|
@ -47,6 +47,7 @@ class OAuthException(Exception): |
|
|
UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type' |
|
|
UNSUPPORTED_RESPONSE_TYPE = 'unsupported_response_type' |
|
|
INVALID_GRANT = 'invalid_grant' |
|
|
INVALID_GRANT = 'invalid_grant' |
|
|
UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type' |
|
|
UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type' |
|
|
|
|
|
RESTRICTED_APP = 'restricted_app' |
|
|
|
|
|
|
|
|
def __init__(self, message, type): |
|
|
def __init__(self, message, type): |
|
|
super(Exception, self).__init__(message) |
|
|
super(Exception, self).__init__(message) |
|
@ -103,6 +104,15 @@ class Main(http.Controller): |
|
|
OAuthException.INVALID_CLIENT, |
|
|
OAuthException.INVALID_CLIENT, |
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
def __validate_user(self, client, user): |
|
|
|
|
|
if not client.user_group_id: |
|
|
|
|
|
return |
|
|
|
|
|
if client.user_group_id not in user.groups_id: |
|
|
|
|
|
raise OAuthException( |
|
|
|
|
|
'User is not allowed to use this client', |
|
|
|
|
|
OAuthException.RESTRICTED_APP |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
@http.route('/.well-known/openid-configuration', auth='public', type='http') |
|
|
@http.route('/.well-known/openid-configuration', auth='public', type='http') |
|
|
def metadata(self, req, **query): |
|
|
def metadata(self, req, **query): |
|
|
base_url = http.request.httprequest.host_url |
|
|
base_url = http.request.httprequest.host_url |
|
@ -206,6 +216,7 @@ class Main(http.Controller): |
|
|
} |
|
|
} |
|
|
return self.__redirect('/web/login', params, 'query') |
|
|
return self.__redirect('/web/login', params, 'query') |
|
|
|
|
|
|
|
|
|
|
|
self.__validate_user(client, user) |
|
|
response_types = response_type.split() |
|
|
response_types = response_type.split() |
|
|
|
|
|
|
|
|
extra_claims = { |
|
|
extra_claims = { |
|
@ -355,7 +366,7 @@ class Main(http.Controller): |
|
|
'Invalid username or password', |
|
|
'Invalid username or password', |
|
|
OAuthException.INVALID_REQUEST |
|
|
OAuthException.INVALID_REQUEST |
|
|
) |
|
|
) |
|
|
|
|
|
|
|
|
|
|
|
self.__validate_user(client, req.env['res.users'].sudo().browse(user_id)) |
|
|
scopes = query['scope'].split(' ') if query.get('scope') else [] |
|
|
scopes = query['scope'].split(' ') if query.get('scope') else [] |
|
|
# Retrieve/generate access token. We currently only store one per user/client |
|
|
# Retrieve/generate access token. We currently only store one per user/client |
|
|
token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create( |
|
|
token = req.env['galicea_openid_connect.access_token'].sudo().retrieve_or_create( |
|
|