mirror of
https://github.com/langgenius/dify.git
synced 2026-05-13 08:57:28 +08:00
The four EE-only SSO handlers (sso_initiate, sso_complete, approval_context, approve_external) move from controllers/oauth_device_sso.py to controllers/openapi/oauth_device/. Each is registered on openapi_bp via @bp.route at the canonical path:

    /openapi/v1/oauth/device/sso-initiate
    /openapi/v1/oauth/device/sso-complete
    /openapi/v1/oauth/device/approval-context
    /openapi/v1/oauth/device/approve-external

sso-complete moves under /oauth/device/ from its previous orphan path /v1/device/sso-complete; the IdP-side ACS callback URL hardcoded in sso_initiate now points to the canonical path. Operators must re-register the ACS callback with each IdP before Phase F deletes the legacy alias.

oauth_device_sso.py shrinks to a thin re-mount file: same legacy bp with attach_anti_framing applied, four bp.add_url_rule() calls binding the legacy paths to the imported view functions. Same handler runs for both mounts — no duplicated logic.

attach_anti_framing(openapi_bp) added in controllers/openapi/__init__.py so X-Frame-Options + frame-ancestors CSP cover the canonical paths too.

Plan: docs/superpowers/plans/2026-04-26-openapi-migration.md (in difyctl repo).

| | | |
|---|---|---|
| commands | ||
| configs | ||
| controllers | ||
| core | ||
| enterprise/telemetry | ||
| events | ||
| extensions | ||
| factories | ||
| fields | ||
| libs | ||
| models | ||
| oss | ||
| repositories | ||
| services | ||
| tasks | ||
| tools | ||
| utils | ||
| __init__.py | ||
| .gitignore | ||
| conftest.py | ||