providers/oauth2: only send id_token as access_token if ADFS compat mode is enabled

This commit is contained in:
Jens Langhammer 2020-09-16 23:31:03 +02:00
parent f1ccef7f6a
commit 818f417fd8
5 changed files with 35 additions and 5 deletions


@ -41,4 +41,10 @@ class Migration(migrations.Migration):
), ),
), ),
migrations.RunPython(create_default_admin_group), migrations.RunPython(create_default_admin_group),
migrations.AlterModelManagers(
name='user',
managers=[
('objects', passbook.core.models.UserManager()),
],
),
] ]


@ -0,0 +1,23 @@
# Generated by Django 3.1.1 on 2020-09-16 21:29
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('passbook_providers_oauth2', '0002_oauth2provider_sub_mode'),
]
operations = [
migrations.AlterField(
model_name='oauth2provider',
name='client_type',
field=models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], default='confidential', help_text='Confidential clients are capable of maintaining the confidentiality\n of their credentials. Public clients are incapable.', max_length=30, verbose_name='Client Type'),
),
migrations.AlterField(
model_name='oauth2provider',
name='response_type',
field=models.TextField(choices=[('code', 'code (Authorization Code Flow)'), ('code_adfs', 'code (ADFS Compatibility Mode, sends id_token as access_token)'), ('id_token', 'id_token (Implicit Flow)'), ('id_token token', 'id_token token (Implicit Flow)'), ('code token', 'code token (Hybrid Flow)'), ('code id_token', 'code id_token (Hybrid Flow)'), ('code id_token token', 'code id_token token (Hybrid Flow)')], default='code', help_text='Response Type required by the client.'),
),
]


@ -31,8 +31,8 @@ from passbook.providers.oauth2.generators import (
class ClientTypes(models.TextChoices): class ClientTypes(models.TextChoices):
"""<b>Confidential</b> clients are capable of maintaining the confidentiality """Confidential clients are capable of maintaining the confidentiality
of their credentials. <b>Public</b> clients are incapable.""" of their credentials. Public clients are incapable."""
CONFIDENTIAL = "confidential", _("Confidential") CONFIDENTIAL = "confidential", _("Confidential")
PUBLIC = "public", _("Public") PUBLIC = "public", _("Public")
@ -70,6 +70,7 @@ class ResponseTypes(models.TextChoices):
"""Response Type required by the client.""" """Response Type required by the client."""
CODE = "code", _("code (Authorization Code Flow)") CODE = "code", _("code (Authorization Code Flow)")
CODE_ADFS = "code_adfs", _("code (ADFS Compatibility Mode, sends id_token as access_token)")
ID_TOKEN = "id_token", _("id_token (Implicit Flow)") ID_TOKEN = "id_token", _("id_token (Implicit Flow)")
ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)") ID_TOKEN_TOKEN = "id_token token", _("id_token token (Implicit Flow)")
CODE_TOKEN = "code token", _("code token (Hybrid Flow)") CODE_TOKEN = "code token", _("code token (Hybrid Flow)")
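Review bot: `CODE_ADFS = "code_adfs"` is not a value a client can legitimately send as `response_type` under RFC 6749 / OIDC Core — the wire value for the authorization-code flow is `code` — so this enum member now serves both as a client-facing response-type choice and as a provider-level compatibility switch. If any code path compares the request's `response_type` against `provider.response_type` (I cannot see such a comparison from here), a provider configured with `code_adfs` will reject standard `response_type=code` requests from the very clients the mode is meant to help. A separate flag such as `adfs_compat = models.BooleanField(default=False, help_text=_("Send the id_token as access_token (non-standard; required by some clients)"))` would keep `ResponseTypes` a faithful list of spec values and make the compat behaviour independent of which flow the client uses. The `ResponseTypes` class continues past the end of this hunk.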


@ -90,7 +90,7 @@ class OAuthAuthorizationParams:
response_type = query_dict.get("response_type", "") response_type = query_dict.get("response_type", "")
grant_type = None grant_type = None
# Determine which flow to use. # Determine which flow to use.
if response_type in [ResponseTypes.CODE]: if response_type in [ResponseTypes.CODE, ResponseTypes.CODE_ADFS]:
grant_type = GrantTypes.AUTHORIZATION_CODE grant_type = GrantTypes.AUTHORIZATION_CODE
elif response_type in [ elif response_type in [
ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN,
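Review bot: `response_type` is read directly from the client's query string (line 64), so the added `ResponseTypes.CODE_ADFS` lets an unauthenticated caller send the non-standard literal `response_type=code_adfs` and be routed to the authorization-code grant, while a caller sending the standard `code` is routed identically — the two values are indistinguishable at this point and nothing here gates on the provider's configuration. The compat behaviour itself is decided later from the provider setting (`self.params.provider.response_type == ResponseTypes.CODE_ADFS` in the token view), not from this request value, so this change only widens what the authorization endpoint accepts from untrusted input without affecting the outcome. Unless a comparison elsewhere requires the request's value to equal the provider's configured `response_type`, I would keep `if response_type in [ResponseTypes.CODE]:` so that grant-type mapping uses spec values only; if such a comparison exists, it is that comparison, not this mapping, that should treat a provider value of `code_adfs` as `code`. The enclosing method starts before this hunk.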


@ -17,7 +17,7 @@ from passbook.providers.oauth2.errors import TokenError, UserAuthError
from passbook.providers.oauth2.models import ( from passbook.providers.oauth2.models import (
AuthorizationCode, AuthorizationCode,
OAuth2Provider, OAuth2Provider,
RefreshToken, RefreshToken, ResponseTypes,
) )
from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth from passbook.providers.oauth2.utils import TokenResponse, extract_client_auth
@ -200,7 +200,7 @@ class TokenView(View):
"id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()), "id_token": refresh_token.provider.encode(refresh_token.id_token.to_dict()),
} }
if self.params.authorization_code.is_open_id: if self.params.provider.response_type == ResponseTypes.CODE_ADFS:
# This seems to be expected by some OIDC Clients # This seems to be expected by some OIDC Clients
# namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard. # namely VMware vCenter. This is not documented in any OpenID or OAuth2 Standard.
# Maybe this should be a setting # Maybe this should be a setting