From 87d4e3c38d408ea9473b43bd0415082de0dc3ca3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 1 Jul 2024 11:15:57 +0200
Subject: [PATCH 1/4] fix condition for authorize_anonymous_users
---
 seacatauth/openidconnect/handler/authorize.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/seacatauth/openidconnect/handler/authorize.py b/seacatauth/openidconnect/handler/authorize.py
index e95ca192..553e273f 100644
--- a/seacatauth/openidconnect/handler/authorize.py
+++ b/seacatauth/openidconnect/handler/authorize.py
@@ -354,7 +354,7 @@ async def authorization_code_flow(
 authenticated = root_session is not None and not root_session.is_anonymous()
 allow_anonymous = "anonymous" in requested_scope
 if allow_anonymous:
- if client_dict.get("authorize_anonymous_users", False):
+ if not client_dict.get("authorize_anonymous_users", False):
 raise OAuthAuthorizeError( AuthErrorResponseCode.InvalidScope, client_id, redirect_uri=redirect_uri,
From d7f9d6970986b43717804ad9634b0396f0a1c05e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 1 Jul 2024 17:19:36 +0200
Subject: [PATCH 2/4] fix token request for self-encoded sessions
---
 seacatauth/openidconnect/handler/token.py | 18 ++++++++----------
 seacatauth/openidconnect/service.py | 3 +--
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/seacatauth/openidconnect/handler/token.py b/seacatauth/openidconnect/handler/token.py
index 7f0f5fe5..fb0ad6aa 100644
--- a/seacatauth/openidconnect/handler/token.py
+++ b/seacatauth/openidconnect/handler/token.py
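Review bot: The inverted guard is now fail-closed, but the series adds no regression test for it, and the pre-fix behaviour was the opposite of the intended one: a client without `authorize_anonymous_users` could obtain the `anonymous` scope while a client that had it set was refused. A test asserting `AuthErrorResponseCode.InvalidScope` for a client dict lacking the key, and a successful flow for one with it set to true, would pin this down; the `.get(..., False)` default already makes the missing-key case the safe one. authorization_code_flow starts before and continues past this hunk.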
@@ -172,22 +172,20 @@ async def _authorization_code_grant(self, request, from_ip):
 "grant_type": "authorization_code",
 "from_ip": from_ip})
 
+ # Client can limit the session scope to a subset of the scope granted at authorization time
+ scope = form_data.get("scope")
+
 # Generate new auth tokens
 if session.is_algorithmic():
- new_access_token = await self.SessionService.Algorithmic.serialize(session)
- access_token_expires_in = (
- session.Session.Expiration - datetime.datetime.now(datetime.timezone.utc)).total_seconds()
+ new_access_token = self.SessionService.Algorithmic.serialize(session)
+ access_token_expires_in = self.SessionService.AnonymousExpiration
 new_refresh_token, refresh_token_expires_in = None, None
 else:
 new_access_token, access_token_expires_in = await self.OpenIdConnectService.create_access_token(session)
 new_refresh_token, refresh_token_expires_in = await self.OpenIdConnectService.create_refresh_token(session)
-
- # Client can limit the session scope to a subset of the scope granted at authorization time
- scope = form_data.get("scope")
-
- # Refresh the session data
- session = await self.OpenIdConnectService.refresh_session(
- session, requested_scope=scope, expires_in=refresh_token_expires_in)
+ # Refresh the session data
+ session = await self.OpenIdConnectService.refresh_session(
+ session, requested_scope=scope, expires_in=refresh_token_expires_in)
 
 # Response
 response_payload = {
diff --git a/seacatauth/openidconnect/service.py b/seacatauth/openidconnect/service.py
index d2f695c2..767cce35 100644
--- a/seacatauth/openidconnect/service.py
+++ b/seacatauth/openidconnect/service.py
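Review bot: `scope` is now read before the branch but, if the re-added `refresh_session` call sits inside the `else` branch as the removed-and-re-added lines suggest (indentation is lost in this rendering), it is only applied to database-backed sessions; for an algorithmic session the access token is serialized from the unchanged `session`, so a client's request to narrow the scope is silently ignored rather than honoured or rejected. Either apply the requested scope to the algorithmic session before `serialize(session)`, or refuse a `scope` form field on that path with an invalid_scope token error (RFC 6749 §5.2) so the client is never told it holds a narrower token than it does. The reported `access_token_expires_in` is now `self.SessionService.AnonymousExpiration` instead of being derived from the session's own expiration; a one-line comment such as `# Self-encoded tokens carry no per-session expiration; report the configured anonymous lifetime` would make that deliberate — TODO confirm that the serialized token really has no lifetime of its own. _authorization_code_grant starts before and continues past this hunk.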
@@ -542,8 +542,7 @@ async def get_session_by_authorization_code(self, code, code_verifier: str | Non
 code_verifier=code_verifier)
 if token_data.get("sa"):
 # Session is algorithmic (self-encoded token)
- algo_token = self.StorageService.aes_decrypt(token_data["sid"])
- return await self.SessionService.Algorithmic.deserialize(algo_token.decode("ascii"))
+ return await self.SessionService.Algorithmic.deserialize(token_data["sid"])
 else:
 # Session is in the DB
 return await self.SessionService.get(token_data["sid"])
From 78b7076ee9e5ece939fb5fafa0fa9aa1cf98942c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 1 Jul 2024 17:25:24 +0200
Subject: [PATCH 3/4] update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31d7ebe4..5d870e3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 - Default password criteria are more restrictive (#372, `v24.20-alpha1`, Compatible with Seacat Auth Webui v24.19-alpha and later, Seacat Account Webui v24.08-beta and later)
 
 ### Fix
+- Fix token request for self-encoded (algorithmic) sessions (#404, `v24.20-alpha12`)
 - Fix AttributeError in credentials update (#399, `v24.20-alpha11`)
 - Catch token decoding errors when finding sessions (#397, `v24.20-alpha10`)
 - Properly encrypt cookie value in session update (#394, `v24.20-alpha8`)
From 32ca154751a3c8f988ba03825f32ef54d8b85cee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20Hru=C5=A1ka?=
Date: Mon, 1 Jul 2024 17:25:37 +0200
Subject: [PATCH 4/4] flake8
---
 seacatauth/openidconnect/handler/token.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/seacatauth/openidconnect/handler/token.py b/seacatauth/openidconnect/handler/token.py
index fb0ad6aa..53326468 100644
--- a/seacatauth/openidconnect/handler/token.py
+++ b/seacatauth/openidconnect/handler/token.py
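Review bot: With the `aes_decrypt` step removed, `token_data["sid"]` reaches `Algorithmic.deserialize` exactly as it was carried inside the authorization code, so the safety of this branch now rests on `deserialize` verifying the self-encoded token's signature itself and on the authorization code having been integrity-checked before this point; neither is visible in the hunk, so it is worth confirming and recording, e.g. `# Session is algorithmic (self-encoded token); deserialize() verifies the token signature`. It is also worth checking that a malformed or tampered `sid` on this branch raises whatever exception the caller already handles for a missing DB session, rather than surfacing as an unhandled decoding error. get_session_by_authorization_code starts before this hunk.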
@@ -1,17 +1,14 @@
 import logging
-import datetime
-
 
 import aiohttp.web
+import jwcrypto.jws
+import jwcrypto.jwt
+import json
 import asab
 import asab.web.rest
 import asab.web.rest.json
 import asab.exceptions
-import jwcrypto.jws
-import jwcrypto.jwt
-import json
-
 
 from .. import pkce
 from ..utils import TokenRequestErrorResponseCode
 from ... import exceptions, AuditLogger
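Review bot: `import json` is standard library but lands in the third-party group between `import jwcrypto.jwt` and `import asab`. Moving it up beside `import logging` keeps the stdlib / third-party / local grouping that the rest of this import block follows.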