Lines 85-90
class OIDCResource(OAuth2Mixin, Resource):
|
| 85 |
"""Base class for all OIDC resources.""" |
85 |
"""Base class for all OIDC resources.""" |
| 86 |
|
86 |
|
| 87 |
requires_authentication = False |
87 |
requires_authentication = False |
|
|
88 |
_http_client = None |
| 89 |
|
| 90 |
@property |
| 91 |
def http_client(self): |
| 92 |
if self.__class__._http_client is None: |
| 93 |
# TODO: make sure the connection is still valid |
| 94 |
self.__class__._http_client = self.get_auth_http_client() |
| 95 |
return self._http_client |
| 88 |
|
96 |
|
| 89 |
async def prepare(self): |
97 |
async def prepare(self): |
| 90 |
await super().prepare() |
98 |
await super().prepare() |
|
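Review bot: The client cached by the new `http_client` property is never invalidated, as the TODO on its `if` line admits, so once the shared AsyncHTTPClient has been closed (by any `.close()` call that survived this change, or by its IOLoop going away) every later `fetch` fails with a RuntimeError rather than an `HTTPClientError`, and the `except HTTPClientError` blocks in the user-info hunk, `download_jwks`, `_get_access_token` and the `OIDCLogout` hunk will not turn that into `OpenIDProvideUnavailable`. Unless `get_auth_http_client()` is overridden in this file, Tornado's OAuth2Mixin default returns `AsyncHTTPClient()`, which Tornado already caches per IOLoop, so the class-level cache mainly pins these handlers to whichever loop was current at first access; that is worth stating next to the attribute. The getter also tests `self.__class__._http_client` but returns `self._http_client`, so an instance attribute of the same name would silently shadow the shared client; use one spelling, `return self.__class__._http_client`. Suggested docstring for the property: `"""Lazily created HTTP client shared by all OIDC resources (class-level; must never be closed per request)."""`.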
Lines 291-299
class OIDCResource(OAuth2Mixin, Resource):
|
| 291 |
"Authorization": "Bearer %s" % (bearer_token,), |
299 |
"Authorization": "Bearer %s" % (bearer_token,), |
| 292 |
}, |
300 |
}, |
| 293 |
) |
301 |
) |
| 294 |
http_client = self.get_auth_http_client() |
|
|
| 295 |
try: |
302 |
try: |
| 296 |
user_info_res = await http_client.fetch(user_info_req) |
303 |
user_info_res = await self.http_client.fetch(user_info_req) |
| 297 |
except HTTPClientError as exc: |
304 |
except HTTPClientError as exc: |
| 298 |
CORE.warn("Fetching user info failed: %s %s" % (user_info_req.url, exc)) |
305 |
CORE.warn("Fetching user info failed: %s %s" % (user_info_req.url, exc)) |
| 299 |
raise OpenIDProvideUnavailable(self._("Could not receive user information from OP.")) |
306 |
raise OpenIDProvideUnavailable(self._("Could not receive user information from OP.")) |
|
Lines 304-313
class OIDCResource(OAuth2Mixin, Resource):
|
| 304 |
|
311 |
|
| 305 |
async def download_jwks(self): |
312 |
async def download_jwks(self): |
| 306 |
request = HTTPRequest(self._OAUTH_CERT_URL, method='GET') |
313 |
request = HTTPRequest(self._OAUTH_CERT_URL, method='GET') |
| 307 |
http_client = self.get_auth_http_client() |
|
|
| 308 |
|
314 |
|
| 309 |
try: |
315 |
try: |
| 310 |
response = await http_client.fetch(request, raise_error=False) |
316 |
response = await self.http_client.fetch(request, raise_error=False) |
| 311 |
except HTTPClientError as exc: |
317 |
except HTTPClientError as exc: |
| 312 |
CORE.warn("Fetching certificate failed: %s %s" % (request.url, exc)) |
318 |
CORE.warn("Fetching certificate failed: %s %s" % (request.url, exc)) |
| 313 |
raise OpenIDProvideUnavailable(self._("Could not receive certificate from OP.")) |
319 |
raise OpenIDProvideUnavailable(self._("Could not receive certificate from OP.")) |
|
Lines 324-330
class OIDCResource(OAuth2Mixin, Resource):
|
| 324 |
return await self._get_access_token(redirect_uri, {"refresh_token": refresh_token, "grant_type": "refresh_token"}) |
330 |
return await self._get_access_token(redirect_uri, {"refresh_token": refresh_token, "grant_type": "refresh_token"}) |
| 325 |
|
331 |
|
| 326 |
async def _get_access_token(self, redirect_uri, data): |
332 |
async def _get_access_token(self, redirect_uri, data): |
| 327 |
http_client = self.get_auth_http_client() |
|
|
| 328 |
body = urlencode(dict( |
333 |
body = urlencode(dict( |
| 329 |
data, |
334 |
data, |
| 330 |
redirect_uri=redirect_uri, |
335 |
redirect_uri=redirect_uri, |
|
Lines 332-338
class OIDCResource(OAuth2Mixin, Resource):
|
| 332 |
client_secret=self.client_secret, |
337 |
client_secret=self.client_secret, |
| 333 |
)) # TODO: request specific AUD for ldap server |
338 |
)) # TODO: request specific AUD for ldap server |
| 334 |
try: |
339 |
try: |
| 335 |
response = await http_client.fetch( |
340 |
response = await self.http_client.fetch( |
| 336 |
self._OAUTH_ACCESS_TOKEN_URL, |
341 |
self._OAUTH_ACCESS_TOKEN_URL, |
| 337 |
method="POST", |
342 |
method="POST", |
| 338 |
headers={"Content-Type": "application/x-www-form-urlencoded"}, |
343 |
headers={"Content-Type": "application/x-www-form-urlencoded"}, |
|
Lines 340-347
class OIDCResource(OAuth2Mixin, Resource):
|
| 340 |
) |
345 |
) |
| 341 |
except HTTPClientError: |
346 |
except HTTPClientError: |
| 342 |
raise # handled in get() |
347 |
raise # handled in get() |
| 343 |
# TODO: why do we need that, see univention/dev/ucs#2388 |
|
|
| 344 |
http_client.close() |
| 345 |
return escape.json_decode(response.body) |
348 |
return escape.json_decode(response.body) |
| 346 |
|
349 |
|
| 347 |
async def refresh_session_tokens(self, user): |
350 |
async def refresh_session_tokens(self, user): |
|
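Review bot: Removing `http_client.close()` together with the TODO that pointed at univention/dev/ucs#2388 leaves no trace of why the client must no longer be closed here, so a later reader who sees a plain `fetch` may reintroduce the call and, because the client is now shared class-wide, break every other handler's requests to the OP. Record the invariant at the removal site, e.g. `# the client is shared via OIDCResource.http_client; never close it per request (see univention/dev/ucs#2388)`, or on the `_http_client` attribute. `_get_access_token` begins outside this hunk.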
Lines 488-496
class OIDCLogout(_OIDCLogoutBase):
|
| 488 |
if not id_token: |
491 |
if not id_token: |
| 489 |
raise BadRequest(self._("Not logged in")) |
492 |
raise BadRequest(self._("Not logged in")) |
| 490 |
|
493 |
|
| 491 |
http_client = self.get_auth_http_client() |
|
|
| 492 |
try: |
494 |
try: |
| 493 |
await http_client.fetch( |
495 |
await self.http_client.fetch( |
| 494 |
self._OAUTH_END_SESSION_URL, |
496 |
self._OAUTH_END_SESSION_URL, |
| 495 |
method="POST", |
497 |
method="POST", |
| 496 |
headers={"Content-Type": "application/x-www-form-urlencoded"}, |
498 |
headers={"Content-Type": "application/x-www-form-urlencoded"}, |