feat: Allow trusted apps to perform cookie login.

open-craft · Dec 18, 2023 · d9b5f81 · d9b5f81
1 parent 1c6d7b2
commit d9b5f81
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/openedx/core/djangoapps/auth_exchange/tests/test_views.py b/openedx/core/djangoapps/auth_exchange/tests/test_views.py
@@ -168,11 +168,15 @@ def _verify_response(self, access_token, expected_status_code, token_type='Beare
         if expected_cookie_name:
             assert expected_cookie_name in response.cookies
 
-    def _create_dot_access_token(self, grant_type='Client credentials'):
+    def _create_dot_access_token(self, grant_type='Client credentials', skip_authorization=False):
         """
         Create dot based access token
         """
-        dot_application = dot_factories.ApplicationFactory(user=self.user, authorization_grant_type=grant_type)
+        dot_application = dot_factories.ApplicationFactory(
+            user=self.user,
+            authorization_grant_type=grant_type,
+            skip_authorization=skip_authorization,
+        )
         return dot_factories.AccessTokenFactory(user=self.user, application=dot_application)
 
     def test_failure_with_invalid_token(self):
@@ -257,3 +261,7 @@ def test_success_with_valid_asymmetric_jwt(self):
                               expected_status_code=204, expected_cookie_name='sessionid')
 
         assert int(self.client.session['_auth_user_id']) == self.user.id
+
+    def test_dot_client_credentials_supported_if_authorization_skipped(self):
+        access_token = self._create_dot_access_token(skip_authorization=True)
+        self._verify_response(access_token, expected_status_code=204, expected_cookie_name='sessionid')
diff --git a/openedx/core/djangoapps/auth_exchange/views.py b/openedx/core/djangoapps/auth_exchange/views.py
@@ -143,12 +143,15 @@ def _ensure_access_token_has_password_grant(request):
         else:
             token_query = dot_models.AccessToken.objects.select_related('user')
             dot_token = token_query.filter(token=request.auth).first()
+            if dot_token.application.skip_authorization:
+                return
             if dot_token and dot_token.application.authorization_grant_type == dot_models.Application.GRANT_PASSWORD:
                 return
 
         raise AuthenticationFailed({
             'error_code': 'non_supported_token',
-            'developer_message': 'Only access tokens with grant type password are supported.'
+            'developer_message': 'Only access tokens with grant type password are supported, '
+                                 'or those with authorization explicitly skipped.'
         })
 
     @staticmethod