scottk/Mailu-OIDC
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/Mailu-OIDC.git synced 2025-11-01 10:37:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'oidc' into 2024.06

Browse Source
This commit is contained in:
Encotric
2025-03-16 21:22:24 +01:00
parent 2459fa1e10 9ed141c761
commit 7a4f085c97
1 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
core/admin/mailu/oidc.py
View File

@@ -26,6 +26,7 @@ from oic.oic.message import (
UserInfoErrorResponse, UserInfoErrorResponse,
) )
from oic.oauth2.grant import Token from oic.oauth2.grant import Token
from urllib.parse import urlparse
# [OIDC] Client class # [OIDC] Client class
class OicClient: class OicClient:
@@ -38,7 +39,7 @@ class OicClient:
registration_response: Optional[RegistrationResponse] = None registration_response: Optional[RegistrationResponse] = None
enable_change_password_redirect: bool = True enable_change_password_redirect: bool = True
change_password_url: Optional[str] = None change_password_url: Optional[str] = None
redirect_url: Optional[str] = None allowed_hostnames: list[str] = []
def receive_provider_info(self): def receive_provider_info(self):
self.app.logger.info("[OIDC] Getting provider config..") self.app.logger.info("[OIDC] Getting provider config..")
@@ -49,15 +50,15 @@ class OicClient:
self.change_password_url = self.app.config["OIDC_CHANGE_PASSWORD_REDIRECT_URL"] or ( self.change_password_url = self.app.config["OIDC_CHANGE_PASSWORD_REDIRECT_URL"] or (
self.client.issuer + "/.well-known/change-password" self.client.issuer + "/.well-known/change-password"
) )
self.redirect_url = self.app.config["OIDC_REDIRECT_URL"] or (
"https://" + self.app.config["HOSTNAME"]
)
redirect_uris = [f"{hostname}/sso/login" for hostname in self.allowed_hostnames]
client_reg = RegistrationResponse( client_reg = RegistrationResponse(
client_id=self.app.config["OIDC_CLIENT_ID"], client_id=self.app.config["OIDC_CLIENT_ID"],
client_secret=self.app.config["OIDC_CLIENT_SECRET"], client_secret=self.app.config["OIDC_CLIENT_SECRET"],
redirect_uris=[f"{self.redirect_url}/sso/login"], redirect_uris=redirect_uris,
) )
self.client.store_registration_info(client_reg) self.client.store_registration_info(client_reg)
self.extension_client.store_registration_info(client_reg) self.extension_client.store_registration_info(client_reg)
@@ -71,6 +72,7 @@ class OicClient:
"""Initialize OIDC client""" """Initialize OIDC client"""
self.app = app self.app = app
self.allowed_hostnames = [host.strip() for host in self.app.config['HOSTNAMES'].split(',')]
settings = OicClientSettings(verify_ssl=app.config["OIDC_VERIFY_SSL"]) settings = OicClientSettings(verify_ssl=app.config["OIDC_VERIFY_SSL"])
@@ -94,12 +96,19 @@ class OicClient:
flask.session["state"] = rndstr() flask.session["state"] = rndstr()
flask.session["nonce"] = rndstr() flask.session["nonce"] = rndstr()
redirect_uri = flask.request.host_url + "sso/login"
if self.app.config["OIDC_REDIRECT_URL"]:
redirect_uri = self.app.config["OIDC_REDIRECT_URL"]
elif flask.request.host not in self.allowed_hostnames:
return None
args = { args = {
"client_id": self.client.client_id, "client_id": self.client.client_id,
"response_type": ["code"], "response_type": ["code"],
"scope": ["openid", "email"], "scope": ["openid", "email"],
"nonce": flask.session["nonce"], "nonce": flask.session["nonce"],
"redirect_uri": self.redirect_url + "/sso/login", "redirect_uri": redirect_uri,
"state": flask.session["state"], "state": flask.session["state"],
} }