cco/py-scopes
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

auth: use form['camefrom'] as requested URI, store in initial session and use for final redirect

Browse source
This commit is contained in:
Helmut Merz 2025-05-14 16:25:34 +02:00
parent 2f87493144
commit 05499d5d41
1 changed files with 5 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
scopes/web/auth/oidc.py
View file

@ -85,12 +85,8 @@ class Authenticator(DummyFolder):
def __init__(self, request): def __init__(self, request):
self.request = request self.request = request
self.params = config.oidc_params self.params = config.oidc_params
self.reqUrl = config.base_url
self.setCrypt(self.params.get('cookie_crypt')) self.setCrypt(self.params.get('cookie_crypt'))
def setReqUrl(self, base, path):
self.reqUrl = '/'.join((base, path))
def setCrypt(self, key): def setCrypt(self, key):
self.cookieCrypt = key and Fernet(key) or None self.cookieCrypt = key and Fernet(key) or None
@ -108,6 +104,7 @@ class Authenticator(DummyFolder):
nonce = util.rndstr() nonce = util.rndstr()
codeVerifier = util.rndstr2() codeVerifier = util.rndstr2()
codeChallenge = util.hashS256(codeVerifier) codeChallenge = util.hashS256(codeVerifier)
reqUrl = self.request.form.get('camefrom') or params['base_url']
args = dict( args = dict(
client_id=self.params['client_id'], client_id=self.params['client_id'],
response_type='code', # 'code id_token token', response_type='code', # 'code id_token token',
@ -115,9 +112,9 @@ class Authenticator(DummyFolder):
code_challenge=codeChallenge, code_challenge_method='S256', code_challenge=codeChallenge, code_challenge_method='S256',
scope='openid profile email urn:zitadel:iam:user:resourceowner', scope='openid profile email urn:zitadel:iam:user:resourceowner',
redirect_uri=self.params['callback_url'], redirect_uri=self.params['callback_url'],
request_uri=self.reqUrl,
) )
self.storeSession(dict(state=state, nonce=nonce, code_verifier=codeVerifier)) self.storeSession(dict(state=state, nonce=nonce, request_uri=reqUrl,
code_verifier=codeVerifier))
authUrl = self.params['op_uris']['authorization_endpoint'] authUrl = self.params['op_uris']['authorization_endpoint']
loginUrl = '?'.join((authUrl, urlencode(args))) loginUrl = '?'.join((authUrl, urlencode(args)))
logger.debug('login: URL %s', loginUrl) logger.debug('login: URL %s', loginUrl)
@ -127,6 +124,7 @@ class Authenticator(DummyFolder):
req = self.request req = self.request
logger.debug('callback: %s %s', self, req.form) logger.debug('callback: %s %s', self, req.form)
sdata = self.loadSession() sdata = self.loadSession()
reqUrl = sdata.get('request_uri') or self.params['base_url']
code = req.form['code'] code = req.form['code']
# !check state: req.form['state'] == sdata['state'] # !check state: req.form['state'] == sdata['state']
args = dict( args = dict(
@ -152,7 +150,7 @@ class Authenticator(DummyFolder):
) )
self.storeSession(ndata) self.storeSession(ndata)
logger.debug('callback: session data: %s', ndata) logger.debug('callback: session data: %s', ndata)
req.response.redirect(self.reqUrl, trusted=True) req.response.redirect(reqUrl, trusted=True)
def logout(self): def logout(self):
#sdata = self.loadSession() #sdata = self.loadSession()