Commit d1f22fab authored by Lukas Burgey

Add bruteforce idp detection

parent f7d16cfa
......@@ -29,6 +29,21 @@ class OIDCTokenAuthBackend:
return user_info
# no issuer -> try all idps :/
def get_userinfo_bruteforce(self, access_token):
for oidc_client in OIDCConfig.objects.filter(enabled=true):
try:
return oidc_client, self.get_userinfo(
oidc_client,
access_token,
)
except HTTPError as exception:
pass
raise OIDCConfig.DoesNotExist('Unable to determine IdP')
# raises OIDCConfig.DoesNotExist if no idp can be determined
def get_idp(self, request):
# OPTION 1: issuer set in the 'X-Issuer' header
......@@ -81,22 +96,33 @@ class OIDCTokenAuthBackend:
from feudal.backend.models.users import User
idp = None
userinfo = None
# DETERMINE idp AND userinfo
try:
idp = self.get_idp(request)
except OIDCConfig.DoesNotExist:
request.session['auth_error'] = 'Unable to determine IdP'
return None
# get the user info from the idp
try:
# get the user info from the idp
userinfo = self.get_userinfo(
idp,
access_token,
)
except HTTPError as exception:
except OIDCConfig.DoesNotExist: # from get_idp
# Idp was not provided in param / session / JWT -> just try all of them
try:
idp, userinfo = self.get_userinfo_bruteforce(access_token)
except OIDCConfig.DoesNotExist:
request.session['auth_error'] = 'Unable to determine IdP'
return None
except HTTPError as exception: # from get_userinfo
request.session['auth_error'] = 'HTTP when retrieving user info: {}'.format(exception)
return None
# idp and userinfo are set correctly below this point
try:
user = User.get_user(
userinfo,
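Review bot: `OIDCConfig.objects.filter(enabled=true)` in get_userinfo_bruteforce spells the boolean in lowercase, which is not a Python name, so the new fallback raises NameError the first time get_idp falls through and the second hunk's `except OIDCConfig.DoesNotExist: # from get_idp` branch can never succeed; the line should read `for oidc_client in OIDCConfig.objects.filter(enabled=True):`. Beyond that, the loop presents the caller's bearer token to every enabled provider until one accepts it, so a token issued by one IdP is disclosed to all the others and the first userinfo endpoint that answers 200 decides which identity the request gets; that is only sound if every enabled OIDCConfig is equally trusted, and a comment above the method should say so, e.g. `# NOTE: the token is sent to every enabled IdP; all of them must be trusted with it`. The `except HTTPError as exception: pass` inside the loop binds a name it never uses and hides why each provider rejected the token, so `except HTTPError: continue` with a debug-level log of the rejecting provider would keep the fallback debuggable. Because this path runs for any unauthenticated request that carries no issuer hint, it also multiplies outbound userinfo calls by the number of enabled providers, which is worth a cap or rate limit on the caller.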
......