Merge pull request #296 from TeskaLabs/fix/authorize-params

Allow all standard OIDC authorize params

CHANGELOG.md

@@ -2,10 +2,14 @@
 
 ## Release candidate
 
+### Breaking changes
+- Dropped support for authorize query params `ldid` and `expiration` (#296, PLUM Sprint 231006)
+
 ### Features
 - Authorization for websocket requests (#300, PLUM Sprint 231006)
 - Silence stable log messages (#312, PLUM Sprint 231006)
 - External login registration webhook (#286, PLUM Sprint 231006)
+- OAuth Authorize ignores all unknown parameters (#296, PLUM Sprint 231006)
 
 ---
 

seacatauth/authn/handler.py

@@ -14,6 +14,7 @@
 from ..audit import AuditCode
 from ..cookie import set_cookie, delete_cookie
 from ..decorators import access_control
+from ..openidconnect.utils import AUTHORIZE_PARAMETERS
 
 #
 
@@ -475,10 +476,8 @@ async def impersonate_and_redirect(self, request):
 		client_dict = await client_service.get(request_data["client_id"])
 		query = {
 			k: v for k, v in request_data.items()
-			if k in frozenset([
-				"redirect_uri", "response_type", "scope", "prompt", "code_challenge", "code_challenge_method"])
-		}
-		authorize_uri = oidc_service.build_authorize_uri(client_dict, client_id=request_data["client_id"], **query)
+			if k in AUTHORIZE_PARAMETERS}
+		authorize_uri = oidc_service.build_authorize_uri(client_dict, **query)
 
 		response = aiohttp.web.HTTPFound(
 			authorize_uri,

seacatauth/client/service.py

@@ -481,25 +481,16 @@ async def delete(self, client_id: str):
 		L.log(asab.LOG_NOTICE, "Client deleted", struct_data={"client_id": client_id})
 
 
-	async def authorize_client(
+	async def validate_client_authorize_options(
 		self,
 		client: dict,
 		redirect_uri: str,
-		client_secret: str = None,
 		grant_type: str = None,
 		response_type: str = None,
 	):
-		if client_secret is None:
-			# The client MAY omit the parameter if the client secret is an empty string.
-			# [rfc6749#section-2.3.1]
-			client_secret = ""
-		if "client_secret_expires_at" in client \
-			and client["client_secret_expires_at"] != 0 \
-			and client["client_secret_expires_at"] < datetime.datetime.now(datetime.timezone.utc):
-			raise exceptions.InvalidClientSecret(client["_id"])
-		if client_secret != client.get("__client_secret", ""):
-			raise exceptions.InvalidClientSecret(client["_id"])
-
+		"""
+		Verify that the specified authorization parameters are valid for the client.
+		"""
 		if not self.OIDCService.DisableRedirectUriValidation and not validate_redirect_uri(
 			redirect_uri, client["redirect_uris"], client.get("redirect_uri_validation_method")):
 			raise exceptions.InvalidRedirectURI(client_id=client["_id"], redirect_uri=redirect_uri)
@@ -512,6 +503,25 @@ async def authorize_client(
 
 		return True
 
+
+	async def authenticate_client(self, client: dict, client_secret: str = None):
+		"""
+		Verify client credentials (client_id and client_secret).
+		"""
+		# TODO: Use a client credential provider.
+		if client_secret is None:
+			# The client MAY omit the parameter if the client secret is an empty string.
+			# [rfc6749#section-2.3.1]
+			client_secret = ""
+		if "client_secret_expires_at" in client \
+			and client["client_secret_expires_at"] != 0 \
+			and client["client_secret_expires_at"] < datetime.datetime.now(datetime.timezone.utc):
+			L.warning("Client secret expired.", struct_data={"client_id": client["_id"]})
+		if client_secret != client.get("__client_secret", ""):
+			L.warning("Incorrect client secret.", struct_data={"client_id": client["_id"]})
+		return True
+
+
 	def _check_grant_types(self, grant_types, response_types):
 		# https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
 		# The following table lists the correspondence between response_type values that the Client will use