
Merge pull request #643 from open-craft/fox/port-oauth-trust-fix
feat: Allow trusted apps to perform cookie login.
Cup0fCoffee authored Mar 12, 2024
2 parents 2846c4b + 0d98f85 commit 505fb80
Showing 2 changed files with 14 additions and 3 deletions.
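--- a/openedx/core/djangoapps/auth_exchange/tests/test_views.py
+++ b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
@@ -168,11 +168,15 @@ def _verify_response(self, access_token, expected_status_code, token_type='Beare
 if expected_cookie_name:
 assert expected_cookie_name in response.cookies
 
-def _create_dot_access_token(self, grant_type='Client credentials'):
+def _create_dot_access_token(self, grant_type='Client credentials', skip_authorization=False):
 """
 Create dot based access token
 """
-dot_application = dot_factories.ApplicationFactory(user=self.user, authorization_grant_type=grant_type)
+dot_application = dot_factories.ApplicationFactory(
+user=self.user,
+authorization_grant_type=grant_type,
+skip_authorization=skip_authorization,
+)
 return dot_factories.AccessTokenFactory(user=self.user, application=dot_application)
 
 def test_failure_with_invalid_token(self):
@@ -257,3 +261,7 @@ def test_success_with_valid_asymmetric_jwt(self):
 expected_status_code=204, expected_cookie_name='sessionid')
 
 assert int(self.client.session['_auth_user_id']) == self.user.id
+
+def test_dot_client_credentials_supported_if_authorization_skipped(self):
+access_token = self._create_dot_access_token(skip_authorization=True)
+self._verify_response(access_token, expected_status_code=204, expected_cookie_name='sessionid')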
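Review bot: The new test_dot_client_credentials_supported_if_authorization_skipped stops at the 204 and the cookie name and, unlike test_success_with_valid_asymmetric_jwt directly above it, never checks which user the created session is bound to; add `assert int(self.client.session['_auth_user_id']) == self.user.id` after the _verify_response call so the test pins that the session belongs to the token's user and not some other account. The method also has no docstring; one line such as `"""A client-credentials token from an application with skip_authorization set is accepted for cookie login."""` would state the intent the test name only hints at. A negative counterpart (the client-credentials default with skip_authorization left False still rejected) may already exist above the hunk; if it does not, it is the test that actually guards the new gate, since this one alone passes even if the gate were removed entirely.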
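--- a/openedx/core/djangoapps/auth_exchange/views.py
+++ b/openedx/core/djangoapps/auth_exchange/views.py
@@ -143,12 +143,15 @@ def _ensure_access_token_has_password_grant(request):
 else:
 token_query = dot_models.AccessToken.objects.select_related('user')
 dot_token = token_query.filter(token=request.auth).first()
+if dot_token.application.skip_authorization:
+return
 if dot_token and dot_token.application.authorization_grant_type == dot_models.Application.GRANT_PASSWORD:
 return
 
 raise AuthenticationFailed({
 'error_code': 'non_supported_token',
-'developer_message': 'Only access tokens with grant type password are supported.'
+'developer_message': 'Only access tokens with grant type password are supported, '
+'or those with authorization explicitly skipped.'
 })
 
 @staticmethod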
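Review bot: The first added line dereferences `dot_token.application.skip_authorization` before the existing `if dot_token and ...` guard on the line after it, so a token that does not match any row (`first()` returning None) now raises AttributeError, a 500, instead of the AuthenticationFailed this function is built to return; change it to `if dot_token and dot_token.application.skip_authorization:`. The function is still named _ensure_access_token_has_password_grant but now accepts a second condition, so its docstring (outside the hunk, the def line is visible only in the hunk header) should state that an application with skip_authorization set is treated as trusted for cookie login regardless of grant type, and a why-comment on the new branch, `# Applications flagged skip_authorization are trusted to create a browser session without a password grant.`, would record that decision at the check itself. Whether anything further restricts which applications may carry that flag is not visible in this hunk.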
