.redirect_uri:
|
||||||
LOGGER.warning("Missing redirect uri.")
|
LOGGER.warning("Missing redirect uri.")
|
||||||
raise RedirectUriError("", allowed_redirect_urls)
|
raise RedirectUriError("", allowed_redirect_urls)
|
||||||
if len(allowed_redirect_urls) < 1:
|
|
||||||
|
if self.provider.redirect_uris == "":
|
||||||
|
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
|
||||||
|
self.provider.redirect_uris = self.redirect_uri
|
||||||
|
self.provider.save()
|
||||||
|
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||||
|
|
||||||
|
if self.provider.redirect_uris == "*":
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Provider has no allowed redirect_uri set, allowing all.",
|
"Provider has wildcard allowed redirect_uri set, allowing all.",
|
||||||
allow=self.redirect_uri.lower(),
|
allow=self.redirect_uri,
|
||||||
)
|
)
|
||||||
return
|
return
|
||||||
if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
|
if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Invalid redirect uri",
|
"Invalid redirect uri",
|
||||||
redirect_uri=self.redirect_uri,
|
redirect_uri=self.redirect_uri,
|
||||||
|
|
|
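Review bot: Persisting the first redirect_uri presented to a provider whose redirect_uris is blank (`self.provider.redirect_uris = self.redirect_uri` followed by `self.provider.save()`) is trust-on-first-use: whoever sends the first authorization request with that client_id — which, as far as this hunk shows, happens before any redirect-URI validation and before the end user has completed login — pins their own URI as the only allowed one, and the legitimate application is afterwards rejected with `Invalid redirect uri`. At minimum log this at warning level with the client identity rather than `LOGGER.info`, and consider persisting only once the authorization flow has actually completed, or requiring the value to be set explicitly by an administrator. Separately, lowercasing the raw parameter at parse time (`query_dict.get("redirect_uri", "").lower()`) is fine for the allow-list comparison, but it also changes the value that gets stored and — if `self.redirect_uri` is what the eventual redirect response uses, which is not visible here — the URI the browser is sent to; URI paths and query strings are case-sensitive, so keep the original string and lowercase only inside the comparison, e.g. `if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:`. The enclosing method of OAuthAuthorizationParams starts outside the hunk.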
@ -66,7 +66,7 @@ class TokenParams:
|
||||||
provider=provider,
|
provider=provider,
|
||||||
client_id=client_id,
|
client_id=client_id,
|
||||||
client_secret=client_secret,
|
client_secret=client_secret,
|
||||||
redirect_uri=request.POST.get("redirect_uri", ""),
|
redirect_uri=request.POST.get("redirect_uri", "").lower(),
|
||||||
grant_type=request.POST.get("grant_type", ""),
|
grant_type=request.POST.get("grant_type", ""),
|
||||||
state=request.POST.get("state", ""),
|
state=request.POST.get("state", ""),
|
||||||
scope=request.POST.get("scope", "").split(),
|
scope=request.POST.get("scope", "").split(),
|
||||||
|
@ -123,21 +123,23 @@ class TokenParams:
|
||||||
LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
|
LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
|
||||||
raise TokenError("unsupported_grant_type")
|
raise TokenError("unsupported_grant_type")
|
||||||
|
|
||||||
def __post_init_code(self, raw_code):
|
def __post_init_code(self, raw_code: str):
|
||||||
if not raw_code:
|
if not raw_code:
|
||||||
LOGGER.warning("Missing authorization code")
|
LOGGER.warning("Missing authorization code")
|
||||||
raise TokenError("invalid_grant")
|
raise TokenError("invalid_grant")
|
||||||
|
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||||
if len(allowed_redirect_urls) < 1:
|
if self.provider.redirect_uris == "*":
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Provider has no allowed redirect_uri set, allowing all.",
|
"Provider has wildcard allowed redirect_uri set, allowing all.",
|
||||||
allow=self.redirect_uri.lower(),
|
redirect=self.redirect_uri,
|
||||||
)
|
)
|
||||||
elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:
|
# At this point, no provider should have a blank redirect_uri, in case they do
|
||||||
|
# this will check an empty array and raise an error
|
||||||
|
elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Invalid redirect uri",
|
"Invalid redirect uri",
|
||||||
uri=self.redirect_uri,
|
redirect=self.redirect_uri,
|
||||||
expected=self.provider.redirect_uris.split(),
|
expected=self.provider.redirect_uris.split(),
|
||||||
)
|
)
|
||||||
raise TokenError("invalid_client")
|
raise TokenError("invalid_client")
|
||||||
|
|
|
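Review bot: The check in `__post_init_code` only verifies that the POSTed redirect_uri appears in the provider's allow-list (`self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]`) or that the provider is `*`; RFC 6749 §4.1.3 requires the token-endpoint redirect_uri to be identical to the one sent in the authorization request the code was issued for, and list membership alone lets a code be redeemed with any other allowed URI. If the stored authorization-code object carries the original redirect_uri (the code lookup is not visible in this hunk), compare against that value and raise `TokenError("invalid_grant")` on mismatch, in addition to the allow-list check. The wildcard branch also continues without identifying the client; since the dataclass receives `client_id` per the earlier hunk, the `LOGGER.warning` there should include it, and the log keyword should match the authorize view (`allow=` there, `redirect=` here). The body of `__post_init_code` runs past the end of the hunk.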
@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
||||||
msgstr "If multiple providers share an outpost, a self-signed certificate is used."
|
msgstr "If multiple providers share an outpost, a self-signed certificate is used."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||||
msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
#~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||||
|
msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||||
|
|
||||||
#: src/pages/tenants/TenantForm.ts
|
#: src/pages/tenants/TenantForm.ts
|
||||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||||
|
@ -5187,6 +5191,10 @@ msgstr "Title"
|
||||||
msgid "To"
|
msgid "To"
|
||||||
msgstr "To"
|
msgstr "To"
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||||
|
msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||||
|
|
||||||
#: src/pages/users/UserViewPage.ts
|
#: src/pages/users/UserViewPage.ts
|
||||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||||
msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||||
|
|
|
@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
||||||
msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
|
msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||||
msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
|
#~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/tenants/TenantForm.ts
|
#: src/pages/tenants/TenantForm.ts
|
||||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||||
|
@ -5131,6 +5135,10 @@ msgstr "Titre"
|
||||||
msgid "To"
|
msgid "To"
|
||||||
msgstr "À"
|
msgstr "À"
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/users/UserViewPage.ts
|
#: src/pages/users/UserViewPage.ts
|
||||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||||
msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."
|
msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."
|
||||||
|
|
|
@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||||
|
#~ msgstr ""
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/tenants/TenantForm.ts
|
#: src/pages/tenants/TenantForm.ts
|
||||||
|
@ -5167,6 +5171,10 @@ msgstr ""
|
||||||
msgid "To"
|
msgid "To"
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/users/UserViewPage.ts
|
#: src/pages/users/UserViewPage.ts
|
||||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
|
|
@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
|
||||||
msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
|
msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
|
||||||
|
|
||||||
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
#~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
|
||||||
msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
|
#~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/tenants/TenantForm.ts
|
#: src/pages/tenants/TenantForm.ts
|
||||||
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
|
||||||
|
@ -5076,6 +5080,10 @@ msgstr "Başlık"
|
||||||
msgid "To"
|
msgid "To"
|
||||||
msgstr "Kime"
|
msgstr "Kime"
|
||||||
|
|
||||||
|
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
|
||||||
|
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
|
||||||
|
msgstr ""
|
||||||
|
|
||||||
#: src/pages/users/UserViewPage.ts
|
#: src/pages/users/UserViewPage.ts
|
||||||
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
|
||||||
msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."
|
msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."
|
||||||
|
|
|
@ -171,7 +171,10 @@ ${this.instance?.redirectUris}</textarea
|
||||||
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
|
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
|
||||||
</p>
|
</p>
|
||||||
<p class="pf-c-form__helper-text">
|
<p class="pf-c-form__helper-text">
|
||||||
${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`}
|
${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`}
|
||||||
|
</p>
|
||||||
|
<p class="pf-c-form__helper-text">
|
||||||
|
${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}
|
||||||
</p>
|
</p>
|
||||||
</ak-form-element-horizontal>
|
</ak-form-element-horizontal>
|
||||||
<ak-form-element-horizontal label=${t`Signing Key`} name="signingKey">
|
<ak-form-element-horizontal label=${t`Signing Key`} name="signingKey">
|
||||||
|
|
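Review bot: The new helper text `If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.` overstates the safeguard: per the authorize-view hunk in this commit, the URI is persisted when it is first presented in an authorization request, before the allow-list check or the user's login completes, so "successfully used" is inaccurate and will lead administrators to believe the saved value has been vetted. Suggest `If no explicit redirect URIs are specified, the first redirect URI sent to this provider will be saved and become the only allowed one; set it explicitly before handing out the client ID.` so the trust-on-first-use window is visible in the form. The enclosing render template starts and ends outside the hunk.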