providers/oauth2: only send id_token as access_token if ADFS compat mode is enabled

This commit is contained in:
Jens Langhammer 2020-09-16 23:31:03 +02:00
parent f1ccef7f6a
commit 818f417fd8
5 changed files with 35 additions and 5 deletions

View File

@ -41,4 +41,10 @@ class Migration(migrations.Migration):
),
),
migrations.RunPython(create_default_admin_group),
migrations.AlterModelManagers(
name='user',
managers=[
('objects', passbook.core.models.UserManager()),
],
),
]

View File

@ -0,0 +1,23 @@
# Generated by Django 3.1.1 on 2020-09-16 21:29
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('passbook_providers_oauth2', '0002_oauth2provider_sub_mode'),
]
operations = [
migrations.AlterField(
model_name='oauth2provider',
name='client_type',
field=models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], default='confidential', help_text='Confidential clients are capable of maintaining the confidentiality\n of their credentials. Public clients are incapable.', max_length=30, verbose_name='Client Type'),
),
migrations.AlterField(
model_name='oauth2provider',
name='response_type',
field=models.TextField(choices=[('code', 'code (Authorization Code Flow)'), ('code_adfs', 'code (ADFS Compatibility Mode, sends id_token as access_token)'), ('id_token', 'id_token (Implicit Flow)'), ('id_token token', 'id_token token (Implicit Flow)'), ('code token', 'code token (Hybrid Flow)'), ('code id_token', 'code id_token (Hybrid Flow)'), ('code id_token token', 'code id_token token (Hybrid Flow)')], default='code', help_text='Response Type required by the client.'),
),
]

View File

@ -31,8 +31,8 @@ from passbook.providers.oauth2.generators import (
class ClientTypes(models.TextChoices):
"""<b>Confidential</b> clients are capable of maintaining the confidentiality
of their credentials. <b>Public</b> clients are incapable."""
"""Confidential clients are capable of maintaining the confidentiality
of their credentials. Public clients are incapable."""
CONFIDENTIAL = "confidential", _("Confidential")
PUBLIC = "public", _("Public")
@ -70,6 +70,7 @@ class ResponseTypes(models.TextChoices):
"""Response Type required by the client."""
CODE = "code", _("code (Authorization Code Flow)")
CODE_ADFS = "code_adfs", _("code (ADFS Compatibility Mode, sends id_token as access_token)")
ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)")
CODE_TOKEN = "code token", _("code token (Hybrid Flow)")

View File

@ -90,7 +90,7 @@ class OAuthAuthorizationParams:
response_type = query_dict.get("response_type", "")
grant_type = None
# Determine which flow to use.
if response_type in [ResponseTypes.CODE]:
if response_type in [ResponseTypes.CODE, ResponseTypes.CODE_ADFS]:
grant_type = GrantTypes.AUTHORIZATION_CODE
elif response_type in [
ResponseTypes.ID_TOKEN,

View File

@ -17,7 +17,7 @@ from passbook.providers.oauth2.errors import TokenError, UserAuthError
from passbook.providers.oauth2.models import (
AuthorizationCode,
OAuth2Provider,
RefreshToken,
RefreshToken, ResponseTypes,
)
from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth
@ -200,7 +200,7 @@ class TokenView(View):
"id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
}
if self.params.authorization_code.is_open_id:
if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
# This seems to be expected by some OIDC Clients
# namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
# Maybe this should be a setting