Browse Source

[FIX] add openid connect debug

13.0
Nicolas JEUDY 5 years ago
parent
commit
67338a9c19
  1. 6
      galicea_openid_connect/controllers/ext_web_login.py
  2. 40
      galicea_openid_connect/controllers/main.py
  3. 2
      galicea_openid_connect/models/client.py
  4. 6
      galicea_openid_connect/models/config_parameter.py

6
galicea_openid_connect/controllers/ext_web_login.py

@ -1,15 +1,21 @@
import logging
import time
from odoo import http
from odoo.addons import web
_logger = logging.getLogger(__name__)
class Home(web.controllers.main.Home):
@http.route("/web/login", type="http", auth="none")
def web_login(self, redirect=None, **kw):
_logger.debug("#### OPENID (0)")
result = super(Home, self).web_login(redirect, **kw)
_logger.debug("#### OPENID (1): %s" % result)
if result.is_qweb and "force_auth_and_redirect" in kw:
result.qcontext["redirect"] = kw["force_auth_and_redirect"]
if http.request.params.get("login_success"):
http.request.session["auth_time"] = int(time.time())
_logger.debug("#### OPENID (2): %s" % http.request.session)
return result

40
galicea_openid_connect/controllers/main.py

@ -1,3 +1,4 @@
import logging
import json
import time
import os
@ -15,6 +16,8 @@ try:
except ImportError:
pass
_logger = logging.getLogger(__name__)
def jwk_from_json(json_key):
key = jwk.JWK()
@ -80,15 +83,20 @@ class Main(http.Controller):
raise OAuthException(
"client_id param is invalid", OAuthException.INVALID_CLIENT,
)
_logger.debug("#### openid client: %s" % client)
return client
def __validate_redirect_uri(self, client, req, **query):
_logger.debug("#### openid client: %s" % query)
if "redirect_uri" not in query:
raise OAuthException(
"redirect_uri param is missing", OAuthException.INVALID_GRANT,
)
redirect_uri = query["redirect_uri"]
_logger.debug(
"#### openid client: %s (%s)" % (client.auth_redirect_uri, redirect_uri)
)
if client.auth_redirect_uri != redirect_uri:
raise OAuthException(
"redirect_uri param doesn't match the pre-configured redirect URI",
@ -99,6 +107,9 @@ class Main(http.Controller):
def __validate_client_secret(self, client, req, **query):
if "client_secret" not in query or query["client_secret"] != client.secret:
_logger.debug(
"#### openid client: %s (%s)" % (query["client_secret"], client.secret)
)
raise OAuthException(
"client_secret param is not valid", OAuthException.INVALID_CLIENT,
)
@ -143,6 +154,7 @@ class Main(http.Controller):
}
if user.email:
values["email"] = user.email
_logger.debug("#### OPENID (3): %s" % values)
return values
@resource("/oauth/clientinfo", method="GET", auth="client")
@ -155,12 +167,14 @@ class Main(http.Controller):
@http.route("/oauth/authorize", auth="public", type="http", csrf=False)
def authorize(self, req, **query):
# First, validate client_id and redirect_uri params.
_logger.debug("#### OPENID (auth)")
try:
client = self.__validate_client(req, **query)
redirect_uri = self.__validate_redirect_uri(client, req, **query)
except OAuthException as e:
# If those are not valid, we must not redirect back to the client
# - instead, we display a message to the user
_logger.debug("#### OPENID (4): %s" % e)
return req.render("galicea_openid_connect.error", {"exception": e})
scopes = query["scope"].split(" ") if query.get("scope") else []
@ -174,6 +188,7 @@ class Main(http.Controller):
response_mode = query.get("response_mode")
try:
if response_mode and response_mode not in ["query", "fragment"]:
_logger.debug("#### OPENID (auth 1)")
response_mode = None
raise OAuthException(
"The only supported response_modes are 'query' and 'fragment'",
@ -181,11 +196,13 @@ class Main(http.Controller):
)
if "response_type" not in query:
_logger.debug("#### OPENID (auth 2)")
raise OAuthException(
"response_type param is missing", OAuthException.INVALID_REQUEST,
)
response_type = query["response_type"]
if response_type not in RESPONSE_TYPES_SUPPORTED:
_logger.debug("#### OPENID (auth 3)")
raise OAuthException(
"The only supported response_types are: {}".format(
", ".join(RESPONSE_TYPES_SUPPORTED)
@ -193,12 +210,14 @@ class Main(http.Controller):
OAuthException.UNSUPPORTED_RESPONSE_TYPE,
)
except OAuthException as e:
_logger.debug("#### OPENID (5): %s" % e)
response_params["error"] = e.type
response_params["error_description"] = e.message
response_params["error_description"] = e
return self.__redirect(
redirect_uri, response_params, response_mode or "query"
)
_logger.debug("#### OPENID (auth 4)")
if not response_mode:
response_mode = "query" if response_type == "code" else "fragment"
@ -218,6 +237,7 @@ class Main(http.Controller):
werkzeug.url_encode(query)
)
}
_logger.debug("#### OPENID (auth 4.2): %s" % params)
return self.__redirect("/web/login", params, "query")
response_types = response_type.split()
@ -261,7 +281,14 @@ class Main(http.Controller):
response_params["id_token"] = self.__create_id_token(
req, user.id, client, extra_claims
)
_logger.debug(
"#### OPENID (6): %s, %s, %s"
% (redirect_uri, response_params, response_mode)
)
_logger.debug(
"#### OPENID (6.1): %s"
% self.__redirect(redirect_uri, response_params, response_mode)
)
return self.__redirect(redirect_uri, response_params, response_mode)
@http.route(
@ -281,6 +308,7 @@ class Main(http.Controller):
return http.Response(status=200, headers=cors_headers)
try:
_logger.debug("#### OPENID (7): %s" % query)
if "grant_type" not in query:
raise OAuthException(
"grant_type param is missing", OAuthException.INVALID_REQUEST,
@ -306,7 +334,7 @@ class Main(http.Controller):
OAuthException.UNSUPPORTED_GRANT_TYPE,
)
except OAuthException as e:
body = json.dumps({"error": e.type, "error_description": e.message})
body = json.dumps({"error": e.type, "error_description": e})
return werkzeug.Response(response=body, status=400, headers=cors_headers)
def __handle_grant_type_authorization_code(self, req, **query):
@ -320,20 +348,25 @@ class Main(http.Controller):
)
try:
payload = jwt_decode(query["code"], self.__get_authorization_code_jwk(req))
_logger.debug("#### OPENID (8): %s" % payload)
except jwt.JWTExpired:
_logger.debug("#### OPENID (9): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"Code expired", OAuthException.INVALID_GRANT,
)
except ValueError:
_logger.debug("#### OPENID (10): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"code malformed", OAuthException.INVALID_GRANT,
)
if payload["client_id"] != client.client_id:
_logger.debug("#### OPENID (11): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"client_id doesn't match the authorization request",
OAuthException.INVALID_GRANT,
)
if payload["redirect_uri"] != redirect_uri:
_logger.debug("#### OPENID (12): %s" % OAuthException.INVALID_GRANT)
raise OAuthException(
"redirect_uri doesn't match the authorization request",
OAuthException.INVALID_GRANT,
@ -353,6 +386,7 @@ class Main(http.Controller):
response["id_token"] = self.__create_id_token(
req, payload["user_id"], client, extra_claims
)
_logger.debug("#### OPENID (12): %s" % response)
return response
def __handle_grant_type_password(self, req, **query):

2
galicea_openid_connect/models/client.py

@ -50,7 +50,7 @@ class Client(models.Model):
}
)
# Do not include in the "Pending invitations" list
system_user.sudo(system_user.id)._update_last_login()
system_user.with_user(system_user.id)._update_last_login()
values["system_user_id"] = system_user.id
return super(Client, self).create(values)

6
galicea_openid_connect/models/config_parameter.py

@ -32,9 +32,5 @@ class ConfigParameter(models.Model):
for key, gen in iter(keys.items()):
if not self.search([("key", "=", key)]):
self.create(
{
"key": key,
"value": gen(),
"group_ids": [(4, self.env.ref("base.group_erp_manager").id)],
}
{"key": key, "value": gen(),}
)
Loading…
Cancel
Save