Infinite redirect loop for prompt=login #187

Closed
wojtek-fliposports opened this issue Jun 2, 2017 · 0 comments
@wojtek-fliposports
Contributor

The bug is located in: https://github.com/juanifioren/django-oidc-provider/blob/v0.5.x/oidc_provider/views.py#L83
When the user is authenticated, they should be logged out when prompt does not contain the none value.
Basically, the whole prompt is not handled in a proper way:
http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1

prompt
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

    `none`
        The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent. 
    `login`
        The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically `login_required`. 
    `consent`
        The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically `consent_required`. 
    `select_account`
        The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically `account_selection_required`. 

The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.

I will try to fix none, login and consent handling and skip select_account, since it is not supported right now.
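As an added example (not the project's own code, and not the reporter's patch), a small prompt handler in plain Python that follows the spec text quoted above: it parses prompt as a list of values, rejects `none` combined with anything else, turns a missing login or consent under `prompt=none` into an error instead of a redirect, and drops `login` from the URL the login page sends the user back to, which is what stops the redirect loop. The names `authorize` and `next_url_after_login` are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

VALID_PROMPTS = {"none", "login", "consent", "select_account"}

class PromptError(Exception):
    """Carries the OIDC error code the authorization endpoint must return."""

def parse_prompt(raw):
    """Split the space-delimited, case-sensitive prompt value into a set.
    Unknown values, and 'none' combined with anything else, are rejected."""
    values = set(raw.split()) if raw else set()
    if values - VALID_PROMPTS or ("none" in values and len(values) > 1):
        raise PromptError("invalid_request")
    return values

def decide(prompt, authenticated, has_consent):
    """Return 'login', 'consent' or 'issue'. With prompt=none no UI may be
    shown, so a missing login or consent becomes an error, not a redirect."""
    if "none" in prompt:
        if not authenticated:
            raise PromptError("login_required")
        if not has_consent:
            raise PromptError("consent_required")
        return "issue"
    if "login" in prompt or not authenticated:
        return "login"      # for 'login' the caller ends the session first
    if "consent" in prompt or not has_consent:
        return "consent"
    return "issue"

def authorize(raw_prompt, authenticated, has_consent):
    """Hypothetical endpoint wrapper: ('action', name) or ('error', code)."""
    try:
        return "action", decide(parse_prompt(raw_prompt), authenticated, has_consent)
    except PromptError as exc:
        return "error", str(exc)

def next_url_after_login(authorize_path, query):
    """Build the login page's `next` URL with 'login' removed from prompt.
    Returning to /authorize?prompt=login after re-authentication logs the user
    out again and restarts the cycle; dropping only that value breaks it."""
    params = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "prompt":
            rest = [v for v in value.split() if v != "login"]
            if rest:
                params.append((key, " ".join(rest)))
        else:
            params.append((key, value))
    return authorize_path + ("?" + urlencode(params) if params else "")
```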

@wojtek-fliposports wojtek-fliposports self-assigned this Jun 2, 2017
wojtek-fliposports added a commit that referenced this issue Jun 6, 2017
prompt parameter changed to list of strings not a simple string
wojtek-fliposports added a commit to wojtek-fliposports/django-oidc-provider that referenced this issue Jun 6, 2017
suutari-ai added a commit to suutari-ai/django-oidc-provider that referenced this issue May 23, 2018
* 'develop' of github.com:juanifioren/django-oidc-provider:
  Update changelog.rst
  include request in password grant authenticate call
  Update setup.py
  Update changelog.rst
  Update changelog.rst
  Adjust import order and method order in introspection tests
  Replace resource with client in docs.
  Update settings docs to add extra introspection setting
  Update README.md
  Update README.md
  Remove the Resource model
  Skip csrf protection on introspection endpoint
  Add token introspection endpoint to satisfy https://tools.ietf.org/html/rfc7662
  Test docs with tox.
  Remove Django 1.7 for travis.
  Drop support for Django 1.7.
  Move extract_client_auth to oauth2 utils.
  Remove duplicate link in docs.
  Bump version v0.6.0.
  Fix BaseCodeTokenModel and user attr.
  Update README.md
  Edit README and contribute doc.
  Edit changelog.
  Update changelog.rst
  Add protected_resource_view test using client_credentials.
  Fix docs.
  Improve docs.
  Client credentials implementation.
  Move changelog into docs.
  Update README.md
  Update CHANGELOG.md
  Fixed infinite callback loop in check-session iframe
  Fix PEP8. New migration.
  Update example project.
  Fix PEP8.
  Fix PEP8.
  PEP8 errors and urls.
  PEP8 models.
  Fix contribute docs.
  Fix tox for checking PEP8 all files.
  Update README.md
  Update README.md
  Simplify test suit.
  Update CHANGELOG.md
  Bump version 0.5.3.
  Update installation.rst
  Update CHANGELOG.md
  Fixed wrong Object in Template
  Update project to support Django 2.0
  Now passing along the token to create_id_token function.
  Made token and token_refresh endpoint return requested claims.
  Sphinx documentation fixes (juanifioren#219)
  Use request.user.is_authenticated as a bool with recent Django (juanifioren#216)
  Fixed client id retrieval when aud is a list of str. (juanifioren#210)
  Add owner field to Client (juanifioren#211)
  Update CHANGELOG
  removed tab char
  Add pep8 compliance and checker
  Bump version
  Update CHANGELOG.md
  Preparing v0.5.2 (juanifioren#201)
  Fix Django 2.0 deprecation warnings (juanifioren#185)
  Fix infinite login loop if "prompt=login" (juanifioren#198)
  fixed typos
  Bump version
  Fix scope handling of token endpoint (juanifioren#193)
  Fixes juanifioren#192
  Use stored user consent for public clients too (juanifioren#189)
  Redirect URIs must match exactly. (juanifioren#191)
  Bug juanifioren#187 prompt handling (juanifioren#188)
  Don't pin exact versions in install_requires.