take into account nonce in openid

This commit is contained in:
Son NK 2021-04-01 12:49:23 +02:00
parent 3c5706fb16
commit e6d8815ac5
2 changed files with 8 additions and 11 deletions


@ -263,7 +263,6 @@ def authorize():
auth_code = None
if ResponseType.CODE in response_types:
# Create authorization code
auth_code = AuthorizationCode.create(
client_id=client.id,
user_id=current_user.id,
@ -271,9 +270,8 @@ def authorize():
scope=scope,
redirect_uri=redirect_uri,
response_type=response_types_to_str(response_types),
nonce=nonce
nonce=nonce,
)
db.session.add(auth_code)
redirect_args["code"] = auth_code.code
oauth_token = None
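Review bot: Persisting the nonce on the authorization code only covers the id_token minted later by the token endpoint; if authorize() also issues an id_token directly for the hybrid flow (the token endpoint refers to a "code,id_token" flow), that id_token needs the same `nonce=nonce` argument, which this hunk does not show. Where the `nonce` value is read from the request and whether it is required when `id_token` is among the response types is outside the hunk, so this is worth confirming rather than assumed fixed. authorize() starts before this hunk and continues past it.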


@ -69,12 +69,6 @@ def token():
access_token=generate_access_token(),
response_type=auth_code.response_type,
)
db.session.add(oauth_token)
# Auth code can be used only once
AuthorizationCode.delete(auth_code.id)
db.session.commit()
client_user: ClientUser = ClientUser.get_by(
client_id=auth_code.client_id, user_id=auth_code.user_id
@ -96,7 +90,12 @@ def token():
# Also return id_token if the initial flow is "code,id_token"
# cf https://medium.com/@darutk/diagrams-of-all-the-openid-connect-flows-6968e3990660
response_types = get_response_types_from_str(auth_code.response_type)
if ResponseType.ID_TOKEN in response_types:
res["id_token"] = make_id_token(client_user)
if ResponseType.ID_TOKEN in response_types or auth_code.scope == "openid":
res["id_token"] = make_id_token(client_user, nonce=auth_code.nonce)
# Auth code can be used only once
AuthorizationCode.delete(auth_code.id)
db.session.commit()
return jsonify(res)
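Review bot: The new condition `auth_code.scope == "openid"` only matches a scope that is exactly the single word "openid"; a request with `scope=openid email` (the usual form, space-separated) gets no id_token, and a `None` scope is silently treated as non-OIDC. Test for membership instead, e.g. `if ResponseType.ID_TOKEN in response_types or "openid" in (auth_code.scope or "").split():`. Moving the `AuthorizationCode.delete` and `commit` after the id_token is built also widens the window in which the same code can be redeemed twice by concurrent requests, assuming the lookup above is a plain read; a delete-or-fail step before issuing anything would close it, if the ORM supports it. token() starts before this hunk.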