New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Addition of form_post OIDC response mode #2818
Conversation
Check response_mode in initialization
@BeryJu Right, it's working now at least! I added a separate class for the post response, and I've imported the AutosubmitChallenge and AutoSubmitChallengeResponse classes from providers.saml.views.flows for now, I'm going to do some testing with this setup and see whether I can find any shortcomings. |
@@ -238,6 +256,131 @@ def create_code(self, request: HttpRequest) -> AuthorizationCode: | |||
|
|||
return code | |||
|
|||
class OAuthPostFulfillmentStage(ChallengeStageView): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this extra stage view shouldn't be required, imo it makes more sense to hook in here https://github.com/goauthentik/authentik/blob/master/authentik/providers/oauth2/views/authorize.py#L248, rename redirect
to get_response
and have it check the parameters to either return an Autosubmit Challenge or a redirect
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, I agree, this was just a way of testing the concept on my part for now. I'll have a look at integrating it a bit better later today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, had some more free time this afternoon. I've removed the separate class and moved the FORM_POST handling to create_response_uri() and redirect() respectively
I'll have to spend some more time going through a couple of more scenarios where form_post might want a non-implicit response, I've only been testing with an application of ours that has a very specific capability for OIDC (Azure) so far.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looked at it with a little more sleep behind me, I'm going to work on the create_response_uri-part a bit more since the current code doesn't really take any of the response_type parameters into account.
Form_post in particular can be requested with just the code and id_token parts by themselves, I'm gonna read up a bit on that part of the protocol when I get into work tomorrow.
The original version was written as if fragment always just creates an implicit response with just an id_token and query only provides a code, couldn't there be other combinations on those as well?
I'll be back with an update once I'm up to speed with the latest!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, apparently the code that's already in create_implicit_response works fine for form_post as well!
Codecov Report
@@ Coverage Diff @@
## master #2818 +/- ##
==========================================
- Coverage 91.73% 91.72% -0.01%
==========================================
Files 455 455
Lines 20039 20049 +10
==========================================
+ Hits 18381 18388 +7
- Misses 1658 1661 +3
Continue to review full report at Codecov.
|
Added handling for FORM_POST in create_response_uri Added handling for FORM_POST in return class
Removed comment
Details
Resolves #2748
Changes
New Features
Breaking Changes
None
Additional Details