author | Tom Evans <tevans@mintel.com> | 2021-02-01 13:44:19 +0000 |
---|---|---|
committer | Asif Saif Uddin <auvipy@gmail.com> | 2021-02-12 11:31:48 +0600 |
commit | 89162b8a7a911f094674d0a77199ae226b71a656 (patch) | |
tree | 8ec5c33f35aa4f1e6183d9c199900197a48789c0 | |
parent | 637c8945f2ba1481927478db7d1fa09de43c265b (diff) | |
download | oauthlib-89162b8a7a911f094674d0a77199ae226b71a656.tar.gz |
Use request.nonce when generating hybrid id token
Like with the implicit grant, we need to override add_id_token to pass
the nonce from the current request to GrantBase.add_id_token in order
for the ID token to have the correct nonce.
Add test that the nonce is in ID token from hybrid OIDC flow.
Fixes: #746
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | oauthlib/openid/connect/core/grant_types/hybrid.py | 3 | ||||
-rw-r--r-- | tests/openid/connect/core/grant_types/test_hybrid.py | 9 |
3 files changed, 13 insertions, 0 deletions
@@ -29,3 +29,4 @@ Brendan McCollam
 Jonathan Huot
 Pieter Ennes
 Olaf Conradi
+Tom Evans
diff --git a/oauthlib/openid/connect/core/grant_types/hybrid.py b/oauthlib/openid/connect/core/grant_types/hybrid.py
index 7e118b3..7cb0758 100644
--- a/oauthlib/openid/connect/core/grant_types/hybrid.py
+++ b/oauthlib/openid/connect/core/grant_types/hybrid.py
@@ -35,6 +35,9 @@ class HybridGrant(GrantTypeBase):
 self.register_code_modifier(self.add_id_token)
 self.register_token_modifier(self.add_id_token)
+ def add_id_token(self, token, token_handler, request):
+ return super().add_id_token(token, token_handler, request, nonce=request.nonce)
+
 def openid_authorization_validator(self, request):
 """Additional validation when following the Authorization Code flow.
 """
diff --git a/tests/openid/connect/core/grant_types/test_hybrid.py b/tests/openid/connect/core/grant_types/test_hybrid.py
index fb61b04..e525f63 100644
--- a/tests/openid/connect/core/grant_types/test_hybrid.py
+++ b/tests/openid/connect/core/grant_types/test_hybrid.py
@@ -67,6 +67,15 @@ class OpenIDHybridCodeIdTokenTest(OpenIDAuthCodeTest):
 self.assertIsNone(b)
 self.assertEqual(s, 302)
+ def test_id_token_contains_nonce(self):
+ token = {}
+ self.mock_validator.get_id_token.side_effect = None
+ self.mock_validator.get_id_token.return_value = None
+ token = self.auth.add_id_token(token, None, self.request)
+ assert self.mock_validator.finalize_id_token.call_count == 1
+ claims = self.mock_validator.finalize_id_token.call_args[0][0]
+ assert "nonce" in claims
+
 class OpenIDHybridCodeIdTokenTokenTest(OpenIDAuthCodeTest): |
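Review bot: In the hybrid.py hunk, the new `add_id_token` override always takes the nonce from `request.nonce`, while the context lines just above register the same method as both a code modifier and a token modifier. If the token modifier also runs on the token-endpoint request of the code exchange (not visible in this hunk), that request would presumably not carry the nonce parameter, so the ID token issued there may lack the nonce the client sent at authorization. That is worth confirming against `GrantTypeBase.add_id_token`, and if it holds, the override should fall back to the nonce saved with the authorization code. The override also has no docstring; `"""Add an ID token that carries the nonce of the current request."""` would record why it exists. The class body continues outside the hunk.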
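Review bot: In the test_hybrid.py hunk, `test_id_token_contains_nonce` only asserts `"nonce" in claims`, so it would still pass if the claim held a wrong or empty value. The nonce is what ties the ID token to the client's authentication request, so the test should pin the value: set a constructed sample such as `self.request.nonce = "sample-nonce"` before the call and finish with `self.assertEqual(claims["nonce"], "sample-nonce")`. The bare `assert` statements also differ from the `self.assertIsNone`/`self.assertEqual` style in the context lines; `self.assertEqual(self.mock_validator.finalize_id_token.call_count, 1)` would match it. Whether the fixture already assigns a nonce to `self.request` is not visible in this hunk.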