Skip to content

Infinite redirect loop for prompt=login #187

New issue
New issue
Closed
Closed
Infinite redirect loop for prompt=login#187
Assignees
wojtek-fliposports
Labels
bug
@wojtek-fliposports

Description

@wojtek-fliposports
wojtek-fliposports
opened on Jun 2, 2017

The bug is located in: https://github.com/juanifioren/django-oidc-provider/blob/v0.5.x/oidc_provider/views.py#L83
When user is authenticated, it should be logged out when prompt not contains none value.
Basically whole prompt is not handled in proper way:
http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1

prompt
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

    `none`
        The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent. 
    `login`
        The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically `login_required`. 
    `consent`
        The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically `consent_required`. 
    `select_account`
        The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically `account_selection_required`.

The prompt parameter can be used by the Client to make sure that the End-User is still present for the current session or to bring attention to the request. If this parameter contains none with any other value, an error is returned.

I will try to fix none login and consent handling and skip select_account due is not supported right now.

Metadata

Metadata

Assignees

Labels

bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions