Merge branch 'rfc9207' into 'main'

implement rfc9207 with authlib

See merge request yaal/canaille!242

Author: azmeuk

canaille/oidc/endpoints/oauth.py

@@ -1,7 +1,6 @@
 import datetime
 import uuid
 
-from authlib.common.urls import add_params_to_uri
 from authlib.integrations.flask_oauth2 import current_token
 from authlib.jose import jwt
 from authlib.jose.errors import JoseError
@@ -151,15 +150,7 @@ def authorize_consent(client, user):
         )
 
         if client_has_user_consent:
-            response = authorization.create_authorization_response(grant_user=user)
-
-            # Manually implement RFC9207 until this is implemented upstream in authlib
-            # https://github.com/lepture/authlib/pull/700
-            response.location = add_params_to_uri(
-                response.location, {"iss": get_issuer()}
-            )
-
-            return response
+            return authorization.create_authorization_response(grant_user=user)
 
         elif request.args.get("prompt") == "none":
             response = {
@@ -172,9 +163,8 @@ def authorize_consent(client, user):
         try:
             grant = authorization.get_consent_grant(end_user=user)
         except OAuth2Error as error:
-            response = {**dict(error.get_body()), "iss": get_issuer()}
-            current_app.logger.debug("authorization endpoint response: %s", response)
-            return jsonify(response)
+            current_app.logger.debug("authorization endpoint response: %s", error)
+            return {**dict(error.get_body()), "iss": get_issuer()}, error.status_code
 
         form = AuthorizeForm(request.form or None)
         return render_template(
@@ -219,10 +209,6 @@ def authorize_consent(client, user):
 
     response = authorization.create_authorization_response(grant_user=grant_user)
 
-    # Manually implement RFC9207 until this is implemented upstream in authlib
-    # https://github.com/lepture/authlib/pull/700
-    response.location = add_params_to_uri(response.location, {"iss": get_issuer()})
-
     current_app.logger.debug("authorization endpoint response: %s", response.location)
     return response
 

canaille/oidc/oauth.py

@@ -28,6 +28,7 @@
 from authlib.oauth2.rfc7636 import CodeChallenge as _CodeChallenge
 from authlib.oauth2.rfc7662 import IntrospectionEndpoint as _IntrospectionEndpoint
 from authlib.oauth2.rfc8414 import AuthorizationServerMetadata
+from authlib.oauth2.rfc9207.parameter import IssuerParameter as _IssuerParameter
 from authlib.oidc.core import UserInfo
 from authlib.oidc.core.grants import OpenIDCode as _OpenIDCode
 from authlib.oidc.core.grants import OpenIDHybridGrant as _OpenIDHybridGrant
@@ -629,6 +630,11 @@ def get_authorization_code_challenge_method(self, authorization_code):
         return authorization_code.challenge_method
 
 
+class IssuerParameter(_IssuerParameter):
+    def get_issuer(self) -> str:
+        return get_issuer()
+
+
 authorization = AuthorizationServer()
 require_oauth = ResourceProtector()
 
@@ -677,6 +683,7 @@ def setup_oauth(app):
     authorization.register_grant(
         AuthorizationCodeGrant,
         [
+            IssuerParameter(),
             OpenIDCode(require_nonce=app.config["CANAILLE_OIDC"]["REQUIRE_NONCE"]),
             CodeChallenge(required=True),
         ],

tests/oidc/test_authorization_code_flow.py

@@ -617,7 +617,7 @@ def test_nonce_required_in_oidc_requests(testclient, logged_user, client):
             scope="openid profile",
             redirect_uri="https://client.test/redirect1",
         ),
-        status=200,
+        status=400,
     )
 
     assert res.json.get("error") == "invalid_request"