Form post response ContentType MUST be set to "text/html".

rohe · rohe · commit 4511cd109213 · 2020-01-13T11:02:34.000+01:00
response_placement is useful higher up.
diff --git a/src/oidcendpoint/endpoint.py b/src/oidcendpoint/endpoint.py
@@ -45,12 +45,15 @@
     ('Pragma', 'no-cache'), 
     ('Cache-Control', 'no-store')
   ],
-  'cookie': _list of cookies_
+  'cookie': _list of cookies_,
+  'response_placement': 'body'
 }
 
 "response" MUST be present
 "http_headers" MAY be present
 "cookie": MAY be present 
+"response_placement": If absent defaults the endpoints response_placement parameter value
+    or if that is also missing 'url'
 """
 
 
@@ -341,7 +344,7 @@ def do_response(self, response_args=None, request=None, error="", **kwargs):
         do_placement = True
         content_type = "text/html"
         _resp = {}
-
+        _response_placement = None
         if response_args is None:
             response_args = {}
 
@@ -354,6 +357,7 @@ def do_response(self, response_args=None, request=None, error="", **kwargs):
                 pass
         elif "response_msg" in kwargs:
             resp = kwargs["response_msg"]
+            _response_placement = kwargs.get('response_placement')
             do_placement = False
             _response = ""
             content_type = kwargs.get('content_type')
@@ -408,6 +412,9 @@ def do_response(self, response_args=None, request=None, error="", **kwargs):
             except KeyError:
                 http_headers = []
 
+        if _response_placement:
+            _resp["response_placement"] = _response_placement
+
         http_headers.extend(OAUTH2_NOCACHE_HEADERS)
 
         _resp.update({"response": resp, "http_headers": http_headers})
diff --git a/src/oidcendpoint/oauth2/authorization.py b/src/oidcendpoint/oauth2/authorization.py
@@ -394,7 +394,11 @@ def response_mode(self, request, **kwargs):
                 inputs=inputs(kwargs["response_args"].to_dict()),
                 action=kwargs["return_uri"],
             )
-            kwargs["response_msg"] = msg
+            kwargs.update({
+                "response_msg": msg,
+                "content_type": 'text/html',
+                "response_placement": "body"
+            })
         elif resp_mode == "fragment":
             if "fragment_enc" in kwargs:
                 if not kwargs["fragment_enc"]:
diff --git a/src/oidcendpoint/oidc/authorization.py b/src/oidcendpoint/oidc/authorization.py
@@ -419,11 +419,11 @@ def setup_auth(self, request, redirect_uri, cinfo, cookie, acr=None, **kwargs):
                 if "req_user" in kwargs:
                     sids = self.endpoint_context.sdb.get_sids_by_sub(kwargs["req_user"])
                     if (
-                        sids
-                        and user
-                        != self.endpoint_context.sdb.get_authentication_event(
-                            sids[-1]
-                        ).uid
+                            sids
+                            and user
+                            != self.endpoint_context.sdb.get_authentication_event(
+                        sids[-1]
+                    ).uid
                     ):
                         logger.debug("Wanted to be someone else!")
                         if "prompt" in request and "none" in request["prompt"]:
@@ -457,8 +457,10 @@ def response_mode(self, request, **kwargs):
                 inputs=inputs(kwargs["response_args"].to_dict()),
                 action=kwargs["return_uri"],
             )
-            kwargs["response_msg"] = msg
-            kwargs["content_type"] = 'text/html'
+            kwargs.update({
+                "response_msg": msg,
+                "content_type": 'text/html',
+                "response_placement": "body"})
         elif resp_mode == "fragment":
             if "fragment_enc" in kwargs:
                 if not kwargs["fragment_enc"]:
diff --git a/tests/test_24_oauth2_authorization_endpoint.py b/tests/test_24_oauth2_authorization_endpoint.py
@@ -541,7 +541,8 @@ def test_response_mode_form_post(self):
             "return_uri": "https://example.com/cb",
         }
         info = self.endpoint.response_mode(request, **info)
-        assert set(info.keys()) == {"response_args", "return_uri", "response_msg"}
+        assert set(info.keys()) == {"response_args", "return_uri", "response_msg",
+                                    "content_type", "response_placement"}
         assert info["response_msg"] == FORM_POST.format(
             action="https://example.com/cb",
             inputs='<input type="hidden" name="foo" value="bar"/>',
diff --git a/tests/test_24_oidc_authorization_endpoint.py b/tests/test_24_oidc_authorization_endpoint.py
@@ -723,7 +723,8 @@ def test_response_mode_form_post(self):
             "return_uri": "https://example.com/cb",
         }
         info = self.endpoint.response_mode(request, **info)
-        assert set(info.keys()) == {"response_args", "return_uri", "response_msg", "content_type"}
+        assert set(info.keys()) == {"response_args", "return_uri", "response_msg",
+                                    "content_type", "response_placement"}
         assert info["response_msg"] == FORM_POST.format(
             action="https://example.com/cb",
             inputs='<input type="hidden" name="foo" value="bar"/>',
@@ -736,6 +737,7 @@ def test_do_response_code_form_post(self):
         _resp = self.endpoint.process_request(_pr_resp)
         msg = self.endpoint.do_response(**_resp)
         assert ('Content-type', 'text/html') in msg["http_headers"]
+        assert "response_placement" in msg
 
     def test_response_mode_fragment(self):
         request = {"response_mode": "fragment"}
