From e3e992ea5d429d9f1afd7ce2ce2fbedfaa361c07 Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Mon, 15 Nov 2021 19:36:28 +0100
Subject: [PATCH 01/11] latest rohe's OIDC certification improvements and FAPI
 OP example project

---
 .gitignore                                    |   1 +
 ...ication-mark-l-rgb-150dpi-90mm-300x157.png | Bin 0 -> 17881 bytes
 docs/source/conf.py                           |   2 +-
 docs/source/contents/clients.rst              |  75 ++++
 docs/source/contents/conf.rst                 |   4 +-
 docs/source/contents/session_management.rst   |   2 +-
 docs/source/index.rst                         |  10 +
 example/fastapi.tgz                           | Bin 0 -> 2901 bytes
 example/fastapi/__init__.py                   |   0
 example/fastapi/config.json                   | 330 ++++++++++++++
 example/fastapi/main.py                       |  64 +++
 example/fastapi/models.py                     |  31 ++
 .../chpy => example/fastapi}/passwd.json      |   0
 .../chpy => example/fastapi}/users.json       |   0
 example/fastapi/utils.py                      | 136 ++++++
 example/flask_op/config.json                  |  15 +
 example/flask_op/config_cdb.json              | 332 ++++++++++++++
 example/flask_op/config_martin.yaml           | 309 +++++++++++++
 example/flask_op/sram_passwd.json             |   5 +
 example/flask_op/sram_users.json              |  42 ++
 example/flask_op/templates.tgz                | Bin 0 -> 15872 bytes
 example/flask_op/views.py                     |   4 +-
 example/flask_op/yaml_to_json.py              |  11 +
 pyproject.toml                                |   2 +-
 setup.py                                      |   2 +-
 src/oidcop/__init__.py                        |   2 +-
 src/oidcop/authn_event.py                     |   8 +-
 src/oidcop/endpoint.py                        |  14 +-
 src/oidcop/endpoint_context.py                |  33 +-
 src/oidcop/oauth2/authorization.py            |  95 ++--
 src/oidcop/oauth2/token.py                    |   4 +-
 src/oidcop/oidc/add_on/custom_scopes.py       |   2 +-
 src/oidcop/oidc/registration.py               |  72 +--
 src/oidcop/oidc/session.py                    |  72 ++-
 src/oidcop/scopes.py                          |   3 +
 src/oidcop/session/claims.py                  | 108 +++--
 src/oidcop/session/grant.py                   |  47 +-
 src/oidcop/session/manager.py                 |  11 +
 src/oidcop/session/token.py                   |  54 ++-
 src/oidcop/token/__init__.py                  |   6 +-
 src/oidcop/token/id_token.py                  |   4 +-
 src/oidcop/user_authn/user.py                 |  27 +-
 tests/donot_test_49_session_persistence.py    | 227 ++++++++++
 tests/logging_config.json                     |  31 ++
 tests/test_00_server.py                       |   3 +-
 tests/test_01_claims.py                       | 150 ++++---
 tests/test_01_session_token.py                |   4 +-
 tests/test_04_token_handler.py                |   5 +-
 tests/test_05_id_token.py                     |  19 +-
 tests/test_05_jwt_token.py                    |   6 +-
 tests/test_06_authn_context.py                |   6 +-
 tests/test_06_session_manager.py              |  92 +++-
 tests/test_08_session_life.py                 |  18 +-
 tests/test_100_temp.py                        | 422 ++++++++++++++++++
 tests/test_12_user_authn.py                   |   6 +-
 tests/test_23_oidc_registration_endpoint.py   |  16 +-
 .../test_24_oauth2_authorization_endpoint.py  |   9 +-
 tests/test_24_oidc_authorization_endpoint.py  | 160 ++++---
 tests/test_26_oidc_userinfo_endpoint.py       |  12 +-
 tests/test_30_oidc_end_session.py             |  65 ++-
 tests/test_31_oauth2_introspection.py         |   3 +-
 tests/test_32_oidc_read_registration.py       |   5 +-
 tests/test_33_oauth2_pkce.py                  |   3 +-
 tests/test_34_oidc_sso.py                     |  15 +-
 unsupported/chpy/certs/cert.pem               |  31 --
 unsupported/chpy/certs/key.pem                |  52 ---
 unsupported/chpy/conf.py                      | 143 ------
 unsupported/chpy/provider.py                  | 182 --------
 unsupported/chpy/seed.txt                     |   1 -
 unsupported/chpy/server.py                    | 117 -----
 70 files changed, 2808 insertions(+), 934 deletions(-)
 create mode 100644 docs/source/_images/oid-l-certification-mark-l-rgb-150dpi-90mm-300x157.png
 create mode 100644 docs/source/contents/clients.rst
 create mode 100644 example/fastapi.tgz
 create mode 100644 example/fastapi/__init__.py
 create mode 100644 example/fastapi/config.json
 create mode 100644 example/fastapi/main.py
 create mode 100644 example/fastapi/models.py
 rename {unsupported/chpy => example/fastapi}/passwd.json (100%)
 rename {unsupported/chpy => example/fastapi}/users.json (100%)
 create mode 100644 example/fastapi/utils.py
 create mode 100644 example/flask_op/config_cdb.json
 create mode 100644 example/flask_op/config_martin.yaml
 create mode 100644 example/flask_op/sram_passwd.json
 create mode 100644 example/flask_op/sram_users.json
 create mode 100644 example/flask_op/templates.tgz
 create mode 100755 example/flask_op/yaml_to_json.py
 create mode 100644 tests/donot_test_49_session_persistence.py
 create mode 100644 tests/logging_config.json
 create mode 100644 tests/test_100_temp.py
 delete mode 100644 unsupported/chpy/certs/cert.pem
 delete mode 100644 unsupported/chpy/certs/key.pem
 delete mode 100644 unsupported/chpy/conf.py
 delete mode 100644 unsupported/chpy/provider.py
 delete mode 100644 unsupported/chpy/seed.txt
 delete mode 100644 unsupported/chpy/server.py

diff --git a/.gitignore b/.gitignore
index 831dbd0f..d2508374 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ conf.yaml
 flask_op/debug.log
 flask_op/static/
 debug.log
+.pytest_cache/
 # Created by .ignore support plugin (hsz.mobi)
 ### Python template
 # Byte-compiled / optimized / DLL files
diff --git a/docs/source/_images/oid-l-certification-mark-l-rgb-150dpi-90mm-300x157.png b/docs/source/_images/oid-l-certification-mark-l-rgb-150dpi-90mm-300x157.png
new file mode 100644
index 0000000000000000000000000000000000000000..f226aa8c069b0978c5bf9f7d73bc081d0d4278b1
GIT binary patch
literal 17881
zcmXtgWmsEXur*GB;_k(ZLvb%&C=S7$;_fb`xVIGdVkJOvcc-`%hv05OLa@Nid++!C
zNS=Lmo}8IIXU@#pYn>!kLroDIlL8X~0Rda-lbjX;0wM=|oc9I|{*IF?kB@-x4navy
zTE{Q<yelxbR1t6qGwBFq<{S7z#%w|0NgjnK^A_LoEj}ZX2fp0hsH(IE*hBa?nFP&k
z;jie7>8D3vbjCM4>7h0JpE)rzlx=7Uh)jbByis^R$fD??EIwqZMEy1HfCjwkdmBK+
zr$JrNiwh;+!-u{SXvp2ozZzgZ5a3vC2w>_mRmac($VIU2c)xZ4C3L%bvK8hVZi<dU
zqonxrPGbYL^>25blpTL~p>0T+!MISMq?fh)mEMNVSOXwWZAu4!J(kPgLA}oN+XJaz
z#n7z9L;n1Dd%C`mAb`;+y_7v?N1*XyNa(9Ai3YHN4EckkAzDK`eKR`fs_Ux99JZh`
zFSOFle@WSM`oG<r{q;yLYkl_qn4mrT5b67Rb!@CDj#<Z(a2n>C-v)Gf>ZDD<^1j0l
z8_7`V=P;|_qbe#d;MCcFQ~G~0^Iy~d8?}bw6IV`IsynvW&HftFDuP%v+09z6FtF)X
z_d395;`+Q!y<Fh~WodK;+*J5TKK==d-m)PASBLX-hImaBNgc_>DD>fv*g<fid^`!1
zQfC2W5m|LWG-#+f@wcSWwg(_soPNk~3~r8tdr%;0J_PZ~VR*a633*#*<`8(I9zQCN
zM5%*f&q53L>`r50;nGX$HoZZN-a`}|w8cW)Hps0+V4kKY9Z$keqgj`2I(e{F#6AV0
zALV}ksFiYqN~i&-+F^tH4S1Io0rgc#M~bcyev*kSP<UXC;It!ArjX<wI`IB);f5+T
z=}Cb{aSi3DZAAA<Glxh<@+Aj3aq^sk<i$-GMveMYF)(l9tOyS-FdaaG*t3L^pGdbM
zJ1wFS32DymeKXujo5g~iJ`$yhzVyE=IqArEnLFsY^UB|-j2`w~XDyqo03sU#b{Yl^
z9-FBjh@pbMPa~VIA};V4{{FN!e$UNLZhHUQ<m19vnX*pjkB1E0(pK6JYw)<%rT94N
zb28I?*=Cr!=94ayj;nyp2YLQ$Hf*%3d#(f0Z=|k!UoWleVM}c#p%^hCb;!prBrUWV
zeal`mna!RoPn)i$t(1>X`vz!;`ZGf?5K;Kf+oCEP*G1fY#Sw0w-hAN=N35C;85wX3
zHLb0Yzpe5APCa%vP~XcQs~vveqMogz8uI`V{V!O}@B1lqvE)i-LqUv5z$?T5=DI(9
z_I%D*K&=p2zTv(I{4Y5yhs+l^CY6{AwKJpA#$KBPRCY)>b-Crf2vC<$@UvB%b!|m_
zZzq>|T|24x2LD7zcOgXI9jaj@Mb=`O!q1>jtg;HOfalIQA+SAQk$^cSMOQpJGqQ2G
z_LoJZKGY{L3;wM)x@l3UfS$BM>30Id)}?{}c}`FZOh1r2R{~tc=cLk(n<TGIR3-gr
zv8#Keqi1(auU$Iz=Am2DT$ulQBliUv%)9Xb^r}}N*Gv1RC~zT;X_15WWAFqL;P~|t
z3wNUo7${d#0}RGL_U+gp)EtE8>)XD1A&kH-5DB0QuNCj!bW3~-34etsNJ}q%biu#J
z3IkMmmcxdV7xQG^CKf(nSP85l{$9SuSC89@-->ZBQ?t~8*jll6P9y$x=)YU%qv(Ub
zNYT=%b6>>#E&yWR8%bY}zZ|pXHuGzhNn|e7Ee-?q0RXYs&r?86bD|J5#{x6r`~Lt=
zAw|pW^-fGoK<KYEw+sPY)+0&O=;=T%cn~aNF7ls(<M+%DoHZBX<@Qj40jzFGF-|l;
zTcno+lvrI4beC{{pya+8GQE^Nu{4wuM9h)f<Jc1E`_kF9bQ+9wRB_@=U*97@4Nv}{
zl5aYfHE-dTs))az_a-BnY*|tW65UERJKRSu)qliKYYYv9tlYjWE#JsbTZO%Nx-;r8
zUNj>a@v4GD5ta~W;o-d0TiBrgAXWgz><_2}cI(T%6cYQugE@jhs^8ZJBic#>K2qTu
zU>Srjq9k;f5>pv2l+4+iVuwdPCYZM~dt*EPd={=E{9Yd6(S_rO3(n{=y=-@BS)<j#
z1wIneUsLv0^ooTAt3tWx1g#|d8hBFItn}_%2<<pz<4ITuj`t1;@r74UA%Ybr4PVW0
z4mR7FEqLA+<J+rOM*W6-+5Rq2By7K&>9LCC$Pbd<WcOcr`%DG?0Dyg}S$bmFI&o<c
z!{XuN<HHuGxi`UYBhqK5N7wPj`pjJ`+AH6SYiW3n+H2^v1-w{yf18PVhd_(`f_P6_
z2wCC8twJ^p#}>p7-eTw_rM%drx{&gg={D(=u98?M@1~`^T1o6}2&2U;fFjYNO7bdD
ztS}lYOX=1u8I=Pw5NlAmPz7}+|1fJ;DRo@+JWOx-n$HCJv89psD~l4)?=*caj%~?~
zE_=!YZ@#1FM#;xCUO0uACS!!@S=fLpE>@1sEkS|`3rXMXo#=NxwpKD(#WojZG@n2y
z&-7sJUhiHbUc|+zbWo2zdM6U)GyP+)OE&5vbJe*?Ey9$6Q?F<kMs+1mpC|G+^!oX)
zn|&w?V!RgKXyDY|`LIo!gyzOC?)rUFo?KwZ-p@MT1GUK9Xbx(`h?>%7ayEb_+;_m=
z8gEF0eg;O$?kb5sysR*T%EYnT%lpuqQT-&{vVb&*%|lPd?eoj=CYVnB{M}~56k{dJ
zF<G6P=s|e**oK~0U!&}+BwP`jt(><>>%N{%_NMjH`G%sOzM}K?-Q8?M4YsBSpan>v
z;Wy`><kD@BdrWJDs)16-LCS#F_!uWJb^A#&1uF5#6BoXJGVle>#*jKLe53}e%K3<N
zr?&o#9Y<S&p57HD1oxgtF#Ii1dg(w9e`O^!`qD`Li;+NHA*WBKF@QEowRh8!VO=I7
zZNyMT_L<Sfu-VVtiqJ;>nHsE@sm^aHb`b8zzSs>#szH0f_7ed=^(OOJu9^KvEr3@G
zA3*T8n6utzzF4P}X&@_Z+NKZkQtT)T0HVC*W4<^&NZr13X82auS!kBZ$e{@L!Vt`B
zvT_QMtOn-skh{@=b@2Vs+%QNMXELWPmZBEi`7wC;oO#`8z%EXAO&DUlX)oHnO(=-e
zwHWMAP^-i%trJ52Lxj+8iG`tcpZs0iEoVno`(E%b60;Y|5PQ^-xd$Kr?k^XHavc=6
zQ#&f!B8u_69*@-dw4gR{-6j0kmd{~&%e<8uCKNNu1n{f?3t{6~65m{g#TZB1ztIDp
z<k5TB!3$2}vngW<na^LN@vTPA1|pNf3hkKwDpOi*qZ-sdd0ANxyM@#eSbkrDl4v>P
zRcTf;hxZ#9o3a4)Q%FFbbVHog&f6_jeyqx_URtZ-?J12ZHXKW&v$2#ZZC={F$e+$O
zSm2Ic>P+OOp|O76El8%ihh!DjYqJINis#oG-o!O4F)&N7dg_{P<6aVi`rzs~ZN%*(
ze@h=y9XDqjuA_}jSuv2C=(`Z`!~nEMNtBKk8lQ!+`LwLEQZB!z9_HA-aY3gL5j9yG
z2acdpJMkl4aHDV3AAI6DTduQ`62#n?IfcBaa6H0@d#zEbD-DM&D6F-+<-cIvS(38V
zE?Oo{*aH4QzZ%ufUa~3JF>YrC_dfAT4V~6zF>iiqK?+5AMiBJ;XSrXP+;sZAF(=HZ
z_Ul=7X7jD%Pn&nkVGre*E2NynwTRcM+bcJ<h_1Lc(%AB6VpxLk4nqTcB-p}qI^nm_
zfBzAHti50W2+oM<bcaV>D4~E5gD<>fOH*lS03Sl9!9JK#*0cNXW6RnGdJw$D1(SKo
z^icRMB2?QKqOH8!Q`1|pS0H2@08?$T{GLVvy?uV)Ea*XSHW;xXJu!RYjw7h`DlQn;
ztPfj8ekKRoJM{t|`C2T__eHk^GLuiomsRcykff4C&TGsE-Dnai?^WZ>(YoK>v*WKA
z!@BIzs{1&y0SlF3BeA3E@J@*lL7e$<Zcb`HL^%Y!_r+}aYee6ncPbF1k!Ql6ZIkGs
zA&lbI9>d{9@P*JHbH$1UOwUZJi;vEW2;(}*-cm<UH#2|a)TMDjHx08t2b>{v$6-{M
z4WsQITH5Sd_XhHw2Y*pH8_3SeIyRq&xL#9N_f4?pR|aiz(z|Lcw4gUQTD}iQN#%K{
z9$nRr8wn?Rd`B@kdeu0Ahw@|vd}OEhprI3IOm|JG`D1@Kg8{K4;6mXp`jbCxxjHQq
z2^i#c8tf$U1S+UlF`O(k_LbuDQw@S(BdoT?<zF)_zwHO|3Jo!YxtdG<F(RA)m8owY
zJG%Q-$lS+n{_^-HtTyZv09l~-fFx0ikvO33!~XoX<5DWN=Yb98-V~!fMqA61T6O1^
z$BecQcfOq|K^yXnoGy<am0^|^w3Pe?oOwbKjN`QF{72nOS+`7iIUOL*Jo=|<z2~dP
ziRk0-uh9B$O~szI-=P-E6SE2v+|B6sNNy4bmt-QM0SINXAzW`BBnT-X$rh>DW+RJH
zpm0^K1T9}9UKWo*X=Uy5Z{7#-wa!19Ep6rzt5jM<r_$boT~S_e!KXi+!Io9|HN!|M
zEHWPL>ep^HOKS-jmFEj6Io(2D{~UE7@?t(``f@DJc#>)y6@;dd^Bci)z%WNR40#Jj
z=4A%YZ_~h07Sc5@u8@2*P<4Xf(0as8E$coTXlzcdG!)^+Kw{Wr4MjY;y*Ge><UJX0
zd{+A9$aB8bx5UA3GCcHm=F*j}!$BUYZ?>y5{jX(IWT{FPrYsGQ#lA{?3E5nytXugP
zgKKUr9+h^rkomM%MVC9mGk-F<Jh7pSH3p-c5ZKzq7P9IFRg(U2(?MbukTz9pV?-cZ
z=VgZ)v(ih|xAp_y#n3uLf3~|Xh@KFVe-n{em0{69Jyf+{TPhCtDlx%JOMQ7`W5W~j
zvwb)StGU^UwH96brqYkZn|4)Hr33sbXwGmsQa2@8P>Vz;_)2_F1(y1)UV%FxdPe;s
z2F}S0qg{L{=e2l7+v3Z#;eT7MmCkKQlZ^gCe$QFOfV*oPFH-Z0g9SA9d0LqKmQxEU
z1BiRpy%{FaheH~Is@ams+bB-6tAcN}k1KH0F~xrp^E>~RYLTj4{L{VJ_ZIxz%MBMO
z8Ti#=b-?QDNX5y1Z=l>B1z<y!3>!T%_AS8{@s0bO-K}b-z4nkk&LjpH<K$qR<lu7M
zocg(o-!byWg76^YiSVSq4ui5*BU#F#9%18itzU0>!ozy0e&<^2DRj|-uTE;DAC}ER
zQQ*|toTrS^$4DlI123mG$Y4iz6LS@m6Y3`EunnZn_O)}aEE^_Xjen>~!<*R`+>7K>
z-|%MqQ#vhS?WQ$QLG#Z%q%DZ*MBn3i%_c|y8}#&f{zwY*wsn(;EPcm6aol)R!8e3u
zLTo-3hPkAoIXqt>D|FM|JS^2q!jE)ar@Wq*Tw6u@ZaY@}U8cJ+hL<!dyR={GtB1l(
zU&Tt3D`@k(FtG5tN&VcmIx^djeYk8)d#G}N1-Lo9le6mKXTv9_@x2?{s|<e$$-0A1
zWxAz4wqaVd?J7*<-dV4NL1N3~R~W2*l!}ldh#g>rIXzb3K1ao<oO$Jte%I>{{kO9*
zSx3W9eo|nyzR37S#>w^GmjV3Uv}Oq-{KR-7A}BY;xC(e!d1A<MS1pV?hXK=O9>>V3
z$Vo*v=*;SqUXI2fhl50Y7OE(msn=M0d)EQ}!aQuK>p+lNO=<4lv3d6BVO`Qj1gRFO
zZo_iEwd){NAHZz3t#{foJ>swffo~xs^C8$!y<e1V8w53%P8HHDAQz)vQ`%l)6?;7H
zjsN;8fxG0<Z>rK8Ahl>Xp<<fS8_w&rhvx~w1XOb>RiH)4Oty(5PjEnzvZZa~N?6@=
zcF}?(JGv|s-0?N=EtkyuyxnUa;|F>aD^G^#J*4&Tsp>gWA8V(IE~Z7~JP*xOCM?4r
zAJR@2X5uWCW4#wGx|>b(%eyE%&mM1u%)`$pPO?XjGjV}zRa_&W@xqnkwc3sMk{HiS
z)`uN$Jvm-iQl4c50l4O~TduSomo6%wjpH%&Hn|HDFmBQaQUXzOgs;69>98(i@vJ9=
zS)^RG7gz*_2mw~fY%*K#7VSu=+IeWvVreScHpf{MupRZ^z`J(0OG_XVxTkjZDR%i5
zcB2D<>Ocm70dDY)&#Ple!~bCI<BoJfg@yRr@+oGTreE~tz2i!+N?pMS8gg<xkLp<Q
zHw>9e(p=OR*C;IZ<jUIMoM(>H)s#a`QFB@&KB2K4uw>a4Ao4<lV^WRgbL7#7EB$dK
zQfPUp$ji96uvDf<lR=F?2`?OC8VAzfv8(6sM_kT<jpm{9y7f`?|GsU$IZuM;zqAV0
za_<*j1=X^>Sc>mC{X7Z_>zk3)C$zSYFAge3S67nM9Ku)5U!=Xzyy<)hnLjEJ?*%(8
zo^tcd^IhjfX9eA0tWwswC22m~nZNMY<T+V<UHyxpFyC>e;m}5C^`*Q6Xc}%5sK4+V
zZO{brwI^{6nVWUTgUZt=4aYZD6AWUU=-Jq`T|lSviAXEH3se!^6^j?C8{xd+AfW^#
zLSv^Mj#%0<=e*9W_<VNJtfwq(wx>0wKE1pV{4A=n9D;{cPmM05*Ii@1KS?BL(Z_2I
zRJPTjO^OLpPd(PdcKkgNaBiZd82DW}{A2w}AJJS&?iJ*tI%K*zlPHm$TA{b;pV;B=
z*1UkuY34EgKeT0MM}g#$o+59Tv^TpS=?@Bkufn^&{{q=J)vX(66896V5^5O+-jlKL
zIIk5pxdB>F18ax9k+yuKd;h+}c0}J8Dm#J_Cpj=g%WL&1eoXD9kauj4`kS##h5Uk_
zBORZK){TCnK2)faj7(>is^+vVLvBXWqDbC2-;1xNzh<VZuV~Vn)OffM1Sc&HJlmlG
zU5RuIH$#RCR2RU2{-i%_%qT&b17S0ft)BwwY%wp<`Ln2P%?}1;mNq7%qlJufrr%}{
zElzO`s@Tn~7svXsc}urr-_IZkS0-IfzFn%ltH1T`p{h%I{8Q5Kk42fe|C1UN?|r)u
zjWbXw4B~sX?7p)oYfofYBFy1_RXmH9aCLbFdRmEWB5OrHjRB#o#$Z(EeI8xwv#A4S
zCVQq|1&aarQQs+kCH5V;)gM1<$S8itWkVB@){Ns;R~y?-(qYHE{b@=ZKla2+M!OT>
zT~`xRbq)z&8RVZee<bHUu&Wtc+S|E4eb$Y%Z_Q{&SRU<9@}fX3*Gg_Xu{woB6;1d1
zGTITmVHtayq!0E;1;jZ2Yg%LA=yz#k;10R)=}^>Z(!Y{&YC(doF_XNyMJmYk6$7u{
z9p<)JnlR|}R3Twk{?%*6#}YMGb}Hr~QcSEhv&Ra|nZc|Q&0lgmw;{0~NpYu`bml*s
zL6F_8YmOWBQR_9`WDfMOlV$q$V2*h>6IY=7HOd<y$2(AY{}G47GO%JIwOre`_QLvw
zi7eh7$4Z;WIsrpW&RP$fgZV_!V7*;GT>hDz!pJ@yUsX(4CE`13dQ1?_eeB6p_5jIk
z+$b|guZwixcEV4o9kdXUPPQ-fdx}3qGJVLsp*3!|UunRVKW$zf^kHUAD7o&Jm28sZ
z&j%oW>$eMxc7`v6#e-0Ry&_rD4-1y|V4ahAFs|j=DaRXo`>B|54}|XD!07Bd|2Xi{
zz#$H}7~Zx~e!n)CcVHABDJ8Ex3?Z`-v2^^%Z@Ol|K+F;7sM~(5spWSUpDtbR#8s*E
zhrXHi3A?nhu-T5pUi!rv5Yw*P^Zl>Yu;D~<(=x@RgU-u2NB^(G_eR69g<a%Wg_PuU
zzi-929=c3ja}`GvjPE&E{r<(WlZIM%bFt<dG6{#tC+Vr?+eU}R$IjQmN`Yz@j^q-;
zH>@gLpM)$%;{2(Kz3%iBA=Ug?ZJJlX%dtyWoAV-9YA^e7IAt3`=YQ`^N&38!;uc1~
zUu0&(W-Vd?HK?kN)L;q#wU_1DuXkt(B!Mj*DUoE|8qeAW*f_q)zM8(>>Q-1Gm8&x)
z`q9++hS;{k;m+q`Ku>RWNK;7h4(~sqm$hV!iI~dwF#Xe7NK`6^XV!31{UbZ{av`B*
z_t-%meT@ks@K4}it=8F_Btd3?Vu<6+rz2)G&~476`*8h|G=7vjQkE(mP13ZHK+M5x
zY;C@MAn3`VSK5hX3OFN-yB2T%gfzby=B)Zma6<h$@DJ)yfLoLOPW_Z;z8IKiqDcPQ
z6yM$q<rv-+AgYqhS4_Gzj5eVBT&MS<+>hoo^Wb^X_bXUs^wRk4uM&&C(GCH;(bsm?
z1iC-0x4$RIUMRrdK08w&HNOHTiuLL&yXQt))fa*NPhsRIW!u_3kY^d@`456tfr4G>
z?KXAjIf+y)$Yw-yRDh=o^EEW7au3*>=69>yufk!RhIh*m)az}*3F0n;W5yfRx32zM
zXwhm`QxGAmejsbuox@hLL5V1Z(EyT|xDFsxQSPEj@-Xj8^$;9MJ|NW}gcy&5MS(ps
zSDAx&dx|dLpp$Kjqeq)$@gx8!{~?x{yv?`F?7k~pSn!Q=&sp?-8==|R&D$OP+mF1N
z)l7S^bA&(ra<lwm8OC3>4Y)#7=ELW3IiuyNwwLS+CRwDbbiPC8*ct^A$2Dc91dt2j
zJyU|s?CxYi5$6oL*qjD<I^I>VS_Jr(c%&QN(+mN@>}gTj5}d<kSi)F-wlzzE_AP5&
zHbto5_vw6}_uJEH=RlWz+fA7L6u?$OLi)=R&<dQE`#sL9dX~D^@cJvN9yL%exlaw!
zm1%>114@}<VIH+IR{qz=jLJ29m-nbMI^73eJJ$CbW|uVpBHiFPAr&fhh(%5Qc#*J1
zxItb1%dcl?csRLt?b<u`qT^INbRzlG!CT}{FQ{njP&F`iolOTFWcox|+io`Ewz&b&
z&(S}ct5is6yl+Fi?6a{CK@w6H7_t#C7DK;Z%gV~qiyLJjajxMY4FbgD5{7O?L>V!O
z)XV7>4EE<<at|pCjK8P;#fx)7TBqqDRmM8xTZd2RG@#OClF1B39M*fX9q?2iiLg2&
z>LI>v#O1pYrNb?sTUWZX5KF<y>FP!!G;}R_tGf{sX(LWa*oiJ9vKS@qT=wTHb#G7v
zR(_co^O5<tKFcixFpiV&HWL;REej5N5u7B(|Gqg)AscS?dD$z*uJaGj7V%PN!R!bU
z5Z{nvnakwG<)xatY-zW^xFnOQ>t_SVjxv`Vp+yDtZy_5lSx`TStK76A5ZZi;0EnO6
z_%HKXrs4>{hGBG`{Dj&#X>=f*s<<y<Bufg0_YkaMg=F@gSs|Zs&z~VAp)=;v3Qsd(
zX(mf#a-VV^YzMxh%V&fbROP`iKfkY%`%+aKg|yxJNALH^c?e;TgT`^nxm|P2XpRnK
z1J0Ai)9<6+m<?&W&jGHsv9`VJ0Q^)sbq+&m7TkiUud@2f12X)p+?Fys(fx;!KI=Wb
z6pz9U@gqFa4+&u3pW?T5e`Cr~r`&x+&aId)ajlGar0`l2DlAE~bwhB)7$JZ4sW~gM
z#J}T?%gVX*H^;&7+@=aw2FCba92Mn!5HcVET|$ViX3KPyHjl&?UUbxov^DG+?k*B|
zZrFm5*8mRi)!$5A0jJoBkcq4iYC(1%&UmS`P=T4D9iVC4q@~NiL@#z`MO`u#FU*DG
zS13WByBM?ECc?AdmN@DBiP}&j5Vmc$7s!2JUXXmb`xE`sSq@LKkd{>AFME+$UMCS<
z@1h4z<T;55=N0kT%X_sg$%#<kz^!H4Yd4w3$r3zBfCMVd?70uiDs|n`X%R3ZZnS`q
zKDKfs6ktnOne`_02^jD#<~bG^@@2jF47baAZHPVy@e@`aF{cm3<RD6i#sJ5!px3Bz
zU)A>D3*{l^iQAQMjF=-Q$*?S`z=6%+?M)el=|jt;%NT=+B3RN`Fm?T<6Y_zhn1ZAz
z+hZ09)~p^WF2dK&mJo5q5`our#DFf){8uSMFh!4BSbr0|sg(jBb@3l0-OH(QMK#e+
zR!K-QJR@T|flH@dls6LVE9X9kfNdrREv^ze%xd}%I)kW|L-L}PbH|djmeK2fuifdP
zf03@`-sSIYSVo%9s_h>6bO@PiZ(WAj(CVfRFSt!N0!`mMCjmpG0h@5D)AR#8Z>CqA
zC>F)_B9hHgRBz3dBpbp3=l{t`fOlgF@*DCNaPlh<?kRg%XuoA}oJ2BErivBim&dEk
zRwVE-XiFc?*7K7Hc}ci=wyb%t{ZTe_&@RDOkx@M!p{A}6X%a1_fa_HfG4&R6!c|}4
z4mH3RO5K}Ce{HyB0L;dz&Ag-<EQ2+N$F||bXZfcCY4E-y!y7N@0p80=2CgX|?5OKf
z#okX<jlXquR}E)&gm{|6i5RY=>Y|YFe-?hT;nIR@yaZniO=IyUo|r&8pGxudQk0!p
zUZKD9aPCk>1zVt?csjgj@<13T-%_yUL&@&m`Qy(0r-X)b9LLtfH}}18;^-wgMjStW
zh0MQYq)cKrN5k`E<nXHd1FMQWhMvrCd$ZN7LK4n&0n4gG{rCbFc{uU6cJ5<_B~D=k
zO(Pi-q@EH@)(+WnB|=yG(!g^WN^HZ0C~qq*iG7V!&7I;57ydrT)ENy}=0tqM3zvB{
z0|X;Af4p|Uuc$tv`B}jHs>izZ-0v9QpuEX{Y=DjeN}fZ_Z+W>kp<Q=-__I)((j*@b
z!2XV}9%8D3^15icg$w7nJ9Hqt^w&s$;PjYWI(kaWeBet}8D4CE8x56K_M$)slW4!`
zPxY`D*3l-)kYmdDc8Gj@k+57F;Ry$pR7UL(GT!GMFIwUa7hhU809+<hmQx$@A@*Yi
zf1~$6tJMWKo>Eg%Un~6`;|rq$IY{*feiU@n*!cg?0&K>P3Y>DkDxB7cUbRyAS?;eE
z4lQ#U^3zu{b@t%@+J{;?=1DG}LPUW9u`%NEax|okwKs*`XCn+3y?DP!FHnMUM~P3l
zH=AxENPf!`E9#dNj~R*c;6FXp<LLuX8m?ANYkWDIVIycx?(l8$^#(BDPfRZHAGpFc
z`H>~2hB6HL>w4*p?;lr~He6Tt<1pAdvZS{&9qI3B_3V9uQzvC#CxPvna)NQAWss4(
zeA@0%gjUZ1?sEs#9(ewcmt|DeQbbXU`Ald@4f)O{4g4n$U(3b~wD;s*z-3lDUd%a7
zNOkRh61;~ZT+M>Z!zAp8|4)+-1FHErsQs_jZ`UaKztTQgi9tU+ts3<&^qar`?-{o1
z7z5k?Pt`BPcKlD>kCSDu{ZBQu<f#T4*FR0x2nP+V_%7l6)tc<s8QSc}H`rDemCm{s
zp&`9&`ASD+N}*n(1P#DxnNE}9li47}fa(;~95CcViJ>_b2;AE$GIVEZY{>q>lCweW
zUgFoLH%Vn&*y}fY@fDrh<+agz2ReFD)>G`;o>ifL$^WvrKB<!I#;)&7nPWLCG>WHV
z_avsY>*e*dbXG>Ti1V^bSpB_$1cyR@8_`?`-B?uTtU*uf`i3JA`19Fz*WAZiPpQAB
z7-zPw*-oi+Gk{9#!dSZw#P4mzGju|r<y${P(ZRzJ;dm-}^<S69XZ%u%9Ekc`A7h$+
zy?lOet1{8GK6>t>+Vs?~5HX&=l%zE7TD`Xv6=j;lROdT*srD&~xv0CVw7>`i7|40d
z6E^JtXy`;Hj$Fvex#V!QP&2=w*x4OsVvRLCtWK{>`O)^*7E#mK8%p{*J5i*p)BdAm
zTApq0`iF8b>zHqfKSRNMJB2^BIu+oo#jUI;-P^AG^WpVi@S%3zCn||wGqq20^sasi
z`gfgmAS{r+m6j>@Y3r)UzpjBXgLV6XVdY28%abi^*uu>L<)F9v<l6Wb=TE7A?EeIo
z>`xC-Mad1wuNX9m824F)3{sc`h&J6BF*J-#jXC}N3s4g7F`WVy4`tVncvCWNCA!~x
zBXQzVsL5hM+0s4?2fRD{+k-bxU=orc;_9UF0K=d7nu1&2H-!7b`H1s_!iO;yIa#N9
z5U1F4yhGWqX!taA`g}pYJ#a%wwjaBm<@1{b4NUg5lqRN7BZ6r);qMm<x#@PDfA`Vl
zD(CdI&zY#lu7(2_VAP{V(`O$|u{)I)4gc*A<;O;wMr06%>S6oqbmp(La<Hvl)Fq7P
z3Q^zCG2#%bV)J5m<_|9gQUL@GxpC4d#5B&mF@AAg0=J1-^W$-{f5$%D8LsrIubX*q
z?h;Rie*h6Entx&tOJgYx$khJ##ZaGs;Exhpqi{Y)sYDH-TE&Nkb_!4Wx*bZtd5Ie^
zv-Uq+93=!>KCR#~nYKYdaS1R9lIg1J%ZU|3+<PinjyPDFUoYo%(4Iijd4>O~R_`h0
z5L<EHM%TP=veH>+QWlaum|WORC+p2=F`7<keIA!mpZ|gBZ<<9Ugq~}fzg2warb>C6
z{c6r+@bkhuJOL1WBo@=8%y1l?vgggwV5h+K!7rTsrgp%uOLT0C&s&5GC2dS087fqX
zm`mzFtEY{;oKJHf^xn7zg-+S0P}KB9MTq)vcjUTZ?ESbE+$9DVR}U(HuK!?ygoQ~u
z|6aa}L<PhSjNuMXd?L`x5|86`9FP`OaAuS|EtTVEA&7s7*FvL9JW~Zj6-`~^N*o}o
z()Sg$iR_&zFx>$^?Tw!cazsBqb#ptg4ng0m6c4KSC+_M_1xDJ-gAG6I&$sopNhw$V
zxe4?ZYNMO$u6R)Ghn=7eru**S{3<PAYo{Yf+`S;ON3}0K&h~atci}fkFo?>nHaLI!
zE6(d(dLm1p2WHF@z~l)Hov=82k0O;ys21jr8Q)Gd!G7U6CYz@xuy$rTLp<HiKOP8k
zy{qxkebfX7*)V}|2<~@IR}B@FM;xtV3FVo_07|SepFFNbchY@{uNJj@gXagOyBRR5
z7_a!T_+#ZB44z?;ciR&f6*hwVW*+DsG1fCW_nEFr6d%1P<9leZPWMWLyWh*9U+bc-
zA%K>7yU=#oI7{%o@wmy@pyi#qjYaoPRV>^(=_0NUUP_}&u1O(7;zxGwp9N3Zk!C$B
z)W;>8IxD{|nZ<YhKneF0o2lg=p~2ac&ihP0qO=&dH{PC{T6WBWJy*o`XlyvEE;Hx2
zgInY_+jtd;nfv30%$9@DmC&rTShQII)Hlj4tXsPy+FkCYQjxEfS0W?^ZrdMYH@q&3
z%5zcmlw{Uma6K1!#Ti#A(Oeb?(lG=9`g7(vB2xp-8O%qMinX2-7fsVU+WN}>obz+B
z-2E6PU?2Q@0S+Yjc^rtR*u9ftOc$%&G$BhMK}Rd==lQqz*7bmMf(iQ5fy6c&6tiTh
zJU`aBR7gG?gf3ywr%UqbL#-ZKjc_&TdRTNR_nzI+{jdIp*%b#vC#S6|i4H}6ak875
zlGxP$uDpW3CRl;w3Mw7vC6tuAlKF8WvWMHPY?woH<_kGVJ|@lUF~mzvBzcNFV@~9p
z{>!|e{>{4%`#Z@;-_5v-7bMv0Gu3(r*7<Z)zhOvcLSm=EP{J3AbOL!^^6NQ+_}n{v
z(fQL%BA9CsNh9s`56{%5$!8?1zq_CDvt-o#iSn?^r_@X0XryAOB*H)~lp-Oc3w?f_
z52h)chxC*^Rufu!^**<zt*7HN1)Tm}J#>3TZp3z(bCSn>Ud^U&KED3R**Xdl5{|4Y
zcW}d&TrW1YCdE5`XVilwVn6?7zs*(XtiwA9bl>|;t-N9X`_Ve@{bGjsg}wnOGir$}
z>ZhJuN;N6{Da{8>|0CM+o<jxU5H}7}Gtg97!}rOx!_v8x0iHmVq_b#Q-@f(Py75#0
zV#e>k@*5B!%)4H?Yy8lVij;tAHs!uC2{mTs7!`){VA6TgSE@X|0t6O`Wzm;)&A>iw
zNAnZLvKC2_?wiQlOPHvqnZK0h>kH29(MxZU(x)B2&*!6u5^2Mdf7T|lZ98M(#>bVD
z_k9c%Nyhe}46cDFx0K2T5W<HH;zo+HMIKnIndQm4t+u?=?*~`fq+m*k0Pe?g*SXi^
zWF9Cj?YF1yNTFkeZGi9PKP%IzTi-6HcQrkNN1m@!)1GGoQdlG1CWoro8C~(etYaRK
z#L9C=vTa|<3#nd@*t6CkE6;%{N<pG+^<4<eIQsLa`kpJUvm(25{x_~l8QItCdZ6(u
z^&T51(^{pHif9;uWBy~{QSj!@(UVVaa7X<0umvCg_PQcknx3eN)V6?%bD-8a^}{nR
z$L@BA$YP*K`{D4FpNYR%auCkEy5D4H=LAjE%D~b0z?s0FzIA7bN3#xsBv8&AWpqne
zjqUp-%v~X{r<Bh8=(<`VY9ceJ1{>Fh1|q&FekEkFL4xr3>W>XulZv8gMV1I6t#`q?
zE}T!9@6M_441KfGn0R~%BNi<;8@x(>{gFsgbXVG+LlN;r!>+?-XaGDK@GVxv)rnuY
zZ@a$`$oxm4+)B0FGRArL3%3Zp2hORXWuQwCi9B%Z?KNbH-UMc~Z;gnAEV%ya=+W4v
z8a_RS%$Pnx*Fh6&Sqg%AsBZ!`U2d0)>d&?tLY{I2m-(-Tp+!utv-Xt_IIHoOZ|m}%
z<)*TYNdE1=$-nl!cex$yD()JOk@emGIlPtltyx01%#huc%zpO|ne6!KO~4+_Em$IP
zpIm>q7>c55s{$IED2yre9GP|9l=dRmY5M{r(TC!l_T<n?A6lqO_duAE%wVEk)7XSJ
ztFCP>P20}4sWX6Fg{Jf`XVyhzd?}lPvxmF<qGeouyz`r{qM4@2ppMj)&`0M--)Fwn
zf^lNP`Ho|WiI?$99$18#?a4FgjQ_H>!A*jY`?FOK0&F*S>E9>4uf(amiOTP1ovu*x
zyDo6EI<~nTp}M}^R}Y`>gth+3{sMEC7=Fj0?_Z}b*u9r}b~<RGW!ukDfZy)gn-5kh
zCihyR<@wXuv_X6$FE2yjb1{VjRb|$(^`7pmw$NZthML?U5=XOZr7x3cNicZzcuG#z
z6}59RNA~-hIA?Ixx-=gnY-LbUGPC*5J7A6=>45odgV{ZUP0#I}%{jyK5*C#dwiK6Z
zer&Z}ecJUSqPS>rbo!D>{?m0wCT#r`nC8ov=x1yy1(IKfawc_MinyI^ng2P)_L}Pa
zS)nLVFf~vheRvyh(6LKR)pM<PeA(&20W!9=_V*MU%kpf9$bJD(mT;?*@R#TvT@rny
z@!*<Ieg(k2z0F?}ewi&Oe@&bYyQ@%3E5A*mF~8%hvAr1fMO3zZnm-bMJ{B>-ca;0y
zvgoeN%Bkg(ZUHrvUo5}=4B8sio$Mb1eBoVPh`K48ZS^u&q<L&O0_9}F4qu~JreTtz
zfhZymDrHlF7k-_6{>NhagsxUE!>q3Ghg-UgoPWRVEYktlvRx`$l8<#R%~AHAZnhVg
z7W`cD9b6SNc?-IoFb7#cI#aF%E#6(8(LI{=#O)S53M7R-lTLaF+w;wDLQhA((F!ux
zP`+h@>Yx_H55zUdEo2El0h)3{2ZR(7cgfyqt4Q40n!{L+zQg{@lOo?x)N1}F`s&^)
zPsOaRm+6_{7WzC^c!uFutz`O#6J1O4SC^#O_GRbz_;XhnFW4>wPmiU^v8Jmc|1I`A
zTV`9xOuJ^<&ywieo3^i%2~BUKd_~)MB9;?9s3ecp8};V80qfp~DERNb)ieMZkKf&F
z`Qk@f2}%(OjVL*ISBPh?8hOSMn@+ad0HaaChQf-3ul;_GWW8dp65PK#7w9La$Jg;6
z#iWL=DqmTsdT>{QaI}*{j`ce$HUS`40`4S{XaPHpGQCjGVxb-lU6W!#d3mJz7oxJM
zCww{4+n$%?|6bD1#Pyq;r0zjLH?Z1)%TtW?#qFiEV7}=d3+yvP9CIT30iPJh>1E+o
z+HYyVHJw&f9oAz;DJ4ke!RU|F&&JLod^K3cZ?v)uiqPcZWsAqa9;Z&00$vi=e`K=W
zxO>k1`unAHS#c`l`jlw_(6i%U0+7{-IC8_rD5VLLA$0{wFXe0cw;3dV$`c#BORcmP
zx`*$6n${P0$sc@AqoqYv@?L{(jFLwwp9;BMDSXpp8ZP}7#)VGaqXzFN-`(3Lvio8p
z^6f5)zsZy6KkMm1_Tn0Q`p0V}uAXrGX$3!r^>p)*?$OsY9u&-1wRT3oPw97MZ=lrR
zS_Ep8a4l;Z&ayon7(F==dAeZKa{|y0ixY*XJWA}G@*mQbZ|CQT>1Njuf|(H)dX3h1
zdDQ$<$<G^2xkb@M>aY2-UmU0=cg3{g8gs7U4WxJNA3kZnQKLY?fsFsDkkIv%-ZT~~
z_s>f|V^CWT2s;|u*B(8y^760FuM);9apJ$=yv0&c+&X1JRGN53Q4zf%H2IG_gP#5t
z3W~Vc%nC_7ke_V!F8Cq0`6`eEF?BJsNlsV4*W@(z6v0j-Rm?%;=9aAC5^-l`M%*4x
zXUCR_+@Y%1Dl?l%A|kdfk-Q`sIMzvj4~GKiQtN-HyM*?Ai9q$5*ayyI`J1E8plbs3
z4r%A&^wbH$Q-M-qNwK1AqCPvVPg#~t-xmC>UN|qY_L<UK;szx|T${ov{12-S|Bh46
zS2^ewU!QCU!7DATSNE>F*Hr7z7rj>+FP9M0Nva1}Hrh4|p?ryPHX*z|TRRZ(^mQ=R
zaWx6<#J#E7h{+9N4pS|rZDT1tWv5$PwI2FZ#RCxbd6TpmeP^qUeAQW}agwigVA{%k
ziM)?>%%!Zx?SQX)z(Wwxm<smEYk4%{FZxGXR=A+A8Tr@nEs9Gc{@1Bv()pD~GM%)S
zyaL)}J#R)3+b?s9uFg_~&->VUOkJ1EG(v`UK+hlMiN`6|n%RV^zi$qLxG-yURda{7
ztE~_&J0YE6*INF1yVo>Q2_T3yA%_tSMjn}fK(0^|hn}hHl^;=Hd%T{=uf}<fJnaH7
zw4|Q(Ll@1W(L@@kgRoS+s3ht(HMHVaq#Re>bE+8De*D7w`C?&+e{z2nA{-_K1an=6
z^&B@$8UB-ak&jX^HYO~uFtGkCAYI@?G#2Rw7E+<hp`FTRftl$RK!eAhk$FUG_MU#}
z{u>l~Q=BgJ@Rog_c;`sp^-O@vxZDj%P~w2XZ;wM#z4~i~cSQ*Bx5+6j^11rN+WRod
zF|lPY=N+bU&iNRlEKSFZrpsWg!Tgw(9SaX@uEsmehr;WVka%cnqHVZJ;xK#m&(fbs
z0T9+=k897lY0M{q*X$DgQp@mn*^(Fr9e){*zq*#3vvnf;Ju&H~;5&c`gG!Vw-={5H
z5wLR}jC=23meIhp%9^FBA4bq7&O3jsaCcFA2cnc>`ufLa7YtH3Y?0!B*^oWTeYoE)
zVJVP56yvfuSwHMuO?30)9+A2Uxc$SOdj1pNuc@lMpFc)Vpa*voV`1q=eBT>&kj1=Q
z+}g~tNf|R$#6M0c@0|c{q@TD>yUzEo+N7PC70&83x|OIlH85l&G(r4JJd3R{%K6b$
zse$pFO3loGJ<p@uyXEiW^F2?MBuJiTTg#o@of`J&!p<J~(40Am`ppaf8Qmi<g<aw~
z-H8Qg<sWKNNsjTKp+;(J9tKcsRnIs9R_b}}&D1!W{m7&W6zMvSMr`gywlT8+=5&?Z
znK)DqGTLXJFE@ADtZRGdnt(5_=Se~!(!p=7kDrQFbt*Zr7KS;?O$M_s#K_{Nh(?Lv
z=pk>3_es4c5)|zD`<2&^9mbYUm(JPv!>|q3Rh%aD^ckgo(b<7}rC48@H{kGa_vN;`
z*l$v*sqIs7oYQKQ_`OA>zX^nnqzw9~&3u?vpZFy_>bh*UZIzkQuj@?eL1k}`k8)hQ
z3vK3DMb>r<(gC-D^w&{eDKp_Q#On3-gCz>6s!xed+qhW^G&VF{`tR=#{{110#JKeR
zruP}2o<qaadq~s`qItd=1S+K|{QASM6*NVx1xP$}36X-;yjpQ)d@F=r#6?a<Y5s^+
zBTPh2sEio??stb5u$9yoK|i{hYB3-?J4Nwj*M79DVJ6sYGCb%DsGd%rcSmd-yF&K>
zJn?%!4NTXByky$xR`FrqSTK|1;-dfEn;>~g0*i|ST%MMju|9~QbSRXRboewfYFyC(
zr0-k0m7AfL_Oc||x6VmR(Iy^nPa_=izGq&^FW#`4AmKX1q}}S;hE(&<;lDk$Ylf_d
zzj8OLXwqSW8N{y)M01?kj;jUow#oX4OA>>p)}>j9N^kb#uw|sHM3pC}_k}T;4-1r_
zpBJb&%);R{;J^juW{tw-SW4D+jhEVh7iqUx1S`l6!}Dl|ZJ6!dv%F9u(@}qc$-;M9
zyup7fQ_x*)AD_%du8=q1AeLBxqj2_`7RA{{4s=~hKyPVFJBRl#ydOSMD5Zk$E<5H(
z9P%cy4OJUzU|mA9J&=J?bG1$iHahRR$Q#{NWiG8eJ%t1BT<AK9Wp)W3i4x~%UIj;u
zO25&fb!t=Jr%NI5AMCFnPsRDmo9oBB6DhrE?h>$tbphaa6dYUA$r0DC?xo)5N+2mh
z8S1fDylj-2UQEZRS=pJoV@_huF^SnnFjLKPMN^p;Tve^BZb<xniI)bA-e|i1DB&NN
zh$^lYkvdEo_#UiA>FrIKD$$wove8l)=xTY6CH2vEenmy%q>XCxDJ|Bo_&%0FFGzv$
z_2j$QwB0_0LuZcaPw=j9L$i44cV1taQ*?KtrC(V;W3hKQBZZH`{iGe8?Rfp>7i28#
z4yaA1Q!`o&%ar`AZ+zq;UZjmU3gY=n@>9*3GxUDDuBcce_mru9Ss>AJze%9*623|c
zI(rx3<~w@NkaCPIzxuK<$f_naRX%p2GB0u(+nf*nd6^*fL+ty398*pR>!b#TYJ*7r
zQid!cdZdlc^}**If0N)L{6Tfjk<+UKVK~{Pn}&d2)B_#AeZBGg&6d}|MVTW6T%8y&
z8pzz|Y)TxnGXWVe(K`%kRx-a}7|&KsuWNm-zM|IiXNcxPa`m(znaH7GMY|Tg`~(rV
z@TcU(aka%1S-2CQ4|MtVa%Klv*8q9ZSeAbG8B-uT762GdlrfT1T>hvf8mw^hR6O4F
zE{1jQi+>rAb+n%TR!_84t<`^s?rc5Dw>g$=`$Ct;M|0RJa1|H$0bu>}-=INERE9<u
zbGUQmnWbJ3c`Oo#ZY{pU5kzT0ZRT0aIB~&d`?;2sDRw$N{Ngn`*q~)a(1$X5DG^O%
zxa@0-p@gWZf9kZxb(Icd>T_KbJr|2<MP`m1r&<NZ%(F;SK4Pb4jFCU-SPpJ=H3|G8
zxi4k=AJ!bA{`CFYS^tpBQ?XF~I?4U<_5M>Qg`(z&<3@|ARNk-DGUMpO)UqP^?P_dC
zjn>><&9s-$5Sj%McqKZ@g`f<=)B*%O05(_sdD@5Kgp1B-c@5!?Z@E(^DCd;(vu`C1
zTihqyI<E>8qCF;ZQVR{HMnvD4DEWwJx+!k6R`l&<Xe9mABpYm>cp>-^Rf66_o}U+f
zoH~4{ib^$MRGH5^j#Z@T=wz;S{O(&ybZ&b(5vA{FXRGh7hmLAZte$`!?vJ&Za6fs<
zr8usiLTNJV!PuQQ3pe3or}x_3!&~Q0p%n1V_4Ym8<L13nI`IuSE{1d6cVB?%y+f=)
zOh&Xu%(&m9scwOuK_v_c-)kCj)NO=laWc#OHC6ENMg8cFs;tXkRJBU*Vf+NgYOqAW
z<&w57ho1?E(OTHpl?OdXCHmPa<j<crYY6e{M&-pZb%&_^avj~qK2x!}7?kic^nN?L
zjpswnAi+-t8$#EtmaDNG>Tdg=<Is3^y)>3GVsy^x#_E24EvU=RJb?d3`IESP0@lIg
zeofXh)>gHi2H#~6q_g%~_vtSg9DVn}=@GQKqMk#v+drYSHTg|1A)Yx?(1X+hZ3RyS
zHi2c0I<@Wi6VMsHP0g!kgISAY)bZz6%1<m%!i+4#=q%CL<Ikq@hef1?FoT2c`;q1m
z|4FCnH^nK2+d>X_h5(RXXfs<U?r7KGdwI+`>F_0tj;Mg!1uB6>dL>7TyWoo$XFuU!
zg8KiEE)zCGnI`sb^}c(;HOZyI+|2%*>jA6n*V1jS$<9P1V73~cE7ji|mFif(N*Q2!
zvXcLyv<i!O5C48%itm7|!OgAE9DH*q9KhZ1`k0P!(&iC;=zVmLlTScVSPvYx(>m4)
z{L5VvIv(vbAQ@4i*ppfD*(|YYMc+<Ips3Y{P<!)fGwX4Rv}o1#g8i~M^zbl#41dH3
zvnJ*6U7L1_k-S*N0iRO9BrEaM{vc(fMJZBhZ8A(GCq;Gja}Z-0v0@Jy34!8*4ovZ)
z$(pf`F*imJ!=@hr{)3?;O_09&&YDb#nzKh(7~o^EE2FyOT2B-ri@>B!5pRr;j<eu*
zlHSv&Ud!tPe&bc_&f<SJGGj&p7|~btFFK-!Jt<8aJ-<8;c4v2^vta#eGh#J)2}>D5
ztgTG0*7j<@OHw*vlZFZa9EEeaCasya;)#$0h)T`Ir$aHCky~izkEx1e%ZtrTrO-`I
zpA_j(oDyV5p}Cdo_hnom*80u#x4t29E7M(w*hZDVcRz=kC<;+7>$w9Q-==wtJ$TW)
zBp7}_lnsSKMz=f0Zu9Q;Rex)}d5iZ(>77ET7C)a%;>a283VOo`oa6ffV|DpS87YKm
zSKxx|ihS1f=!Kq<ane!qb2g*=S)#cj7t4EkpMd`gX9g|m+GeRQ+%K<UaebC$mowiF
zJiy{m-X6*lFkOws#*Hw4dL({U;j=6!;EF4Xz3B4GbBw{+(s|r}#sGPwd-5y;G_{T$
ziYh8}@RaDBU_9Ne-YN>j;7DYa6DU5G6#$P5TrhqL3-tAP9@A?$sDD+mebPR53Kh+R
zQ+AK%VzbB{95#*)iPWvN_BqvO`C?;mVsGTEDHK8Rj>#e|BK`D>W~R-nZR@WKLwW0h
z_AUA5cvfp!rEHyjL$3(h*XV-Mo*V7%A8~Ao#w;~<2!N!Yg6^X9pMsXmcjB8FekS!Q
z<)lPQQn<YCk#$~q?t>^?nL<_T&Gr4Y+ws#~X!g%%9a?S)-|}V<1nR>hc48U+8w0y@
zD_fc@fwZ4ptNXKAKI#pc7tNLI@y}A`qNBC4k@bw1%-z@L4#EtfD<|PJ0jc}+2mb{U
zlhX@skLPwNxyyUonKlf+&(1w~ZVw8D^+w2h%3Q7-3<F(@48kTHqBA@5(2Je>k&vV*
zk?Aid;iU5-=XG%8b#4ZXkPO&tIl6p&>nZdi0Fw}UCx1{p#&TuEmPBvgrt@Q0=FKs#
z)C5h@Ym++t_Fldcp4GS(OFYsL?w$PX4N>h870mU8eS*3;bSd${x_sC~i9JLoGO%ar
zO!cy~!Je|-W!$e5bSsZ`eR3sB0+VVYk?^yfdq2#@{cz5xI^!EL@RZpx>61J2bfNqZ
zS8PWSHdj7s!L1{ct+abO{Q;Udy^7#B?TqYSiYHtI;|deX5`tcoz;EUmD|8h?gZDLT
zFtL{*!QLD^Sci+DhQIe_^+Yh_8-x3CpV%zStoU{E^l0;j7OV1*QR+Hx(YK_`Yjk2F
z!St@6#tL?}!6jsh9iONXx0$V|LU%B*r$XYP;u<DE`8{=-r`q8>%58l~@^+?$<ET+8
z2aBSqsbBnRPA?ww)Be)>=p0|3J#-J{%>&z$!yZe`Q8H@s17;cN2h_Pbe5J#Bgiqdw
zkDoYX=ePzM@OBJ`w^Y3W2W?x#Dy20)8@O_^{RNoh+B*`Y>nsouP-Fi4UjQmPtAM;t
zDXq{&42{ndb3ZU^D18^mvA%yS8~En=`;OAz)AENDcZ|?I;sCw(jD{=LZj<0C2*Nni
z=Eb(axZl()C_teXQ)iePFogs(oUW7D=z0n2_IliJNn<W@$S%F!_1u%!a*(%b4$=))
zow5yocLg3A@GS~_sjkDRY8W2Y#3ZYJo-7W)bCJ$g<eT+<UM|em(6>@kBb6C&l&m;S
zhtOwxzm0wP@&4oCkHQa0^-eN0D4na$dg~3l*X`2f2e!BBkmMzQMGkIan%DmNW*V&%
z+UdYSu>y69?J=V3h70Ny=EQC4Q>VHA39JND`)W#`ntL`ru9Y7r<_&{E7<^bHUb{D(
zs$I0n@O~v<DsD(0bDx{Iy!}2%e`Maps^_B3g?c8{v!hh4gf#@`qHoqp7;{4)nnKoM
zd=^xZa9tvqlb^Mm4uFU&E4kCS;)lQLbLW3B$(=N`A!MP3lUN<ZTU-zI<4i0d`OVVO
z%lLD}G%IF3wEhz9_v{~9_PnY6R1>6jJ=SIImBax~qtK0yhr!5GgdbBDTizAV8@xRQ
zZ%#U=CL(@6EGL4zc2N|luF|FFqJ|X;9+$?%JN(qWPa*v`-&k}Qf2woNL&dmhlI~*n
zC;v?Yue}ggX}*pfuV*U<Kc8t=(cXdW(@B~1WePP}n1PXNh4G363!pxuob>O|B6G9T
zBrJ0d15XsJ@x7+3dv`#~yBc{RDm~@oLN=If5t++^7pWQ!bjTS`zi8>(kthTt7c_PT
z37sha*YU;1@0@o<X9;PPIn>1ArF-$5Fqk*;M2G$$-cZgUk#m_{x?Tgum6s@}ffy}Z
zz1Q!8fyOu$T@k#+466nMQgXeA$LzgC!6|Wos17KS-lm^%j%_Mw?oJDAc~=2%Xip`t
z=FaEZTJ~Y7Z^;n5H;KaNa|g~sBqb3`9eEnIhsddWjw~AEbuToEoF(3Bew|Qr=B-k~
z^J*{|vk$46w@5>S$P0BEg=BPe#|;Sc^S;iim64s~q<0iP6Gxim&Fd-^?>~#zYre?P
z&SHa4joAxSf3uWYpz&(qdu(}EHZO$s=XmW}Y;aL9N)}kz1adQbc_>Z<DTCsFk6opl
zxzo6Xs%z-JTNR%}|1p1=?{L|JB^BP>t#Zmy6Nrfx9k;^k)6?4h&U2=|@?DL@{Azx2
z;?gr=Q97k13P~yJGnTtrQOljz1ikYkx@M8yPj0i70WOTz;oTEQ=#Z}WA^Ny4GDXX~
z3V6#I_4u^?A|!bQxHznOBX_fK?o&=KH~4r@RoccuJdWHI@mE%e_-ipwgL!k2ym0e(
z=9~@V1!?$iCAB0Jve?tgGewzQ(nXy(K^j-p$8-wsV3GyPpV!(=PQTIj75!($qw0A4
z6J>Ak+w11`DHIB2%e&%vwaS~MVD>MoYUQZ<qz-0MHR@mjIzNwwXNYDME+avDirCCy
zN{{qxqSb;fS4iYT3#VJ;jRi<{H91ZDt<s?zcw=_U=bCv7{x~9q6#R>_QHG?+;F8FK
zQ-bhl>i*4GuDmG)sW7=L#5Ph?r@DWUN8&q;%}88|S&;htx4f%>SDSd9!r)9o=X7^}
zq`WBZdNu`8I#~kZt|2K?>VJ0$YI;_SJVaG8T?~RWJ{v<-au3Z;!zgH^!r8=I)UWD5
z-k4C1Rf^x^%L?xQAoSx4QHdi~T|mao5AFTc1#)`%%beHhGC2WA`!ETlefKq0ec~<F
ze!9k-%#rwh;{72%*@SI*R~0W><JHhneLtNBI5PE+;$n*yEm|xm9G!YF5Cqm2zT;N_
zCjkSh-{(WIjAqPdM@e(3(8Mw58qk=ZVZSZ(_vOx8M9E7TH{<WArq$G5n$oTQKIp!d
gcV+U<cg^Gf2Xaqyj0--H(f|Me07*qoM6N<$g1O=D*8l(j

literal 0
HcmV?d00001

diff --git a/docs/source/conf.py b/docs/source/conf.py
index 34382356..2cc78e31 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -13,7 +13,7 @@
 # import os
 # import sys
 # sys.path.insert(0, os.path.abspath('.'))
-from recommonmark.parser import CommonMarkParser
+# from recommonmark.parser import CommonMarkParser
 
 # -- Project information -----------------------------------------------------
 
diff --git a/docs/source/contents/clients.rst b/docs/source/contents/clients.rst
new file mode 100644
index 00000000..f5644c91
--- /dev/null
+++ b/docs/source/contents/clients.rst
@@ -0,0 +1,75 @@
+********************
+The clients database
+********************
+
+Information kept about clients in the client database are to begin with the
+client metadata as defined in
+https://openid.net/specs/openid-connect-registration-1_0.html .
+
+To that we have the following additions specified in OIDC extensions.
+
+* https://openid.net/specs/openid-connect-rpinitiated-1_0.html
+    + post_logout_redirect_uri
+* https://openid.net/specs/openid-connect-frontchannel-1_0.html
+    + frontchannel_logout_uri
+    + frontchannel_logout_session_required
+* https://openid.net/specs/openid-connect-backchannel-1_0.html#Backchannel
+    + backchannel_logout_uri
+    + backchannel_logout_session_required
+* https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.3.1
+    + client_registration_types
+    + organization_name
+    + signed_jwks_uri
+
+And finally we add a number of parameters that are OidcOP specific.
+These are described in this document.
+
+--------------
+allowed_scopes
+--------------
+
+Which scopes that can be returned to a client. This is used to filter
+the set of scopes a user can authorize release of.
+
+-----------------
+token_usage_rules
+-----------------
+
+There are usage rules for tokens. Rules are set per token type (the basic set is
+authorization_code, refresh_token, access_token and id_token).
+The possible rules are:
+
++ how many times they can be used
++ if other tokens can be minted based on this token
++ how fast they expire
+
+A typical example (this is the default) would be::
+
+    "token_usage_rules": {
+        "authorization_code": {
+            "max_usage": 1
+            "supports_minting": ["access_token", "refresh_token"],
+            "expires_in": 600,
+        },
+        "refresh_token": {
+            "supports_minting": ["access_token"],
+            "expires_in": -1
+        },
+    }
+
+This then means that access_tokens can be used any number of times,
+can not be used to mint other tokens and will expire after 300 seconds
+which is the default for any token. An authorization_code can only used once
+and it can be used to mint access_tokens and refresh_tokens. Note that normally
+an authorization_code is used to mint an access_token and a refresh_token at
+the same time. Such a dual minting is counted as one usage.
+And lastly an refresh_token can be used to mint access_tokens any number of
+times. An *expires_in* of -1 means that the token will never expire.
+
+If token_usage_rules are defined in the client metadata then it will be used
+whenever a token is minted unless circumstances makes the OP modify the rules.
+
+Also this does not mean that what is valid for a token can not be changed
+during run time.
+
+
diff --git a/docs/source/contents/conf.rst b/docs/source/contents/conf.rst
index e5450105..30ed142f 100644
--- a/docs/source/contents/conf.rst
+++ b/docs/source/contents/conf.rst
@@ -199,9 +199,9 @@ client_db
 
 If you're running an OP with static client registration you want to keep the
 registered clients in a database separate from the session database since
-it will change independent of the OP process. In this case you need this.
+it will change independent of the OP process. In this case you need *client_db*.
 If you are on the other hand only allowing dynamic client registration then
-keeping registered clients in the session database makes total sense.
+keeping registered clients only in the session database makes total sense.
 
 The class you reference in the specification MUST be a subclass of
 oidcmsg.storage.DictType and have some of the methods a dictionary has.
diff --git a/docs/source/contents/session_management.rst b/docs/source/contents/session_management.rst
index 26e99371..8bb60fbf 100644
--- a/docs/source/contents/session_management.rst
+++ b/docs/source/contents/session_management.rst
@@ -481,7 +481,7 @@ add_grant
 +++++++++
 .. _add_grant:
 
-    add_grant(self, user_id, client_id, **kwargs)
+    add_grant(self, user_id, client_id, \*\*kwargs)
 
 find_token
 ++++++++++
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 99a12111..051a7b27 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
@@ -1,6 +1,10 @@
 Welcome to Idpy OIDC-op Documentation
 ======================================
 
+.. image:: _images/oid-l-certification-mark-l-rgb-150dpi-90mm-300x157.png
+  :width: 300
+  :alt: OIDC Certified
+
 This project is a Python implementation of an **OIDC Provider** on top of `jwtconnect.io <https://jwtconnect.io/>`_
 that shows you how to 'build' an OP using the classes and functions provided by oidc-op.
 
@@ -66,6 +70,12 @@ under the `Apache 2.0 <https://en.wikipedia.org/wiki/Apache_License>`_.
 
    contents/developers.md
 
+.. toctree::
+   :maxdepth: 2
+   :caption: Client database
+
+   contents/clients.rst
+
 .. toctree::
    :maxdepth: 2
    :caption: FAQ
diff --git a/example/fastapi.tgz b/example/fastapi.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..d9ff83002720ee47101a4028e17d7643d43ccda0
GIT binary patch
literal 2901
zcmV-b3##-ViwFQbcZy&D1MM5zZreKYJo_uOdZ}|ZkuPzaHoyT+n&kAd-6n_=^q~j@
zTB2>nvZN)cxNecp*)Q22+aX0tq%7HKo3_|R^bkwrkeoYbhRg&pj#APIl6XR<-YrYw
z-yZwvcDuvDz!ATP!=e1`_VaIedc$G2=kx~ML4PpZ?;i}DZtq~f+x^YyJ~}2fPX_c;
zK!qj|io<3&0GmuU%##!26u<u?&zF|txF`($BzBJ+@de-MJix^ld{44C;6y^W2?>KF
z^~8^tkMjh$d>1c1%hEKV+}+iq=SxJV%$N__Fk?981Vzw1K@r2dWnYkl*binXif}x|
z{sQw^5{jiq{ez)1+J8Q9MhCsVt47?*-}`(5H;52fu&+Qq00l@EK7)45WTVxxnGA{<
zMl_iDpgJ&M20BF9jHCedv48@&7%i~7Yqm_u9gh9=_6b^$XjRjJ7l=ePP5vFGWI}Lg
z_pxkjHxR}uqr)u46zn~xH1t8gNkow3RRMTobGfBB?V^m&K9?E;Y-h~iu<Z7Z#oyP!
zn~20ywfZ_A-6=&e_j3<q^EYD%G=OFiwi&MwNGSO%@%4qyR3Ic1q$)ChK|tB!X+<pg
zJV5};=<{TbV~atum*NS?c-GWSLe*n++}LpL0)6r&C9r<a=(@M$VIcyf*u6F)Kb%sV
z9uw!{-N4VqpHc#&eIigB?DxCf4Qe9{KS0VPmHuQ5Q&S~SKn-mYy}lS4OT`l6jye9s
zy*KZ#&Mx1dU0qzBU!9+vzq>ddjXs=To|aZyRZL?l@#<Z}p9=taOX6G9-)!yD(pEl>
z!!!Xli&^ugjzr(!2gi#vLR<)3lIEwdgm-JN0dV2Cs@7}xauRuON9XTPNx)BE+9q6s
zq-+<vI4sF$Vj{8hGL$>JyH${>u(ugTp%jOEg_+PMCrYLcF_lL6mj&Vem`lI<3Ug<H
z0pxEcjHEn5V=TP9`<?{zid$2-l`tb5P?(CL3^t$!6$(&_#^9(pF`R<H=N1Rt=PPj9
zdJn>(VFzxSjUy72B2E#ZOTyGb%4n4{+AvLx<0+;jAa)WEWAn>sd_*vx9Hoe&1v^T_
z@FTg%o>=7QcFFg~u!$H7RA-AfCH+Y<Cm<x@Rt=+B(;OSlJCUES)u={aJjbhw)~A%*
zfhw2!lz(^B{I|<F%azNJE6n1Dc)}`fsG_EVelg?u$yLQ43Dv1{VK@#pyV^OCkwOK|
za;4vm1cP1bAxKo<N`o`tLDWcuA<;?)LR#w!Wso*wNrZtLHv$?zNnLBkDPbH_quZwz
zgc|QJPz>h2z_}}9@Y!T@hRajhw#4HJcm~^RYZdX9IEwb>ak7j%C19gZmf=`PAPfO_
zy7Er-+h%VZL<BI;eR&xq##t2A28Jn3?g+Rw*rO)NHl!gQib=Saha?%zH>=I~7xSx3
z>Oy^=)X(t<6y<`Z_D*ULWc6=G-URh7YsY;Z!n<ogOuBYoMhdy><U}gA3>UgvDfA&r
z-A1K^*+wbYTO+xb(EBYUTfu(r&GjzY6iF)*!Ki4$QXDi%(FSNHPGHpcENJgd{n&4$
z%NAssFm4cMIiLumHP<Pl0qM)OaKzeQ>o{TqY!<f#EAx?>k>8=(BH8ri){epDS^)#6
z8Me6cuMDE8uLI5~dFTL^CNaYs0+$?PGhC4^>*+w5)$CS>I!*2MLv-ubVRZm;65}QX
zQ^YP{jt#^D4~<PkHccp+$_>wMP3WSk(6zc*&AtkqwDGUkMG50w*^rNCi@VMJW5kTW
zw*~-$P`g_PeIk$(om==KY`bY+E&4WdM}x_X?2QFq&m%CsZQ34#Tv4THf~He&|A<!$
zCZX5_$T$-nTd2jN*i*z{YXs}A&GafLZ&Zb@qZab7B;&qHKr<SZxu>7^Sy>gRgKAbD
zL`CjpyA=+SX$%pXk0MbvaL+`U&Fr60$hHH>BVrusX*al{T5uI{ZWuO3!TjNi)Io1w
zBbeb}UI3B_%|q+@_J&Y+#(5g#PT5F5b6FTMd=6Z=#l|d6LwIjaP0vu1nL$2<vWWX@
z6;4MN2P>rnv&JeIQS@1r8@q=1;3*ooLm12Q)I;!z9d$Zi!UUFx?~lF+soYEY>@2e}
z!>p#3b!nx+1f9uUj*cr;h^k+(GPA<Qcblg?J27Vr=$&Z1*sB=IgIAKjy5NwPB?{sh
zhv+0&r+qC^)UMYs@U^jpT);+1?9U)P?4y9PW_>IHy?5gEwHR_NhBPWB1M^wHW{lE$
zrL-9G%@w^SpInfr%@>rUByU0@tP<!#tu!F8$>Q*OB|u43OEF(Z*Y^C7NJZD*IfwE{
zKv!LSi&w4?j8I@}*Jx1we4h2{N|Pegn}=QQC`e3#%6>myaam3453J_83P`oMVpTtM
z?L)?ybq?p(prZ<E21e@b#@g5`rwH|1F_~bMxegoB*0m_HYGk>`hqy}l{<j~l9uO89
zEAPY7hU1Z^R(e~o%<U^rjnWwe-F}=c##TMM(o+sDjj|3Kf4s`imezM-l&uA8dc(k<
z5EvBp5<2amG>x`JV_LQkm)rB<pz(lWEt0K2L8yyV>-OxiFFcSAgPBo<mrJ(pTfg}H
zccRY!jZ=b0Ut{z6zi2(k&;R?wUhm*Qp8xlUPv`$X<B{k8Awe+`N;;<~%H0J-*kh^n
zvt+5aHVCZq*e;-%$d&JZHS$l-cR$+xOZW8nYizOq-eG^u{(FbLC;R^yk7fVmS*oz|
zkj$wNkKW#N9DORFoqrUr!m)0%XaL=1UTA?nYgnw0gyo=ejLsZ##QroQ0t>=STg{Zn
zieg}vzYm7ai>`C{e0Tu#=qVsffw;lWWH`l``(=-Ny}<wZw{sl>eUuT7jg#Fd2~b4%
zssJ-imJ`sHNMA~EM`wF4y1nOzMnx#eVov4I(GrK)j0sHdYYRj))(PY#qGLpn^VWHb
zV^-D>Y^f-y2D#WHO~FW1s)7-Xg<OJU(I}TP?t2)+dtf_?-6(QSfWOW~gg&EszQ0bQ
zXthj|&`gh}>TLAnxKSc6dc*GXT5(*Dj;pfJ+ny~9(OM^rYXR+?$Q`m)4icb23f8cK
z*;(*lR_8(GSJ=Py|2~AYg!{git{&aTY>odw=IZ`uzc)A({=dJ!|K$IF#-rsgYIHwB
z_Tt&L{|^p_O8$rY`v*gi|6nk9ivNGgLl&Ye>xjUwrQV}tIwkS6)tb;`;V1=hROcy9
zaU8PRzQ5q}_~MP#Ckl#FaEQj-n5wD8@m<7p*9ScQOI{SY%nv_v7?pHGbb43LGLm1d
zRz4ea@^|<SM{R|<cY5~n`qfUWh0@gdL!;H+5#M^IKb-dvB(z$s5Ko+`*n`rvy>ld8
zE5$scu>&p8|ECy~#6Bz#^R_6lQl6#mjvSbzzG~28;af~DE|9dJ8JFsx?Z~SKfP{bw
z;t2qWcHj>RSz8Rty9)erBHIAE>jca254R(D;pR{lB}}m+#}$ZayPf(gI62m$%a>hk
zDT1Rl-ovCy(Cr;XnBsMa$Jw;)zDf*%IqJAt;ifMO!6YS`>c^MZ71xP&<++=>?V~88
zQwAe7h`3iHudS*za*Vx@1RPLX$4m_0QBurLiOtEv#MjO3-+#AZZGmX8kHu-Td$VI|
zhiLxQ#hXWX3jZ%{@yF}{+xGwdq5l65$OL;mNA3s*PyYXBJkrVXRVr@zD(`xpit8~b
zQeHY;g-G1k*4-}=!~Yc80uD#kM%TPYy8tO1D)<;Z?MHBRH(+efM8Wr{qwd;yG3Fg{
zRf&mzMT&92J3X)4$<Gs?X(LTC8sH-bX81oay{G5td3v6nU;6wPGmI@?06G8w(?qa`

literal 0
HcmV?d00001

diff --git a/example/fastapi/__init__.py b/example/fastapi/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/example/fastapi/config.json b/example/fastapi/config.json
new file mode 100644
index 00000000..0dc7fd0d
--- /dev/null
+++ b/example/fastapi/config.json
@@ -0,0 +1,330 @@
+{
+  "add_on": {
+    "pkce": {
+      "function": "oidcop.oidc.add_on.pkce.add_pkce_support",
+      "kwargs": {
+        "essential": false,
+        "code_challenge_method": "S256 S384 S512"
+      }
+    },
+    "claims": {
+      "function": "oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
+      "kwargs": {
+        "research_and_scholarship": [
+          "name",
+          "given_name",
+          "family_name",
+          "email",
+          "email_verified",
+          "sub",
+          "iss",
+          "eduperson_scoped_affiliation"
+        ]
+      }
+    }
+  },
+  "authz": {
+    "class": "oidcop.authz.AuthzHandling",
+    "kwargs": {
+      "grant_config": {
+        "usage_rules": {
+          "authorization_code": {
+            "supports_minting": [
+              "access_token",
+              "refresh_token",
+              "id_token"
+            ],
+            "max_usage": 1
+          },
+          "access_token": {},
+          "refresh_token": {
+            "supports_minting": [
+              "access_token",
+              "refresh_token"
+            ]
+          }
+        },
+        "expires_in": 43200
+      }
+    }
+  },
+  "authentication": {
+    "user": {
+      "acr": "oidcop.user_authn.authn_context.INTERNETPROTOCOLPASSWORD",
+      "class": "oidcop.user_authn.user.UserPassJinja2",
+      "kwargs": {
+        "verify_endpoint": "verify/user",
+        "template": "user_pass.jinja2",
+        "db": {
+          "class": "oidcop.util.JSONDictDB",
+          "kwargs": {
+            "filename": "passwd.json"
+          }
+        },
+        "page_header": "Testing log in",
+        "submit_btn": "Get me in!",
+        "user_label": "Nickname",
+        "passwd_label": "Secret sauce"
+      }
+    }
+  },
+  "capabilities": {
+    "subject_types_supported": [
+      "public",
+      "pairwise"
+    ],
+    "grant_types_supported": [
+      "authorization_code",
+      "implicit",
+      "urn:ietf:params:oauth:grant-type:jwt-bearer",
+      "refresh_token"
+    ]
+  },
+  "cookie_handler": {
+    "class": "oidcop.cookie_handler.CookieHandler",
+    "kwargs": {
+      "keys": {
+        "private_path": "private/cookie_jwks.json",
+        "key_defs": [
+          {
+            "type": "OCT",
+            "use": [
+              "enc"
+            ],
+            "kid": "enc"
+          },
+          {
+            "type": "OCT",
+            "use": [
+              "sig"
+            ],
+            "kid": "sig"
+          }
+        ],
+        "read_only": false
+      },
+      "name": {
+        "session": "oidc_op",
+        "register": "oidc_op_rp",
+        "session_management": "sman"
+      }
+    }
+  },
+  "endpoint": {
+    "webfinger": {
+      "path": ".well-known/webfinger",
+      "class": "oidcop.oidc.discovery.Discovery",
+      "kwargs": {
+        "client_authn_method": null
+      }
+    },
+    "provider_info": {
+      "path": ".well-known/openid-configuration",
+      "class": "oidcop.oidc.provider_config.ProviderConfiguration",
+      "kwargs": {
+        "client_authn_method": null
+      }
+    },
+    "registration": {
+      "path": "registration",
+      "class": "oidcop.oidc.registration.Registration",
+      "kwargs": {
+        "client_authn_method": null,
+        "client_secret_expiration_time": 432000
+      }
+    },
+    "registration_api": {
+      "path": "registration_api",
+      "class": "oidcop.oidc.read_registration.RegistrationRead",
+      "kwargs": {
+        "client_authn_method": [
+          "bearer_header"
+        ]
+      }
+    },
+    "introspection": {
+      "path": "introspection",
+      "class": "oidcop.oauth2.introspection.Introspection",
+      "kwargs": {
+        "client_authn_method": [
+          "client_secret_post"
+        ],
+        "release": [
+          "username"
+        ]
+      }
+    },
+    "authorization": {
+      "path": "authorization",
+      "class": "oidcop.oidc.authorization.Authorization",
+      "kwargs": {
+        "client_authn_method": null,
+        "claims_parameter_supported": true,
+        "request_parameter_supported": true,
+        "request_uri_parameter_supported": true,
+        "response_types_supported": [
+          "code",
+          "token",
+          "id_token",
+          "code token",
+          "code id_token",
+          "id_token token",
+          "code id_token token",
+          "none"
+        ],
+        "response_modes_supported": [
+          "query",
+          "fragment",
+          "form_post"
+        ]
+      }
+    },
+    "token": {
+      "path": "token",
+      "class": "oidcop.oidc.token.Token",
+      "kwargs": {
+        "client_authn_method": [
+          "client_secret_post",
+          "client_secret_basic",
+          "client_secret_jwt",
+          "private_key_jwt"
+        ]
+      }
+    },
+    "userinfo": {
+      "path": "userinfo",
+      "class": "oidcop.oidc.userinfo.UserInfo",
+      "kwargs": {
+        "claim_types_supported": [
+          "normal",
+          "aggregated",
+          "distributed"
+        ]
+      }
+    },
+    "end_session": {
+      "path": "session",
+      "class": "oidcop.oidc.session.Session",
+      "kwargs": {
+        "logout_verify_url": "verify_logout",
+        "post_logout_uri_path": "post_logout",
+        "signing_alg": "ES256",
+        "frontchannel_logout_supported": true,
+        "frontchannel_logout_session_supported": true,
+        "backchannel_logout_supported": true,
+        "backchannel_logout_session_supported": true,
+        "check_session_iframe": "check_session_iframe"
+      }
+    }
+  },
+  "httpc_params": {
+    "verify": false
+  },
+  "id_token": {
+    "class": "oidcop.id_token.IDToken",
+    "kwargs": {
+      "default_claims": {
+        "email": {
+          "essential": true
+        },
+        "email_verified": {
+          "essential": true
+        }
+      }
+    }
+  },
+  "issuer": "https://{domain}:{port}",
+  "keys": {
+    "private_path": "private/jwks.json",
+    "key_defs": [
+      {
+        "type": "RSA",
+        "use": [
+          "sig"
+        ]
+      },
+      {
+        "type": "EC",
+        "crv": "P-256",
+        "use": [
+          "sig"
+        ]
+      }
+    ],
+    "public_path": "static/jwks.json",
+    "read_only": false,
+    "uri_path": "static/jwks.json"
+  },
+  "login_hint2acrs": {
+    "class": "oidcop.login_hint.LoginHint2Acrs",
+    "kwargs": {
+      "scheme_map": {
+        "email": [
+          "oidcop.user_authn.authn_context.INTERNETPROTOCOLPASSWORD"
+        ]
+      }
+    }
+  },
+  "session_key": {
+    "filename": "private/session_jwk.json",
+    "type": "OCT",
+    "use": "sig"
+  },
+  "template_dir": "templates",
+  "token_handler_args": {
+    "jwks_def": {
+      "private_path": "private/token_jwks.json",
+      "read_only": false,
+      "key_defs": [
+        {
+          "type": "oct",
+          "bytes": 24,
+          "use": [
+            "enc"
+          ],
+          "kid": "code"
+        },
+        {
+          "type": "oct",
+          "bytes": 24,
+          "use": [
+            "enc"
+          ],
+          "kid": "refresh"
+        }
+      ]
+    },
+    "code": {
+      "kwargs": {
+        "lifetime": 600
+      }
+    },
+    "token": {
+      "class": "oidcop.token.jwt_token.JWTToken",
+      "kwargs": {
+        "lifetime": 3600,
+        "add_claims": [
+          "email",
+          "email_verified",
+          "phone_number",
+          "phone_number_verified"
+        ],
+        "add_claim_by_scope": true,
+        "aud": [
+          "https://example.org/appl"
+        ]
+      }
+    },
+    "refresh": {
+      "kwargs": {
+        "lifetime": 86400
+      }
+    }
+  },
+  "userinfo": {
+    "class": "oidcop.user_info.UserInfo",
+    "kwargs": {
+      "db_file": "users.json"
+    }
+  }
+}
diff --git a/example/fastapi/main.py b/example/fastapi/main.py
new file mode 100644
index 00000000..e7e64c4b
--- /dev/null
+++ b/example/fastapi/main.py
@@ -0,0 +1,64 @@
+import json
+import logging
+
+from fastapi import Depends
+from fastapi import FastAPI
+from fastapi import HTTPException
+from fastapi.logger import logger
+from fastapi.openapi.models import Response
+from models import AuthorizationRequest
+from models import WebFingerRequest
+from utils import verify
+
+from oidcop.exception import FailedAuthentication
+from oidcop.server import Server
+
+logger.setLevel(logging.DEBUG)
+
+app = FastAPI()
+app.server = None
+
+
+def get_app():
+    return app
+
+
+@app.on_event("startup")
+def op_startup():
+    _str = open('config.json').read()
+    cnf = json.loads(_str)
+    server = Server(cnf, cwd="/oidc")
+    app.server = server
+
+
+@app.get("/.well-known/webfinger")
+async def well_known(model: WebFingerRequest = Depends()):
+    endpoint = app.server.server_get("endpoint", "discovery")
+    args = endpoint.process_request(model.dict())
+    response = endpoint.do_response(**args)
+    resp = json.loads(response["response"])
+    return resp
+
+
+@app.get("/.well-known/openid-configuration")
+async def openid_config():
+    endpoint = app.server.server_get("endpoint", "provider_config")
+    args = endpoint.process_request()
+    response = endpoint.do_response(**args)
+    resp = json.loads(response["response"])
+    return resp
+
+
+@app.post('/verify/user', status_code=200)
+def verify_user(kwargs: dict, response: Response):
+    authn_method = app.server.server_get(
+        "endpoint_context").authn_broker.get_method_by_id('user')
+    try:
+        return verify(app, authn_method, kwargs, response)
+    except FailedAuthentication as exc:
+        raise HTTPException(404, "Failed authentication")
+
+
+@app.get('/authorization')
+def authorization(model: AuthorizationRequest = Depends()):
+    return service_endpoint(app.server.server_get("endpoint", 'authorization'))
diff --git a/example/fastapi/models.py b/example/fastapi/models.py
new file mode 100644
index 00000000..63b7a45e
--- /dev/null
+++ b/example/fastapi/models.py
@@ -0,0 +1,31 @@
+from typing import List
+from typing import Optional
+
+from pydantic import BaseModel
+
+
+class WebFingerRequest(BaseModel):
+    rel: Optional[str] = 'http://openid.net/specs/connect/1.0/issuer'
+    resource: str
+
+
+class AuthorizationRequest(BaseModel):
+    acr_values: Optional[List[str]]
+    claims: Optional[dict]
+    claims_locales: Optional[List[str]]
+    client_id: str
+    display: Optional[str]
+    id_token_hint: Optional[str]
+    login_hint: Optional[str]
+    max_age: Optional[int]
+    nonce: Optional[str]
+    prompt: Optional[List[str]]
+    redirect_uri: str
+    registration: Optional[dict]
+    request: Optional[str]
+    request_uri: Optional[str]
+    response_mode: Optional[str]
+    response_type: List[str]
+    scope: List[str]
+    state: Optional[str]
+    ui_locales: Optional[List[str]]
diff --git a/unsupported/chpy/passwd.json b/example/fastapi/passwd.json
similarity index 100%
rename from unsupported/chpy/passwd.json
rename to example/fastapi/passwd.json
diff --git a/unsupported/chpy/users.json b/example/fastapi/users.json
similarity index 100%
rename from unsupported/chpy/users.json
rename to example/fastapi/users.json
diff --git a/example/fastapi/utils.py b/example/fastapi/utils.py
new file mode 100644
index 00000000..13efdf6c
--- /dev/null
+++ b/example/fastapi/utils.py
@@ -0,0 +1,136 @@
+import json
+
+from fastapi import HTTPException
+from fastapi import status
+from oic.oic import AuthorizationRequest
+from oidcmsg.oauth2 import ResponseMessage
+
+
+def do_response(endpoint, req_args, response, error='', **args):
+    info = endpoint.do_response(request=req_args, error=error, **args)
+
+    try:
+        _response_placement = info['response_placement']
+    except KeyError:
+        _response_placement = endpoint.response_placement
+
+    if error:
+        if _response_placement == 'body':
+            raise HTTPException(400, info['response'])
+        else:  # _response_placement == 'url':
+            response.status_code = status.HTTP_307_TEMPORARY_REDIRECT
+            resp = json.loads(info['response'])
+    else:
+        if _response_placement == 'body':
+            resp = json.loads(info['response'])
+        else:  # _response_placement == 'url':
+            response.status_code = status.HTTP_307_TEMPORARY_REDIRECT
+            resp = json.loads(info['response'])
+
+    for key, value in info['http_headers']:
+        response.headers[key] = value
+
+    if 'cookie' in info:
+        for d in info["cookie"]:
+            response.set_cookie(key=d["name"], value=d["value"])
+
+    return resp
+
+
+def verify(app, authn_method, kwargs, response):
+    """
+    Authentication verification
+
+    :param kwargs: response arguments
+    :return: HTTP redirect
+    """
+
+    #kwargs = dict([(k, v) for k, v in request.form.items()])
+    username = authn_method.verify(**kwargs)
+    if not username:
+        raise HTTPException(403, "Authentication failed")
+
+    auth_args = authn_method.unpack_token(kwargs['token'])
+    authz_request = AuthorizationRequest().from_urlencoded(auth_args['query'])
+
+    endpoint = app.server.server_get("endpoint", 'authorization')
+    _session_id = endpoint.create_session(authz_request, username, auth_args['authn_class_ref'],
+                                          auth_args['iat'], authn_method)
+
+    args = endpoint.authz_part2(request=authz_request, session_id=_session_id)
+
+    if isinstance(args, ResponseMessage) and 'error' in args:
+        raise HTTPException(400, args.to_json())
+
+    return do_response(endpoint, kwargs, response, **args)
+
+
+IGNORE = ["cookie", "user-agent"]
+
+
+def service_endpoint(app, endpoint):
+    _log = app.srv_config.logger
+    _log.info('At the "{}" endpoint'.format(endpoint.name))
+
+    http_info = {
+        "headers": {k: v for k, v in request.headers.items(lower=True) if k not in IGNORE},
+        "method": request.method,
+        "url": request.url,
+        # name is not unique
+        "cookie": [{"name": k, "value": v} for k, v in request.cookies.items()]
+    }
+
+    if request.method == 'GET':
+        try:
+            req_args = endpoint.parse_request(request.args.to_dict(), http_info=http_info)
+        except (InvalidClient, UnknownClient) as err:
+            _log.error(err)
+            return make_response(json.dumps({
+                'error': 'unauthorized_client',
+                'error_description': str(err)
+            }), 400)
+        except Exception as err:
+            _log.error(err)
+            return make_response(json.dumps({
+                'error': 'invalid_request',
+                'error_description': str(err)
+            }), 400)
+    else:
+        if request.data:
+            if isinstance(request.data, str):
+                req_args = request.data
+            else:
+                req_args = request.data.decode()
+        else:
+            req_args = dict([(k, v) for k, v in request.form.items()])
+        try:
+            req_args = endpoint.parse_request(req_args, http_info=http_info)
+        except Exception as err:
+            _log.error(err)
+            err_msg = ResponseMessage(error='invalid_request', error_description=str(err))
+            return make_response(err_msg.to_json(), 400)
+
+    _log.info('request: {}'.format(req_args))
+    if isinstance(req_args, ResponseMessage) and 'error' in req_args:
+        return make_response(req_args.to_json(), 400)
+
+    try:
+        if isinstance(endpoint, Token):
+            args = endpoint.process_request(AccessTokenRequest(**req_args), http_info=http_info)
+        else:
+            args = endpoint.process_request(req_args, http_info=http_info)
+    except Exception as err:
+        message = traceback.format_exception(*sys.exc_info())
+        _log.error(message)
+        err_msg = ResponseMessage(error='invalid_request', error_description=str(err))
+        return make_response(err_msg.to_json(), 400)
+
+    _log.info('Response args: {}'.format(args))
+
+    if 'redirect_location' in args:
+        return redirect(args['redirect_location'])
+    if 'http_response' in args:
+        return make_response(args['http_response'], 200)
+
+    response = do_response(endpoint, req_args, **args)
+    return response
diff --git a/example/flask_op/config.json b/example/flask_op/config.json
index 1f0fb783..ae011032 100644
--- a/example/flask_op/config.json
+++ b/example/flask_op/config.json
@@ -116,6 +116,21 @@
           "implicit",
           "urn:ietf:params:oauth:grant-type:jwt-bearer",
           "refresh_token"
+        ],
+        "request_object_signing_alg_values_supported": [
+          "RS256",
+          "RS384",
+          "RS512",
+          "ES256",
+          "ES384",
+          "ES512",
+          "HS256",
+          "HS384",
+          "HS512",
+          "PS256",
+          "PS384",
+          "PS512",
+          "none"
         ]
       },
       "cookie_handler": {
diff --git a/example/flask_op/config_cdb.json b/example/flask_op/config_cdb.json
new file mode 100644
index 00000000..75d540ae
--- /dev/null
+++ b/example/flask_op/config_cdb.json
@@ -0,0 +1,332 @@
+{
+  "port": 5000,
+  "domain": "127.0.0.1",
+  "server_name": "{domain}:{port}",
+  "base_url": "https://{domain}:{port}",
+  "op": {
+    "server_info": {
+      "add_on": {
+        "pkce": {
+          "function": "oidcop.oidc.add_on.pkce.add_pkce_support",
+          "kwargs": {
+            "essential": false,
+            "code_challenge_method": "S256 S384 S512"
+          }
+        },
+        "claims": {
+          "function": "oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
+          "kwargs": {
+            "research_and_scholarship": [
+              "name",
+              "given_name",
+              "family_name",
+              "email",
+              "email_verified",
+              "sub",
+              "iss",
+              "eduperson_scoped_affiliation"
+            ]
+          }
+        }
+      },
+      "authz": {
+        "class": "oidcop.authz.AuthzHandling",
+        "kwargs": {
+          "grant_config": {
+            "usage_rules": {
+              "authorization_code": {
+                "supports_minting": [
+                  "access_token",
+                  "refresh_token",
+                  "id_token"
+                ],
+                "max_usage": 1
+              },
+              "access_token": {},
+              "refresh_token": {
+                "supports_minting": [
+                  "access_token",
+                  "refresh_token"
+                ]
+              }
+            },
+            "expires_in": 43200
+          }
+        }
+      },
+      "authentication": {
+        "user": {
+          "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword",
+          "class": "oidcop.user_authn.user.UserPassJinja2",
+          "kwargs": {
+            "verify_endpoint": "/verify/user",
+            "template": "user_pass.jinja2",
+            "db": {
+              "class": "oidcop.util.JSONDictDB",
+              "kwargs": {
+                "filename": "passwd.json"
+              }
+            },
+            "page_header": "Testing log in",
+            "submit_btn": "Get me in!",
+            "user_label": "Nickname",
+            "passwd_label": "Secret sauce"
+          }
+        }
+      },
+      "capabilities": {
+        "subject_types_supported": [
+          "public",
+          "pairwise"
+        ],
+        "grant_types_supported": [
+          "authorization_code",
+          "implicit",
+          "urn:ietf:params:oauth:grant-type:jwt-bearer",
+          "refresh_token"
+        ]
+      },
+      "client_db": {
+        "class": "oidcmsg.storage.abfile.AbstractFileSystem",
+        "kwargs": {
+          "fdir": "cdb",
+          "key_conv": "oidcmsg.util.QPKey",
+          "value_conv": "oidcmsg.util.JSON"
+        }
+      },
+      "cookie_handler": {
+        "class": "oidcop.cookie_handler.CookieHandler",
+        "kwargs": {
+          "keys": {
+            "private_path": "private/cookie_jwks.json",
+            "key_defs": [
+              {
+                "type": "OCT",
+                "use": [
+                  "enc"
+                ],
+                "kid": "enc"
+              },
+              {
+                "type": "OCT",
+                "use": [
+                  "sig"
+                ],
+                "kid": "sig"
+              }
+            ],
+            "read_only": false
+          },
+          "name": {
+            "session": "oidc_op",
+            "register": "oidc_op_rp",
+            "session_management": "sman"
+          }
+        }
+      },
+      "endpoint": {
+        "webfinger": {
+          "path": ".well-known/webfinger",
+          "class": "oidcop.oidc.discovery.Discovery",
+          "kwargs": {
+            "client_authn_method": null
+          }
+        },
+        "provider_info": {
+          "path": ".well-known/openid-configuration",
+          "class": "oidcop.oidc.provider_config.ProviderConfiguration",
+          "kwargs": {
+            "client_authn_method": null
+          }
+        },
+        "registration": {
+          "path": "registration",
+          "class": "oidcop.oidc.registration.Registration",
+          "kwargs": {
+            "client_authn_method": null,
+            "client_secret_expiration_time": 432000
+          }
+        },
+        "registration_api": {
+          "path": "registration_api",
+          "class": "oidcop.oidc.read_registration.RegistrationRead",
+          "kwargs": {
+            "client_authn_method": [
+              "bearer_header"
+            ]
+          }
+        },
+        "introspection": {
+          "path": "introspection",
+          "class": "oidcop.oauth2.introspection.Introspection",
+          "kwargs": {
+            "client_authn_method": [
+              "client_secret_post",
+              "client_secret_basic",
+              "client_secret_jwt",
+              "private_key_jwt"
+            ],
+            "release": [
+              "username"
+            ]
+          }
+        },
+        "authorization": {
+          "path": "authorization",
+          "class": "oidcop.oidc.authorization.Authorization",
+          "kwargs": {
+            "client_authn_method": null,
+            "claims_parameter_supported": true,
+            "request_parameter_supported": true,
+            "request_uri_parameter_supported": true,
+            "response_types_supported": [
+              "code",
+              "token",
+              "id_token",
+              "code token",
+              "code id_token",
+              "id_token token",
+              "code id_token token",
+              "none"
+            ],
+            "response_modes_supported": [
+              "query",
+              "fragment",
+              "form_post"
+            ]
+          }
+        },
+        "token": {
+          "path": "token",
+          "class": "oidcop.oidc.token.Token",
+          "kwargs": {
+            "client_authn_method": [
+              "client_secret_post",
+              "client_secret_basic",
+              "client_secret_jwt",
+              "private_key_jwt"
+            ]
+          }
+        },
+        "userinfo": {
+          "path": "userinfo",
+          "class": "oidcop.oidc.userinfo.UserInfo",
+          "kwargs": {
+            "claim_types_supported": [
+              "normal",
+              "aggregated",
+              "distributed"
+            ]
+          }
+        },
+        "end_session": {
+          "path": "session",
+          "class": "oidcop.oidc.session.Session",
+          "kwargs": {
+            "logout_verify_url": "verify_logout",
+            "post_logout_uri_path": "post_logout",
+            "signing_alg": "ES256",
+            "frontchannel_logout_supported": true,
+            "frontchannel_logout_session_supported": true,
+            "backchannel_logout_supported": true,
+            "backchannel_logout_session_supported": true,
+            "check_session_iframe": "check_session_iframe"
+          }
+        }
+      },
+      "httpc_params": {
+        "verify": false
+      },
+      "issuer": "https://{domain}:{port}",
+      "keys": {
+        "private_path": "private/jwks.json",
+        "key_defs": [
+          {
+            "type": "RSA",
+            "use": [
+              "sig"
+            ]
+          },
+          {
+            "type": "EC",
+            "crv": "P-256",
+            "use": [
+              "sig"
+            ]
+          }
+        ],
+        "public_path": "static/jwks.json",
+        "read_only": false,
+        "uri_path": "static/jwks.json"
+      },
+      "login_hint2acrs": {
+        "class": "oidcop.login_hint.LoginHint2Acrs",
+        "kwargs": {
+          "scheme_map": {
+            "email": [
+              "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
+            ]
+          }
+        }
+      },
+      "template_dir": "templates",
+      "token_handler_args": {
+        "jwks_file": "private/token_jwks.json",
+        "code": {
+          "kwargs": {
+            "lifetime": 600
+          }
+        },
+        "token": {
+          "class": "oidcop.token.jwt_token.JWTToken",
+          "kwargs": {
+            "lifetime": 3600,
+            "add_claims": [
+              "email",
+              "email_verified",
+              "phone_number",
+              "phone_number_verified"
+            ],
+            "add_claim_by_scope": true,
+            "aud": [
+              "https://example.org/appl"
+            ]
+          }
+        },
+        "refresh": {
+          "kwargs": {
+            "lifetime": 86400
+          }
+        },
+        "id_token": {
+          "class": "oidcop.token.id_token.IDToken",
+          "kwargs": {
+            "base_claims": {
+              "email": {
+                "essential": true
+              },
+              "email_verified": {
+                "essential": true
+              }
+            }
+          }
+        }
+      },
+      "userinfo": {
+        "class": "oidcop.user_info.UserInfo",
+        "kwargs": {
+          "db_file": "users.json"
+        }
+      }
+    }
+  },
+  "webserver": {
+    "server_cert": "certs/client.crt",
+    "server_key": "certs/client.key",
+    "ca_bundle": null,
+    "verify_user": false,
+    "port": 5000,
+    "domain": "127.0.0.1",
+    "debug": true
+  }
+}
diff --git a/example/flask_op/config_martin.yaml b/example/flask_op/config_martin.yaml
new file mode 100644
index 00000000..c92e5662
--- /dev/null
+++ b/example/flask_op/config_martin.yaml
@@ -0,0 +1,309 @@
+logging:
+  version: 1
+  root:
+    handlers:
+      - default
+      - console
+    level: DEBUG
+  loggers:
+    bobcat_idp:
+      level: DEBUG
+  handlers:
+    default:
+      class: logging.FileHandler
+      filename: 'debug.log'
+      formatter: default
+    console:
+      class: logging.StreamHandler
+      stream: 'ext://sys.stdout'
+      formatter: default
+  formatters:
+    default:
+      format: '%(asctime)s %(name)s %(levelname)s %(message)s'
+
+port: &port 5000
+domain: 127.0.0.1
+server_name: '{domain}'
+base_url: &base_url 'https://{domain}:{port}'
+
+key_def: &key_def
+  -
+    type: RSA
+    use:
+      - sig
+  -
+    type: EC
+    crv: "P-256"
+    use:
+      - sig
+
+op:
+  server_info:
+    client_db:
+      class: oidcmsg.storage.abfile.AbstractFileSystem
+      kwargs:
+        fdir: cdb
+        key_conv: oidcmsg.util.QPKey
+        value_conv: oidcmsg.util.JSON
+    issuer: *base_url
+    httpc_params:
+      verify: False
+    session_key:
+      filename: private/session_jwk.json
+      type: OCT
+      use: sig
+    capabilities:
+      subject_types_supported:
+        - public
+        - pairwise
+      grant_types_supported:
+        - authorization_code
+        - implicit
+        - urn:ietf:params:oauth:grant-type:jwt-bearer
+        - refresh_token
+    template_dir: templates
+    token_handler_args:
+      jwks_def:
+        private_path: 'private/token_jwks.json'
+        read_only: False
+        key_defs:
+          -
+            type: oct
+            bytes: 24
+            use:
+              - enc
+            kid: code
+          -
+            type: oct
+            bytes: 24
+            use:
+              - enc
+            kid: refresh
+      code:
+        kwargs:
+          lifetime: 600
+      id_token:
+        class: oidcop.token.id_token.IDToken
+        kwargs:
+          base_claims:
+            email:
+              essential: True
+            email_verified:
+              essential: True
+      token:
+        class: oidcop.token.jwt_token.JWTToken
+        kwargs:
+          lifetime: 3600
+          add_claims:
+            - email
+            - email_verified
+            - phone_number
+            - phone_number_verified
+          add_claim_by_scope: True
+          aud:
+            - https://example.org/appl
+      refresh:
+        kwargs:
+          lifetime: 86400
+    keys:
+      private_path: "private/jwks.json"
+      key_defs: *key_def
+      public_path: 'static/jwks.json'
+      read_only: False
+      # otherwise OP metadata will have jwks_uri: https://127.0.0.1:5000/None!
+      uri_path: 'static/jwks.json'
+    endpoint:
+      webfinger:
+        path: '.well-known/webfinger'
+        class: oidcop.oidc.discovery.Discovery
+        kwargs:
+          client_authn_method: null
+      provider_info:
+        path: ".well-known/openid-configuration"
+        class: oidcop.oidc.provider_config.ProviderConfiguration
+        kwargs:
+          client_authn_method: null
+      registration:
+          path: registration
+          class: oidcop.oidc.registration.Registration
+          kwargs:
+            client_authn_method: null
+            client_secret_expiration_time: 432000
+      registration_api:
+          path: registration_api
+          class: oidcop.oidc.read_registration.RegistrationRead
+          kwargs:
+            client_authn_method:
+              - bearer_header
+      introspection:
+          path: introspection
+          class: oidcop.oauth2.introspection.Introspection
+          kwargs:
+            client_authn_method:
+              - client_secret_post
+            release:
+            - username
+      authorization:
+          path: authorization
+          class: oidcop.oidc.authorization.Authorization
+          kwargs:
+            client_authn_method: null
+            claims_parameter_supported: True
+            request_parameter_supported: True
+            request_uri_parameter_supported: True
+            response_types_supported:
+              - code
+              - token
+              - id_token
+              - "code token"
+              - "code id_token"
+              - "id_token token"
+              - "code id_token token"
+              - none
+            response_modes_supported:
+              - query
+              - fragment
+              - form_post
+      token:
+          path: token
+          class: oidcop.oidc.token.Token
+          kwargs:
+            client_authn_method:
+              - client_secret_post
+              - client_secret_basic
+              - client_secret_jwt
+              - private_key_jwt
+      userinfo:
+          path: userinfo
+          class: oidcop.oidc.userinfo.UserInfo
+          kwargs:
+            claim_types_supported:
+              - normal
+              - aggregated
+              - distributed
+      end_session:
+          path: session
+          class: oidcop.oidc.session.Session
+          kwargs:
+              logout_verify_url: verify_logout
+              post_logout_uri_path: post_logout
+              signing_alg: "ES256"
+              frontchannel_logout_supported: True
+              frontchannel_logout_session_supported: True
+              backchannel_logout_supported: True
+              backchannel_logout_session_supported: True
+              check_session_iframe: 'check_session_iframe'
+    userinfo:
+      class: oidcop.user_info.UserInfo
+      kwargs:
+        db_file: sram_users.json
+    authentication:
+      user:
+        acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
+        class: oidcop.user_authn.user.UserPassJinja2
+        kwargs:
+          verify_endpoint: 'verify/user'
+          template: user_pass.jinja2
+          db:
+            class: oidcop.util.JSONDictDB
+            kwargs:
+              filename: sram_passwd.json
+          page_header: "Testing log in"
+          submit_btn: "Get me in!"
+          user_label: "Nickname"
+          passwd_label: "Secret sauce"
+      mfa:
+        acr: https://refeds.org/profile/mfa
+        class: oidcop.user_authn.user.UserPassJinja2
+        kwargs:
+          verify_endpoint: 'verify/user'
+          template: user_pass.jinja2
+          db:
+            class: oidcop.util.JSONDictDB
+            kwargs:
+              filename: sram_passwd.json
+          page_header: "Testing MFA in"
+          submit_btn: "Get me in secure!"
+          user_label: "Nickname"
+          passwd_label: "Secret MFA sauce"
+    cookie_handler:
+      class: oidcop.cookie_handler.CookieHandler
+      kwargs:
+        keys:
+          private_path: "private/cookie_jwks.json"
+          key_defs:
+              -
+                type: OCT
+                kid: enc
+                use:
+                  - enc
+              -
+                type: OCT
+                kid: sig
+                use:
+                  - sig
+          read_only: false
+        name:
+          session: "oidc_op"
+          register: "oidc_op_rp"
+          session_management: "sman"
+    login_hint2acrs:
+      class: oidcop.login_hint.LoginHint2Acrs
+      kwargs:
+        scheme_map:
+          email:
+            - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
+
+    # this adds PKCE support as mandatory - disable it if needed (essential: False)
+    add_on:
+      pkce:
+        function: oidcop.oidc.add_on.pkce.add_pkce_support
+        kwargs:
+          essential: false
+          code_challenge_method:
+            #plain
+            S256
+            S384
+            S512
+
+      claims:
+        function: oidcop.oidc.add_on.custom_scopes.add_custom_scopes
+        kwargs:
+          research_and_scholarship:
+            - name
+            - given_name
+            - family_name
+            - email
+            - email_verified
+            - sub
+            - iss
+            - eduperson_scoped_affiliation
+          eduperson_scoped_affiliation:
+            - eduperson_scoped_affiliation
+          voperson_external_affiliation:
+            - voperson_external_affiliation
+          ssh_public_key:
+            - ssh_public_key
+          eduperson_orcid:
+            - eduperson_orcid
+          uid:
+            - uid
+          voperson_external_id:
+            - voperson_external_id
+          eduperson_entitlement:
+            - eduperson_entitlement
+          eduperon_assurance:
+            - eduperon_assurance
+          eduperson_principal_name:
+            - eduperson_principal_name
+          voperson_id:
+            - voperson_id
+
+webserver:
+  server_cert: 'certs/89296913_127.0.0.1.cert'
+  server_key: 'certs/89296913_127.0.0.1.key'
+  ca_bundle: null
+  verify_user: false
+  port: *port
+  domain: 0.0.0.0
+  debug: true
\ No newline at end of file
diff --git a/example/flask_op/sram_passwd.json b/example/flask_op/sram_passwd.json
new file mode 100644
index 00000000..d07df8c1
--- /dev/null
+++ b/example/flask_op/sram_passwd.json
@@ -0,0 +1,5 @@
+{
+  "diana": "krall",
+  "babs": "howes",
+  "upper": "crust"
+}
\ No newline at end of file
diff --git a/example/flask_op/sram_users.json b/example/flask_op/sram_users.json
new file mode 100644
index 00000000..c46ecd6f
--- /dev/null
+++ b/example/flask_op/sram_users.json
@@ -0,0 +1,42 @@
+{
+  "diana": {
+    "sub": "dikr0001",
+    "name": "Diana Krall",
+    "given_name": "Diana",
+    "family_name": "Krall",
+    "nickname": "Dina",
+    "email": "diana@example.org",
+    "email_verified": false,
+    "phone_number": "+46 90 7865000",
+    "address": {
+      "street_address": "Umeå Universitet",
+      "locality": "Umeå",
+      "postal_code": "SE-90187",
+      "country": "Sweden"
+    }
+  },
+  "babs": {
+    "sub": "babs0001",
+    "name": "Barbara J Jensen",
+    "given_name": "Barbara",
+    "family_name": "Jensen",
+    "nickname": "babs",
+    "email": "babs@example.com",
+    "email_verified": true,
+    "address": {
+      "street_address": "100 Universal City Plaza",
+      "locality": "Hollywood",
+      "region": "CA",
+      "postal_code": "91608",
+      "country": "USA"
+    }
+  },
+  "upper": {
+    "sub": "uppe0001",
+    "name": "Upper Crust",
+    "given_name": "Upper",
+    "family_name": "Crust",
+    "email": "uc@example.com",
+    "email_verified": true
+  }
+}
\ No newline at end of file
diff --git a/example/flask_op/templates.tgz b/example/flask_op/templates.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..26cefef7dcfe17a135759405c2ebeaf0b6dce31d
GIT binary patch
literal 15872
zcmeHO|8m<l67Ju53RpKi(G!cJBwI>k%e~ZfCcR1PT<rdu&W(p6L5Vg+uq0?(b^R{)
zEcayhEkIHvMa5}r&*Y|78;c--#bOt`_;vwFzK8-_@}&FOqkSyP8tv_|&**zNRNq#A
zSAXLjeOPa>H^R&QUVp?a6s+NAZ12%HDiKZ-X~$qK7J(hQrHa}knt5LBUAdUegC>a&
zD_4EW&$7_JAG-X;oXbV<(ELIk!(FZKM*a8uJ?MYX+w1KP`XdYa-`gER|JFk@(nRks
zuK$CruTGB6etLJzNb`r!4(N-)6lRka4_owt+wS2rhR?x*OPe`!J5IQqw7xrg-Fbl)
zs!IAY;D=}Q_n@l_&knk}@4-~K%dFkJclgF<XLBC&E!6igKv!3zL>x5f=;_^~NnmCF
z&YU}!=Lt^|Uxeqr7uyT|Fz(>P_TRIHy_)~;TYH1OC;NXirI!dd+J9#CWjF9~_J68Z
z5BtUr?HOP2P_hm?dB^l>Djb6%mN>B=NtVRUq&1f^O2*x;<AxWB=>#Hmy}*vS>4-(w
zzOZk)fj>>U7s=_HSKYojFnir(Zuj?w=0(y{4v0w7#}6f+#lBolTDnE&+huz7)=RFu
zBk%aR!@nPPf9Sn@^Zb|Zqro>XoR_bEeKorn^^blSyu6-NX*sb-5)u0|Kb*AeP=w2c
zNR!s#L09vhxwH)vF(VNyJwFIcUv#hf-J-bgL$LjY$8DL$Jehc0I`hBB>0)A)Y1h2x
zvx96Lxr{j2iK4)FYzbTKUf5T*uFSl#;iaKNRm|9Cw}pJJ?3n549FeWR=SdpK{bxme
z(aW&|CnZ#9IDro(e(mmL9e0@R$kYyYSYiiqhdI;o0HgpJFH1wx8~XSjGuDQNqBV84
zHJPxY@Y`?eT$;MGYN#LU<LYrR{yY}fEacbhIF3bZv^Cvx-(|peU6G4`E&OC*L-OtI
z{Xzmck-N1wN_NpSVG}mv^5or@7$xEHsVqyWffDrtbd>1V#?BeexZ5s?JReZW2jn-+
z$`N5A0&WIkX0(46QRbij%>+7)S(`mqPtWm`%Td40OK8x}#F{l%>sq}gRqB`Y)G!I+
zQcYxTpG+?>6%wy9Mxzaj?7$G)JFI<n{Nq`ZG^sm`5natRa?1i!!z<=j+~jj9>h58R
z-$dMz+yz_NAW+a7JDD5pH^)D=w?W4s66_0Rv`wO}2r|r=m|fE}al296di85z>1V}e
z&V#PVOB*Cfy3YDeu<nc24Q4~U&?jF(FzaFs>6+@_yA9Ks8bqOipF75bge&uG&+X(?
ziWrXjmE*vXx8Y2gE1Z=4_@;%K*PHd;#<nTvJS@2)w9te%(W1GKaJD|GCAD^@Mw^qF
zZ(4TLD4XNT57Nu}2b4C5C~vv$6R75ne4sf+@MNS2pgce1aF#h!n<d`N&1NpDqu(*O
zerL`MOuk8)8|AVhQ(7u3zfar3AMp7~X>0Dii7~a;8G+C{ml@e|9s+0XY*_mUIOf8I
zRlPeoJ!|hY+A75uJcbi&7AYyIeIx)2LfJXP-q{AZ%I=wnaKDIZQt5SGY#8aTnE?u4
z#_XS`C*PWhjQw!tdrRZC*mlN+N6t6Vaps8cwwnpY-1TGlG%%_c_j<FtHR}SBh_FfU
zCaIGQNJn`aQ(SIpMorf=3D>$=xT_xdyw=&JHu)#tkxFuD)GM{W+uvCAyD&;KnR^|>
z8kX?GD?0#^D3n{p6q~%z%Ib0<K!3`DjgNO88@c@xl2|d;<PNX~xqrpK!Crt(!B|^b
zw4?})3XgFU`?{^*Sz8+cHs19$6LUb`u&Rv}4<sCd8Ic`J0$Q4=nE>fZqs{8lrKb5}
zLTlCQXY1cp>eMLTY_lf4S`(Uv>TCu)oXNSGMV|qNZWZLIpvnC4Y3cs&vdQUEJ~^{#
za#<{XDq~Eq)Vpz#3gT3oHBEG@L==-MQO#$6$ohY5jw*pr+C6v%+UqexvEAq$w_%xZ
zGZAU*aD-5a%$FZ+&pTKX8T_xR`L49nHZA23VD{ShYE=nw>2nA@#@=$I3Pu~zLRi<5
zUeADw)PBWL69*+ywByx9OvBRq<9}gTdLUdmL8y>>jNCXJ8x0E7rAN+J(SDsj58;kM
zq<wU<_VIN9<dA6^#ploKd=$f=gJb{f*KCEVujhWinc<j}34A3DYnu^{B?Dy+bu*K6
zs-1w*13b!xD`|+R(1$F~F;(LE#545tH8Ie<txR2aV9*G8kjfakUpC4I$E&)UYAGWe
zra`b0dP$MjU{hS1w(A~W0ZP2}6CetX_;R7$BLbkRzuaM-4Q!oF`)=F7(<*cDsiZwu
z`9CiPNTTo}<iR=OOp(fmN&nH2$cOU($ou!{{AXZ|MuXvKmsx#lcke0xSIW{o-s5`y
zFH85=lKl!7tMt-=&hEceE2Nat(;dhdC#@@=Uq>RAEsCTGc~4r`zANVwmtXk~@2J8K
z;!9upcF;)xVfX~TBAEj}Uv{MEc)py3LJz2p9VkWE;lHH*)ueUPN$n0&g9sn|X~0XP
z_<X|M8Q1+1xx|@-aw9qcd3)t2{?rGYSdQnu>+*0PI}CUb;n<!c!IDb8A8=2Ot$isX
z{GD@uHm9QE7~fM7Bia}v8OX_hz@YUYwQL<~$~i)E!GS=WLRkt+`xoVwRhFHw&h0Hr
z{9ie{%OG#DN#?;oDU+AEq9TflIgW50ZnSQ1|N9@>GPQ2rXJN#5u@ADX+z}~x6yy~H
zC*fN#R~jMX_4$PLa%V`sI-df(y%uOCU$x>i@1s4e{`)G9?WGyTLJGo+W`gu3^1F5r
z7{zY(OUmQrDGw0)i1-z1+IpDw_O^+w?AUhZrF;U~RWlRW3sZ!|D1=&?oMtJ92{^wx
z^A{X04l$7qwh)5eGO1reTuNFicg?6)E9<w!_DD~kiU<F5zG3D6Y2iGq-_JR_$NyXX
z(H{B#-QKX*vv5#s^{@*(o&V<Id(`iB|Nm#sf8SvZvD(hC<{9A|aqjz*NZH)J;w(hE
ze#&_W2RTD_oWUqzX<~s)zMnAU*splpd{q4GQ6=-&AilDHi2varUqyKL*#GX{F5$o3
z{-{3~4y``j{}}bGr}N*65Fe?qZvUIEd#n&347iK|*?Yh;p2!jwL<<GlYG|+&(LDez
z%m?}X$PhhC*pNcYfA|Z+t1OKJBR`Dx09_MvCd4e@cI4w+8i&zNf|FZ&;Rnmfdocx=
z8Sh%wPS3Ic7>emlQz=Eb!{)tO6f60S>>z_U3z7W<Eaq|1rxa?gbt6tX*BXj4jFsan
z9Tclt0*_<XGY5RpM3QpUHC|LVJ(V%jbD>k+FzLYO`d)R6g&pG*9Kbvpv;JOm(^v~}
zNU_ijnwWq9LuuoLB(AX%A*x2+e9SDiYehGhVtoV+zgd5@Td$eg&gCo?IDA1w5Quop
z{`PuA|245lBiN}F4I^k^--&J4PjQ&gUmHi<ba1|i8~_nPwfYy&rnX`2F#W$d$Ut_U
ztq|C|ynwpsaHB~oda=|bQr79(lq;Hh6(fS$tT@#+Upk}u(#gUbHW=2YTT;o3dR?Xr
zEX2>NLUw)RYHb{bOc9%0R_n4Al&_I>6&H~h@+i1_fW&i^Ko)uB;ZrW+T<M-yTe8a5
zRvPO;V>NB{YT9a8O1th$%d0Wsq%m%Vj9Db;vPq)_Yn_hgr2m>`H%#MxZtH8Sfm__6
zwfT$EA|oMf3Q-SS{|fnYJ4q(3!Z5Q7Bm~gD5^M>Kc5UMl4=g5u)9Mu14AGE?5CnYz
zbcZ{9YMgSwOD~ETQzMH~cuBQ7)sLudfk3T@0FkFX)?wY3%dcIdEh4(|fMH*wVLiL4
zBIqyzUMx{?kZ6@WBZ2^u>gyfVOOwJ-^lWR>tfg9Y6WYJ1iRPiP2@Zr()n>_)S_7J#
ziK9jyx<|;Fx`rZJTXd=s5~d5Bag?e`+d(16IC`sOaS{g0hnMC?Mo3rXNEjt*%Y1jz
zs_3W1^m*;1MX_Z0E)|X$kYkx()wm*yF|l~`x>4knWEg1#m%&tKrlqprxW#pGT_Huy
zaY_WCPmu3mR1H$CE^cKJSJ_(3oT><Mg5z9HTKN)e9sa}<cuOp1FiWupuAi#idPB#m
z%v*=w3iOutQjtKk;)g2&2VI!d|JjAs75-O8%@36Et%B8i@IS8o4+;MdMk8y0JK%)>
z@iTxY{9l#g<CN5WZ>(8;2OGD&dxyt#p$69}C>@6D+^{a~<e%MsPA4{b!t5ManIS^Y
zF1@hNkr9gy4{SD%xu<Ni(h@d$cm(|ChbeA|+c4MYkSMDAN9aqBp$qzWuBX<X0{zEP
zKB%tjKLzYRj{pbE3qQQD`wutdJ@((*>r?)3(CZC{yCbVd`M;s{Wd9GRfDceQ*aG%a
zNJ#(w<M;dkq#+~l4xuvc6Jooijj{GSklf3VlYw`MaH-^6-`-mJ7!55lyg(bgexxnF
ziY~JKdNXj4;u1e#DM1DGf(RYzNFCm)fXWAfJ>>xdf|#_(5D56Sh)HD?x{~~$dMb4*
z4^I%jrBG2pA;U1MG6kO=u2d$)$O_NUxi*fr;4rgkk#p3jdIOVWsMk1)QcS9Xd;W23
z7CjZKtCG&utjZt7k-wPf8~hLzVJvJ4>adC7!mZi^)XSW)Ji4IS(Yz}fC~X{4Bsn3{
z0Tpu+v~}pd_YuK;d*4}>>11!3Nok^GeQHo%UP1cJ`Ba8_8Rd|(_7kS3?dk&#=c(#R
L0#6e7WF+uE?UA=5

literal 0
HcmV?d00001

diff --git a/example/flask_op/views.py b/example/flask_op/views.py
index d17b7347..648c3de6 100644
--- a/example/flask_op/views.py
+++ b/example/flask_op/views.py
@@ -304,9 +304,9 @@ def check_session_iframe():
             return 'error'
         return 'OK'
 
-    current_app.logger.debug(
-        'check_session_iframe: {}'.format(req_args))
+    current_app.logger.debug('check_session_iframe: {}'.format(req_args))
     doc = open('templates/check_session_iframe.html').read()
+    current_app.logger.debug(f"check_session_iframe response: {doc}")
     return doc
 
 
diff --git a/example/flask_op/yaml_to_json.py b/example/flask_op/yaml_to_json.py
new file mode 100755
index 00000000..4f7052d4
--- /dev/null
+++ b/example/flask_op/yaml_to_json.py
@@ -0,0 +1,11 @@
+#! /usr/bin/env python3
+import json
+import sys
+
+import yaml
+
+"""Load a YAML configuration file."""
+with open(sys.argv[1], "rt", encoding='utf-8') as file:
+    config_dict = yaml.safe_load(file)
+
+print(json.dumps(config_dict))
diff --git a/pyproject.toml b/pyproject.toml
index 7564b0ee..f63cfeb0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [metadata]
 name = "oidcop"
-version = "2.1.0"
+version = "2.3.0"
 author = "Roland Hedberg"
 author_email = "roland@catalogix.se"
 description = "Python implementation of an OAuth2 AS and an OIDC Provider"
diff --git a/setup.py b/setup.py
index d707fd8a..8ab8a660 100644
--- a/setup.py
+++ b/setup.py
@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.4.0",
+        "oidcmsg==1.5.0",
         "cryptojwt==1.5.2",
         "pyyaml",
         "jinja2>=2.11.3",
diff --git a/src/oidcop/__init__.py b/src/oidcop/__init__.py
index 29c1f2a8..de2c3aa2 100644
--- a/src/oidcop/__init__.py
+++ b/src/oidcop/__init__.py
@@ -1,6 +1,6 @@
 import secrets
 
-__version__ = "2.2.1"
+__version__ = "2.3.0"
 
 DEF_SIGN_ALG = {
     "id_token": "RS256",
diff --git a/src/oidcop/authn_event.py b/src/oidcop/authn_event.py
index 0b5bf0e8..6b7bae0a 100644
--- a/src/oidcop/authn_event.py
+++ b/src/oidcop/authn_event.py
@@ -2,7 +2,7 @@
 from oidcmsg.message import SINGLE_OPTIONAL_STRING
 from oidcmsg.message import SINGLE_REQUIRED_STRING
 from oidcmsg.message import Message
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 DEFAULT_AUTHN_EXPIRES_IN = 3600
 
@@ -20,10 +20,10 @@ def is_valid(self, now=0):
         if now:
             return self["valid_until"] > now
         else:
-            return self["valid_until"] > time_sans_frac()
+            return self["valid_until"] > utc_time_sans_frac()
 
     def expires_in(self):
-        return self["valid_until"] - time_sans_frac()
+        return self["valid_until"] - utc_time_sans_frac()
 
 
 def create_authn_event(
@@ -59,7 +59,7 @@ def create_authn_event(
         if _ts:
             args["authn_time"] = _ts
         else:
-            args["authn_time"] = time_sans_frac()
+            args["authn_time"] = utc_time_sans_frac()
 
     if valid_until:
         args["valid_until"] = valid_until
diff --git a/src/oidcop/endpoint.py b/src/oidcop/endpoint.py
index f5ea2bf8..3a9a1994 100755
--- a/src/oidcop/endpoint.py
+++ b/src/oidcop/endpoint.py
@@ -9,6 +9,7 @@
 from oidcmsg.exception import MissingRequiredValue
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import ResponseMessage
+from oidcmsg.oidc import RegistrationRequest
 
 from oidcop import sanitize
 from oidcop.client_authn import client_auth_setup
@@ -128,6 +129,10 @@ def __init__(self, server_get: Callable, **kwargs):
         self.allowed_targets = [self.name]
         self.client_verification_method = []
 
+    def process_verify_error(self, exception):
+        _error = "invalid_request"
+        return self.error_cls(error=_error, error_description="%s" % exception)
+
     def parse_request(
         self, request: Union[Message, dict, str], http_info: Optional[dict] = None, **kwargs
     ):
@@ -185,7 +190,14 @@ def parse_request(
         try:
             req.verify(keyjar=keyjar, opponent_id=_client_id)
         except (MissingRequiredAttribute, ValueError, MissingRequiredValue) as err:
-            return self.error_cls(error="invalid_request", error_description="%s" % err)
+            return self.process_verify_error(err)
+            _error = "invalid_request"
+            if isinstance(err, ValueError) and self.request_cls == RegistrationRequest:
+                if len(err.args) > 1:
+                    if err.args[1] == 'initiate_login_uri':
+                        _error = "invalid_client_metadata"
+
+            return self.error_cls(error=_error, error_description="%s" % err)
 
         LOGGER.info("Parsed and verified request: %s" % sanitize(req))
 
diff --git a/src/oidcop/endpoint_context.py b/src/oidcop/endpoint_context.py
index 51629b67..9bdc4035 100755
--- a/src/oidcop/endpoint_context.py
+++ b/src/oidcop/endpoint_context.py
@@ -15,7 +15,6 @@
 from oidcop.configure import OPConfiguration
 from oidcop.scopes import SCOPE2CLAIMS
 from oidcop.scopes import Scopes
-from oidcop.session.claims import STANDARD_CLAIMS
 from oidcop.session.manager import SessionManager
 from oidcop.template_handler import Jinja2TemplateHandler
 from oidcop.util import get_http_params
@@ -75,13 +74,13 @@ def get_token_handler_args(conf: dict) -> dict:
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"},
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "token"},
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "refresh"},
-        ]
+            ]
 
         jwks_def = {
             "private_path": "private/token_jwks.json",
             "key_defs": keydef,
             "read_only": False,
-        }
+            }
         th_args = {"jwks_def": jwks_def}
         for typ, tid in [("code", 600), ("token", 3600), ("refresh", 86400)]:
             th_args[typ] = {"lifetime": tid}
@@ -117,17 +116,17 @@ class EndpointContext(OidcContext):
         "symkey": "",
         "token_args_methods": [],
         # "userinfo": UserInfo,
-    }
+        }
 
     def __init__(
-        self,
-        conf: Union[dict, OPConfiguration],
-        server_get: Callable,
-        keyjar: Optional[KeyJar] = None,
-        cwd: Optional[str] = "",
-        cookie_handler: Optional[Any] = None,
-        httpc: Optional[Any] = None,
-    ):
+            self,
+            conf: Union[dict, OPConfiguration],
+            server_get: Callable,
+            keyjar: Optional[KeyJar] = None,
+            cwd: Optional[str] = "",
+            cookie_handler: Optional[Any] = None,
+            httpc: Optional[Any] = None,
+            ):
         OidcContext.__init__(self, conf, keyjar, entity_id=conf.get("issuer", ""))
         self.conf = conf
         self.server_get = server_get
@@ -176,7 +175,7 @@ def __init__(
             "symkey",
             "client_authn",
             # "id_token_schema",
-        ]:
+            ]:
             try:
                 setattr(self, param, conf[param])
             except KeyError:
@@ -217,7 +216,7 @@ def __init__(
             "authentication",
             "id_token",
             "scope2claims",
-        ]:
+            ]:
             _func = getattr(self, "do_{}".format(item), None)
             if _func:
                 _func()
@@ -244,7 +243,7 @@ def __init__(
     def new_cookie(self, name: str, max_age: Optional[int] = 0, **kwargs):
         cookie_cont = self.cookie_handler.make_cookie_content(
             name=name, value=json.dumps(kwargs), max_age=max_age
-        )
+            )
         return cookie_cont
 
     def set_scopes_handler(self):
@@ -258,7 +257,7 @@ def set_scopes_handler(self):
                 self.server_get,
                 allowed_scopes=self.conf.get("allowed_scopes"),
                 scopes_to_claims=self.conf.get("scopes_to_claims"),
-            )
+                )
 
     def do_add_on(self, endpoints):
         _add_on_conf = self.conf.get("add_on")
@@ -336,6 +335,6 @@ def create_providerinfo(self, capabilities):
         if "claims_supported" not in _provider_info:
             _provider_info["claims_supported"] = list(
                 self.scopes_handler.scopes_to_claims(_provider_info["scopes_supported"]).keys()
-            )
+                )
 
         return _provider_info
diff --git a/src/oidcop/oauth2/authorization.py b/src/oidcop/oauth2/authorization.py
index 2d13ad50..d84e36ef 100755
--- a/src/oidcop/oauth2/authorization.py
+++ b/src/oidcop/oauth2/authorization.py
@@ -37,6 +37,7 @@
 from oidcop.exception import UnAuthorizedClientScope
 from oidcop.exception import UnknownClient
 from oidcop.session import Revoked
+from oidcop.session.grant import Grant
 from oidcop.token.exception import UnknownToken
 from oidcop.user_authn.authn_context import pick_auth
 from oidcop.util import split_uri
@@ -116,20 +117,25 @@ def verify_uri(
         raise URIError("Contains fragment")
 
     (_base, _query) = split_uri(_redirect_uri)
-    # if _query:
-    #     _query = parse_qs(_query)
 
     # Get the clients registered redirect uris
     client_info = endpoint_context.cdb.get(_cid)
     if client_info is None:
         raise KeyError("No such client")
 
-    redirect_uris = client_info.get("{}s".format(uri_type))
+    redirect_uris = client_info.get(f"{uri_type}s")
+
     if redirect_uris is None:
-        raise ValueError(f"No registered {uri_type} for {_cid}")
+        raise RedirectURIError(f"No registered {uri_type} for {_cid}")
     else:
         match = False
-        for regbase, rquery in redirect_uris:
+        for _item in redirect_uris:
+            if isinstance(_item, str):
+                regbase = _item
+                rquery = {}
+            else:
+                regbase, rquery = _item
+
             # The URI MUST exactly match one of the Redirection URI
             if _base == regbase:
                 # every registered query component must exist in the uri
@@ -494,6 +500,17 @@ def _login_required_error(self, redirect_uri, request):
         logger.debug("Login required error: {}".format(_res))
         return _res
 
+    def _unwrap_identity(self, identity):
+        if isinstance(identity, dict):
+            try:
+                _id = b64d(as_bytes(identity["uid"]))
+            except BadSyntax:
+                return identity
+        else:
+            _id = b64d(as_bytes(identity))
+
+        return json.loads(as_unicode(_id))
+
     def setup_auth(
             self,
             request: Optional[Union[Message, dict]],
@@ -502,7 +519,7 @@ def setup_auth(
             cookie: List[dict] = None,
             acr: str = None,
             **kwargs,
-    ):
+    ) -> dict:
         """
 
         :param request: The authorization/authentication request
@@ -544,18 +561,16 @@ def setup_auth(
             _ts = 0
         else:
             if identity:
-                try:  # If identity['uid'] is in fact a base64 encoded JSON string
-                    _id = b64d(as_bytes(identity["uid"]))
-                except BadSyntax:
-                    pass
-                else:
-                    identity = json.loads(as_unicode(_id))
-
+                identity = self._unwrap_identity(identity)
+                _sid = identity.get("sid")
+                if _sid:
                     try:
-                        _csi = _context.session_manager[identity.get("sid")]
+                        _csi = _context.session_manager[_sid]
                     except Revoked:
+                        logger.debug("Authentication session revoked!!")
                         identity = None
                     else:
+                        logger.debug(f"Session info type: {_csi.__class__.__name__}")
                         if _csi.is_active() is False:
                             identity = None
 
@@ -574,7 +589,7 @@ def setup_auth(
             else:
                 return {"function": authn, "args": authn_args}
         else:
-            logger.info("Active authentication")
+            logger.info(f"Active authentication: {identity}")
             if re_authenticate(request, authn):
                 # demand re-authentication
                 return {"function": authn, "args": authn_args}
@@ -628,7 +643,7 @@ def aresp_check(self, aresp, request):
     def response_mode(
             self,
             request: Union[dict, AuthorizationRequest],
-            response_args: Optional[AuthorizationResponse] = None,
+            response_args: Optional[Union[dict, AuthorizationResponse]] = None,
             return_uri: Optional[str] = "",
             fragment_enc: Optional[bool] = None,
             **kwargs,
@@ -639,7 +654,15 @@ def response_mode(
                 _args = response_args.to_dict()
             else:
                 _args = response_args
-            msg = FORM_POST.format(inputs=inputs(_args), action=return_uri, )
+
+            if "error" in _args:
+                if not return_uri:
+                    return_uri = _args["return_uri"]
+                    del _args["return_uri"]
+                if "return_type" in _args:
+                    del _args["return_type"]
+
+            msg = FORM_POST.format(inputs=inputs(_args), action=return_uri)
             kwargs.update(
                 {"response_msg": msg, "content_type": "text/html", "response_placement": "body", }
             )
@@ -668,6 +691,13 @@ def error_response(self, response_info, request, error, error_description):
         response_info["response_args"] = resp
         return response_info
 
+    def error_by_response_mode(self, response_info, request, error, error_description):
+        response_info = self.error_response(response_info, request, error, error_description)
+        if 'return_uri' not in response_info:
+            response_info["return_uri"] = request["redirect_uri"]
+        response_info = self.response_mode(request, **response_info)
+        return response_info
+
     def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict:
         """
         :param request:
@@ -730,11 +760,15 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
                 elif {"id_token", "token"}.issubset(rtype):
                     kwargs = {"access_token": _access_token.value}
 
+                if request["response_type"] == ["id_token"]:
+                    kwargs["as_if"] = "userinfo"
+
                 try:
                     id_token = self.mint_token(
                         token_class="id_token",
                         grant=grant,
                         session_id=_sinfo["session_id"],
+                        scope=request["scope"],
                         **kwargs,
                     )
                     # id_token = _context.idtoken.make(sid, **kwargs)
@@ -837,20 +871,22 @@ def authz_part2(self, request, session_id, **kwargs):
         try:
             resp_info = self.post_authentication(request, session_id, **kwargs)
         except Exception as err:
-            return self.error_response({}, request, "server_error", err)
+            return self.error_by_response_mode({}, request, "server_error", err)
 
         _context = self.server_get("endpoint_context")
 
+        logger.debug(f"resp_info: {resp_info}")
+
         if "check_session_iframe" in _context.provider_info:
             salt = rndstr()
             try:
                 authn_event = _context.session_manager.get_authentication_event(session_id)
             except KeyError:
-                return self.error_response({}, request, "server_error", "No such session")
+                return self.error_by_response_mode({}, request, "server_error", "No such session")
             else:
                 if authn_event.is_valid() is False:
-                    return self.error_response({}, request, "server_error",
-                                               "Authentication has timed out")
+                    return self.error_by_response_mode({}, request, "server_error",
+                                                       "Authentication has timed out")
 
             _state = b64e(as_bytes(json.dumps({"authn_time": authn_event["authn_time"]})))
 
@@ -860,16 +896,21 @@ def authz_part2(self, request, session_id, **kwargs):
 
             opbs_value = _session_cookie_content["value"]
 
+            if "return_uri" in resp_info:
+                re_uri = resp_info["return_uri"]
+            else:
+                re_uri = request["redirect_uri"]
+
             logger.debug(
                 "compute_session_state: client_id=%s, origin=%s, opbs=%s, salt=%s",
                 request["client_id"],
-                resp_info["return_uri"],
+                re_uri,
                 opbs_value,
                 salt,
             )
 
             _session_state = compute_session_state(
-                opbs_value, salt, request["client_id"], resp_info["return_uri"]
+                opbs_value, salt, request["client_id"], re_uri
             )
 
             if _session_cookie_content:
@@ -878,7 +919,8 @@ def authz_part2(self, request, session_id, **kwargs):
                 else:
                     resp_info["cookie"] = [_session_cookie_content]
 
-            resp_info["response_args"]["session_state"] = _session_state
+            if "response_args" in resp_info:
+                resp_info["response_args"]["session_state"] = _session_state
 
         # Mix-Up mitigation
         if "response_args" in resp_info:
@@ -930,7 +972,10 @@ def process_request(
         info = self.setup_auth(request, request["redirect_uri"], cinfo, _my_cookies, **kwargs)
 
         if "error" in info:
-            return info
+            if "response_mode" in request:
+                return self.response_mode(request, info)
+            else:
+                return info
 
         _function = info.get("function")
         if not _function:
diff --git a/src/oidcop/oauth2/token.py b/src/oidcop/oauth2/token.py
index 768c1734..3bc3850a 100755
--- a/src/oidcop/oauth2/token.py
+++ b/src/oidcop/oauth2/token.py
@@ -9,7 +9,7 @@
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oidc import RefreshAccessTokenRequest
 from oidcmsg.oidc import TokenErrorResponse
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop import sanitize
 from oidcop.constant import DEFAULT_TOKEN_LIFETIME
@@ -90,7 +90,7 @@ def _mint_token(
                 _exp_in = int(_exp_in)
 
             if _exp_in:
-                token.expires_at = time_sans_frac() + _exp_in
+                token.expires_at = utc_time_sans_frac() + _exp_in
 
         _context.session_manager.set(_context.session_manager.unpack_session_key(session_id), grant)
 
diff --git a/src/oidcop/oidc/add_on/custom_scopes.py b/src/oidcop/oidc/add_on/custom_scopes.py
index e3981e18..5d3d655a 100644
--- a/src/oidcop/oidc/add_on/custom_scopes.py
+++ b/src/oidcop/oidc/add_on/custom_scopes.py
@@ -19,7 +19,7 @@ def add_custom_scopes(endpoint, **kwargs):
     _scopes2claims = SCOPE2CLAIMS.copy()
     _scopes2claims.update(kwargs)
     _context = _endpoint.server_get("endpoint_context")
-    _context.scopes_handler.scopes_to_claims = _scopes2claims
+    _context.scopes_handler.set_scopes_mapping(_scopes2claims)
 
     pi = _context.provider_info
     _scopes = set(pi.get("scopes_supported", []))
diff --git a/src/oidcop/oidc/registration.py b/src/oidcop/oidc/registration.py
index cc67dcd1..dba6f355 100755
--- a/src/oidcop/oidc/registration.py
+++ b/src/oidcop/oidc/registration.py
@@ -86,31 +86,37 @@ def verify_url(url: str, urlset: List[list]) -> bool:
 
 
 def secret(seed: str, sid: str):
-    msg = "{}{}{}".format(time.time(), secrets.token_urlsafe(16), sid).encode("utf-8")
+    msg = "{}{}{}".format(utc_time_sans_frac(), secrets.token_urlsafe(16), sid).encode("utf-8")
     csum = hmac.new(as_bytes(seed), msg, hashlib.sha224)
     return csum.hexdigest()
 
 
 def comb_uri(args):
-    for param in ["redirect_uris", "post_logout_redirect_uris"]:
-        if param not in args:
-            continue
-
+    redirect_uris = args.get("redirect_uris")
+    if redirect_uris:
         val = []
-        for base, query_dict in args[param]:
+        for base, query_dict in redirect_uris:
             if query_dict:
                 query_string = urlencode(
-                    [
-                        (key, v)
-                        for key in query_dict
-                        for v in query_dict[key]
-                    ]
+                    [(key, v) for key in query_dict for v in query_dict[key]]
                 )
-                val.append("{base}?{query_string}")
+                val.append(f"{base}?{query_string}")
             else:
                 val.append(base)
 
-        args[param] = val
+        args["redirect_uris"] = val
+
+    post_logout_redirect_uri = args.get("post_logout_redirect_uri")
+    if post_logout_redirect_uri:
+        base, query_dict = post_logout_redirect_uri
+        if query_dict:
+            query_string = urlencode(
+                [(key, v) for key in query_dict for v in query_dict[key]]
+            )
+            val = f"{base}?{query_string}"
+        else:
+            val = base
+        args["post_logout_redirect_uri"] = val
 
     request_uris = args.get("request_uris")
     if request_uris:
@@ -179,17 +185,15 @@ def do_client_registration(self, request, client_id, ignore=None):
             if key not in ignore:
                 _cinfo[key] = val
 
-        if "post_logout_redirect_uris" in request:
-            plruri = []
-            for uri in request["post_logout_redirect_uris"]:
-                if urlparse(uri).fragment:
-                    err = self.error_cls(
-                        error="invalid_configuration_parameter",
-                        error_description="post_logout_redirect_uris contains fragment",
-                    )
-                    return err
-                plruri.append(split_uri(uri))
-            _cinfo["post_logout_redirect_uris"] = plruri
+        _uri = request.get("post_logout_redirect_uri")
+        if _uri:
+            if urlparse(_uri).fragment:
+                err = self.error_cls(
+                    error="invalid_configuration_parameter",
+                    error_description="post_logout_redirect_uri contains fragment",
+                )
+                return err
+            _cinfo["post_logout_redirect_uri"] = split_uri(_uri)
 
         if "redirect_uris" in request:
             try:
@@ -384,10 +388,13 @@ def client_registration_setup(self, request, new_id=True, set_secret=True):
         try:
             request.verify()
         except (MessageException, ValueError) as err:
-            logger.error("request.verify() on %s", request)
-            return ResponseMessage(
-                error="invalid_configuration_request", error_description="%s" % err
-            )
+            logger.error("request.verify() error on %s", request)
+            _error = "invalid_configuration_request"
+            if len(err.args) > 1:
+                if err.args[1] == 'initiate_login_uri':
+                    _error = "invalid_client_metadata"
+
+            return ResponseMessage(error=_error, error_description="%s" % err)
 
         request.rm_blanks()
         try:
@@ -474,3 +481,12 @@ def process_request(self, request=None, new_id=True, set_secret=True, **kwargs):
             )
 
             return {"response_args": reg_resp, "cookie": _cookie, "response_code": 201}
+
+    def process_verify_error(self, exception):
+        _error = "invalid_request"
+        if isinstance(exception, ValueError):
+            if len(exception.args) > 1:
+                if exception.args[1] == 'initiate_login_uri':
+                    _error = "invalid_client_metadata"
+
+        return self.error_cls(error=_error, error_description=f"{exception}")
diff --git a/src/oidcop/oidc/session.py b/src/oidcop/oidc/session.py
index 4e35141e..61ce226e 100644
--- a/src/oidcop/oidc/session.py
+++ b/src/oidcop/oidc/session.py
@@ -51,6 +51,8 @@ def do_front_channel_logout_iframe(cinfo, iss, sid):
     except KeyError:
         flsr = False
 
+    logger.debug(f"frontchannel_logout_uri: {frontchannel_logout_uri}")
+    logger.debug(f"frontchannel_logout_session_required: {flsr}")
     if flsr:
         _query = {"iss": iss, "sid": sid}
         if "?" in frontchannel_logout_uri:
@@ -61,6 +63,7 @@ def do_front_channel_logout_iframe(cinfo, iss, sid):
             _np = p._replace(query="")
             frontchannel_logout_uri = _np.geturl()
 
+        logger.debug(f"IFrame query: {_query}")
         _iframe = '<iframe src="{}?{}">'.format(
             frontchannel_logout_uri, urlencode(_query, doseq=True)
         )
@@ -123,9 +126,9 @@ def do_back_channel_logout(self, cinfo, sid):
         # always include sub and sid so I don't check for
         # backchannel_logout_session_required
 
-        enc_msg = self._encrypt_sid(sid)
+        # enc_msg = self._encrypt_sid(sid)
 
-        payload = {"sid": enc_msg, "events": {BACK_CHANNEL_LOGOUT_EVENT: {}}}
+        payload = {"sid": sid, "events": {BACK_CHANNEL_LOGOUT_EVENT: {}}}
 
         try:
             alg = cinfo["id_token_signed_response_alg"]
@@ -148,30 +151,52 @@ def logout_all_clients(self, sid):
         _context = self.server_get("endpoint_context")
         _mngr = _context.session_manager
         _session_info = _mngr.get_session_info(
-            sid, user_session_info=True, client_session_info=True
+            sid, user_session_info=True, client_session_info=True, grant=True
         )
 
         # Front-/Backchannel logout ?
         _cdb = _context.cdb
         _iss = _context.issuer
         _user_id = _session_info["user_id"]
+        logger.debug(
+            f"(logout_all_clients) user_id={_user_id},  client_id={_session_info['client_id']}, "
+            f"grant_id={_session_info['grant_id']}")
+
         bc_logouts = {}
         fc_iframes = {}
         _rel_sid = []
         for _client_id in _session_info["user_session_info"].subordinate:
+            # I prefer back-channel. Should it be configurable ?
             if "backchannel_logout_uri" in _cdb[_client_id]:
-                _sid = _mngr.encrypted_session_id(_user_id, _client_id)
-                _rel_sid.append(_sid)
-                _spec = self.do_back_channel_logout(_cdb[_client_id], _sid)
-                if _spec:
-                    bc_logouts[_client_id] = _spec
+                _cli = _mngr.get([_user_id, _client_id])
+                for gid in _cli.subordinate:
+                    grant = _mngr.get([_user_id, _client_id, gid])
+                    # Has to be connected to an authentication event
+                    if not grant.authentication_event:
+                        continue
+                    idt = grant.last_issued_token_of_type("id_token")
+                    if idt:
+                        _rel_sid.append(idt.session_id)
+                        _spec = self.do_back_channel_logout(_cdb[_client_id], idt.session_id)
+                        if _spec:
+                            bc_logouts[_client_id] = _spec
+                        break
             elif "frontchannel_logout_uri" in _cdb[_client_id]:
-                # Construct an IFrame
-                _sid = _mngr.encrypted_session_id(_user_id, _client_id)
-                _rel_sid.append(_sid)
-                _spec = do_front_channel_logout_iframe(_cdb[_client_id], _iss, _sid)
-                if _spec:
-                    fc_iframes[_client_id] = _spec
+                _cli = _mngr.get([_user_id, _client_id])
+                for gid in _cli.subordinate:
+                    grant = _mngr.get([_user_id, _client_id, gid])
+                    # Has to be connected to an authentication event
+                    if not grant.authentication_event:
+                        continue
+                    idt = grant.last_issued_token_of_type("id_token")
+                    if idt:
+                        _rel_sid.append(idt.session_id)
+                        # Construct an IFrame
+                        _spec = do_front_channel_logout_iframe(_cdb[_client_id], _iss,
+                                                               idt.session_id)
+                        if _spec:
+                            fc_iframes[_client_id] = _spec
+                        break
 
         self.clean_sessions(_rel_sid)
 
@@ -217,10 +242,10 @@ def logout_from_client(self, sid):
         return res
 
     def process_request(
-        self,
-        request: Optional[Union[Message, dict]] = None,
-        http_info: Optional[dict] = None,
-        **kwargs
+            self,
+            request: Optional[Union[Message, dict]] = None,
+            http_info: Optional[dict] = None,
+            **kwargs
     ):
         """
         Perform user logout
@@ -252,7 +277,7 @@ def process_request(
             if _cookie_infos:
                 # value is a JSON document
                 _cookie_info = json.loads(_cookie_infos[0]["value"])
-                logger.debug("Cookie info: {}".format(_cookie_info))
+                logger.debug("process_request: cookie_info={}".format(_cookie_info))
                 try:
                     _session_info = _mngr.get_session_info(_cookie_info["sid"], grant=True)
                 except KeyError:
@@ -356,14 +381,15 @@ def parse_request(self, request, http_info=None, **kwargs):
                 pass
             else:
                 if (
-                    _ith.jws_header["alg"]
-                    not in _context.provider_info["id_token_signing_alg_values_supported"]
+                        _ith.jws_header["alg"]
+                        not in _context.provider_info["id_token_signing_alg_values_supported"]
                 ):
                     raise JWSException("Unsupported signing algorithm")
 
         return request
 
     def do_verified_logout(self, sid, alla=False, **kwargs):
+        logger.debug(f"(do_verified_logout): sid={sid}")
         if alla:
             _res = self.logout_all_clients(sid=sid)
         else:
@@ -378,7 +404,9 @@ def do_verified_logout(self, sid, alla=False, **kwargs):
                 logger.info("logging out from {} at {}".format(_cid, _url))
 
                 res = _context.httpc.post(
-                    _url, data="logout_token={}".format(sjwt), **_context.httpc_params
+                    _url, data="logout_token={}".format(sjwt),
+                    headers={"Content-Type": "application/x-www-form-urlencoded"},
+                    **_context.httpc_params
                 )
 
                 if res.status_code < 300:
diff --git a/src/oidcop/scopes.py b/src/oidcop/scopes.py
index 8a15bf97..7aeb21f9 100644
--- a/src/oidcop/scopes.py
+++ b/src/oidcop/scopes.py
@@ -97,3 +97,6 @@ def scopes_to_claims(self, scopes, scopes_to_claims=None, client_id=None):
         scopes = self.filter_scopes(scopes, client_id)
 
         return convert_scopes2claims(scopes, scope2claim_map=scopes_to_claims)
+
+    def set_scopes_mapping(self, scopes_to_claims):
+        self._scopes_to_claims = scopes_to_claims
\ No newline at end of file
diff --git a/src/oidcop/session/claims.py b/src/oidcop/session/claims.py
index 2251b4bf..8690ff6c 100755
--- a/src/oidcop/session/claims.py
+++ b/src/oidcop/session/claims.py
@@ -6,7 +6,6 @@
 
 from oidcop.exception import ImproperlyConfigured
 from oidcop.exception import ServiceError
-from oidcop.scopes import convert_scopes2claims
 
 logger = logging.getLogger(__name__)
 
@@ -32,26 +31,15 @@ def __init__(self, server_get):
         self.server_get = server_get
 
     def authorization_request_claims(
-        self,
-        authorization_request: dict,
-        claims_release_point: Optional[str] = "",
+            self,
+            authorization_request: dict,
+            claims_release_point: Optional[str] = "",
     ) -> dict:
         if authorization_request and "claims" in authorization_request:
             return authorization_request["claims"].get(claims_release_point, {})
 
         return {}
 
-    def _get_client_claims(self, client_id, usage):
-        client_info = self.server_get("endpoint_context").cdb.get(client_id, {})
-        client_claims = (
-            client_info.get("add_claims", {})
-            .get("always", {})
-            .get(usage, {})
-        )
-        if isinstance(client_claims, list):
-            client_claims = {k: None for k in client_claims}
-        return client_claims
-
     def _get_module(self, usage, endpoint_context):
         module = None
         if usage == "userinfo":
@@ -71,51 +59,70 @@ def _get_module(self, usage, endpoint_context):
 
         return module
 
+    def _client_claims(self,
+                       client_id: str,
+                       module: object,
+                       claims_release_point: str,
+                       secondary_identifier: Optional[str] = ""):
+        _context = self.server_get("endpoint_context")
+        add_claims_by_scope = _context.cdb[client_id].get("add_claims", {}).get("by_scope", {})
+        if add_claims_by_scope:
+            _claims_by_scope = add_claims_by_scope.get(claims_release_point, False)
+            if not _claims_by_scope and secondary_identifier:
+                _claims_by_scope = add_claims_by_scope.get(secondary_identifier, False)
+
+            if not _claims_by_scope:
+                _claims_by_scope = module.kwargs.get("add_claims_by_scope", {})
+        else:
+            _claims_by_scope = module.kwargs.get("add_claims_by_scope", {})
+
+        add_claims_always = _context.cdb[client_id].get("add_claims", {}).get("always", {})
+        _always_add = add_claims_always.get(claims_release_point, [])
+        if secondary_identifier:
+            _always_2 = add_claims_always.get(secondary_identifier, [])
+            _always_add.extend(_always_2)
+
+        return _claims_by_scope, _always_add
+
     def get_claims_from_request(
-        self,
-        auth_req: dict,
-        claims_release_point: str,
-        scopes: str = None,
-        client_id: str = None,
-    ):
+            self,
+            auth_req: dict,
+            claims_release_point: str,
+            scopes: str = None,
+            client_id: str = None,
+            secondary_identifier: str = ""
+    ) -> dict:
         _context = self.server_get("endpoint_context")
         # which endpoint module configuration to get the base claims from
         module = self._get_module(claims_release_point, _context)
 
+        # claims that are always returned to any client.
         if module:
-            base_claims = module.kwargs.get("base_claims", {})
+            base_claims = module.kwargs.get("base_claims", {}).copy()
         else:
             return {}
 
         if not client_id:
             client_id = auth_req.get("client_id")
 
-        # Can there be per client specification of which claims to use.
-        if module.kwargs.get("enable_claims_per_client"):
-            claims = self._get_client_claims(client_id, claims_release_point)
-        else:
-            claims = {}
-
-        claims.update(base_claims)
-
         # If specific client configuration exists overwrite add_claims_by_scope
-        if client_id in _context.cdb:
-            add_claims_by_scope = (
-                _context.cdb[client_id].get("add_claims", {})
-                .get("by_scope", {})
-                .get(claims_release_point, {})
-            )
-            if isinstance(add_claims_by_scope, dict) and not add_claims_by_scope:
-                add_claims_by_scope = module.kwargs.get("add_claims_by_scope")
+        if module.kwargs.get("enable_claims_per_client") and client_id in _context.cdb:
+            _claims_by_scope, _always_add = self._client_claims(client_id, module,
+                                                                claims_release_point,
+                                                                secondary_identifier)
         else:
-            add_claims_by_scope = module.kwargs.get("add_claims_by_scope")
+            _claims_by_scope = module.kwargs.get("add_claims_by_scope")
+            _always_add = module.kwargs.get("always_add_claims", {})
 
-        if add_claims_by_scope:
+        if _always_add:
+            base_claims.update({k: None for k in _always_add})
+
+        if _claims_by_scope:
             if scopes is None:
                 scopes = auth_req.get("scope")
             if scopes:
                 _claims = _context.scopes_handler.scopes_to_claims(scopes, client_id=client_id)
-                claims.update(_claims)
+                base_claims.update(_claims)
 
         # Bring in claims specification from the authorization request
         # This only goes for ID Token and user info
@@ -128,13 +135,19 @@ def get_claims_from_request(
         # set filters on those claims that also appears in one of the sources
         # above
         if request_claims:
-            claims.update(request_claims)
+            base_claims.update(request_claims)
 
-        return claims
+        return base_claims
 
-    def get_claims(self, session_id: str, scopes: str, claims_release_point: str) -> dict:
+    def get_claims(self,
+                   session_id: str,
+                   scopes: str,
+                   claims_release_point: str,
+                   secondary_identifier: Optional[str] = "") -> dict:
         """
 
+        :param secondary_identifier: If claims should also be release by the rules for this
+            release_point.
         :param session_id: Session identifier
         :param scopes: Scopes
         :param claims_release_point: Where to release the claims. One of
@@ -142,9 +155,7 @@ def get_claims(self, session_id: str, scopes: str, claims_release_point: str) ->
         :return: Claims specification as a dictionary.
         """
         _context = self.server_get("endpoint_context")
-        session_info = _context.session_manager.get_session_info(
-            session_id, grant=True
-        )
+        session_info = _context.session_manager.get_session_info(session_id, grant=True)
         client_id = session_info["client_id"]
         grant = session_info["grant"]
 
@@ -157,12 +168,13 @@ def get_claims(self, session_id: str, scopes: str, claims_release_point: str) ->
             claims_release_point=claims_release_point,
             scopes=scopes,
             client_id=client_id,
+            secondary_identifier=secondary_identifier
         )
 
         return claims
 
     def get_claims_all_usage_from_request(
-        self, auth_req: dict, scopes: str = None, client_id: str = None
+            self, auth_req: dict, scopes: str = None, client_id: str = None
     ) -> dict:
         _claims = {}
         for usage in self.claims_release_points:
diff --git a/src/oidcop/session/grant.py b/src/oidcop/session/grant.py
index 25b66692..df517a17 100644
--- a/src/oidcop/session/grant.py
+++ b/src/oidcop/session/grant.py
@@ -1,3 +1,4 @@
+import logging
 from typing import Dict
 from typing import List
 from typing import Optional
@@ -19,6 +20,8 @@
 from oidcop.token import Token as TokenHandler
 from oidcop.util import importer
 
+logger = logging.getLogger(__name__)
+
 
 class GrantMessage(ImpExp):
     parameter = {
@@ -196,14 +199,17 @@ def payload_arguments(
             claims_release_point: str,
             scope: Optional[dict] = None,
             extra_payload: Optional[dict] = None,
+            secondary_identifier: str = ''
     ) -> dict:
         """
 
-        :param session_id:
-        :param endpoint_context:
+        :param session_id: Session ID
+        :param endpoint_context: EndPoint Context
         :param claims_release_point: One of "userinfo", "introspection", "id_token", "access_token"
-        :param scope:
+        :param scope: scope from the request
         :param extra_payload:
+        :param secondary_identifier: Used if the claims returned are also based on rules for
+            another release_point
         :return: dictionary containing information to place in a token value
         """
         if scope is None:
@@ -224,7 +230,8 @@ def payload_arguments(
                 payload.update({"client_id": client_id, "sub": client_id})
 
         _claims_restriction = endpoint_context.claims_interface.get_claims(
-            session_id, scopes=scope, claims_release_point=claims_release_point
+            session_id, scopes=scope, claims_release_point=claims_release_point,
+            secondary_identifier=secondary_identifier
         )
         user_id, _, _ = endpoint_context.session_manager.decrypt_session_id(session_id)
         user_info = endpoint_context.claims_interface.get_user_claims(user_id, _claims_restriction)
@@ -233,6 +240,8 @@ def payload_arguments(
         # Should I add the acr value
         if self.add_acr_value(claims_release_point):
             payload["acr"] = self.authentication_event["authn_info"]
+        elif self.add_acr_value(secondary_identifier):
+            payload["acr"] = self.authentication_event["authn_info"]
 
         return payload
 
@@ -277,7 +286,8 @@ def mint_token(
 
         _class = self.token_map.get(token_class)
         if token_class == "id_token":
-            class_args = {k: v for k, v in kwargs.items() if k not in ["code", "access_token"]}
+            class_args = {k: v for k, v in kwargs.items() if
+                          k not in ["code", "access_token", "as_if"]}
             handler_args = {k: v for k, v in kwargs.items() if k in ["code", "access_token"]}
         else:
             class_args = kwargs
@@ -303,19 +313,30 @@ def mint_token(
             if token_handler is None:
                 token_handler = endpoint_context.session_manager.token_handler.handler[token_class]
 
-            # Only access_token and id_token can give rise to claims release
-            if token_class in ["access_token", "id_token"]:
+            if token_class in endpoint_context.claims_interface.claims_release_points:
                 claims_release_point = token_class
             else:
                 claims_release_point = ""
 
+            _secondary_identifier = kwargs.get("as_if")
+            logger.debug(
+                f"claims_release_point: {claims_release_point}, secondary_identifier: "
+                f"{_secondary_identifier}")
+
+            if token_class == "id_token":
+                item.session_id = session_id
+
             token_payload = self.payload_arguments(
                 session_id,
                 endpoint_context,
                 claims_release_point=claims_release_point,
                 scope=scope,
                 extra_payload=handler_args,
+                secondary_identifier=_secondary_identifier
             )
+
+            logger.debug(f"token_payload: {token_payload}")
+
             item.value = token_handler(
                 session_id=session_id, usage_rules=usage_rules, **token_payload
             )
@@ -338,7 +359,7 @@ def revoke_token(
             value: Optional[str] = "",
             based_on: Optional[str] = "",
             recursive: bool = True
-        ):
+    ):
         for t in self.issued_token:
             if not value and not based_on:
                 t.revoked = True
@@ -369,6 +390,16 @@ def get_spec(self, token: SessionToken) -> Optional[dict]:
                     res[attr] = _val
         return res
 
+    def last_issued_token_of_type(self, token_class):
+        res = None
+        for t in self.issued_token:
+            if t.token_class == token_class:
+                if res is None:
+                    res = t
+                elif t.issued_at > res.issued_at:
+                    res = t
+        return res
+
 
 DEFAULT_USAGE = {
     "authorization_code": {
diff --git a/src/oidcop/session/manager.py b/src/oidcop/session/manager.py
index f4d81540..c575ccce 100644
--- a/src/oidcop/session/manager.py
+++ b/src/oidcop/session/manager.py
@@ -372,8 +372,19 @@ def revoke_client_session(self, session_id: str):
             raise ValueError("Invalid session ID")
 
         _info = self.get([_user_id, _client_id])
+        logger.debug(f"revoke_client_session: {_user_id}:{_client_id}")
         self.set([_user_id, _client_id], _info.revoke())
 
+        # revoked all grants
+        for gid in _info.subordinate:
+            _grant = self.get([_user_id, _client_id, gid])
+            _grant.revoke()
+
+    def client_session_is_revoked(self, session_id: str):
+        _user_id, _client_id, _ = self.decrypt_session_id(session_id)
+        _client_inst = self.get([_user_id, _client_id])
+        return _client_inst.revoked
+
     def revoke_grant(self, session_id: str):
         """
         Revokes the grant pointed to by a session identifier.
diff --git a/src/oidcop/session/token.py b/src/oidcop/session/token.py
index d7f301a9..4c9b1d04 100644
--- a/src/oidcop/session/token.py
+++ b/src/oidcop/session/token.py
@@ -2,7 +2,7 @@
 from uuid import uuid1
 
 from oidcmsg.impexp import ImpExp
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 
 class MintingNotAllowed(Exception):
@@ -30,7 +30,7 @@ def __init__(
             used: int = 0,
     ):
         ImpExp.__init__(self)
-        self.issued_at = issued_at or time_sans_frac()
+        self.issued_at = issued_at or utc_time_sans_frac()
         self.not_before = not_before
         if expires_at == 0 and expires_in != 0:
             self.set_expires_at(expires_in)
@@ -42,7 +42,7 @@ def __init__(
         self.usage_rules = usage_rules or {}
 
     def set_expires_at(self, expires_in):
-        self.expires_at = time_sans_frac() + expires_in
+        self.expires_at = utc_time_sans_frac() + expires_in
 
     def max_usage_reached(self):
         if "max_usage" in self.usage_rules:
@@ -58,7 +58,7 @@ def is_active(self, now=0):
             return False
 
         if now == 0:
-            now = time_sans_frac()
+            now = utc_time_sans_frac()
 
         if self.not_before:
             if now < self.not_before:
@@ -212,7 +212,51 @@ def set_defaults(self):
 
 
 class IDToken(SessionToken):
-    pass
+    parameter = SessionToken.parameter.copy()
+    parameter.update(
+        {
+            "session_id": ""
+        }
+    )
+
+    def __init__(
+            self,
+            token_class: str = "",
+            value: str = "",
+            based_on: Optional[str] = None,
+            usage_rules: Optional[dict] = None,
+            issued_at: int = 0,
+            expires_in: int = 0,
+            expires_at: int = 0,
+            not_before: int = 0,
+            revoked: bool = False,
+            used: int = 0,
+            id: str = "",
+            session_id: str = "",
+            scope: Optional[list] = None,
+            claims: Optional[dict] = None,
+            resources: Optional[list] = None,
+            token_type: Optional[str] = "bearer",
+    ):
+        SessionToken.__init__(
+            self,
+            token_class=token_class,
+            value=value,
+            based_on=based_on,
+            usage_rules=usage_rules,
+            issued_at=issued_at,
+            expires_in=expires_in,
+            expires_at=expires_at,
+            not_before=not_before,
+            revoked=revoked,
+            used=used,
+            id=id,
+            scope=scope,
+            claims=claims,
+            resources=resources
+        )
+
+        self.session_id = session_id
 
 
 SHORT_TYPE_NAME = {"authorization_code": "A", "access_token": "T", "refresh_token": "R"}
diff --git a/src/oidcop/token/__init__.py b/src/oidcop/token/__init__.py
index 9134bf55..1c912f68 100755
--- a/src/oidcop/token/__init__.py
+++ b/src/oidcop/token/__init__.py
@@ -2,7 +2,7 @@
 import logging
 from typing import Optional
 
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop import rndstr
 from oidcop.token.exception import UnknownToken
@@ -28,7 +28,7 @@ def is_expired(exp, when=0):
         return False
 
     if not when:
-        when = time_sans_frac()
+        when = utc_time_sans_frac()
     return when > exp
 
 
@@ -95,7 +95,7 @@ def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] =
             token_class = "authorization_code"
 
         if self.lifetime >= 0:
-            exp = str(time_sans_frac() + self.lifetime)
+            exp = str(utc_time_sans_frac() + self.lifetime)
         else:
             exp = "-1"  # Live for ever
 
diff --git a/src/oidcop/token/id_token.py b/src/oidcop/token/id_token.py
index 5f8bc1f4..87332c23 100755
--- a/src/oidcop/token/id_token.py
+++ b/src/oidcop/token/id_token.py
@@ -155,7 +155,7 @@ def payload(
         _mngr = _context.session_manager
         session_information = _mngr.get_session_info(session_id, grant=True)
         grant = session_information["grant"]
-        _args = {"sub": grant.sub}
+        _args = {"sub": grant.sub, "sid": session_id}
         if grant.authentication_event:
             for claim, attr in {"authn_time": "auth_time", "authn_info": "acr"}.items():
                 _val = grant.authentication_event.get(claim)
@@ -279,7 +279,7 @@ def __call__(
                 _context, client_id, "front"
         ):
 
-            xargs = {"sid": get_logout_id(_context, user_id=user_id, client_id=client_id)}
+            xargs = {"sid": session_id}
         else:
             xargs = {}
 
diff --git a/src/oidcop/user_authn/user.py b/src/oidcop/user_authn/user.py
index 5b5bdded..1e9b64c6 100755
--- a/src/oidcop/user_authn/user.py
+++ b/src/oidcop/user_authn/user.py
@@ -66,7 +66,7 @@ def authenticated_as(self, client_id, cookie=None, **kwargs):
             return None, 0
         else:
             _info = self.cookie_info(cookie, client_id)
-            logger.debug('Cookie info: {}'.format(_info))
+            logger.debug('authenticated_as: cookie info={}'.format(_info))
             if _info:
                 if 'max_age' in kwargs and kwargs["max_age"] != 0:
                     _max_age = kwargs["max_age"]
@@ -75,7 +75,7 @@ def authenticated_as(self, client_id, cookie=None, **kwargs):
                         logger.debug(
                             "Too old by {} seconds".format(_now - (_info["timestamp"] + _max_age)))
                         return None, 0
-            return _info, time.time()
+            return _info, utc_time_sans_frac()
 
     def verify(self, *args, **kwargs):
         """
@@ -102,25 +102,16 @@ def done(self, areq):
 
     def cookie_info(self, cookie: List[dict], client_id: str) -> dict:
         _context = self.server_get("endpoint_context")
-        try:
-            logger.debug("parse_cookie@UserAuthnMethod")
-            vals = _context.cookie_handler.parse_cookie(
-                cookies=cookie, name=_context.cookie_handler.name["session"]
-            )
-        except (InvalidCookieSign, AssertionError, AttributeError) as err:
-            logger.warning(err)
-            vals = []
-
-        logger.debug("Value cookies: {}".format(vals))
+        logger.debug("Value cookies: {}".format(cookie))
 
-        if vals is None:
+        if cookie is None:
             pass
         else:
-            for val in vals:
+            for val in cookie:
                 _info = json.loads(val["value"])
                 _info["timestamp"] = int(val["timestamp"])
                 session_id = _context.session_manager.decrypt_session_id(_info["sid"])
-                logger.debug("session id: {}".format(session_id))
+                logger.debug("cookie_info: session id={}".format(session_id))
                 # _, cid, _ = _context.session_manager.decrypt_session_id(_info["sid"])
                 if session_id[1] != client_id:
                     continue
@@ -239,7 +230,7 @@ def authenticated_as(self, client_id, cookie=None, authorization="", **kwargs):
         res = {"uid": user}
         if cookie:
             res.update(self.cookie_info(cookie, client_id))
-        return res, time.time()
+        return res, utc_time_sans_frac()
 
 
 class SymKeyAuthn(UserAuthnMethod):
@@ -273,7 +264,7 @@ def authenticated_as(self, client_id, cookie=None, authorization="", **kwargs):
         if cookie:
             res.update(self.cookie_info(cookie, client_id))
 
-        return res, time.time()
+        return res, utc_time_sans_frac()
 
 
 class NoAuthn(UserAuthnMethod):
@@ -299,7 +290,7 @@ def authenticated_as(self, client_id="", cookie=None, authorization="", **kwargs
         if cookie:
             res.update(self.cookie_info(cookie, client_id))
 
-        return res, time.time()
+        return res, utc_time_sans_frac()
 
 
 def factory(cls, **kwargs):
diff --git a/tests/donot_test_49_session_persistence.py b/tests/donot_test_49_session_persistence.py
new file mode 100644
index 00000000..5421a43e
--- /dev/null
+++ b/tests/donot_test_49_session_persistence.py
@@ -0,0 +1,227 @@
+import json
+import os
+
+import pytest
+from cryptojwt.key_jar import build_keyjar
+from oidcmsg.oidc import AuthorizationRequest
+
+from oidcop.authn_event import create_authn_event
+from oidcop.cookie_handler import CookieHandler
+from oidcop.oidc import userinfo
+from oidcop.oidc.authorization import Authorization
+from oidcop.oidc.provider_config import ProviderConfiguration
+from oidcop.oidc.registration import Registration
+from oidcop.oidc.session import Session
+from oidcop.oidc.token import Token
+from oidcop.server import Server
+from oidcop.user_authn.authn_context import INTERNETPROTOCOLPASSWORD
+from oidcop.user_info import UserInfo
+
+ISS = "https://example.com/"
+
+CLI1 = "https://client1.example.com/"
+CLI2 = "https://client2.example.com/"
+
+KEYDEFS = [
+    {"type": "RSA", "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+]
+
+KEYJAR = build_keyjar(KEYDEFS)
+KEYJAR.import_jwks(KEYJAR.export_jwks(private=True), ISS)
+
+RESPONSE_TYPES_SUPPORTED = [
+    ["code"],
+    ["token"],
+    ["id_token"],
+    ["code", "token"],
+    ["code", "id_token"],
+    ["id_token", "token"],
+    ["code", "token", "id_token"],
+    ["none"],
+]
+
+CAPABILITIES = {
+    "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
+    "token_endpoint_auth_methods_supported": [
+        "client_secret_post",
+        "client_secret_basic",
+        "client_secret_jwt",
+        "private_key_jwt",
+    ],
+    "response_modes_supported": ["query", "fragment", "form_post"],
+    "subject_types_supported": ["public", "pairwise", "ephemeral"],
+    "grant_types_supported": [
+        "authorization_code",
+        "implicit",
+        "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        "refresh_token",
+    ],
+    "claim_types_supported": ["normal", "aggregated", "distributed"],
+    "claims_parameter_supported": True,
+    "request_parameter_supported": True,
+    "request_uri_parameter_supported": True,
+}
+
+AUTH_REQ = AuthorizationRequest(
+    client_id="client_1",
+    redirect_uri="{}cb".format(ISS),
+    scope=["openid"],
+    state="STATE",
+    response_type="code",
+    client_secret="hemligt",
+)
+
+AUTH_REQ_DICT = AUTH_REQ.to_dict()
+
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+
+def full_path(local_file):
+    return os.path.join(BASEDIR, local_file)
+
+
+USERINFO_db = json.loads(open(full_path("users.json")).read())
+
+CDB = {
+    "client_1": {
+        "client_secret": "hemligt",
+        "redirect_uris": [("{}cb".format(CLI1), None)],
+        "client_salt": "salted",
+        "token_endpoint_auth_method": "client_secret_post",
+        "response_types": ["code", "token", "code id_token", "id_token"],
+        "post_logout_redirect_uri": ("{}logout_cb".format(CLI1), ""),
+    },
+    "client_2": {
+        "client_secret": "hemligare",
+        "redirect_uris": [("{}cb".format(CLI2), None)],
+        "client_salt": "saltare",
+        "token_endpoint_auth_method": "client_secret_post",
+        "response_types": ["code", "token", "code id_token", "id_token"],
+        "post_logout_redirect_uri": ("{}logout_cb".format(CLI2), ""),
+    },
+}
+
+CONF = {
+    "issuer": ISS,
+    "password": "mycket hemlig zebra",
+    "token_expires_in": 600,
+    "grant_expires_in": 300,
+    "refresh_token_expires_in": 86400,
+    "verify_ssl": False,
+    "capabilities": CAPABILITIES,
+    "keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
+    "endpoint": {
+        "provider_config": {
+            "path": "{}/.well-known/openid-configuration",
+            "class": ProviderConfiguration,
+            "kwargs": {"client_authn_method": None},
+        },
+        "registration": {
+            "path": "{}/registration",
+            "class": Registration,
+            "kwargs": {"client_authn_method": None},
+        },
+        "authorization": {
+            "path": "{}/authorization",
+            "class": Authorization,
+            "kwargs": {"client_authn_method": None},
+        },
+        "token": {"path": "{}/token", "class": Token, "kwargs": {}},
+        "userinfo": {
+            "path": "{}/userinfo",
+            "class": userinfo.UserInfo,
+            "kwargs": {"db_file": "users.json"},
+        },
+        "session": {
+            "path": "{}/end_session",
+            "class": Session,
+            "kwargs": {
+                "post_logout_uri_path": "post_logout",
+                "signing_alg": "ES256",
+                "logout_verify_url": "{}/verify_logout".format(ISS),
+                "client_authn_method": None,
+            },
+        },
+    },
+    "authentication": {
+        "anon": {
+            "acr": INTERNETPROTOCOLPASSWORD,
+            "class": "oidcop.user_authn.user.NoAuthn",
+            "kwargs": {"user": "diana"},
+        }
+    },
+    "userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}},
+    "template_dir": "template",
+}
+
+COOKIE_CONF = {"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"}
+
+
+class TestEndpoint(object):
+    @pytest.fixture(autouse=True)
+    def create_endpoint(self):
+
+        self.cd = CookieHandler(**COOKIE_CONF)
+
+        server = Server(CONF, cookie_handler=self.cd, keyjar=KEYJAR)
+        endpoint_context = server.endpoint_context
+        endpoint_context.cdb = CDB
+
+        self.session_manager = endpoint_context.session_manager
+        self.authn_endpoint = server.server_get("endpoint", "authorization")
+        self.session_endpoint = server.server_get("endpoint", "session")
+        self.token_endpoint = server.server_get("endpoint", "token")
+        self.user_id = "diana"
+
+    def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
+        if sector_identifier:
+            authz_req = auth_req.copy()
+            authz_req["sector_identifier_uri"] = sector_identifier
+        else:
+            authz_req = auth_req
+        client_id = authz_req["client_id"]
+        ae = create_authn_event(self.user_id)
+        return self.session_manager.create_session(
+            ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
+        )
+
+    def _mint_code(self, grant, session_id):
+        return grant.mint_token(
+            session_id=session_id,
+            endpoint_context=self.authn_endpoint.server_get("endpoint_context"),
+            token_type="authorization_code",
+            token_handler=self.session_manager.token_handler["code"],
+        )
+
+    def _mint_access_token(self, grant, session_id, token_ref=None, resources=None):
+        return grant.mint_token(
+            session_id=session_id,
+            endpoint_context=self.authn_endpoint.server_get("endpoint_context"),
+            token_type="access_token",
+            token_handler=self.session_manager.token_handler["access_token"],
+            based_on=token_ref,
+            resources=resources,
+        )
+
+    def test_to(self):
+        session_id = self._create_session(AUTH_REQ)
+        grant = self.session_manager[session_id]
+        code = self._mint_code(grant, session_id)
+        access_token = self._mint_access_token(grant, session_id, code)
+
+        _store = self.session_manager.dump()
+        assert _store
+        _store_str = json.dumps(_store)
+
+        # 2nd server
+        server = Server(CONF, cookie_handler=self.cd, keyjar=KEYJAR)
+        server.endpoint_context.cdb = CDB
+        _mngr = server.endpoint_context.session_manager
+
+        _mngr.load(_store)
+
+        _session_info = _mngr.get_session_info_by_token(access_token.value)
+        assert _session_info
+        code = _mngr.find_token(_session_info["session_id"], code.value)
+        assert code.is_active()
diff --git a/tests/logging_config.json b/tests/logging_config.json
new file mode 100644
index 00000000..e8918a7a
--- /dev/null
+++ b/tests/logging_config.json
@@ -0,0 +1,31 @@
+{
+  "version": 1,
+  "root": {
+    "handlers": [
+      "default", "console"
+    ],
+    "level": "DEBUG"
+  },
+  "loggers": {
+    "bobcat": {
+      "level": "DEBUG"
+    }
+  },
+  "handlers": {
+    "default": {
+      "class": "logging.FileHandler",
+      "filename": "debug.log",
+      "formatter": "default"
+    },
+    "console": {
+      "class": "logging.StreamHandler",
+      "stream": "ext//sys.stdout",
+      "formatter": "default"
+    }
+  },
+  "formatters": {
+    "default": {
+      "format": "%(asctime)s %(name)s %(levelname)s %(message)s"
+    }
+  }
+}
\ No newline at end of file
diff --git a/tests/test_00_server.py b/tests/test_00_server.py
index 2b8aa386..a784e87a 100755
--- a/tests/test_00_server.py
+++ b/tests/test_00_server.py
@@ -88,8 +88,7 @@ def full_path(local_file):
     client_secret: '2222222222222222222222222222222222222222'
     redirect_uris:
       - ['https://127.0.0.1:8090/authz_cb/bobcat', '']
-    post_logout_redirect_uris:
-      - ['https://openidconnect.net/', '']
+    post_logout_redirect_uri: ['https://openidconnect.net/', '']
     response_types:
       - code
 """
diff --git a/tests/test_01_claims.py b/tests/test_01_claims.py
index ca60643c..24873b7e 100644
--- a/tests/test_01_claims.py
+++ b/tests/test_01_claims.py
@@ -2,7 +2,6 @@
 
 import pytest
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
 
 from oidcop.authn_event import create_authn_event
 from oidcop.server import Server
@@ -17,7 +16,7 @@ def full_path(local_file):
 KEYDEFS = [
     {"type": "RSA", "key": "", "use": ["sig"]},
     {"type": "EC", "crv": "P-256", "use": ["sig"]},
-]
+    ]
 
 AREQ = AuthorizationRequest(
     response_type="code",
@@ -26,7 +25,7 @@ def full_path(local_file):
     scope=["openid"],
     state="state000",
     nonce="nonce",
-)
+    )
 
 AREQ_2 = AuthorizationRequest(
     response_type="code",
@@ -36,7 +35,7 @@ def full_path(local_file):
     state="state000",
     nonce="nonce",
     claims={"id_token": {"nickname": None}},
-)
+    )
 
 AREQ_3 = AuthorizationRequest(
     response_type="code",
@@ -48,8 +47,8 @@ def full_path(local_file):
     claims={
         "id_token": {"nickname": None},
         "userinfo": {"name": None, "email": None, "email_verified": None},
-    },
-)
+        },
+    )
 
 conf = {
     "issuer": "https://example.com/",
@@ -60,25 +59,25 @@ def full_path(local_file):
             "path": "authorization",
             "class": "oidcop.oidc.authorization.Authorization",
             "kwargs": {},
-        },
-        "token_endpoint": {"path": "token", "class": "oidcop.oidc.token.Token", "kwargs": {},},
+            },
+        "token_endpoint": {"path": "token", "class": "oidcop.oidc.token.Token", "kwargs": {}, },
         "userinfo_endpoint": {
             "path": "userinfo",
             "class": "oidcop.oidc.userinfo.UserInfo",
             "kwargs": {},
-        },
+            },
         "introspection_endpoint": {
             "path": "introspection",
             "class": "oidcop.oauth2.introspection.Introspection",
             "kwargs": {},
+            },
         },
-    },
     "token_handler_args": {
         "jwks_def": {
             "private_path": "private/token_jwks.json",
             "read_only": False,
             "key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
-        },
+            },
         "code": {"kwargs": {"lifetime": 600}},
         "token": {
             "class": "oidcop.token.jwt_token.JWTToken",
@@ -86,20 +85,20 @@ def full_path(local_file):
                 "lifetime": 3600,
                 "add_claims_by_scope": True,
                 "aud": ["https://example.org/appl"],
+                },
             },
-        },
         "refresh": {
             "class": "oidcop.token.jwt_token.JWTToken",
-            "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
-        },
+            "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
+            },
         "id_token": {"class": "oidcop.token.id_token.IDToken", "kwargs": {}},
-    },
+        },
     "userinfo": {
         "class": "oidcop.user_info.UserInfo",
         "kwargs": {"db_file": full_path("users.json")},
-    },
+        },
     "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
-}
+    }
 
 USER_ID = "diana"
 
@@ -116,11 +115,11 @@ def create_idtoken(self):
             "response_types": ["code", "token", "code id_token", "id_token"],
             "add_claims": {
                 "always": {},
-            },
-        }
+                },
+            }
         server.endpoint_context.keyjar.add_symmetric(
             "client_1", "hemligtochintekort", ["sig", "enc"]
-        )
+            )
         self.claims_interface = server.endpoint_context.claims_interface
         self.endpoint_context = server.endpoint_context
         self.session_manager = self.endpoint_context.session_manager
@@ -138,7 +137,7 @@ def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
         ae = create_authn_event(self.user_id)
         return self.session_manager.create_session(
             ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
-        )
+            )
 
     def test_authorization_request_id_token_claims(self):
         claims = self.claims_interface.authorization_request_claims(AREQ, "id_token")
@@ -161,27 +160,7 @@ def test_authorization_request_userinfo_claims_3(self):
         claims = self.claims_interface.authorization_request_claims(AREQ_3, "userinfo")
         assert set(claims.keys()) == {"name", "email", "email_verified"}
 
-    @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
-    def test_get_client_claims_0(self, usage):
-        claims = self.claims_interface._get_client_claims("client_1", usage)
-        assert claims == {}
-
-    def test_get_client_claims_id_token_1(self):
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name", "email"]
-        claims = self.claims_interface._get_client_claims("client_1", "id_token")
-        assert set(claims.keys()) == {"name", "email"}
-
-    def test_get_client_claims_userinfo_1(self):
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["email", "address"]
-        claims = self.claims_interface._get_client_claims("client_1", "userinfo")
-        assert set(claims.keys()) == {"address", "email"}
-
-    def test_get_client_claims_introspection_1(self):
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["introspection"] = ["email"]
-        claims = self.claims_interface._get_client_claims("client_1", "introspection")
-        assert set(claims.keys()) == {"email"}
-
-    @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
+    @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "access_token"])
     def test_get_claims(self, usage):
         session_id = self._create_session(AREQ)
         claims = self.claims_interface.get_claims(session_id, [], usage)
@@ -191,7 +170,7 @@ def test_get_claims_id_token_1(self):
         session_id = self._create_session(AREQ)
         self.session_manager.token_handler["id_token"].kwargs = {
             "base_claims": {"email": None, "email_verified": None}
-        }
+            }
         claims = self.claims_interface.get_claims(session_id, [], "id_token")
         assert set(claims.keys()) == {"email", "email_verified"}
 
@@ -200,8 +179,9 @@ def test_get_claims_id_token_2(self):
         self.session_manager.token_handler["id_token"].kwargs = {
             "base_claims": {"email": None, "email_verified": None},
             "enable_claims_per_client": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name",
+                                                                                     "email"]
 
         claims = self.claims_interface.get_claims(session_id, [], "id_token")
         assert set(claims.keys()) == {"name", "email", "email_verified"}
@@ -212,8 +192,9 @@ def test_get_claims_id_token_3(self):
             "base_claims": {"email": None, "email_verified": None},
             "enable_claims_per_client": True,
             "add_claims_by_scope": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name",
+                                                                                     "email"]
 
         claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "id_token")
         assert set(claims.keys()) == {
@@ -222,7 +203,7 @@ def test_get_claims_id_token_3(self):
             "email_verified",
             "sub",
             "address",
-        }
+            }
 
     def test_get_claims_userinfo_3(self):
         _module = self.server.server_get("endpoint", "userinfo")
@@ -231,8 +212,9 @@ def test_get_claims_userinfo_3(self):
             "base_claims": {"email": None, "email_verified": None},
             "enable_claims_per_client": True,
             "add_claims_by_scope": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name",
+                                                                                     "email"]
 
         claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "userinfo")
         assert set(claims.keys()) == {
@@ -241,7 +223,31 @@ def test_get_claims_userinfo_3(self):
             "email_verified",
             "sub",
             "address",
-        }
+            }
+
+    def test_get_claims_id_token_and_userinfo(self):
+        session_id = self._create_session(AREQ)
+        self.session_manager.token_handler["id_token"].kwargs = {
+            "base_claims": {"email": None, "email_verified": None},
+            "enable_claims_per_client": True,
+            "add_claims_by_scope": True,
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["id_token"] = ["name",
+                                                                                     "email"]
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = [
+            "phone", "phone_verified"]
+
+        claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "id_token",
+                                                  "userinfo")
+        assert set(claims.keys()) == {
+            "name",
+            "email",
+            "email_verified",
+            "sub",
+            "address",
+            "phone",
+            "phone_verified"
+            }
 
     def test_get_claims_introspection_3(self):
         _module = self.server.server_get("endpoint", "introspection")
@@ -249,23 +255,23 @@ def test_get_claims_introspection_3(self):
             "base_claims": {"email": None, "email_verified": None},
             "enable_claims_per_client": True,
             "add_claims_by_scope": True,
-        }
+            }
         self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["introspection"] = [
             "name",
             "email",
-        ]
+            ]
 
         session_id = self._create_session(AREQ)
         claims = self.claims_interface.get_claims(
             session_id, ["openid", "address"], "introspection"
-        )
+            )
         assert set(claims.keys()) == {
             "name",
             "email",
             "email_verified",
             "sub",
             "address",
-        }
+            }
 
     def test_get_claims_access_token_3(self):
         _module = self.endpoint_context.session_manager.token_handler["access_token"]
@@ -273,8 +279,9 @@ def test_get_claims_access_token_3(self):
             "base_claims": {"email": None, "email_verified": None},
             "enable_claims_per_client": True,
             "add_claims_by_scope": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["access_token"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["access_token"] = ["name",
+                                                                                         "email"]
 
         session_id = self._create_session(AREQ)
         claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "access_token")
@@ -284,7 +291,7 @@ def test_get_claims_access_token_3(self):
             "email_verified",
             "sub",
             "address",
-        }
+            }
 
     def test_get_claims_all_usage(self):
         # Make sure everything is reset
@@ -301,7 +308,7 @@ def test_get_claims_all_usage(self):
             "userinfo",
             "introspection",
             "access_token",
-        }
+            }
         for usage in ["id_token", "userinfo", "introspection", "access_token"]:
             assert claims[usage] == {}
 
@@ -309,12 +316,13 @@ def test_get_claims_all_usage_2(self):
         # make all different
         self.session_manager.token_handler["id_token"].kwargs = {
             "base_claims": {"email": None, "email_verified": None}
-        }
+            }
 
         self.server.server_get("endpoint", "userinfo").kwargs = {
             "enable_claims_per_client": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name",
+                                                                                     "email"]
 
         self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
 
@@ -328,7 +336,7 @@ def test_get_claims_all_usage_2(self):
             "userinfo",
             "introspection",
             "access_token",
-        }
+            }
 
         assert set(claims["id_token"].keys()) == {"email", "email_verified"}
         assert set(claims["userinfo"].keys()) == {"email", "name"}
@@ -338,21 +346,21 @@ def test_get_claims_all_usage_2(self):
     def test_get_user_claims(self):
         self.session_manager.token_handler["id_token"].kwargs = {
             "base_claims": {"email": None, "email_verified": None}
-        }
+            }
 
         self.server.server_get("endpoint", "userinfo").kwargs = {
             "enable_claims_per_client": True,
-        }
-        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name", "email"]
+            }
+        self.endpoint_context.cdb["client_1"]["add_claims"]["always"]["userinfo"] = ["name",
+                                                                                     "email"]
 
         self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
 
         self.endpoint_context.session_manager.token_handler["access_token"].kwargs = {}
 
         session_id = self._create_session(AREQ)
-        claims_restriction = self.claims_interface.get_claims_all_usage(
-            session_id, ["openid", "address"]
-        )
+        claims_restriction = self.claims_interface.get_claims_all_usage(session_id,
+                                                                        ["openid", "address"])
 
         _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["userinfo"])
         assert _claims == {"name": "Diana Krall", "email": "diana@example.org"}
@@ -362,7 +370,7 @@ def test_get_user_claims(self):
 
         _claims = self.claims_interface.get_user_claims(
             USER_ID, claims_restriction["introspection"]
-        )
+            )
         # Note that sub is not a user claim
         assert _claims == {
             "address": {
@@ -370,8 +378,8 @@ def test_get_user_claims(self):
                 "locality": "Umeå",
                 "postal_code": "SE-90187",
                 "street_address": "Umeå Universitet",
+                }
             }
-        }
 
         _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["access_token"])
         assert _claims == {}
diff --git a/tests/test_01_session_token.py b/tests/test_01_session_token.py
index 622e4b6d..1ae59396 100644
--- a/tests/test_01_session_token.py
+++ b/tests/test_01_session_token.py
@@ -1,4 +1,4 @@
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop.session.token import AccessToken
 from oidcop.session.token import AuthorizationCode
@@ -103,5 +103,5 @@ def test_is_active_revoke():
 
 def test_is_active_expired():
     token = AccessToken(usage_rules={"max_usage": 2})
-    token.expires_at = time_sans_frac() - 60
+    token.expires_at = utc_time_sans_frac() - 60
     assert token.is_active() is False
diff --git a/tests/test_04_token_handler.py b/tests/test_04_token_handler.py
index 36c1b6dd..bdd9c937 100644
--- a/tests/test_04_token_handler.py
+++ b/tests/test_04_token_handler.py
@@ -5,6 +5,7 @@
 import secrets
 import time
 
+from cryptojwt.jwt import utc_time_sans_frac
 import pytest
 
 from oidcop.configure import OPConfiguration
@@ -30,7 +31,7 @@ def test_is_expired():
     assert is_expired(1, 1) is False
     assert is_expired(2, 1) is False
 
-    now = time.time()
+    now = utc_time_sans_frac()
     assert is_expired(now - 1)
     assert is_expired(now + 1) is False
 
@@ -60,7 +61,7 @@ def test_encrypt_decrypt(self):
 
     def test_crypt_with_b64(self):
         db = {}
-        msg = "secret{}{}".format(time.time(), secrets.token_urlsafe(16))
+        msg = "secret{}{}".format(utc_time_sans_frac(), secrets.token_urlsafe(16))
         csum = hmac.new(msg.encode("utf-8"), digestmod=hashlib.sha224)
         txt = csum.digest()  # 28 bytes long, 224 bits
         db[txt] = "foobar"
diff --git a/tests/test_05_id_token.py b/tests/test_05_id_token.py
index 5965c292..ab25aaee 100644
--- a/tests/test_05_id_token.py
+++ b/tests/test_05_id_token.py
@@ -6,7 +6,7 @@
 from cryptojwt import KeyJar
 from cryptojwt.jws.jws import factory
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop.authn_event import create_authn_event
 from oidcop.client_authn import verify_client
@@ -129,7 +129,10 @@ def full_path(local_file):
                     "max_usage": 1,
                 },
                 "access_token": {},
-                "refresh_token": {"supports_minting": ["access_token", "refresh_token"]},
+                "refresh_token": {
+                    "supports_minting": ["access_token", "refresh_token"],
+                    "expires_in": 3600
+                },
             },
             "expires_in": 43200,
         }
@@ -198,7 +201,7 @@ def _mint_code(self, grant, session_id):
             endpoint_context=self.endpoint_context,
             token_class="authorization_code",
             token_handler=self.session_manager.token_handler["authorization_code"],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
         )
 
     def _mint_access_token(self, grant, session_id, token_ref):
@@ -207,7 +210,7 @@ def _mint_access_token(self, grant, session_id, token_ref):
             endpoint_context=self.endpoint_context,
             token_class="access_token",
             token_handler=self.session_manager.token_handler["access_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=token_ref,  # Means the token (tok) was used to mint this token
         )
         return access_token
@@ -218,7 +221,7 @@ def _mint_id_token(self, grant, session_id, token_ref=None, code=None, access_to
             endpoint_context=self.endpoint_context,
             token_class="id_token",
             token_handler=self.session_manager.token_handler["id_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=token_ref,  # Means the token (tok) was used to mint this token
             code=code,
             access_token=access_token,
@@ -244,6 +247,7 @@ def test_id_token_payload_0(self):
             "scope",
             "client_id",
             "iss",
+            "sid"
         }
 
     def test_id_token_payload_with_code(self):
@@ -269,6 +273,7 @@ def test_id_token_payload_with_code(self):
             "iss",
             "iat",
             "nonce",
+            "sid"
         }
 
     def test_id_token_payload_with_access_token(self):
@@ -299,6 +304,7 @@ def test_id_token_payload_with_access_token(self):
             "iat",
             "nonce",
             "at_hash",
+            "sid"
         }
 
     def test_id_token_payload_with_code_and_access_token(self):
@@ -328,6 +334,7 @@ def test_id_token_payload_with_code_and_access_token(self):
             "nonce",
             "at_hash",
             "c_hash",
+            "sid"
         }
 
     def test_id_token_payload_with_userinfo(self):
@@ -354,6 +361,7 @@ def test_id_token_payload_with_userinfo(self):
             "exp",
             "auth_time",
             "sub",
+            "sid"
         }
 
     def test_id_token_payload_many_0(self):
@@ -386,6 +394,7 @@ def test_id_token_payload_many_0(self):
             "exp",
             "iat",
             "iss",
+            "sid"
         }
 
     def test_sign_encrypt_id_token(self):
diff --git a/tests/test_05_jwt_token.py b/tests/test_05_jwt_token.py
index 249d8d86..a1e07bf5 100644
--- a/tests/test_05_jwt_token.py
+++ b/tests/test_05_jwt_token.py
@@ -5,7 +5,7 @@
 from cryptojwt.key_jar import init_key_jar
 from oidcmsg.oidc import AccessTokenRequest
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop import user_info
 from oidcop.authn_event import create_authn_event
@@ -213,7 +213,7 @@ def _mint_token(self, token_class, grant, session_id, based_on=None, **kwargs):
             endpoint_context=self.endpoint_context,
             token_class=token_class,
             token_handler=self.session_manager.token_handler.handler[token_class],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
             based_on=based_on,
             **kwargs
         )
@@ -274,4 +274,4 @@ def test_is_expired(self):
 
         assert access_token.is_active()
         # 4000 seconds in the future. Passed the lifetime.
-        assert access_token.is_active(now=time_sans_frac() + 4000) is False
+        assert access_token.is_active(now=utc_time_sans_frac() + 4000) is False
diff --git a/tests/test_06_authn_context.py b/tests/test_06_authn_context.py
index 34fffbda..b2c297f5 100644
--- a/tests/test_06_authn_context.py
+++ b/tests/test_06_authn_context.py
@@ -3,7 +3,7 @@
 
 import pytest
 from cryptojwt.jwk.hmac import SYMKey
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop.authn_event import AuthnEvent
 from oidcop.cookie_handler import CookieHandler
@@ -184,11 +184,11 @@ def test_pick_authn_all(self):
 
 
 def test_authn_event():
-    an = AuthnEvent(uid="uid", valid_until=time_sans_frac() + 1, authn_info="authn_class_ref",)
+    an = AuthnEvent(uid="uid", valid_until=utc_time_sans_frac() + 1, authn_info="authn_class_ref",)
 
     assert an.is_valid()
 
-    n = time_sans_frac() + 3
+    n = utc_time_sans_frac() + 3
     assert an.is_valid(n) is False
 
     n = an.expires_in()
diff --git a/tests/test_06_session_manager.py b/tests/test_06_session_manager.py
index a65fdd44..34953c75 100644
--- a/tests/test_06_session_manager.py
+++ b/tests/test_06_session_manager.py
@@ -1,8 +1,8 @@
+from cryptojwt.jws.jws import factory
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 import pytest
 
-from . import full_path
 from oidcop.authn_event import AuthnEvent
 from oidcop.authn_event import create_authn_event
 from oidcop.authz import AuthzHandling
@@ -10,11 +10,11 @@
 from oidcop.oidc.token import Token
 from oidcop.server import Server
 from oidcop.session import MintingNotAllowed
-from oidcop.session.grant import Grant
 from oidcop.session.info import ClientSessionInfo
 from oidcop.session.token import AccessToken
 from oidcop.session.token import AuthorizationCode
 from oidcop.session.token import RefreshToken
+from . import full_path
 
 AUTH_REQ = AuthorizationRequest(
     client_id="client_1",
@@ -31,6 +31,8 @@
 
 USER_ID = "diana"
 
+CLI1 = "https://client1.example.com/"
+
 
 class TestSessionManager:
     @pytest.fixture(autouse=True)
@@ -61,7 +63,19 @@ def create_session_manager(self):
                 },
                 "refresh": {
                     "class": "oidcop.token.jwt_token.JWTToken",
-                    "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
+                    "kwargs": {
+                        "lifetime": 3600,
+                        "aud": ["https://example.org/appl"],
+                    },
+                },
+                "id_token": {
+                    "class": "oidcop.token.id_token.IDToken",
+                    "kwargs": {
+                        "base_claims": {
+                            "email": {"essential": True},
+                            "email_verified": {"essential": True},
+                        }
+                    },
                 },
             },
             "endpoint": {
@@ -86,9 +100,28 @@ def create_session_manager(self):
         server = Server(conf)
         self.server = server
         self.endpoint_context = server.endpoint_context
+        self.endpoint_context.cdb = {
+            "client_1": {
+                "client_secret": "hemligt",
+                "redirect_uris": [("{}cb".format(CLI1), None)],
+                "client_salt": "salted",
+                "token_endpoint_auth_method": "client_secret_post",
+                "response_types": ["code", "token", "code id_token", "id_token"],
+                "post_logout_redirect_uri": (f"{CLI1}logout_cb", ""),
+                "token_usage_rules": {
+                    "authorization_code": {
+                        "supports_minting": ["access_token", "refresh_token", "id_token"]
+                    },
+                    "refresh_token": {
+                        "supports_minting": ["id_token"]
+                    }
+                }
+            }
+        }
+
         self.session_manager = server.endpoint_context.session_manager
         self.authn_event = AuthnEvent(
-            uid="uid", valid_until=time_sans_frac() + 1, authn_info="authn_class_ref"
+            uid="uid", valid_until=utc_time_sans_frac() + 1, authn_info="authn_class_ref"
         )
         self.dummy_session_id = self.session_manager.encrypted_session_id(
             "user_id", "client_id", "grant.id"
@@ -203,22 +236,10 @@ def _mint_token(self, token_class, grant, session_id, based_on=None):
             endpoint_context=self.endpoint_context,
             token_class=token_class,
             token_handler=self.session_manager.token_handler.handler[token_class],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
             based_on=based_on,
         )
 
-    def test_grant(self):
-        sid = self._create_session(AUTH_REQ)
-        grant = self.session_manager.get_grant(sid)
-        assert grant.issued_token == []
-        assert grant.is_active() is True
-
-        code = self._mint_token("authorization_code", grant, sid)
-        assert isinstance(code, AuthorizationCode)
-        assert code.is_active()
-        assert len(grant.issued_token) == 1
-        assert code.max_usage_reached() is False
-
     def test_code_usage(self):
         session_id = self._create_session(AUTH_REQ)
         session_info = self.endpoint_context.session_manager.get_session_info(
@@ -416,7 +437,6 @@ def test_token_usage_authz(self):
                     "expires_in": 120,
                 },
                 "access_token": {"expires_in": 600},
-                "refresh_token": {},
             },
             "expires_in": 43200,
         }
@@ -448,6 +468,7 @@ def test_token_usage_authz(self):
         token = self._mint_token("access_token", grant, _session_id, code)
         assert token.usage_rules == {"expires_in": 600}
 
+        # Only allowed to mint access_tokens using the authorization_code
         with pytest.raises(MintingNotAllowed):
             self._mint_token("refresh_token", grant, _session_id, code)
 
@@ -630,3 +651,36 @@ def test_grants(self):
         for i in ("not_before", "used"):
             grant_kwargs.pop(i)
         self.session_manager.add_grant("diana", "client_1", **grant_kwargs)
+
+    def test_find_latest_idtoken(self):
+        token_usage_rules = self.endpoint_context.authz.usage_rules("client_1")
+        _session_id = self.session_manager.create_session(
+            authn_event=self.authn_event,
+            auth_req=AUTH_REQ,
+            user_id="diana",
+            client_id="client_1",
+            token_usage_rules=token_usage_rules,
+        )
+        grant = self.session_manager[_session_id]
+
+        code = self._mint_token("authorization_code", grant, _session_id)
+        id_token_1 = self._mint_token("id_token", grant, _session_id)
+
+        refresh_token = self._mint_token("refresh_token", grant, _session_id, code)
+        id_token_2 = self._mint_token("id_token", grant, _session_id, code)
+
+        _jwt1 = factory(id_token_1.value)
+        _jwt2 = factory(id_token_2.value)
+        assert _jwt1.jwt.payload()['sid'] == _jwt2.jwt.payload()['sid']
+
+        assert id_token_1.session_id == id_token_2.session_id
+
+        idt = grant.last_issued_token_of_type("id_token")
+
+        assert idt.session_id == id_token_2.session_id
+
+        id_token_3 = self._mint_token("id_token", grant, _session_id, refresh_token)
+
+        idt = grant.last_issued_token_of_type("id_token")
+
+        assert idt.session_id == id_token_3.session_id
diff --git a/tests/test_08_session_life.py b/tests/test_08_session_life.py
index 65742d76..cf9b0a9e 100644
--- a/tests/test_08_session_life.py
+++ b/tests/test_08_session_life.py
@@ -6,7 +6,7 @@
 from oidcmsg.oidc import AccessTokenRequest
 from oidcmsg.oidc import AuthorizationRequest
 from oidcmsg.oidc import RefreshAccessTokenRequest
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from . import full_path
 from oidcop import user_info
@@ -76,7 +76,7 @@ def auth(self):
 
         # User info is stored in the Session DB
         authn_event = create_authn_event(
-            user_id, authn_info=INTERNETPROTOCOLPASSWORD, authn_time=time_sans_frac(),
+            user_id, authn_info=INTERNETPROTOCOLPASSWORD, authn_time=utc_time_sans_frac(),
         )
 
         user_info = UserSessionInfo(user_id=user_id)
@@ -107,7 +107,7 @@ def auth(self):
             endpoint_context=self.endpoint_context,
             token_class="authorization_code",
             token_handler=self.session_manager.token_handler["authorization_code"],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
         )
 
         # get user info
@@ -153,7 +153,7 @@ def test_code_flow(self):
             endpoint_context=self.endpoint_context,
             token_class="access_token",
             token_handler=self.session_manager.token_handler["access_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=tok,  # Means the token (tok) was used to mint this token
         )
 
@@ -190,7 +190,7 @@ def test_code_flow(self):
             endpoint_context=self.endpoint_context,
             token_class="access_token",
             token_handler=self.session_manager.token_handler["access_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=reftok,  # Means the token (tok) was used to mint this token
         )
 
@@ -329,7 +329,7 @@ def auth(self):
 
         # Now for client session information
         authn_event = create_authn_event(
-            user_id, authn_info=INTERNETPROTOCOLPASSWORD, authn_time=time_sans_frac(),
+            user_id, authn_info=INTERNETPROTOCOLPASSWORD, authn_time=utc_time_sans_frac(),
         )
 
         client_id = AUTH_REQ["client_id"]
@@ -355,7 +355,7 @@ def auth(self):
             endpoint_context=self.endpoint_context,
             token_class="authorization_code",
             token_handler=self.session_manager.token_handler["authorization_code"],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
         )
         return code
 
@@ -403,7 +403,7 @@ def test_code_flow(self):
             endpoint_context=self.endpoint_context,
             token_class="access_token",
             token_handler=self.session_manager.token_handler["access_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=tok,  # Means the token (tok) was used to mint this token
         )
 
@@ -449,7 +449,7 @@ def test_code_flow(self):
             endpoint_context=self.endpoint_context,
             token_class="access_token",
             token_handler=self.session_manager.token_handler["access_token"],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=reftok,  # Means the refresh token (reftok) was used to mint this token
         )
 
diff --git a/tests/test_100_temp.py b/tests/test_100_temp.py
new file mode 100644
index 00000000..bb0c4afe
--- /dev/null
+++ b/tests/test_100_temp.py
@@ -0,0 +1,422 @@
+import copy
+import os
+
+from oidcmsg.oidc import AuthorizationRequest
+import pytest
+
+from oidcop.authn_event import create_authn_event
+from oidcop.server import Server
+
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+
+def full_path(local_file):
+    return os.path.join(BASEDIR, local_file)
+
+
+KEYDEFS = [
+    {"type": "RSA", "key": "", "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+]
+
+AREQS = AuthorizationRequest(
+    response_type="code",
+    client_id='CLIENT_ID',
+    redirect_uri="http://example.com/authz",
+    scope=["openid", "address", "email"],
+    state="state000",
+    nonce="nonce",
+)
+
+conf = {
+    "issuer": "https://example.com/",
+    "template_dir": "template",
+    "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS, "read_only": True},
+    "endpoint": {
+        "authorization_endpoint": {
+            "path": "authorization",
+            "class": "oidcop.oidc.authorization.Authorization",
+            "kwargs": {},
+        },
+        "token_endpoint": {"path": "token", "class": "oidcop.oidc.token.Token", "kwargs": {}, },
+        "userinfo_endpoint": {
+            "path": "userinfo",
+            "class": "oidcop.oidc.userinfo.UserInfo",
+            "kwargs": {},
+        },
+        "introspection_endpoint": {
+            "path": "introspection",
+            "class": "oidcop.oauth2.introspection.Introspection",
+            "kwargs": {},
+        },
+    },
+    "token_handler_args": {
+        "jwks_def": {
+            "private_path": "private/token_jwks.json",
+            "read_only": False,
+            "key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
+        },
+        "code": {"kwargs": {"lifetime": 600}},
+        "token": {
+            "class": "oidcop.token.jwt_token.JWTToken",
+            "kwargs": {
+                "lifetime": 3600,
+                "add_claims_by_scope": True,
+                "aud": ["https://example.org/appl"],
+            },
+        },
+        "refresh": {
+            "class": "oidcop.token.jwt_token.JWTToken",
+            "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
+        },
+        "id_token": {"class": "oidcop.token.id_token.IDToken", "kwargs": {}},
+    },
+    "userinfo": {
+        "class": "oidcop.user_info.UserInfo",
+        "kwargs": {"db_file": full_path("users.json")},
+    },
+    "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
+}
+
+USER_ID = "diana"
+
+oidc_clients = {
+    "client_1": {
+        "client_secret": "Namnam",
+        "redirect_uris": [('https://openidconnect.net/callback', '')],
+        "response_types": ["code"],
+        "userinfo_add_claims_by_scope": False,
+        "id_token_add_claims_by_scope": False,
+        "userinfo_claims": ["email", "email_verified"],
+        "id_token_claims": ["email", "phone"]
+    }
+}
+
+oidc_clients_s = {
+    "client_1": {
+        "client_secret": "Namnam",
+        "redirect_uris": [('https://openidconnect.net/callback', '')],
+        "response_types": ["code"],
+        "add_claims": {
+            "by_scope": {
+                "userinfo": False,
+                "id_token": False
+            },
+            "always": {
+                "userinfo": ["email", "email_verified"],
+                "id_token": ["email", "phone"]
+            }
+        }
+    }
+}
+
+
+class TestEndpoint(object):
+    @pytest.fixture(autouse=True)
+    def create_idtoken(self):
+        server = Server(conf)
+        server.endpoint_context.cdb["client_1"] = {
+            "client_secret": "Namnam",
+            "redirect_uris": [('https://openidconnect.net/callback', '')],
+            "response_types": ["code"],
+            "add_claims_by_scope": False,
+        }
+        server.endpoint_context.cdb["client_2"] = {
+            "client_secret": "spraket",
+            "redirect_uris": [('https://app1.example.net/foo', ''),
+                              ('https://app2.example.net/bar', '')],
+            "response_types": ["code"],
+        }
+        server.endpoint_context.keyjar.add_symmetric(
+            "client_1", "Namnam", ["sig", "enc"]
+        )
+        server.endpoint_context.keyjar.add_symmetric(
+            "client_2", "spraket", ["sig", "enc"]
+        )
+        self.claims_interface = server.endpoint_context.claims_interface
+        self.endpoint_context = server.endpoint_context
+        self.session_manager = self.endpoint_context.session_manager
+        self.user_id = USER_ID
+        self.server = server
+
+    def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
+        if sector_identifier:
+            authz_req = auth_req.copy()
+            authz_req["sector_identifier_uri"] = sector_identifier
+        else:
+            authz_req = auth_req
+
+        client_id = authz_req["client_id"]
+        ae = create_authn_event(self.user_id)
+        return self.session_manager.create_session(
+            ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
+        )
+
+    def test_get_claims_id_token_1(self):
+        areq = copy.deepcopy(AREQS)
+        areq["client_id"] = "client_1"
+        session_id = self._create_session(areq)
+        self.session_manager.token_handler["id_token"].kwargs = {
+            "base_claims": {"email": None, "email_verified": None}
+        }
+        claims = self.claims_interface.get_claims(session_id, areq["scope"], "id_token")
+        assert set(claims.keys()) == {"email", "email_verified"}
+
+    def test_get_claims_id_token_2(self):
+        areq = copy.deepcopy(AREQS)
+        areq["client_id"] = "client_2"
+        session_id = self._create_session(areq)
+        self.session_manager.token_handler["id_token"].kwargs = {
+            "base_claims": {"email": None, "email_verified": None}
+        }
+        claims = self.claims_interface.get_claims(session_id, areq["scope"], "id_token")
+        assert set(claims.keys()) == {"email", "email_verified"}
+
+    def test_get_claims_userinfo_1(self):
+        areq = copy.deepcopy(AREQS)
+        areq["client_id"] = "client_1"
+        session_id = self._create_session(areq)
+        self.session_manager.token_handler["id_token"].kwargs = {
+            "base_claims": {"email": None, "email_verified": None}
+        }
+        claims = self.claims_interface.get_claims(session_id, areq["scope"], "userinfo")
+        assert set(claims.keys()) == {"email", "email_verified", "sub", "address"}
+
+    def test_get_claims_userinfo_2(self):
+        areq = copy.deepcopy(AREQS)
+        areq["client_id"] = "client_2"
+        session_id = self._create_session(areq)
+        self.session_manager.token_handler["id_token"].kwargs = {
+            "base_claims": {"email": None, "email_verified": None}
+        }
+        claims = self.claims_interface.get_claims(session_id, areq["scope"], "userinfo")
+        assert set(claims.keys()) == {"email", "email_verified", "sub", "address"}
+
+    # def test_authorization_request_userinfo_claims_2(self):
+    #     session_id = self._create_session(AREQ_2)
+    #
+    #     claims = self.claims_interface.authorization_request_claims(session_id, "userinfo")
+    #     assert claims == {}
+    #
+    # def test_authorization_request_userinfo_claims_3(self):
+    #     session_id = self._create_session(AREQ_3)
+    #
+    #     claims = self.claims_interface.authorization_request_claims(session_id, "userinfo")
+    #     assert set(claims.keys()) == {"name", "email", "email_verified"}
+    #
+    # @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
+    # def test_get_client_claims_0(self, usage):
+    #     claims = self.claims_interface._get_client_claims("client_1", usage)
+    #     assert claims == {}
+    #
+    # def test_get_client_claims_id_token_1(self):
+    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
+    #     claims = self.claims_interface._get_client_claims("client_1", "id_token")
+    #     assert set(claims.keys()) == {"name", "email"}
+    #
+    # def test_get_client_claims_userinfo_1(self):
+    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["email", "address"]
+    #     claims = self.claims_interface._get_client_claims("client_1", "userinfo")
+    #     assert set(claims.keys()) == {"address", "email"}
+    #
+    # def test_get_client_claims_introspection_1(self):
+    #     self.endpoint_context.cdb["client_1"]["introspection_claims"] = ["email"]
+    #     claims = self.claims_interface._get_client_claims("client_1", "introspection")
+    #     assert set(claims.keys()) == {"email"}
+    #
+    # @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
+    # def test_get_claims(self, usage):
+    #     session_id = self._create_session(AREQ)
+    #     claims = self.claims_interface.get_claims(session_id, [], usage)
+    #     assert claims == {}
+    #
+    # def test_get_claims_id_token_1(self):
+    #     session_id = self._create_session(AREQ)
+    #     self.session_manager.token_handler["id_token"].kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None}
+    #     }
+    #     claims = self.claims_interface.get_claims(session_id, [], "id_token")
+    #     assert set(claims.keys()) == {"email", "email_verified"}
+    #
+    # def test_get_claims_id_token_2(self):
+    #     session_id = self._create_session(AREQ)
+    #     self.session_manager.token_handler["id_token"].kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None},
+    #         "enable_claims_per_client": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
+    #
+    #     claims = self.claims_interface.get_claims(session_id, [], "id_token")
+    #     assert set(claims.keys()) == {"name", "email", "email_verified"}
+    #
+    # def test_get_claims_id_token_3(self):
+    #     session_id = self._create_session(AREQ)
+    #     self.session_manager.token_handler["id_token"].kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None},
+    #         "enable_claims_per_client": True,
+    #         "add_claims_by_scope": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
+    #
+    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "id_token")
+    #     assert set(claims.keys()) == {
+    #         "name",
+    #         "email",
+    #         "email_verified",
+    #         "sub",
+    #         "address",
+    #     }
+    #
+    # def test_get_claims_userinfo_3(self):
+    #     _module = self.server.server_get("endpoint", "userinfo")
+    #     session_id = self._create_session(AREQ)
+    #     _module.kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None},
+    #         "enable_claims_per_client": True,
+    #         "add_claims_by_scope": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
+    #
+    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "userinfo")
+    #     assert set(claims.keys()) == {
+    #         "name",
+    #         "email",
+    #         "email_verified",
+    #         "sub",
+    #         "address",
+    #     }
+    #
+    # def test_get_claims_introspection_3(self):
+    #     _module = self.server.server_get("endpoint", "introspection")
+    #     _module.kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None},
+    #         "enable_claims_per_client": True,
+    #         "add_claims_by_scope": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["introspection_claims"] = [
+    #         "name",
+    #         "email",
+    #     ]
+    #
+    #     session_id = self._create_session(AREQ)
+    #     claims = self.claims_interface.get_claims(
+    #         session_id, ["openid", "address"], "introspection"
+    #     )
+    #     assert set(claims.keys()) == {
+    #         "name",
+    #         "email",
+    #         "email_verified",
+    #         "sub",
+    #         "address",
+    #     }
+    #
+    # def test_get_claims_access_token_3(self):
+    #     _module = self.endpoint_context.session_manager.token_handler["access_token"]
+    #     _module.kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None},
+    #         "enable_claims_per_client": True,
+    #         "add_claims_by_scope": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["access_token_claims"] = ["name", "email"]
+    #
+    #     session_id = self._create_session(AREQ)
+    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"],
+    #     "access_token")
+    #     assert set(claims.keys()) == {
+    #         "name",
+    #         "email",
+    #         "email_verified",
+    #         "sub",
+    #         "address",
+    #     }
+    #
+    # def test_get_claims_all_usage(self):
+    #     # Make sure everything is reset
+    #     self.session_manager.token_handler["id_token"].kwargs = {}
+    #     self.session_manager.token_handler["access_token"].kwargs = {}
+    #
+    #     self.server.server_get("endpoint", "userinfo").kwargs = {}
+    #     self.server.server_get("endpoint", "introspection").kwargs = {}
+    #
+    #     session_id = self._create_session(AREQ)
+    #     claims = self.claims_interface.get_claims_all_usage(session_id, ["openid", "address"])
+    #     assert set(claims.keys()) == {
+    #         "id_token",
+    #         "userinfo",
+    #         "introspection",
+    #         "access_token",
+    #     }
+    #     for usage in ["id_token", "userinfo", "introspection", "access_token"]:
+    #         assert claims[usage] == {}
+    #
+    # def test_get_claims_all_usage_2(self):
+    #     # make all different
+    #     self.session_manager.token_handler["id_token"].kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None}
+    #     }
+    #
+    #     self.server.server_get("endpoint", "userinfo").kwargs = {
+    #         "enable_claims_per_client": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
+    #
+    #     self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
+    #
+    #     self.endpoint_context.session_manager.token_handler["access_token"].kwargs = {}
+    #
+    #     session_id = self._create_session(AREQ)
+    #     claims = self.claims_interface.get_claims_all_usage(session_id, ["openid", "address"])
+    #
+    #     assert set(claims.keys()) == {
+    #         "id_token",
+    #         "userinfo",
+    #         "introspection",
+    #         "access_token",
+    #     }
+    #
+    #     assert set(claims["id_token"].keys()) == {"email", "email_verified"}
+    #     assert set(claims["userinfo"].keys()) == {"email", "name"}
+    #     assert set(claims["introspection"].keys()) == {"address", "sub"}
+    #     assert set(claims["access_token"].keys()) == set()
+    #
+    # def test_get_user_claims(self):
+    #     self.session_manager.token_handler["id_token"].kwargs = {
+    #         "base_claims": {"email": None, "email_verified": None}
+    #     }
+    #
+    #     self.server.server_get("endpoint", "userinfo").kwargs = {
+    #         "enable_claims_per_client": True,
+    #     }
+    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
+    #
+    #     self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
+    #
+    #     self.endpoint_context.session_manager.token_handler["access_token"].kwargs = {}
+    #
+    #     session_id = self._create_session(AREQ)
+    #     claims_restriction = self.claims_interface.get_claims_all_usage(
+    #         session_id, ["openid", "address"]
+    #     )
+    #
+    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["userinfo"])
+    #     assert _claims == {"name": "Diana Krall", "email": "diana@example.org"}
+    #
+    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["id_token"])
+    #     assert _claims == {"email_verified": False, "email": "diana@example.org"}
+    #
+    #     _claims = self.claims_interface.get_user_claims(
+    #         USER_ID, claims_restriction["introspection"]
+    #     )
+    #     # Note that sub is not a user claim
+    #     assert _claims == {
+    #         "address": {
+    #             "country": "Sweden",
+    #             "locality": "Umeå",
+    #             "postal_code": "SE-90187",
+    #             "street_address": "Umeå Universitet",
+    #         }
+    #     }
+    #
+    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction[
+    #     "access_token"])
+    #     assert _claims == {}
diff --git a/tests/test_12_user_authn.py b/tests/test_12_user_authn.py
index 1c817b22..2c78b08c 100644
--- a/tests/test_12_user_authn.py
+++ b/tests/test_12_user_authn.py
@@ -98,7 +98,11 @@ def test_authenticated_as_with_cookie(self):
             client_id=authn_req["client_id"],
         )
 
-        _info, _time_stamp = method.authenticated_as("client 12345", [_cookie])
+        # Parsed once before authenticated_as
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=[_cookie], name=self.endpoint_context.cookie_handler.name["session"])
+
+        _info, _time_stamp = method.authenticated_as("client 12345", kakor)
         assert set(_info.keys()) == {'sub', 'uid', 'state', 'grant_id', 'timestamp', 'sid',
                                      'client_id'}
         assert _info["sub"] == "diana"
diff --git a/tests/test_23_oidc_registration_endpoint.py b/tests/test_23_oidc_registration_endpoint.py
index 4ef99fcc..27e32c8f 100755
--- a/tests/test_23_oidc_registration_endpoint.py
+++ b/tests/test_23_oidc_registration_endpoint.py
@@ -62,10 +62,7 @@
         "https://client.example.org/rf.txt#qpXaRLh_n93TT",
         "https://client.example.org/rf.txt",
     ],
-    "post_logout_redirect_uris": [
-        "https://rp.example.com/pl?foo=bar",
-        "https://rp.example.com/pl",
-    ],
+    "post_logout_redirect_uri": "https://rp.example.com/pl"
 }
 
 CLI_REQ = RegistrationRequest(**MSG)
@@ -213,14 +210,14 @@ def test_register_unsupported_set(self):
 
     def test_register_post_logout_redirect_uri_with_fragment(self):
         _msg = MSG.copy()
-        _msg["post_logout_redirect_uris"] = ["https://rp.example.com/pl#fragment"]
+        _msg["post_logout_redirect_uri"] = "https://rp.example.com/pl#fragment"
         _req = self.endpoint.parse_request(RegistrationRequest(**_msg).to_json())
         _resp = self.endpoint.process_request(request=_req)
         assert _resp["error"] == "invalid_configuration_parameter"
 
     def test_register_redirect_uri_with_fragment(self):
         _msg = MSG.copy()
-        _msg["post_logout_redirect_uris"] = ["https://rp.example.com/cb#fragment"]
+        _msg["post_logout_redirect_uri"] = "https://rp.example.com/cb#fragment"
         _req = self.endpoint.parse_request(RegistrationRequest(**_msg).to_json())
         _resp = self.endpoint.process_request(request=_req)
         assert _resp["error"] == "invalid_configuration_parameter"
@@ -331,6 +328,13 @@ def test_register_request_uris_with_query_part(self):
         assert "error" in _resp
         assert _resp["error_description"] == "request_uris contains query part"
 
+    def test_register_initiate_login_uri_wrong_scheme(self):
+        _req = MSG.copy()
+        _req["initiate_login_uri"] = "http://ilu.example.com"
+        _resp = self.endpoint.process_request(request=RegistrationRequest(**_req))
+        assert "error" in _resp
+        assert _resp["error"] == "invalid_configuration_request"
+
 
 def test_match_sp_sep():
     assert match_sp_sep("foo bar", "bar foo")
diff --git a/tests/test_24_oauth2_authorization_endpoint.py b/tests/test_24_oauth2_authorization_endpoint.py
index 319a9a15..5ea6b389 100755
--- a/tests/test_24_oauth2_authorization_endpoint.py
+++ b/tests/test_24_oauth2_authorization_endpoint.py
@@ -237,6 +237,7 @@ def create_endpoint(self):
         endpoint_context.keyjar.import_jwks(
             endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
         )
+        self.endpoint_context = endpoint_context
         self.endpoint = server.server_get("endpoint", "authorization")
         self.session_manager = endpoint_context.session_manager
         self.user_id = "diana"
@@ -406,7 +407,7 @@ def test_verify_uri_none_registered(self):
         }
 
         request = {"redirect_uri": "https://rp.example.com/cb"}
-        with pytest.raises(ValueError):
+        with pytest.raises(RedirectURIError):
             verify_uri(_context, request, "redirect_uri", "client_id")
 
     def test_get_uri(self):
@@ -492,7 +493,11 @@ def test_setup_auth(self):
             "value", "sso"
         )
 
-        res = self.endpoint.setup_auth(request, redirect_uri, cinfo, [kaka])
+        # Parsed once before setup_auth
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=[kaka], name=self.endpoint_context.cookie_handler.name["session"])
+
+        res = self.endpoint.setup_auth(request, redirect_uri, cinfo, kakor)
         assert set(res.keys()) == {"session_id", "identity", "user"}
 
     def test_setup_auth_error(self):
diff --git a/tests/test_24_oidc_authorization_endpoint.py b/tests/test_24_oidc_authorization_endpoint.py
index 10ebbf20..9771ec81 100755
--- a/tests/test_24_oidc_authorization_endpoint.py
+++ b/tests/test_24_oidc_authorization_endpoint.py
@@ -4,14 +4,9 @@
 from urllib.parse import parse_qs
 from urllib.parse import urlparse
 
-from cryptojwt.jws.jws import factory
-
-from oidcop.configure import OPConfiguration
-import pytest
-import responses
-import yaml
 from cryptojwt import JWT
 from cryptojwt import KeyJar
+from cryptojwt.jws.jws import factory
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import b64e
 from oidcmsg.exception import ParameterError
@@ -22,9 +17,13 @@
 from oidcmsg.oidc import AuthorizationResponse
 from oidcmsg.oidc import verified_claim_name
 from oidcmsg.oidc import verify_id_token
+import pytest
+import responses
+import yaml
 
 from oidcop.authn_event import create_authn_event
 from oidcop.authz import AuthzHandling
+from oidcop.configure import OPConfiguration
 from oidcop.cookie_handler import CookieHandler
 from oidcop.endpoint_context import init_service
 from oidcop.endpoint_context import init_user_info
@@ -137,8 +136,7 @@ def full_path(local_file):
     client_secret: '2222222222222222222222222222222222222222'
     redirect_uris:
       - ['https://127.0.0.1:8090/authz_cb/bobcat', '']
-    post_logout_redirect_uris:
-      - ['https://openidconnect.net/', '']
+    post_logout_redirect_uri: ['https://openidconnect.net/', '']
     response_types:
       - code
 """
@@ -166,7 +164,7 @@ def create_endpoint(self):
                 },
                 "refresh": {
                     "class": "oidcop.token.jwt_token.JWTToken",
-                    "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
+                    "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
                 },
                 "id_token": {
                     "class": "oidcop.token.id_token.IDToken",
@@ -186,7 +184,7 @@ def create_endpoint(self):
                     "class": ProviderConfiguration,
                     "kwargs": {},
                 },
-                "registration": {"path": "{}/registration", "class": Registration, "kwargs": {},},
+                "registration": {"path": "{}/registration", "class": Registration, "kwargs": {}, },
                 "authorization": {
                     "path": "{}/authorization",
                     "class": Authorization,
@@ -215,7 +213,8 @@ def create_endpoint(self):
                     "class": userinfo.UserInfo,
                     "kwargs": {
                         "db_file": "users.json",
-                        "claim_types_supported": ["normal", "aggregated", "distributed",],
+                        "claim_types_supported": ["normal", "aggregated", "distributed"],
+                        "add_claims_by_scope": True
                     },
                 },
             },
@@ -234,7 +233,7 @@ def create_endpoint(self):
                     "grant_config": {
                         "usage_rules": {
                             "authorization_code": {
-                                "supports_minting": ["access_token", "refresh_token", "id_token",],
+                                "supports_minting": ["access_token", "refresh_token", "id_token", ],
                                 "max_usage": 1,
                             },
                             "access_token": {},
@@ -271,6 +270,7 @@ def create_endpoint(self):
         endpoint_context.keyjar.import_jwks(
             endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
         )
+        self.endpoint_context = endpoint_context
         self.endpoint = server.server_get("endpoint", "authorization")
         self.session_manager = endpoint_context.session_manager
         self.user_id = "diana"
@@ -401,7 +401,7 @@ def test_do_response_code_id_token_token(self):
     def test_id_token_claims(self):
         _req = AUTH_REQ_DICT.copy()
         _req["claims"] = CLAIMS
-        _req["response_type"] = "code id_token token"
+        _req["response_type"] = "id_token"
         _req["nonce"] = "rnd_nonce"
         _pr_resp = self.endpoint.parse_request(_req)
         _resp = self.endpoint.process_request(_pr_resp)
@@ -562,14 +562,14 @@ def test_get_uri_more_then_one_registered(self):
         with pytest.raises(ParameterError):
             get_uri(_ec, request, "redirect_uri")
 
-    def test_create_authn_response(self):
+    def test_create_authn_response_id_token(self):
         request = AuthorizationRequest(
             client_id="client_id",
             redirect_uri="https://rp.example.com/cb",
             response_type=["id_token"],
             state="state",
             nonce="nonce",
-            scope="openid",
+            scope=["openid", "profile"],
         )
 
         _ec = self.endpoint.server_get("endpoint_context")
@@ -584,6 +584,37 @@ def test_create_authn_response(self):
         resp = self.endpoint.create_authn_response(request, session_id)
         assert isinstance(resp["response_args"], AuthorizationResponse)
 
+        _jws = factory(resp["response_args"]["id_token"])
+        _payload = _jws.jwt.payload()
+        assert "given_name" in _payload
+
+    def test_create_authn_response_id_token_request_claims(self):
+        request = AuthorizationRequest(
+            client_id="client_id",
+            redirect_uri="https://rp.example.com/cb",
+            response_type=["id_token"],
+            claims={"id_token": {"name": {"essential": True}}},
+            state="state",
+            nonce="nonce",
+            scope=["openid"],
+        )
+
+        _ec = self.endpoint.server_get("endpoint_context")
+        _ec.cdb["client_id"] = {
+            "client_id": "client_id",
+            "redirect_uris": [("https://rp.example.com/cb", {})],
+            "id_token_signed_response_alg": "ES256",
+        }
+
+        session_id = self._create_session(request)
+
+        resp = self.endpoint.create_authn_response(request, session_id)
+        assert isinstance(resp["response_args"], AuthorizationResponse)
+
+        _jws = factory(resp["response_args"]["id_token"])
+        _payload = _jws.jwt.payload()
+        assert "name" in _payload
+
     def test_setup_auth(self):
         request = AuthorizationRequest(
             client_id="client_id",
@@ -599,12 +630,18 @@ def test_setup_auth(self):
             "redirect_uris": [("https://rp.example.com/cb", {})],
             "id_token_signed_response_alg": "RS256",
         }
+        session_id = self._create_session(request)
 
         kaka = self.endpoint.server_get("endpoint_context").cookie_handler.make_cookie_content(
-            "value", "sso"
+            value=json.dumps({'sid': session_id, 'state': request.get("state")}),
+            name=self.endpoint_context.cookie_handler.name["session"]
         )
 
-        res = self.endpoint.setup_auth(request, redirect_uri, cinfo, [kaka])
+        # Parsed once before setup_auth
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=[kaka], name=self.endpoint_context.cookie_handler.name["session"])
+
+        res = self.endpoint.setup_auth(request, redirect_uri, cinfo, kakor)
         assert set(res.keys()) == {"session_id", "identity", "user"}
 
     def test_setup_auth_error(self):
@@ -636,21 +673,16 @@ def test_setup_auth_error(self):
 
         item["method"].file = ""
 
-    def test_setup_auth_user(self):
+    def test_setup_auth_user_form_post(self):
         request = AuthorizationRequest(
-            client_id="client_id",
-            redirect_uri="https://rp.example.com/cb",
-            response_type=["id_token"],
+            client_id="client_1",
+            redirect_uri="https://example.com/cb",
+            response_type=["code"],
+            response_mode="form_post",
             state="state",
             nonce="nonce",
             scope="openid",
         )
-        redirect_uri = request["redirect_uri"]
-        cinfo = {
-            "client_id": "client_id",
-            "redirect_uris": [("https://rp.example.com/cb", {})],
-            "id_token_signed_response_alg": "RS256",
-        }
         _ec = self.endpoint.server_get("endpoint_context")
 
         session_id = self._create_session(request)
@@ -658,9 +690,30 @@ def test_setup_auth_user(self):
         item = _ec.authn_broker.db["anon"]
         item["method"].user = b64e(as_bytes(json.dumps({"uid": "krall", "sid": session_id})))
 
-        res = self.endpoint.setup_auth(request, redirect_uri, cinfo, None)
-        assert set(res.keys()) == {"session_id", "identity", "user"}
-        assert res["identity"]["uid"] == "krall"
+        res = self.endpoint.process_request(request)
+        assert set(res.keys()) == {'content_type', 'cookie', 'response_msg', 'response_placement',
+                                   'session_id'}
+
+    def test_setup_auth_error_form_post(self):
+        request = AuthorizationRequest(
+            client_id="client_1",
+            redirect_uri="https://example.com/cb",
+            response_type=["code"],
+            response_mode="form_post",
+            prompt="none",
+            state="state",
+            nonce="nonce",
+            scope=["openid"],
+        )
+
+        item = self.endpoint.server_get("endpoint_context").authn_broker.db["anon"]
+        item["method"].fail = NoSuchAuthentication
+
+        res = self.endpoint.process_request(request)
+        assert set(res.keys()) == {'content_type', 'response_msg', 'response_placement'}
+        assert res["response_placement"] == "body"
+        assert res["content_type"] == "text/html"
+        assert "Submit This Form" in res["response_msg"]
 
     def test_setup_auth_session_revoked(self):
         request = AuthorizationRequest(
@@ -823,24 +876,22 @@ def test_verify_response_type(self):
 
         assert self.endpoint.verify_response_type(request, client_info) is True
 
-    @pytest.mark.parametrize("exp_in", [360, "360", 0])
-    def test_mint_token_exp_at(self, exp_in):
-        request = AuthorizationRequest(
-            client_id="client_1",
-            response_type=["code"],
-            redirect_uri="https://example.com/cb",
-            state="state",
-            scope="openid",
-        )
-        sid = self._create_session(request)
-        grant = self.session_manager.get_grant(sid)
-        grant.usage_rules = {"authorization_code": {"expires_in": exp_in}}
-
-        code = self.endpoint.mint_token("authorization_code", grant, sid)
-        if exp_in in [360, "360"]:
-            assert code.expires_at
-        else:
-            assert code.expires_at == 0
+    # @pytest.mark.parametrize("exp_in", [360, "360", 0])
+    # def test_mint_token_exp_at(self, exp_in):
+    #     request = AuthorizationRequest(
+    #         client_id="client_1",
+    #         response_type=["code"],
+    #         redirect_uri="https://example.com/cb",
+    #         state="state",
+    #         scope="openid",
+    #     )
+    #     self.session_manager.set(["user_id", "client_id", "grant.id"], grant)
+    #
+    #     code = self.endpoint.mint_token("authorization_code", grant, sid)
+    #     if exp_in in [360, "360"]:
+    #         assert code.expires_at
+    #     else:
+    #         assert code.expires_at == 0
 
     def test_do_request_uri(self):
         request = AuthorizationRequest(
@@ -984,7 +1035,8 @@ def test_do_request_user(self):
         endpoint_context = self.endpoint.server_get("endpoint_context")
         # userinfo
         _userinfo = init_user_info(
-            {"class": "oidcop.user_info.UserInfo", "kwargs": {"db_file": full_path("users.json")},},
+            {"class": "oidcop.user_info.UserInfo",
+             "kwargs": {"db_file": full_path("users.json")}, },
             "",
         )
         # login_hint
@@ -996,6 +1048,7 @@ def test_do_request_user(self):
         # With login_hint and login_hint_lookup
         assert self.endpoint.do_request_user(request) == {"req_user": "diana"}
 
+
 class TestACR(object):
     @pytest.fixture(autouse=True)
     def create_endpoint(self):
@@ -1226,7 +1279,6 @@ class TestUserAuthn(object):
     def create_endpoint_context(self):
         conf = {
             "issuer": "https://example.com/",
-            "httpc_params": {"verify": False, "timeout": 1},
             "token_expires_in": 600,
             "grant_expires_in": 300,
             "refresh_token_expires_in": 86400,
@@ -1257,7 +1309,7 @@ def create_endpoint_context(self):
                         "passwd_label": "Secret sauce",
                     },
                 },
-                "anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "diana"},},
+                "anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "diana"}, },
             },
             "cookie_handler": {
                 "class": "oidcop.cookie_handler.CookieHandler",
@@ -1290,5 +1342,9 @@ def test_authenticated_as_with_cookie(self):
             client_id=authn_req["client_id"],
         )
 
-        _info, _time_stamp = method.authenticated_as(client_id="client 12345", cookie=[_cookie])
+        # Parsed once before setup_auth
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=[_cookie], name=self.endpoint_context.cookie_handler.name["session"])
+
+        _info, _time_stamp = method.authenticated_as(client_id="client 12345", cookie=kakor)
         assert _info["sub"] == "diana"
diff --git a/tests/test_26_oidc_userinfo_endpoint.py b/tests/test_26_oidc_userinfo_endpoint.py
index 489d8a2f..5c6a6337 100755
--- a/tests/test_26_oidc_userinfo_endpoint.py
+++ b/tests/test_26_oidc_userinfo_endpoint.py
@@ -5,7 +5,7 @@
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oidc import AccessTokenRequest
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
+from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop import user_info
 from oidcop.authn_event import create_authn_event
@@ -195,7 +195,7 @@ def _mint_code(self, grant, session_id):
             endpoint_context=self.endpoint.server_get("endpoint_context"),
             token_class="authorization_code",
             token_handler=self.session_manager.token_handler["authorization_code"],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
         )
 
     def _mint_token(self, token_class, grant, session_id, token_ref=None):
@@ -205,7 +205,7 @@ def _mint_token(self, token_class, grant, session_id, token_ref=None):
             endpoint_context=self.endpoint.server_get("endpoint_context"),
             token_class=token_class,
             token_handler=self.session_manager.token_handler[token_class],
-            expires_at=time_sans_frac() + 900,  # 15 minutes from now
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
             based_on=token_ref,  # Means the token (tok) was used to mint this token
         )
 
@@ -476,7 +476,7 @@ def test_invalid_token(self):
         http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
         _req = self.endpoint.parse_request({}, http_info=http_info)
 
-        access_token.expires_at = time_sans_frac() - 10
+        access_token.expires_at = utc_time_sans_frac() - 10
         args = self.endpoint.process_request(_req)
 
         assert isinstance(args, ResponseMessage)
@@ -509,9 +509,9 @@ def test_expired_token(self, monkeypatch):
         http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
 
         def mock():
-            return time_sans_frac() + access_token.expires_at + 1
+            return utc_time_sans_frac() + access_token.expires_at + 1
 
-        monkeypatch.setattr("oidcop.token.time_sans_frac", mock)
+        monkeypatch.setattr("oidcop.token.utc_time_sans_frac", mock)
 
         _req = self.endpoint.parse_request({}, http_info=http_info)
 
diff --git a/tests/test_30_oidc_end_session.py b/tests/test_30_oidc_end_session.py
index 5690cf75..8dc0e433 100644
--- a/tests/test_30_oidc_end_session.py
+++ b/tests/test_30_oidc_end_session.py
@@ -10,6 +10,7 @@
 from oidcmsg.oidc import AuthorizationRequest
 from oidcmsg.oidc import verified_claim_name
 from oidcmsg.oidc import verify_id_token
+from oidcmsg.time_util import utc_time_sans_frac
 import pytest
 import responses
 
@@ -163,7 +164,7 @@ def create_endpoint(self):
                 },
                 "refresh": {
                     "class": "oidcop.token.jwt_token.JWTToken",
-                    "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
+                    "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
                 },
                 "id_token": {
                     "class": "oidcop.token.id_token.IDToken",
@@ -200,7 +201,7 @@ def create_endpoint(self):
                 "client_salt": "salted",
                 "token_endpoint_auth_method": "client_secret_post",
                 "response_types": ["code", "token", "code id_token", "id_token"],
-                "post_logout_redirect_uris": [("{}logout_cb".format(CLI1), "")],
+                "post_logout_redirect_uri": [f"{CLI1}logout_cb", ""],
             },
             "client_2": {
                 "client_secret": "hemligare",
@@ -208,9 +209,10 @@ def create_endpoint(self):
                 "client_salt": "saltare",
                 "token_endpoint_auth_method": "client_secret_post",
                 "response_types": ["code", "token", "code id_token", "id_token"],
-                "post_logout_redirect_uris": [("{}logout_cb".format(CLI2), "")],
+                "post_logout_redirect_uri": [f"{CLI2}logout_cb", ""],
             },
         }
+        self.endpoint_context = endpoint_context
         self.session_manager = endpoint_context.session_manager
         self.authn_endpoint = server.server_get("endpoint", "authorization")
         self.session_endpoint = server.server_get("endpoint", "session")
@@ -226,7 +228,7 @@ def test_end_session_endpoint(self):
 
     def _create_cookie(self, session_id):
         ec = self.session_endpoint.server_get("endpoint_context")
-        return ec.new_cookie(name=ec.cookie_handler.name["session"], sid=session_id,)
+        return ec.new_cookie(name=ec.cookie_handler.name["session"], sid=session_id, )
 
     def _code_auth(self, state):
         req = AuthorizationRequest(
@@ -270,6 +272,16 @@ def _auth_with_id_token(self, state):
 
         return _resp["response_args"], _cookie_info["sid"]
 
+    def _mint_token(self, token_class, grant, session_id, token_ref=None):
+        return grant.mint_token(
+            session_id=session_id,
+            endpoint_context=self.endpoint_context,
+            token_class=token_class,
+            token_handler=self.session_manager.token_handler[token_class],
+            expires_at=utc_time_sans_frac() + 900,  # 15 minutes from now
+            based_on=token_ref,  # Means the token (tok) was used to mint this token
+        )
+
     def test_end_session_endpoint_with_cookie(self):
         _resp = self._code_auth("1234567")
         _code = _resp["response_args"]["code"]
@@ -348,13 +360,12 @@ def test_end_session_endpoint_with_post_logout_redirect_uri(self):
 
         post_logout_redirect_uri = join_query(
             *self.session_endpoint.server_get("endpoint_context").cdb["client_1"][
-                "post_logout_redirect_uris"
-            ][0]
+                "post_logout_redirect_uri"]
         )
 
         with pytest.raises(InvalidRequest):
             self.session_endpoint.process_request(
-                {"post_logout_redirect_uri": post_logout_redirect_uri, "state": "abcde",},
+                {"post_logout_redirect_uri": post_logout_redirect_uri, "state": "abcde", },
                 http_info=http_info,
             )
 
@@ -384,21 +395,22 @@ def test_end_session_endpoint_with_wrong_post_logout_redirect_uri(self):
                 http_info=http_info,
             )
 
-    def test_back_channel_logout_no_uri(self):
-        self._code_auth("1234567")
+    def test_back_channel_logout_no_backchannel_logout_uri(self):
+        info = self._code_auth("1234567")
 
         res = self.session_endpoint.do_back_channel_logout(
-            self.session_endpoint.server_get("endpoint_context").cdb["client_1"], 0
+            self.session_endpoint.server_get("endpoint_context").cdb["client_1"],
+            info["session_id"]
         )
         assert res is None
 
     def test_back_channel_logout(self):
-        self._code_auth("1234567")
+        info = self._code_auth("1234567")
 
         _cdb = copy.copy(self.session_endpoint.server_get("endpoint_context").cdb["client_1"])
         _cdb["backchannel_logout_uri"] = "https://example.com/bc_logout"
         _cdb["client_id"] = "client_1"
-        res = self.session_endpoint.do_back_channel_logout(_cdb, "_sid_")
+        res = self.session_endpoint.do_back_channel_logout(_cdb, info["session_id"])
         assert isinstance(res, tuple)
         assert res[0] == "https://example.com/bc_logout"
         _jwt = self.session_endpoint.unpack_signed_jwt(res[1], "RS256")
@@ -475,8 +487,7 @@ def test_logout_from_client_bc(self):
         assert _jwt["aud"] == ["client_1"]
         assert "sid" in _jwt  # This session ID is not the same as the session_id mentioned above
 
-        _sid = self.session_endpoint._decrypt_sid(_jwt["sid"])
-        assert _sid == _session_info["session_id"]
+        assert _jwt["sid"] == _session_info["session_id"]
         assert _session_info["client_session_info"].is_revoked()
 
     def test_logout_from_client_fc(self):
@@ -507,9 +518,20 @@ def test_logout_from_client(self):
         _resp = self._code_auth("1234567")
         _code = _resp["response_args"]["code"]
         _session_info = self.session_manager.get_session_info_by_token(
-            _code, client_session_info=True
+            _code, client_session_info=True, grant=True
         )
-        self._code_auth2("abcdefg")
+        _grant_code = self.session_manager.find_token(_session_info["session_id"], _code)
+        id_token1 = self._mint_token("id_token", _session_info["grant"],
+                                     _session_info["session_id"], _grant_code)
+
+        _resp2 = self._code_auth2("abcdefg")
+        _code2 = _resp2["response_args"]["code"]
+        _session_info2 = self.session_manager.get_session_info_by_token(
+            _code2, client_session_info=True, grant=True
+        )
+        _grant_code2 = self.session_manager.find_token(_session_info2["session_id"], _code2)
+        id_token2 = self._mint_token("id_token", _session_info2["grant"],
+                                     _session_info2["session_id"], _grant_code2)
 
         # client0
         self.session_endpoint.server_get("endpoint_context").cdb["client_1"][
@@ -529,16 +551,21 @@ def test_logout_from_client(self):
 
         assert res
         assert set(res.keys()) == {"blu", "flu"}
+        # Front channel logout
         assert set(res["flu"].keys()) == {"client_2"}
         _spec = res["flu"]["client_2"]
         assert _spec == '<iframe src="https://example.com/fc_logout">'
+        # Back channel logout
         assert set(res["blu"].keys()) == {"client_1"}
-        _spec = res["blu"]["client_1"]
-        assert _spec[0] == "https://example.com/bc_logout"
-        _jwt = self.session_endpoint.unpack_signed_jwt(_spec[1], "RS256")
+        logout_url, logout_token = res["blu"]["client_1"]
+        assert logout_url == "https://example.com/bc_logout"
+        _jwt = self.session_endpoint.unpack_signed_jwt(logout_token, "RS256")
         assert _jwt
         assert _jwt["iss"] == ISS
         assert _jwt["aud"] == ["client_1"]
+        assert _jwt["sid"] == id_token1.session_id
+        _id_token = self.session_endpoint.unpack_signed_jwt(id_token1.value, "RS256")
+        assert _id_token["sid"] == _jwt["sid"]
 
         # both should be revoked
         assert _session_info["client_session_info"].is_revoked()
diff --git a/tests/test_31_oauth2_introspection.py b/tests/test_31_oauth2_introspection.py
index 9c42b550..fcfb23cf 100644
--- a/tests/test_31_oauth2_introspection.py
+++ b/tests/test_31_oauth2_introspection.py
@@ -13,7 +13,6 @@
 from oidcmsg.oauth2 import TokenIntrospectionRequest
 from oidcmsg.oidc import AccessTokenRequest
 from oidcmsg.oidc import AuthorizationRequest
-from oidcmsg.time_util import time_sans_frac
 from oidcmsg.time_util import utc_time_sans_frac
 
 from oidcop.authn_event import create_authn_event
@@ -225,7 +224,7 @@ def _mint_token(self, token_class, grant, session_id, based_on=None, **kwargs):
             endpoint_context=self.token_endpoint.server_get("endpoint_context"),
             token_class=token_class,
             token_handler=self.session_manager.token_handler.handler[token_class],
-            expires_at=time_sans_frac() + 300,  # 5 minutes from now
+            expires_at=utc_time_sans_frac() + 300,  # 5 minutes from now
             based_on=based_on,
             **kwargs
         )
diff --git a/tests/test_32_oidc_read_registration.py b/tests/test_32_oidc_read_registration.py
index 301c08a2..c021c14c 100644
--- a/tests/test_32_oidc_read_registration.py
+++ b/tests/test_32_oidc_read_registration.py
@@ -65,10 +65,7 @@
         "https://client.example.org/rf.txt#qpXaRLh_n93TT",
         "https://client.example.org/rf.txt",
     ],
-    "post_logout_redirect_uris": [
-        "https://rp.example.com/pl?foo=bar",
-        "https://rp.example.com/pl",
-    ],
+    "post_logout_redirect_uri": "https://rp.example.com/pl"
 }
 
 CLI_REQ = RegistrationRequest(**msg)
diff --git a/tests/test_33_oauth2_pkce.py b/tests/test_33_oauth2_pkce.py
index 0a46659b..46cdb286 100644
--- a/tests/test_33_oauth2_pkce.py
+++ b/tests/test_33_oauth2_pkce.py
@@ -109,8 +109,7 @@ def full_path(local_file):
     client_secret: '2222222222222222222222222222222222222222'
     redirect_uris:
       - ['https://127.0.0.1:8090/authz_cb/bobcat', '']
-    post_logout_redirect_uris:
-      - ['https://openidconnect.net/', '']
+    post_logout_redirect_uri: ['https://openidconnect.net/', '']
     response_types:
       - code
 """
diff --git a/tests/test_34_oidc_sso.py b/tests/test_34_oidc_sso.py
index fa7085d2..658167cd 100755
--- a/tests/test_34_oidc_sso.py
+++ b/tests/test_34_oidc_sso.py
@@ -113,8 +113,7 @@ def full_path(local_file):
     client_secret: '2222222222222222222222222222222222222222'
     redirect_uris:
       - ['https://127.0.0.1:8090/authz_cb/bobcat', '']
-    post_logout_redirect_uris:
-      - ['https://openidconnect.net/', '']
+    post_logout_redirect_uri: ['https://openidconnect.net/', '']
     response_types:
       - code
 """
@@ -172,7 +171,7 @@ def create_endpoint_context(self):
             endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
         )
         self.endpoint = server.server_get("endpoint", "authorization")
-
+        self.endpoint_context = endpoint_context
         self.rp_keyjar = KeyJar()
         self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
         endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
@@ -216,10 +215,16 @@ def test_sso(self):
         cookies_3 = res["cookie"]
 
         # fourth login - from 1st client
+
         request = self.endpoint.parse_request(AUTH_REQ_4.to_dict())
         redirect_uri = request["redirect_uri"]
         cinfo = self.endpoint.server_get("endpoint_context").cdb[request["client_id"]]
-        info = self.endpoint.setup_auth(request, redirect_uri, cinfo, cookie=cookies_1)
+
+        # Parse cookies once before setup_auth
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=cookies_1, name=self.endpoint_context.cookie_handler.name["session"])
+
+        info = self.endpoint.setup_auth(request, redirect_uri, cinfo, cookie=kakor)
 
         assert set(info.keys()) == {"session_id", "identity", "user"}
         assert info["user"] == "diana"
@@ -230,7 +235,7 @@ def test_sso(self):
         request = self.endpoint.parse_request(AUTH_REQ_2.to_dict())
         redirect_uri = request["redirect_uri"]
         cinfo = self.endpoint.server_get("endpoint_context").cdb[request["client_id"]]
-        info = self.endpoint.setup_auth(request, redirect_uri, cinfo, cookie=cookies_1)
+        info = self.endpoint.setup_auth(request, redirect_uri, cinfo, cookie=kakor)
         # No valid login cookie so new session
         assert info["session_id"] != sid2
 
diff --git a/unsupported/chpy/certs/cert.pem b/unsupported/chpy/certs/cert.pem
deleted file mode 100644
index 210fd240..00000000
--- a/unsupported/chpy/certs/cert.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFUDCCAzigAwIBAgIJAJWgBcizyJrFMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
-BAYTAlNFMQ0wCwYDVQQKDARPSURGMR8wHQYDVQQDDBZGZWQgYXdhcmUgUlAgdGVz
-dCB0b29sMB4XDTE3MDIxMzE5MDg1MloXDTE4MDIxMzE5MDg1MlowPTELMAkGA1UE
-BhMCU0UxDTALBgNVBAoMBE9JREYxHzAdBgNVBAMMFkZlZCBhd2FyZSBSUCB0ZXN0
-IHRvb2wwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3NrEL+VKs00NT
-R+ZpGRxvDoeLhD7EM+uf7IqHl6IN3H6pflAOE8YqnTepdglhGH4a7nyftINTZjDU
-86anR+OKPoY2Padf4E+YceJOcaT6lB5XOWxBu4j3wDRHb6jMUwMDUXHsmh389Bvx
-X44KSYe/mhjkrIV8bolhT9NpNjPVUdUvpwpSxDOhSjq7BCmfdvXJrNNYElEQaDSc
-yJ4h6BAOp/FfdnWKAeiVDpIF5QqZgr0gzKiV5LEvwsNfHynsLgrlgK2+Fd8qIqbC
-/fHtB1BEL3h01dlBR1Y4ocMM5we23Phe4lwQs8QojPTnnr14fWynrjNi0Km0TcMT
-TDHVnw5qO5dSr4LpBcfIo82YWpj6lTEKQwKin+SPz0k0kD4E83rtsGp8n3FWHVAo
-BsIJ4O58REi3YTh1NCe/bjsQWiFOPW0N9GOl0UTOUj90cGVbO9i91aDFHHQWOIiA
-VsmZ35yOjQ031It9Kzv4YcmWXQcdKYnzUQ5eSXZPmJFoebKgQF6neFlg1hp6uDKi
-NRxkaPWGVCVZXPmgRwVcFdbxI8OpNqPEFQGskUPGJS5CF1o8o6wuVwPSSwxDVoYM
-12TTdATH1he4cK69ej/1F2oHCVQ0KE46fNABaxNKxGls0bPPPJBPrQBjoAR2qxgg
-iFz2DjumVC3EySwXLsH4tXTjyuVbSQIDAQABo1MwUTAdBgNVHQ4EFgQUiD0bTabj
-Q0Pf0vVJneGr5TQRO+4wHwYDVR0jBBgwFoAUiD0bTabjQ0Pf0vVJneGr5TQRO+4w
-DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAnYCE5MdqVXHBxMGZ
-1bIZxwLg9pe5poaX7l7XGdXxnBKWxfqwCx2UHQZIBdV3eIt8lgtuOL1en9ZCHAIY
-X0OZCafQ1Jzx3nXV4qOoolfmri0DQs60LPozoXKW61mah8fFhf/XdjuZxYH+XVV6
-39E08MY4ZWDzzNoDe5zhGWw+IOfowx5wNTtZ8CipWUv4FiO9cUZJ/1hnJgE0CQNH
-v4v0g0lIuWs7eArbzvxTu3jHWx/+eYvl2TSYxEHpVulbesnI27M34nS0OePqbywO
-eGBtM65UuCCBh27FO+O7qJWA3sRPuw/cll0vi69WVYHO5rk7yji1hiTT2MKTEizP
-GmdT/FXG4nEsM6WaEe4FMJN6cZf49BUzRcEdW6k8i2YIysHf8fi3Xv1JF74OB5bF
-TogV/Fu/LzXsfA/XTj9ki0hUNmueyNT/xBD5tOH4FqHQvMWpjpzfwI90ENVeY+Ad
-BCU2Ck1HBEuUhUNaC1d6QkU6pn3voPvaWK49+T9NyrFVMNHVWHeLUHJ/i9kgWXLl
-TgAbTCmnJOHTxxCVCf40EjOpPR3hlCadYr8vOGyuHPk1M2Lppgh2kQtFX5ubhhfW
-IKP5TPKuZlu3z9RjfUvIxqWC6cbwjlOGIx2K0uCnIbpTzTuaLHJSWWRUpDzNL6lg
-V620B7/n1jo2JDudjhjD2uLekJg=
------END CERTIFICATE-----
diff --git a/unsupported/chpy/certs/key.pem b/unsupported/chpy/certs/key.pem
deleted file mode 100644
index 15449664..00000000
--- a/unsupported/chpy/certs/key.pem
+++ /dev/null
@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC3NrEL+VKs00NT
-R+ZpGRxvDoeLhD7EM+uf7IqHl6IN3H6pflAOE8YqnTepdglhGH4a7nyftINTZjDU
-86anR+OKPoY2Padf4E+YceJOcaT6lB5XOWxBu4j3wDRHb6jMUwMDUXHsmh389Bvx
-X44KSYe/mhjkrIV8bolhT9NpNjPVUdUvpwpSxDOhSjq7BCmfdvXJrNNYElEQaDSc
-yJ4h6BAOp/FfdnWKAeiVDpIF5QqZgr0gzKiV5LEvwsNfHynsLgrlgK2+Fd8qIqbC
-/fHtB1BEL3h01dlBR1Y4ocMM5we23Phe4lwQs8QojPTnnr14fWynrjNi0Km0TcMT
-TDHVnw5qO5dSr4LpBcfIo82YWpj6lTEKQwKin+SPz0k0kD4E83rtsGp8n3FWHVAo
-BsIJ4O58REi3YTh1NCe/bjsQWiFOPW0N9GOl0UTOUj90cGVbO9i91aDFHHQWOIiA
-VsmZ35yOjQ031It9Kzv4YcmWXQcdKYnzUQ5eSXZPmJFoebKgQF6neFlg1hp6uDKi
-NRxkaPWGVCVZXPmgRwVcFdbxI8OpNqPEFQGskUPGJS5CF1o8o6wuVwPSSwxDVoYM
-12TTdATH1he4cK69ej/1F2oHCVQ0KE46fNABaxNKxGls0bPPPJBPrQBjoAR2qxgg
-iFz2DjumVC3EySwXLsH4tXTjyuVbSQIDAQABAoICAQCoZ801hGdKFKa91kkkMcDB
-FEnjJBvNnSvoRDTRjb+XniWPBlvvlJ2CbiDL04OrjCfd+Xj0E6ji7/vSwmNdP+cX
-G4GiOemvZy/CoGu0TyGmcp+w7Udk5Exx7moff7NYnLUYR7TAFqmZ6YgFxh95tTzi
-EXLwPuQ0DCabHBTnkLr0SdP7iT8j9NTAXMq/PIRF38LtLb7WJX/95Mr3kjBIWlbo
-IdbsOKaxxC9VU59Fa9LiaBoQHA6aOSvlCtEqjiqqvWemrTEGmHQY9uDyOxo1FZPi
-GQBP5IFeT4Qhag8vvOyKWXKzRL37XEHiRC6Y+ICQUDmfp6/0FHjpEtFM26yy/xDv
-ZtL7/b7TEQMmp2CWD8WV8a9oalTRqyrGTBeeSg6CV5tnx3wnM0krkCvJ+Eadki23
-Wp34s7v8NPmVMTqG/UIW21tmzb40KjXNI8MgNXASBIKm9W2z2xXQ07xELsSfWm9O
-p0umh1xHLqX7rNmigg/odW3K9aocF8NOhuc4aYgVZH18sMhkhja3dgwCe8YSImyW
-0uHZC6wKIXnD44lS2BmdYsIY/k+uZKNum6lE7x/F1V2vbzkzShuJ7VCD3IhQW6nK
-XNQBXju/CnMiMW6mpZsSZG8mIjx8hNKLYv492ZNgnbeP2HHM5WAsKTOKLO0FldFS
-sbRSXTTM40j7AcurS7DKQQKCAQEA2WdkRhGXOuOlHSq/W4YZ6Mq2kydp46ARQS8b
-zKbUXX6+7GyU6TSB71eblP4003NGx8rdasyZTpexRH4sTKv0/GLM2eSDEi7/GV1w
-HISwdIa8NlHiOT9qPONqdhH0KDy5lDrCTMa9B5QpbYo4l/F/4O52zJc1CuRacpyi
-58hY3Me2UND2yHqb2TKxOwwHumE8FEMs9CqixLE4oAaoiNdJi08pyg7o/6oxPaUE
-CKmGX6r9eW5piFCLGAkmfAgBjYejrFDAp8eY6Yx5dRWMdLddQnm/5tl0rzFho+71
-UwtOIZtowKeWms1N/+duOmcfYyDsRJ/Ec3pzxphzcHrWEllP9wKCAQEA171qkSxv
-+53viIJbaJ636emDg4kZ3asGLODefEcbe0XS0xHmsb+WZpRIBkNMJFj3k2IYcUSO
-7DObemF4ln9CJY+DxHZJzr/mo8T3X0yt0aK8O75+fXHQ/991kUMcx21BmXMjybYj
-TA5vv956AYV9Kt37ye87dYMtEINtchdukYqyrLZ9+0lBV1XrGKALMC68EyyTtDFs
-AtJzKVTYnKNkYFWkA6cq+GZvlEbx74dZopH/yVo+P/wGiU5AH1bq5847uq5LIwIU
-j2ZkKBJr8Y3YvFjAaRNRGNXOhHUo3BPkgkYZGnC2WP9UJT3w7PgjwyUpbFZurwIr
-Sz1QdbNZ+spevwKCAQBgyN6jMwGYfe/r5DP8kt7F/Dj7mfhSFdiYpFhD66FvXhWx
-O0Wv7GhMHTxuQB1UZWWFXJLmEN/PVUjdrS4blBIkqfd4qXqQhcubhzV5/Lhxp+ny
-ZNHJmqm5IaUrmyKPJzmW+/G0LGXLEfK/iWFYg3LiuEa7HjXG+5IopAMCHPcyktZf
-dCfpaGwpbZ/pIZnvJ4qPmrhQmwqLdjo3Q7+T7AQZuMxp3+lqqGHzh5scIBxqSr09
-aiIhRXom4Sv427eVQmVjOTALgZhZoOgRb95vt5IVHg6IvxZrSBin2qHsroPCAmXI
-HtO1ZuDqpCU2auJWRznn8xiKMGGKcCQ0VvsmgAxRAoIBAQDPsB7OQRxQ+3skTHIZ
-Jmrg+ZdM4oiPGFyqiZRFyeKP6ukJnvsadNkiSW+I7/J2L1uve8kSCbEZfJkZ2InR
-QBN6u01brZBiQ+WSFUUbbmMLJIHXdgypUQ+ltAanYBdteSWkxu5V+kzCpEc6S7/i
-hRK5WNhTT0ZLW4vfkNak9h/QZtiZYlmntp77p8/adgAvU15liw1qdAWKNfT9fhvF
-t5ojD28EwUKhvWN/OEkikYdd9PVsbr7ss//K4RTj1rXvkF952N6mhhMq9aRH22wl
-L6vNrhcVUK5KnVHhvDQoodHjA/6YsJcq2Cq2a4nrZvpum/DjxdVqD0mEdjNmC9H8
-mCNbAoIBAHbkApjatORw6Bb+zAbfLs2vKLMs0sVABmA2AzTukm8+k3Clji4npGxh
-IGj4c2kBa93yOd25qONoNvFfcig+LbCnq5aT8qSLTl7iecRNvvAlxA1r7MHRqjYO
-bFGAM5cCZC+hpOmXF80IOmQMfaV33tCHJ0uf1fOvkreAQxPOJqEskYGFHqN8zfeW
-zsSMnea+oHvfAhHmQcikJV/YiomYb0Urz838o5o+JLTkBs+miwPNTZW5iVEnYLUh
-NtABZU3c1ohXAw8i4Z/Jdmxzsro75D3ekRfa/coPCcnUK0MqYd8C/uEVe5rgXOWZ
-Svp9rK9sO9LqfKBeV9NKW9/wb/X6lU4=
------END PRIVATE KEY-----
diff --git a/unsupported/chpy/conf.py b/unsupported/chpy/conf.py
deleted file mode 100644
index a4601fd6..00000000
--- a/unsupported/chpy/conf.py
+++ /dev/null
@@ -1,143 +0,0 @@
-from oidcop import user_info
-from oidcop.oidc.authorization import Authorization
-from oidcop.oidc.discovery import Discovery
-from oidcop.oidc.provider_config import ProviderConfiguration
-from oidcop.oidc.registration import Registration
-from oidcop.oidc.session import Session
-from oidcop.oidc.token import AccessToken
-from oidcop.oidc.userinfo import UserInfo
-from oidcop.user_authn.authn_context import INTERNETPROTOCOLPASSWORD
-from oidcop.user_authn.user import NoAuthn
-from oidcop.user_authn.user import UserPassJinja2
-from oidcop.util import JSONDictDB
-
-RESPONSE_TYPES_SUPPORTED = [
-    ["code"], ["token"], ["id_token"], ["code", "token"], ["code", "id_token"],
-    ["id_token", "token"], ["code", "token", "id_token"], ['none']]
-
-CAPABILITIES = {
-    "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
-    "token_endpoint_auth_methods_supported": [
-        "client_secret_post", "client_secret_basic",
-        "client_secret_jwt", "private_key_jwt"],
-    "response_modes_supported": ['query', 'fragment', 'form_post'],
-    "subject_types_supported": ["public", "pairwise"],
-    "grant_types_supported": [
-        "authorization_code", "implicit",
-        "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"],
-    "claim_types_supported": ["normal", "aggregated", "distributed"],
-    "claims_parameter_supported": True,
-    "request_parameter_supported": True,
-    "request_uri_parameter_supported": True
-    }
-
-# Make sure capabilities match key set !!!
-KEY_DEF = [
-    {"type": "RSA", "use": ["sig"]},
-    {"type": "EC", "crv": "P-256", "use": ["sig"]}
-    ]
-
-PORT = 8100
-DOMAIN = '127.0.0.1'
-
-BASEURL = "https://{}:{}/".format(DOMAIN, PORT)
-PUBLIC_JWKS_PATH: 'https://127.0.0.1:8089/static/jwks.json'
-
-OIDC_KEYS = {
-    'private_path': "./jwks_dir/jwks.json",
-    'key_defs': KEY_DEF,
-    'public_path': './static/jwks.json',
-    'read_only': False
-    }
-
-
-CONFIG = {
-    'server_info': {
-        "issuer": BASEURL,
-        "password": "mycket hemligt",
-        "token_expires_in": 600,
-        "grant_expires_in": 300,
-        "refresh_token_expires_in": 86400,
-        "verify_ssl": False,
-        "capabilities": CAPABILITIES,
-        'template_dir': 'templates',
-        "jwks": OIDC_KEYS,
-        'endpoint': {
-            'webfinger': {
-                'path': '.well-known/webfinger',
-                'class': Discovery,
-                'kwargs': {'client_authn_method': None}
-                },
-            'provider_info': {
-                'path': '.well-known/openid-configuration',
-                'class': ProviderConfiguration,
-                'kwargs': {'client_authn_method': None}
-                },
-            'registration': {
-                'path': 'registration',
-                'class': Registration,
-                'kwargs': {'client_authn_method': None}
-                },
-            'authorization': {
-                'path': 'authorization',
-                'class': Authorization,
-                'kwargs': {'client_authn_method': None}
-                },
-            'token': {
-                'path': 'token',
-                'class': AccessToken,
-                'kwargs': {}
-                },
-            'userinfo': {
-                'path': 'userinfo',
-                'class': UserInfo,
-                },
-            'end_session': {
-                'path': 'end_session',
-                'class': Session,
-                'provider_info': {
-                    'check_session_iframe': "{}check_session".format(BASEURL)
-                    }
-                }
-            },
-        'userinfo': {
-            'class': user_info.UserInfo,
-            'kwargs': {'db_file': 'users.json'}
-            },
-        'authentication': [
-            {
-                'acr': INTERNETPROTOCOLPASSWORD,
-                'class': UserPassJinja2,
-                'kwargs': {
-                    'template': 'user_pass.jinja2',
-                    'sym_key': '24AA/LR6HighEnergy',
-                    'db': {
-                        'class': JSONDictDB,
-                        'kwargs':
-                            {'filename': 'passwd.json'}
-                        },
-                    'page_header': "Testing log in",
-                    'submit_btn': "Get me in!",
-                    'user_label': "Nickname",
-                    'passwd_label': "Secret sauce"
-                    }
-                },
-            {
-                'acr': 'anon',
-                'class': NoAuthn,
-                'kwargs': {'user': 'diana'}
-                }
-            ],
-        'cookie_handler': {
-            'symkey': 'ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch',
-            },
-        'post_logout_page': "https://{}:{}/post_logout.html".format(DOMAIN,
-                                                                    PORT)
-        },
-    'webserver': {
-        'cert': 'certs/cert.pem',
-        'key': 'certs/key.pem',
-        'cert_chain': '',
-        'port': PORT,
-        }
-    }
diff --git a/unsupported/chpy/provider.py b/unsupported/chpy/provider.py
deleted file mode 100644
index fe3d979d..00000000
--- a/unsupported/chpy/provider.py
+++ /dev/null
@@ -1,182 +0,0 @@
-import logging
-import sys
-import traceback
-
-import cherrypy
-from cryptojwt.utils import as_bytes
-from oidcop.authn_event import create_authn_event
-from oidcmsg.oauth2 import AuthorizationRequest
-from oidcmsg.oauth2 import ResponseMessage
-
-logger = logging.getLogger(__name__)
-
-
-def add_cookie(cookie_spec):
-    for key, _morsel in cookie_spec.items():
-        cherrypy.response.cookie[key] = getattr(_morsel, 'value', '')
-        for attr in ['domain', 'path', 'expires', 'comment', 'max-age',
-                     'secure', 'httponly', 'version']:
-            try:
-                _v = _morsel[attr]
-            except KeyError:
-                pass
-            else:
-                if _v:
-                    cherrypy.response.cookie[key][attr] = _v
-
-
-def do_response(endpoint, req_args, error='', **args):
-    info = endpoint.do_response(request=req_args, error=error, **args)
-
-    for key, value in info['http_headers']:
-        cherrypy.response.headers[key] = value
-
-    if 'cookie' in info:
-        add_cookie(info['cookie'])
-
-    try:
-        _response_placement = info['response_placement']
-    except KeyError:
-        _response_placement = endpoint.response_placement
-
-    if error:
-        if _response_placement == 'body':
-            logger.info('Error Response: {}'.format(info['response']))
-            cherrypy.response.status = 400
-            return as_bytes(info['response'])
-        elif _response_placement == 'url':
-            logger.info('Redirect to: {}'.format(info['response']))
-            raise cherrypy.HTTPRedirect(info['response'])
-    else:
-        if _response_placement == 'body':
-            logger.info('Response: {}'.format(info['response']))
-            return as_bytes(info['response'])
-        elif _response_placement == 'url':
-            logger.info('Redirect to: {}'.format(info['response']))
-            raise cherrypy.HTTPRedirect(info['response'])
-
-
-def do_endpoint(endpoint, **kwargs):
-    try:
-        authn = cherrypy.request.headers['Authorization']
-    except KeyError:
-        pr_args = {}
-    else:
-        pr_args = {'auth': authn}
-
-    if endpoint.request_placement == 'body':
-        if cherrypy.request.process_request_body is True:
-            _request = cherrypy.request.body.read()
-        else:
-            raise cherrypy.HTTPError(400, 'Missing HTTP body')
-        if not _request:
-            _request = kwargs
-
-        try:
-            req_args = endpoint.parse_request(_request, **pr_args)
-        except Exception as err:
-            message = traceback.format_exception(*sys.exc_info())
-            logger.exception(message)
-            err_msg = ResponseMessage(error='invalid_request',
-                                      error_description=str(err))
-            raise cherrypy.HTTPError(400, err_msg.to_json())
-    else:
-        try:
-            req_args = endpoint.parse_request(kwargs, **pr_args)
-        except Exception as err:
-            message = traceback.format_exception(*sys.exc_info())
-            logger.exception(message)
-            err_msg = ResponseMessage(error='invalid_request',
-                                      error_description=str(err))
-            raise cherrypy.HTTPError(400, err_msg.to_json())
-    logger.info('request: {}'.format(req_args))
-
-    if isinstance(req_args, ResponseMessage) and 'error' in req_args:
-        return as_bytes(req_args.to_json())
-
-    try:
-        if cherrypy.request.cookie:
-            args = endpoint.process_request(req_args,
-                                            cookie=cherrypy.request.cookie)
-        else:
-            args = endpoint.process_request(req_args)
-    except Exception as err:
-        message = traceback.format_exception(*sys.exc_info())
-        logger.exception(message)
-        cherrypy.response.headers['Content-Type'] = 'text/html'
-        err_msg = ResponseMessage(error='invalid_request',
-                                  error_description=str(err))
-        raise cherrypy.HTTPError(400, err_msg.to_json())
-
-    if 'http_response' in args:
-        return as_bytes(args['http_response'])
-
-    return do_response(endpoint, req_args, **args)
-
-
-class OpenIDProvider(object):
-    def __init__(self, config, endpoint_context):
-        self.config = config
-        self.endpoint_context = endpoint_context
-
-    @cherrypy.expose
-    def service_endpoint(self, name, **kwargs):
-        logger.info(kwargs)
-        logger.info('At the {} endpoint'.format(name))
-
-        endpoint = self.endpoint_context.endpoint[name]
-
-        return do_endpoint(endpoint, **kwargs)
-
-    @cherrypy.expose
-    def authn_verify(self, url_endpoint, **kwargs):
-        """
-        Authentication verification
-
-        :param url_endpoint: Which endpoint to use
-        :param kwargs: response arguments
-        :return: HTTP redirect
-        """
-        authn_method = self.endpoint_context.endpoint_to_authn_method[
-            url_endpoint]
-
-        username = authn_method.verify(**kwargs)
-        if not username:
-            raise cherrypy.HTTPError(403, message='Authentication failed')
-
-        auth_args = authn_method.unpack_token(kwargs['token'])
-        request = AuthorizationRequest().from_urlencoded(auth_args['query'])
-
-        authn_event = create_authn_event(
-            uid=username, salt='salt',
-            authn_info=auth_args['authn_class_ref'],
-            authn_time=auth_args['iat'])
-
-        endpoint = self.endpoint_context.endpoint['authorization']
-        args = endpoint.authz_part2(user=username, request=request,
-                                    authn_event=authn_event)
-
-        if isinstance(args, ResponseMessage):
-            raise cherrypy.HTTPError(400, message=args.to_json())
-
-        return do_response(endpoint, request, **args)
-
-    def _cp_dispatch(self, vpath):
-        # Only get here if vpath != None
-        ent = cherrypy.request.remote.ip
-        logger.info('ent:{}, vpath: {}'.format(ent, vpath))
-
-        if len(vpath) == 2 and vpath[0] == 'verify':
-            a = vpath.pop(0)
-            b = vpath.pop(0)
-            cherrypy.request.params['url_endpoint'] = '/'.join(['', a, b])
-            return self.authn_verify
-
-        for name, instance in self.endpoint_context.endpoint.items():
-            if vpath == instance.vpath:
-                cherrypy.request.params['name'] = name
-                for n in range(len(vpath)):
-                    vpath.pop()
-                return self.service_endpoint
-
-        return self
diff --git a/unsupported/chpy/seed.txt b/unsupported/chpy/seed.txt
deleted file mode 100644
index bab6c830..00000000
--- a/unsupported/chpy/seed.txt
+++ /dev/null
@@ -1 +0,0 @@
-CZb8UrPbfaQqXVASwxWVdQCwmzXDtPI5xmtUibKvCSvUjy74
\ No newline at end of file
diff --git a/unsupported/chpy/server.py b/unsupported/chpy/server.py
deleted file mode 100644
index 3df6346a..00000000
--- a/unsupported/chpy/server.py
+++ /dev/null
@@ -1,117 +0,0 @@
-import importlib
-import logging
-import os
-import sys
-from urllib.parse import urlparse
-
-import cherrypy
-from cryptojwt.key_jar import init_key_jar
-from oidcop.cookie_handler import CookieHandler
-from oidcop.endpoint_context import EndpointContext
-
-from .provider import OpenIDProvider
-
-logger = logging.getLogger("")
-LOGFILE_NAME = 'op.log'
-hdlr = logging.FileHandler(LOGFILE_NAME)
-base_formatter = logging.Formatter(
-    "%(asctime)s %(name)s:%(levelname)s %(message)s")
-
-hdlr.setFormatter(base_formatter)
-logger.addHandler(hdlr)
-logger.setLevel(logging.DEBUG)
-
-
-if __name__ == '__main__':
-    import argparse
-
-    parser = argparse.ArgumentParser()
-    parser.add_argument('-t', dest='tls', action='store_true')
-    parser.add_argument('-k', dest='insecure', action='store_true')
-    parser.add_argument(dest="config")
-    args = parser.parse_args()
-
-    folder = os.path.abspath(os.curdir)
-    sys.path.insert(0, ".")
-    config = importlib.import_module(args.config)
-    _webserver_config = config.CONFIG['webserver']
-
-    try:
-        _port = int(_webserver_config['port'])
-    except KeyError:
-        if args.tls:
-            _port = 443
-        else:
-            _port = 80
-
-    cherrypy.config.update(
-        {
-            'environment': 'production',
-            'log.error_file': 'error.log',
-            'log.access_file': 'access.log',
-            'tools.trailing_slash.on': False,
-            'server.socket_host': '0.0.0.0',
-            'log.screen': True,
-            'tools.sessions.on': True,
-            'tools.encode.on': True,
-            'tools.encode.encoding': 'utf-8',
-            'server.socket_port': _port
-            })
-
-    provider_config = {
-        '/': {
-            'root_path': 'localhost',
-            'log.screen': True
-            },
-        '/static': {
-            'tools.staticdir.dir': os.path.join(folder, 'static'),
-            'tools.staticdir.debug': True,
-            'tools.staticdir.on': True,
-            'tools.staticdir.content_types': {
-                'json': 'application/json',
-                'jwks': 'application/json',
-                'jose': 'application/jose'
-                },
-            'log.screen': True,
-            'cors.expose_public.on': True
-            }
-    }
-
-    _server_info_config = config.CONFIG['server_info']
-    _jwks_config = _server_info_config['jwks']
-
-    _kj = init_key_jar(owner=_server_info_config['issuer'], **_jwks_config)
-
-    cookie_handler = CookieHandler(**_server_info_config['cookie_handler'])
-
-    endpoint_context = EndpointContext(config.CONFIG['server_info'], keyjar=_kj,
-                                       cwd=folder, cookie_handler=cookie_handler)
-
-    for endp in endpoint_context.endpoint.values():
-        p = urlparse(endp.endpoint_path)
-        _vpath = p.path.split('/')
-        if _vpath[0] == '':
-            endp.vpath = _vpath[1:]
-        else:
-            endp.vpath = _vpath
-
-    cherrypy.tree.mount(
-        OpenIDProvider(config, endpoint_context),
-        '/', provider_config)
-
-    _webserver_config = config.CONFIG['webserver']
-
-    # If HTTPS
-    if args.tls:
-        cherrypy.server.ssl_certificate = _webserver_config['cert']
-        cherrypy.server.ssl_private_key = _webserver_config['key']
-        try:
-            _cert_chain = _webserver_config['cert_chain']
-        except KeyError:
-            pass
-        else:
-            if _cert_chain:
-                cherrypy.server.ssl_certificate_chain = _cert_chain
-
-    cherrypy.engine.start()
-    cherrypy.engine.block()

From a5c54bfd1534f4eb57f30cabd0f50a1ec9845542 Mon Sep 17 00:00:00 2001
From: Roland Hedberg <roland@catalogix.se>
Date: Tue, 16 Nov 2021 08:28:18 +0100
Subject: [PATCH 02/11] Should be removed.

---
 example/fastapi.tgz | Bin 2901 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 example/fastapi.tgz

diff --git a/example/fastapi.tgz b/example/fastapi.tgz
deleted file mode 100644
index d9ff83002720ee47101a4028e17d7643d43ccda0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2901
zcmV-b3##-ViwFQbcZy&D1MM5zZreKYJo_uOdZ}|ZkuPzaHoyT+n&kAd-6n_=^q~j@
zTB2>nvZN)cxNecp*)Q22+aX0tq%7HKo3_|R^bkwrkeoYbhRg&pj#APIl6XR<-YrYw
z-yZwvcDuvDz!ATP!=e1`_VaIedc$G2=kx~ML4PpZ?;i}DZtq~f+x^YyJ~}2fPX_c;
zK!qj|io<3&0GmuU%##!26u<u?&zF|txF`($BzBJ+@de-MJix^ld{44C;6y^W2?>KF
z^~8^tkMjh$d>1c1%hEKV+}+iq=SxJV%$N__Fk?981Vzw1K@r2dWnYkl*binXif}x|
z{sQw^5{jiq{ez)1+J8Q9MhCsVt47?*-}`(5H;52fu&+Qq00l@EK7)45WTVxxnGA{<
zMl_iDpgJ&M20BF9jHCedv48@&7%i~7Yqm_u9gh9=_6b^$XjRjJ7l=ePP5vFGWI}Lg
z_pxkjHxR}uqr)u46zn~xH1t8gNkow3RRMTobGfBB?V^m&K9?E;Y-h~iu<Z7Z#oyP!
zn~20ywfZ_A-6=&e_j3<q^EYD%G=OFiwi&MwNGSO%@%4qyR3Ic1q$)ChK|tB!X+<pg
zJV5};=<{TbV~atum*NS?c-GWSLe*n++}LpL0)6r&C9r<a=(@M$VIcyf*u6F)Kb%sV
z9uw!{-N4VqpHc#&eIigB?DxCf4Qe9{KS0VPmHuQ5Q&S~SKn-mYy}lS4OT`l6jye9s
zy*KZ#&Mx1dU0qzBU!9+vzq>ddjXs=To|aZyRZL?l@#<Z}p9=taOX6G9-)!yD(pEl>
z!!!Xli&^ugjzr(!2gi#vLR<)3lIEwdgm-JN0dV2Cs@7}xauRuON9XTPNx)BE+9q6s
zq-+<vI4sF$Vj{8hGL$>JyH${>u(ugTp%jOEg_+PMCrYLcF_lL6mj&Vem`lI<3Ug<H
z0pxEcjHEn5V=TP9`<?{zid$2-l`tb5P?(CL3^t$!6$(&_#^9(pF`R<H=N1Rt=PPj9
zdJn>(VFzxSjUy72B2E#ZOTyGb%4n4{+AvLx<0+;jAa)WEWAn>sd_*vx9Hoe&1v^T_
z@FTg%o>=7QcFFg~u!$H7RA-AfCH+Y<Cm<x@Rt=+B(;OSlJCUES)u={aJjbhw)~A%*
zfhw2!lz(^B{I|<F%azNJE6n1Dc)}`fsG_EVelg?u$yLQ43Dv1{VK@#pyV^OCkwOK|
za;4vm1cP1bAxKo<N`o`tLDWcuA<;?)LR#w!Wso*wNrZtLHv$?zNnLBkDPbH_quZwz
zgc|QJPz>h2z_}}9@Y!T@hRajhw#4HJcm~^RYZdX9IEwb>ak7j%C19gZmf=`PAPfO_
zy7Er-+h%VZL<BI;eR&xq##t2A28Jn3?g+Rw*rO)NHl!gQib=Saha?%zH>=I~7xSx3
z>Oy^=)X(t<6y<`Z_D*ULWc6=G-URh7YsY;Z!n<ogOuBYoMhdy><U}gA3>UgvDfA&r
z-A1K^*+wbYTO+xb(EBYUTfu(r&GjzY6iF)*!Ki4$QXDi%(FSNHPGHpcENJgd{n&4$
z%NAssFm4cMIiLumHP<Pl0qM)OaKzeQ>o{TqY!<f#EAx?>k>8=(BH8ri){epDS^)#6
z8Me6cuMDE8uLI5~dFTL^CNaYs0+$?PGhC4^>*+w5)$CS>I!*2MLv-ubVRZm;65}QX
zQ^YP{jt#^D4~<PkHccp+$_>wMP3WSk(6zc*&AtkqwDGUkMG50w*^rNCi@VMJW5kTW
zw*~-$P`g_PeIk$(om==KY`bY+E&4WdM}x_X?2QFq&m%CsZQ34#Tv4THf~He&|A<!$
zCZX5_$T$-nTd2jN*i*z{YXs}A&GafLZ&Zb@qZab7B;&qHKr<SZxu>7^Sy>gRgKAbD
zL`CjpyA=+SX$%pXk0MbvaL+`U&Fr60$hHH>BVrusX*al{T5uI{ZWuO3!TjNi)Io1w
zBbeb}UI3B_%|q+@_J&Y+#(5g#PT5F5b6FTMd=6Z=#l|d6LwIjaP0vu1nL$2<vWWX@
z6;4MN2P>rnv&JeIQS@1r8@q=1;3*ooLm12Q)I;!z9d$Zi!UUFx?~lF+soYEY>@2e}
z!>p#3b!nx+1f9uUj*cr;h^k+(GPA<Qcblg?J27Vr=$&Z1*sB=IgIAKjy5NwPB?{sh
zhv+0&r+qC^)UMYs@U^jpT);+1?9U)P?4y9PW_>IHy?5gEwHR_NhBPWB1M^wHW{lE$
zrL-9G%@w^SpInfr%@>rUByU0@tP<!#tu!F8$>Q*OB|u43OEF(Z*Y^C7NJZD*IfwE{
zKv!LSi&w4?j8I@}*Jx1we4h2{N|Pegn}=QQC`e3#%6>myaam3453J_83P`oMVpTtM
z?L)?ybq?p(prZ<E21e@b#@g5`rwH|1F_~bMxegoB*0m_HYGk>`hqy}l{<j~l9uO89
zEAPY7hU1Z^R(e~o%<U^rjnWwe-F}=c##TMM(o+sDjj|3Kf4s`imezM-l&uA8dc(k<
z5EvBp5<2amG>x`JV_LQkm)rB<pz(lWEt0K2L8yyV>-OxiFFcSAgPBo<mrJ(pTfg}H
zccRY!jZ=b0Ut{z6zi2(k&;R?wUhm*Qp8xlUPv`$X<B{k8Awe+`N;;<~%H0J-*kh^n
zvt+5aHVCZq*e;-%$d&JZHS$l-cR$+xOZW8nYizOq-eG^u{(FbLC;R^yk7fVmS*oz|
zkj$wNkKW#N9DORFoqrUr!m)0%XaL=1UTA?nYgnw0gyo=ejLsZ##QroQ0t>=STg{Zn
zieg}vzYm7ai>`C{e0Tu#=qVsffw;lWWH`l``(=-Ny}<wZw{sl>eUuT7jg#Fd2~b4%
zssJ-imJ`sHNMA~EM`wF4y1nOzMnx#eVov4I(GrK)j0sHdYYRj))(PY#qGLpn^VWHb
zV^-D>Y^f-y2D#WHO~FW1s)7-Xg<OJU(I}TP?t2)+dtf_?-6(QSfWOW~gg&EszQ0bQ
zXthj|&`gh}>TLAnxKSc6dc*GXT5(*Dj;pfJ+ny~9(OM^rYXR+?$Q`m)4icb23f8cK
z*;(*lR_8(GSJ=Py|2~AYg!{git{&aTY>odw=IZ`uzc)A({=dJ!|K$IF#-rsgYIHwB
z_Tt&L{|^p_O8$rY`v*gi|6nk9ivNGgLl&Ye>xjUwrQV}tIwkS6)tb;`;V1=hROcy9
zaU8PRzQ5q}_~MP#Ckl#FaEQj-n5wD8@m<7p*9ScQOI{SY%nv_v7?pHGbb43LGLm1d
zRz4ea@^|<SM{R|<cY5~n`qfUWh0@gdL!;H+5#M^IKb-dvB(z$s5Ko+`*n`rvy>ld8
zE5$scu>&p8|ECy~#6Bz#^R_6lQl6#mjvSbzzG~28;af~DE|9dJ8JFsx?Z~SKfP{bw
z;t2qWcHj>RSz8Rty9)erBHIAE>jca254R(D;pR{lB}}m+#}$ZayPf(gI62m$%a>hk
zDT1Rl-ovCy(Cr;XnBsMa$Jw;)zDf*%IqJAt;ifMO!6YS`>c^MZ71xP&<++=>?V~88
zQwAe7h`3iHudS*za*Vx@1RPLX$4m_0QBurLiOtEv#MjO3-+#AZZGmX8kHu-Td$VI|
zhiLxQ#hXWX3jZ%{@yF}{+xGwdq5l65$OL;mNA3s*PyYXBJkrVXRVr@zD(`xpit8~b
zQeHY;g-G1k*4-}=!~Yc80uD#kM%TPYy8tO1D)<;Z?MHBRH(+efM8Wr{qwd;yG3Fg{
zRf&mzMT&92J3X)4$<Gs?X(LTC8sH-bX81oay{G5td3v6nU;6wPGmI@?06G8w(?qa`


From 7735cfc2567489ef7a41d9ae406d77bb74d9d5ea Mon Sep 17 00:00:00 2001
From: Roland Hedberg <roland@catalogix.se>
Date: Tue, 16 Nov 2021 10:55:52 +0100
Subject: [PATCH 03/11] Should be removed.

---
 example/flask_op/config.json        |   3 +-
 example/flask_op/config.yaml        | 268 ----------------------
 example/flask_op/config_cdb.json    | 332 ----------------------------
 example/flask_op/config_martin.yaml | 309 --------------------------
 example/flask_op/seed.txt           |   1 -
 example/flask_op/sram_passwd.json   |   5 -
 example/flask_op/sram_users.json    |  42 ----
 example/flask_op/templates.tgz      | Bin 15872 -> 0 bytes
 8 files changed, 1 insertion(+), 959 deletions(-)
 delete mode 100644 example/flask_op/config.yaml
 delete mode 100644 example/flask_op/config_cdb.json
 delete mode 100644 example/flask_op/config_martin.yaml
 delete mode 100644 example/flask_op/seed.txt
 delete mode 100644 example/flask_op/sram_passwd.json
 delete mode 100644 example/flask_op/sram_users.json
 delete mode 100644 example/flask_op/templates.tgz

diff --git a/example/flask_op/config.json b/example/flask_op/config.json
index ae011032..e3fe080d 100644
--- a/example/flask_op/config.json
+++ b/example/flask_op/config.json
@@ -129,8 +129,7 @@
           "HS512",
           "PS256",
           "PS384",
-          "PS512",
-          "none"
+          "PS512"
         ]
       },
       "cookie_handler": {
diff --git a/example/flask_op/config.yaml b/example/flask_op/config.yaml
deleted file mode 100644
index b79a5fc9..00000000
--- a/example/flask_op/config.yaml
+++ /dev/null
@@ -1,268 +0,0 @@
-logging:
-  version: 1
-  root:
-    handlers:
-      - default
-      - console
-    level: DEBUG
-  loggers:
-    bobcat_idp:
-      level: DEBUG
-  handlers:
-    default:
-      class: logging.FileHandler
-      filename: 'debug.log'
-      formatter: default
-    console:
-      class: logging.StreamHandler
-      stream: 'ext://sys.stdout'
-      formatter: default
-  formatters:
-    default:
-      format: '%(asctime)s %(name)s %(levelname)s %(message)s'
-
-port: &port 5000
-domain: &domain 192.168.1.158
-server_name: '{domain}:{port}'
-base_url: &base_url 'https://{domain}:{port}'
-
-key_def: &key_def
-  -
-    type: RSA
-    use:
-      - sig
-  -
-    type: EC
-    crv: "P-256"
-    use:
-      - sig
-
-
-op:
-  server_info:
-    issuer: *base_url
-    httpc_params:
-      verify: False
-    capabilities:
-      subject_types_supported:
-        - public
-        - pairwise
-      grant_types_supported:
-        - authorization_code
-        - implicit
-        - urn:ietf:params:oauth:grant-type:jwt-bearer
-        - refresh_token
-    template_dir: templates
-    token_handler_args:
-      jwks_def:
-        private_path: 'private/token_jwks.json'
-        read_only: False
-        key_defs:
-          -
-            type: oct
-            bytes: 24
-            use:
-              - enc
-            kid: code
-          -
-            type: oct
-            bytes: 24
-            use:
-              - enc
-            kid: refresh
-      code:
-        lifetime: 600
-      id_token:
-        class: oidcop.token.id_token.IDToken
-        kwargs:
-          base_claims:
-            email:
-              essential: True
-            email_verified:
-              essential: True
-      token:
-        class: oidcop.token.jwt_token.JWTToken
-        lifetime: 3600
-        add_claims:
-          - email
-          - email_verified
-          - phone_number
-          - phone_number_verified
-        add_claims_by_scope: True
-        aud:
-          - https://example.org/appl
-      refresh:
-        lifetime: 86400
-    keys:
-      private_path: "private/jwks.json"
-      key_defs: *key_def
-      public_path: 'static/jwks.json'
-      read_only: False
-      # otherwise OP metadata will have jwks_uri: https://127.0.0.1:5000/None!
-      uri_path: 'static/jwks.json'
-    endpoint:
-      webfinger:
-        path: '.well-known/webfinger'
-        class: oidcop.oidc.discovery.Discovery
-        kwargs:
-          client_authn_method: null
-      provider_info:
-        path: ".well-known/openid-configuration"
-        class: oidcop.oidc.provider_config.ProviderConfiguration
-        kwargs:
-          client_authn_method: null
-      registration:
-          path: registration
-          class: oidcop.oidc.registration.Registration
-          kwargs:
-            client_authn_method: null
-            client_secret_expiration_time: 432000
-      registration_api:
-          path: registration_api
-          class: oidcop.oidc.read_registration.RegistrationRead
-          kwargs:
-            client_authn_method:
-              - bearer_header
-      introspection:
-          path: introspection
-          class: oidcop.oauth2.introspection.Introspection
-          kwargs:
-            client_authn_method:
-              - client_secret_post
-            release:
-            - username
-      authorization:
-          path: authorization
-          class: oidcop.oidc.authorization.Authorization
-          kwargs:
-            client_authn_method: null
-            claims_parameter_supported: True
-            request_parameter_supported: True
-            request_uri_parameter_supported: True
-            response_types_supported:
-              - code
-              - token
-              - id_token
-              - "code token"
-              - "code id_token"
-              - "id_token token"
-              - "code id_token token"
-              - none
-            response_modes_supported:
-              - query
-              - fragment
-              - form_post
-      token:
-          path: token
-          class: oidcop.oidc.token.Token
-          kwargs:
-            client_authn_method:
-              - client_secret_post
-              - client_secret_basic
-              - client_secret_jwt
-              - private_key_jwt
-      userinfo:
-          path: userinfo
-          class: oidcop.oidc.userinfo.UserInfo
-          kwargs:
-            claim_types_supported:
-              - normal
-              - aggregated
-              - distributed
-      end_session:
-          path: session
-          class: oidcop.oidc.session.Session
-          kwargs:
-              logout_verify_url: verify_logout
-              post_logout_uri_path: post_logout
-              signing_alg: "ES256"
-              frontchannel_logout_supported: True
-              frontchannel_logout_session_supported: True
-              backchannel_logout_supported: True
-              backchannel_logout_session_supported: True
-              check_session_iframe: 'check_session_iframe'
-    userinfo:
-      class: oidcop.user_info.UserInfo
-      kwargs:
-        db_file: users.json
-    authentication:
-      user:
-        acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
-        class: oidcop.user_authn.user.UserPassJinja2
-        kwargs:
-          verify_endpoint: 'verify/user'
-          template: user_pass.jinja2
-          db:
-            class: oidcop.util.JSONDictDB
-            kwargs:
-              filename: passwd.json
-          page_header: "Testing log in"
-          submit_btn: "Get me in!"
-          user_label: "Nickname"
-          passwd_label: "Secret sauce"
-      #anon:
-        #acr: oidcop.user_authn.authn_context.UNSPECIFIED
-        #class: oidcop.user_authn.user.NoAuthn
-        #kwargs:
-          #user: diana
-    cookie_handler:
-      class: oidcop.cookie_handler.CookieHandler
-      kwargs":
-        keys:
-          private_path: "private/cookie_jwks.json"
-          key_defs:
-              -
-                type: OCT
-                kid: enc
-                use:
-                  - enc
-              -
-                type: OCT
-                kid: sig
-                use:
-                  - sig
-          read_only: false
-        name:
-          session: "oidc_op"
-          register: "oidc_op_rp"
-          session_management: "sman"
-    login_hint2acrs:
-      class: oidcop.login_hint.LoginHint2Acrs
-      kwargs:
-        scheme_map:
-          email:
-            - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
-
-    # this adds PKCE support as mandatory - disable it if needed (essential: False)
-    add_on:
-      pkce:
-        function: oidcop.oidc.add_on.pkce.add_pkce_support
-        kwargs:
-          essential: false
-          code_challenge_method:
-            #plain
-            S256
-            S384
-            S512
-
-      claims:
-        function: oidcop.oidc.add_on.custom_scopes.add_custom_scopes
-        kwargs:
-          research_and_scholarship:
-            - name
-            - given_name
-            - family_name
-            - email
-            - email_verified
-            - sub
-            - iss
-            - eduperson_scoped_affiliation
-
-webserver:
-  server_cert: 'certs/89296913_127.0.0.1.cert'
-  server_key: 'certs/89296913_127.0.0.1.key'
-  ca_bundle: null
-  verify_user: false
-  port: *port
-  domain: 0.0.0.0
-  debug: true
diff --git a/example/flask_op/config_cdb.json b/example/flask_op/config_cdb.json
deleted file mode 100644
index 75d540ae..00000000
--- a/example/flask_op/config_cdb.json
+++ /dev/null
@@ -1,332 +0,0 @@
-{
-  "port": 5000,
-  "domain": "127.0.0.1",
-  "server_name": "{domain}:{port}",
-  "base_url": "https://{domain}:{port}",
-  "op": {
-    "server_info": {
-      "add_on": {
-        "pkce": {
-          "function": "oidcop.oidc.add_on.pkce.add_pkce_support",
-          "kwargs": {
-            "essential": false,
-            "code_challenge_method": "S256 S384 S512"
-          }
-        },
-        "claims": {
-          "function": "oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
-          "kwargs": {
-            "research_and_scholarship": [
-              "name",
-              "given_name",
-              "family_name",
-              "email",
-              "email_verified",
-              "sub",
-              "iss",
-              "eduperson_scoped_affiliation"
-            ]
-          }
-        }
-      },
-      "authz": {
-        "class": "oidcop.authz.AuthzHandling",
-        "kwargs": {
-          "grant_config": {
-            "usage_rules": {
-              "authorization_code": {
-                "supports_minting": [
-                  "access_token",
-                  "refresh_token",
-                  "id_token"
-                ],
-                "max_usage": 1
-              },
-              "access_token": {},
-              "refresh_token": {
-                "supports_minting": [
-                  "access_token",
-                  "refresh_token"
-                ]
-              }
-            },
-            "expires_in": 43200
-          }
-        }
-      },
-      "authentication": {
-        "user": {
-          "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword",
-          "class": "oidcop.user_authn.user.UserPassJinja2",
-          "kwargs": {
-            "verify_endpoint": "/verify/user",
-            "template": "user_pass.jinja2",
-            "db": {
-              "class": "oidcop.util.JSONDictDB",
-              "kwargs": {
-                "filename": "passwd.json"
-              }
-            },
-            "page_header": "Testing log in",
-            "submit_btn": "Get me in!",
-            "user_label": "Nickname",
-            "passwd_label": "Secret sauce"
-          }
-        }
-      },
-      "capabilities": {
-        "subject_types_supported": [
-          "public",
-          "pairwise"
-        ],
-        "grant_types_supported": [
-          "authorization_code",
-          "implicit",
-          "urn:ietf:params:oauth:grant-type:jwt-bearer",
-          "refresh_token"
-        ]
-      },
-      "client_db": {
-        "class": "oidcmsg.storage.abfile.AbstractFileSystem",
-        "kwargs": {
-          "fdir": "cdb",
-          "key_conv": "oidcmsg.util.QPKey",
-          "value_conv": "oidcmsg.util.JSON"
-        }
-      },
-      "cookie_handler": {
-        "class": "oidcop.cookie_handler.CookieHandler",
-        "kwargs": {
-          "keys": {
-            "private_path": "private/cookie_jwks.json",
-            "key_defs": [
-              {
-                "type": "OCT",
-                "use": [
-                  "enc"
-                ],
-                "kid": "enc"
-              },
-              {
-                "type": "OCT",
-                "use": [
-                  "sig"
-                ],
-                "kid": "sig"
-              }
-            ],
-            "read_only": false
-          },
-          "name": {
-            "session": "oidc_op",
-            "register": "oidc_op_rp",
-            "session_management": "sman"
-          }
-        }
-      },
-      "endpoint": {
-        "webfinger": {
-          "path": ".well-known/webfinger",
-          "class": "oidcop.oidc.discovery.Discovery",
-          "kwargs": {
-            "client_authn_method": null
-          }
-        },
-        "provider_info": {
-          "path": ".well-known/openid-configuration",
-          "class": "oidcop.oidc.provider_config.ProviderConfiguration",
-          "kwargs": {
-            "client_authn_method": null
-          }
-        },
-        "registration": {
-          "path": "registration",
-          "class": "oidcop.oidc.registration.Registration",
-          "kwargs": {
-            "client_authn_method": null,
-            "client_secret_expiration_time": 432000
-          }
-        },
-        "registration_api": {
-          "path": "registration_api",
-          "class": "oidcop.oidc.read_registration.RegistrationRead",
-          "kwargs": {
-            "client_authn_method": [
-              "bearer_header"
-            ]
-          }
-        },
-        "introspection": {
-          "path": "introspection",
-          "class": "oidcop.oauth2.introspection.Introspection",
-          "kwargs": {
-            "client_authn_method": [
-              "client_secret_post",
-              "client_secret_basic",
-              "client_secret_jwt",
-              "private_key_jwt"
-            ],
-            "release": [
-              "username"
-            ]
-          }
-        },
-        "authorization": {
-          "path": "authorization",
-          "class": "oidcop.oidc.authorization.Authorization",
-          "kwargs": {
-            "client_authn_method": null,
-            "claims_parameter_supported": true,
-            "request_parameter_supported": true,
-            "request_uri_parameter_supported": true,
-            "response_types_supported": [
-              "code",
-              "token",
-              "id_token",
-              "code token",
-              "code id_token",
-              "id_token token",
-              "code id_token token",
-              "none"
-            ],
-            "response_modes_supported": [
-              "query",
-              "fragment",
-              "form_post"
-            ]
-          }
-        },
-        "token": {
-          "path": "token",
-          "class": "oidcop.oidc.token.Token",
-          "kwargs": {
-            "client_authn_method": [
-              "client_secret_post",
-              "client_secret_basic",
-              "client_secret_jwt",
-              "private_key_jwt"
-            ]
-          }
-        },
-        "userinfo": {
-          "path": "userinfo",
-          "class": "oidcop.oidc.userinfo.UserInfo",
-          "kwargs": {
-            "claim_types_supported": [
-              "normal",
-              "aggregated",
-              "distributed"
-            ]
-          }
-        },
-        "end_session": {
-          "path": "session",
-          "class": "oidcop.oidc.session.Session",
-          "kwargs": {
-            "logout_verify_url": "verify_logout",
-            "post_logout_uri_path": "post_logout",
-            "signing_alg": "ES256",
-            "frontchannel_logout_supported": true,
-            "frontchannel_logout_session_supported": true,
-            "backchannel_logout_supported": true,
-            "backchannel_logout_session_supported": true,
-            "check_session_iframe": "check_session_iframe"
-          }
-        }
-      },
-      "httpc_params": {
-        "verify": false
-      },
-      "issuer": "https://{domain}:{port}",
-      "keys": {
-        "private_path": "private/jwks.json",
-        "key_defs": [
-          {
-            "type": "RSA",
-            "use": [
-              "sig"
-            ]
-          },
-          {
-            "type": "EC",
-            "crv": "P-256",
-            "use": [
-              "sig"
-            ]
-          }
-        ],
-        "public_path": "static/jwks.json",
-        "read_only": false,
-        "uri_path": "static/jwks.json"
-      },
-      "login_hint2acrs": {
-        "class": "oidcop.login_hint.LoginHint2Acrs",
-        "kwargs": {
-          "scheme_map": {
-            "email": [
-              "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"
-            ]
-          }
-        }
-      },
-      "template_dir": "templates",
-      "token_handler_args": {
-        "jwks_file": "private/token_jwks.json",
-        "code": {
-          "kwargs": {
-            "lifetime": 600
-          }
-        },
-        "token": {
-          "class": "oidcop.token.jwt_token.JWTToken",
-          "kwargs": {
-            "lifetime": 3600,
-            "add_claims": [
-              "email",
-              "email_verified",
-              "phone_number",
-              "phone_number_verified"
-            ],
-            "add_claim_by_scope": true,
-            "aud": [
-              "https://example.org/appl"
-            ]
-          }
-        },
-        "refresh": {
-          "kwargs": {
-            "lifetime": 86400
-          }
-        },
-        "id_token": {
-          "class": "oidcop.token.id_token.IDToken",
-          "kwargs": {
-            "base_claims": {
-              "email": {
-                "essential": true
-              },
-              "email_verified": {
-                "essential": true
-              }
-            }
-          }
-        }
-      },
-      "userinfo": {
-        "class": "oidcop.user_info.UserInfo",
-        "kwargs": {
-          "db_file": "users.json"
-        }
-      }
-    }
-  },
-  "webserver": {
-    "server_cert": "certs/client.crt",
-    "server_key": "certs/client.key",
-    "ca_bundle": null,
-    "verify_user": false,
-    "port": 5000,
-    "domain": "127.0.0.1",
-    "debug": true
-  }
-}
diff --git a/example/flask_op/config_martin.yaml b/example/flask_op/config_martin.yaml
deleted file mode 100644
index c92e5662..00000000
--- a/example/flask_op/config_martin.yaml
+++ /dev/null
@@ -1,309 +0,0 @@
-logging:
-  version: 1
-  root:
-    handlers:
-      - default
-      - console
-    level: DEBUG
-  loggers:
-    bobcat_idp:
-      level: DEBUG
-  handlers:
-    default:
-      class: logging.FileHandler
-      filename: 'debug.log'
-      formatter: default
-    console:
-      class: logging.StreamHandler
-      stream: 'ext://sys.stdout'
-      formatter: default
-  formatters:
-    default:
-      format: '%(asctime)s %(name)s %(levelname)s %(message)s'
-
-port: &port 5000
-domain: 127.0.0.1
-server_name: '{domain}'
-base_url: &base_url 'https://{domain}:{port}'
-
-key_def: &key_def
-  -
-    type: RSA
-    use:
-      - sig
-  -
-    type: EC
-    crv: "P-256"
-    use:
-      - sig
-
-op:
-  server_info:
-    client_db:
-      class: oidcmsg.storage.abfile.AbstractFileSystem
-      kwargs:
-        fdir: cdb
-        key_conv: oidcmsg.util.QPKey
-        value_conv: oidcmsg.util.JSON
-    issuer: *base_url
-    httpc_params:
-      verify: False
-    session_key:
-      filename: private/session_jwk.json
-      type: OCT
-      use: sig
-    capabilities:
-      subject_types_supported:
-        - public
-        - pairwise
-      grant_types_supported:
-        - authorization_code
-        - implicit
-        - urn:ietf:params:oauth:grant-type:jwt-bearer
-        - refresh_token
-    template_dir: templates
-    token_handler_args:
-      jwks_def:
-        private_path: 'private/token_jwks.json'
-        read_only: False
-        key_defs:
-          -
-            type: oct
-            bytes: 24
-            use:
-              - enc
-            kid: code
-          -
-            type: oct
-            bytes: 24
-            use:
-              - enc
-            kid: refresh
-      code:
-        kwargs:
-          lifetime: 600
-      id_token:
-        class: oidcop.token.id_token.IDToken
-        kwargs:
-          base_claims:
-            email:
-              essential: True
-            email_verified:
-              essential: True
-      token:
-        class: oidcop.token.jwt_token.JWTToken
-        kwargs:
-          lifetime: 3600
-          add_claims:
-            - email
-            - email_verified
-            - phone_number
-            - phone_number_verified
-          add_claim_by_scope: True
-          aud:
-            - https://example.org/appl
-      refresh:
-        kwargs:
-          lifetime: 86400
-    keys:
-      private_path: "private/jwks.json"
-      key_defs: *key_def
-      public_path: 'static/jwks.json'
-      read_only: False
-      # otherwise OP metadata will have jwks_uri: https://127.0.0.1:5000/None!
-      uri_path: 'static/jwks.json'
-    endpoint:
-      webfinger:
-        path: '.well-known/webfinger'
-        class: oidcop.oidc.discovery.Discovery
-        kwargs:
-          client_authn_method: null
-      provider_info:
-        path: ".well-known/openid-configuration"
-        class: oidcop.oidc.provider_config.ProviderConfiguration
-        kwargs:
-          client_authn_method: null
-      registration:
-          path: registration
-          class: oidcop.oidc.registration.Registration
-          kwargs:
-            client_authn_method: null
-            client_secret_expiration_time: 432000
-      registration_api:
-          path: registration_api
-          class: oidcop.oidc.read_registration.RegistrationRead
-          kwargs:
-            client_authn_method:
-              - bearer_header
-      introspection:
-          path: introspection
-          class: oidcop.oauth2.introspection.Introspection
-          kwargs:
-            client_authn_method:
-              - client_secret_post
-            release:
-            - username
-      authorization:
-          path: authorization
-          class: oidcop.oidc.authorization.Authorization
-          kwargs:
-            client_authn_method: null
-            claims_parameter_supported: True
-            request_parameter_supported: True
-            request_uri_parameter_supported: True
-            response_types_supported:
-              - code
-              - token
-              - id_token
-              - "code token"
-              - "code id_token"
-              - "id_token token"
-              - "code id_token token"
-              - none
-            response_modes_supported:
-              - query
-              - fragment
-              - form_post
-      token:
-          path: token
-          class: oidcop.oidc.token.Token
-          kwargs:
-            client_authn_method:
-              - client_secret_post
-              - client_secret_basic
-              - client_secret_jwt
-              - private_key_jwt
-      userinfo:
-          path: userinfo
-          class: oidcop.oidc.userinfo.UserInfo
-          kwargs:
-            claim_types_supported:
-              - normal
-              - aggregated
-              - distributed
-      end_session:
-          path: session
-          class: oidcop.oidc.session.Session
-          kwargs:
-              logout_verify_url: verify_logout
-              post_logout_uri_path: post_logout
-              signing_alg: "ES256"
-              frontchannel_logout_supported: True
-              frontchannel_logout_session_supported: True
-              backchannel_logout_supported: True
-              backchannel_logout_session_supported: True
-              check_session_iframe: 'check_session_iframe'
-    userinfo:
-      class: oidcop.user_info.UserInfo
-      kwargs:
-        db_file: sram_users.json
-    authentication:
-      user:
-        acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
-        class: oidcop.user_authn.user.UserPassJinja2
-        kwargs:
-          verify_endpoint: 'verify/user'
-          template: user_pass.jinja2
-          db:
-            class: oidcop.util.JSONDictDB
-            kwargs:
-              filename: sram_passwd.json
-          page_header: "Testing log in"
-          submit_btn: "Get me in!"
-          user_label: "Nickname"
-          passwd_label: "Secret sauce"
-      mfa:
-        acr: https://refeds.org/profile/mfa
-        class: oidcop.user_authn.user.UserPassJinja2
-        kwargs:
-          verify_endpoint: 'verify/user'
-          template: user_pass.jinja2
-          db:
-            class: oidcop.util.JSONDictDB
-            kwargs:
-              filename: sram_passwd.json
-          page_header: "Testing MFA in"
-          submit_btn: "Get me in secure!"
-          user_label: "Nickname"
-          passwd_label: "Secret MFA sauce"
-    cookie_handler:
-      class: oidcop.cookie_handler.CookieHandler
-      kwargs:
-        keys:
-          private_path: "private/cookie_jwks.json"
-          key_defs:
-              -
-                type: OCT
-                kid: enc
-                use:
-                  - enc
-              -
-                type: OCT
-                kid: sig
-                use:
-                  - sig
-          read_only: false
-        name:
-          session: "oidc_op"
-          register: "oidc_op_rp"
-          session_management: "sman"
-    login_hint2acrs:
-      class: oidcop.login_hint.LoginHint2Acrs
-      kwargs:
-        scheme_map:
-          email:
-            - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword
-
-    # this adds PKCE support as mandatory - disable it if needed (essential: False)
-    add_on:
-      pkce:
-        function: oidcop.oidc.add_on.pkce.add_pkce_support
-        kwargs:
-          essential: false
-          code_challenge_method:
-            #plain
-            S256
-            S384
-            S512
-
-      claims:
-        function: oidcop.oidc.add_on.custom_scopes.add_custom_scopes
-        kwargs:
-          research_and_scholarship:
-            - name
-            - given_name
-            - family_name
-            - email
-            - email_verified
-            - sub
-            - iss
-            - eduperson_scoped_affiliation
-          eduperson_scoped_affiliation:
-            - eduperson_scoped_affiliation
-          voperson_external_affiliation:
-            - voperson_external_affiliation
-          ssh_public_key:
-            - ssh_public_key
-          eduperson_orcid:
-            - eduperson_orcid
-          uid:
-            - uid
-          voperson_external_id:
-            - voperson_external_id
-          eduperson_entitlement:
-            - eduperson_entitlement
-          eduperon_assurance:
-            - eduperon_assurance
-          eduperson_principal_name:
-            - eduperson_principal_name
-          voperson_id:
-            - voperson_id
-
-webserver:
-  server_cert: 'certs/89296913_127.0.0.1.cert'
-  server_key: 'certs/89296913_127.0.0.1.key'
-  ca_bundle: null
-  verify_user: false
-  port: *port
-  domain: 0.0.0.0
-  debug: true
\ No newline at end of file
diff --git a/example/flask_op/seed.txt b/example/flask_op/seed.txt
deleted file mode 100644
index e5bd6105..00000000
--- a/example/flask_op/seed.txt
+++ /dev/null
@@ -1 +0,0 @@
-5gRv9mEEqMwO1xwkNblGXNsvbMVMghbaZbCAYMzBYOxj2Sji
\ No newline at end of file
diff --git a/example/flask_op/sram_passwd.json b/example/flask_op/sram_passwd.json
deleted file mode 100644
index d07df8c1..00000000
--- a/example/flask_op/sram_passwd.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "diana": "krall",
-  "babs": "howes",
-  "upper": "crust"
-}
\ No newline at end of file
diff --git a/example/flask_op/sram_users.json b/example/flask_op/sram_users.json
deleted file mode 100644
index c46ecd6f..00000000
--- a/example/flask_op/sram_users.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
-  "diana": {
-    "sub": "dikr0001",
-    "name": "Diana Krall",
-    "given_name": "Diana",
-    "family_name": "Krall",
-    "nickname": "Dina",
-    "email": "diana@example.org",
-    "email_verified": false,
-    "phone_number": "+46 90 7865000",
-    "address": {
-      "street_address": "Umeå Universitet",
-      "locality": "Umeå",
-      "postal_code": "SE-90187",
-      "country": "Sweden"
-    }
-  },
-  "babs": {
-    "sub": "babs0001",
-    "name": "Barbara J Jensen",
-    "given_name": "Barbara",
-    "family_name": "Jensen",
-    "nickname": "babs",
-    "email": "babs@example.com",
-    "email_verified": true,
-    "address": {
-      "street_address": "100 Universal City Plaza",
-      "locality": "Hollywood",
-      "region": "CA",
-      "postal_code": "91608",
-      "country": "USA"
-    }
-  },
-  "upper": {
-    "sub": "uppe0001",
-    "name": "Upper Crust",
-    "given_name": "Upper",
-    "family_name": "Crust",
-    "email": "uc@example.com",
-    "email_verified": true
-  }
-}
\ No newline at end of file
diff --git a/example/flask_op/templates.tgz b/example/flask_op/templates.tgz
deleted file mode 100644
index 26cefef7dcfe17a135759405c2ebeaf0b6dce31d..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 15872
zcmeHO|8m<l67Ju53RpKi(G!cJBwI>k%e~ZfCcR1PT<rdu&W(p6L5Vg+uq0?(b^R{)
zEcayhEkIHvMa5}r&*Y|78;c--#bOt`_;vwFzK8-_@}&FOqkSyP8tv_|&**zNRNq#A
zSAXLjeOPa>H^R&QUVp?a6s+NAZ12%HDiKZ-X~$qK7J(hQrHa}knt5LBUAdUegC>a&
zD_4EW&$7_JAG-X;oXbV<(ELIk!(FZKM*a8uJ?MYX+w1KP`XdYa-`gER|JFk@(nRks
zuK$CruTGB6etLJzNb`r!4(N-)6lRka4_owt+wS2rhR?x*OPe`!J5IQqw7xrg-Fbl)
zs!IAY;D=}Q_n@l_&knk}@4-~K%dFkJclgF<XLBC&E!6igKv!3zL>x5f=;_^~NnmCF
z&YU}!=Lt^|Uxeqr7uyT|Fz(>P_TRIHy_)~;TYH1OC;NXirI!dd+J9#CWjF9~_J68Z
z5BtUr?HOP2P_hm?dB^l>Djb6%mN>B=NtVRUq&1f^O2*x;<AxWB=>#Hmy}*vS>4-(w
zzOZk)fj>>U7s=_HSKYojFnir(Zuj?w=0(y{4v0w7#}6f+#lBolTDnE&+huz7)=RFu
zBk%aR!@nPPf9Sn@^Zb|Zqro>XoR_bEeKorn^^blSyu6-NX*sb-5)u0|Kb*AeP=w2c
zNR!s#L09vhxwH)vF(VNyJwFIcUv#hf-J-bgL$LjY$8DL$Jehc0I`hBB>0)A)Y1h2x
zvx96Lxr{j2iK4)FYzbTKUf5T*uFSl#;iaKNRm|9Cw}pJJ?3n549FeWR=SdpK{bxme
z(aW&|CnZ#9IDro(e(mmL9e0@R$kYyYSYiiqhdI;o0HgpJFH1wx8~XSjGuDQNqBV84
zHJPxY@Y`?eT$;MGYN#LU<LYrR{yY}fEacbhIF3bZv^Cvx-(|peU6G4`E&OC*L-OtI
z{Xzmck-N1wN_NpSVG}mv^5or@7$xEHsVqyWffDrtbd>1V#?BeexZ5s?JReZW2jn-+
z$`N5A0&WIkX0(46QRbij%>+7)S(`mqPtWm`%Td40OK8x}#F{l%>sq}gRqB`Y)G!I+
zQcYxTpG+?>6%wy9Mxzaj?7$G)JFI<n{Nq`ZG^sm`5natRa?1i!!z<=j+~jj9>h58R
z-$dMz+yz_NAW+a7JDD5pH^)D=w?W4s66_0Rv`wO}2r|r=m|fE}al296di85z>1V}e
z&V#PVOB*Cfy3YDeu<nc24Q4~U&?jF(FzaFs>6+@_yA9Ks8bqOipF75bge&uG&+X(?
ziWrXjmE*vXx8Y2gE1Z=4_@;%K*PHd;#<nTvJS@2)w9te%(W1GKaJD|GCAD^@Mw^qF
zZ(4TLD4XNT57Nu}2b4C5C~vv$6R75ne4sf+@MNS2pgce1aF#h!n<d`N&1NpDqu(*O
zerL`MOuk8)8|AVhQ(7u3zfar3AMp7~X>0Dii7~a;8G+C{ml@e|9s+0XY*_mUIOf8I
zRlPeoJ!|hY+A75uJcbi&7AYyIeIx)2LfJXP-q{AZ%I=wnaKDIZQt5SGY#8aTnE?u4
z#_XS`C*PWhjQw!tdrRZC*mlN+N6t6Vaps8cwwnpY-1TGlG%%_c_j<FtHR}SBh_FfU
zCaIGQNJn`aQ(SIpMorf=3D>$=xT_xdyw=&JHu)#tkxFuD)GM{W+uvCAyD&;KnR^|>
z8kX?GD?0#^D3n{p6q~%z%Ib0<K!3`DjgNO88@c@xl2|d;<PNX~xqrpK!Crt(!B|^b
zw4?})3XgFU`?{^*Sz8+cHs19$6LUb`u&Rv}4<sCd8Ic`J0$Q4=nE>fZqs{8lrKb5}
zLTlCQXY1cp>eMLTY_lf4S`(Uv>TCu)oXNSGMV|qNZWZLIpvnC4Y3cs&vdQUEJ~^{#
za#<{XDq~Eq)Vpz#3gT3oHBEG@L==-MQO#$6$ohY5jw*pr+C6v%+UqexvEAq$w_%xZ
zGZAU*aD-5a%$FZ+&pTKX8T_xR`L49nHZA23VD{ShYE=nw>2nA@#@=$I3Pu~zLRi<5
zUeADw)PBWL69*+ywByx9OvBRq<9}gTdLUdmL8y>>jNCXJ8x0E7rAN+J(SDsj58;kM
zq<wU<_VIN9<dA6^#ploKd=$f=gJb{f*KCEVujhWinc<j}34A3DYnu^{B?Dy+bu*K6
zs-1w*13b!xD`|+R(1$F~F;(LE#545tH8Ie<txR2aV9*G8kjfakUpC4I$E&)UYAGWe
zra`b0dP$MjU{hS1w(A~W0ZP2}6CetX_;R7$BLbkRzuaM-4Q!oF`)=F7(<*cDsiZwu
z`9CiPNTTo}<iR=OOp(fmN&nH2$cOU($ou!{{AXZ|MuXvKmsx#lcke0xSIW{o-s5`y
zFH85=lKl!7tMt-=&hEceE2Nat(;dhdC#@@=Uq>RAEsCTGc~4r`zANVwmtXk~@2J8K
z;!9upcF;)xVfX~TBAEj}Uv{MEc)py3LJz2p9VkWE;lHH*)ueUPN$n0&g9sn|X~0XP
z_<X|M8Q1+1xx|@-aw9qcd3)t2{?rGYSdQnu>+*0PI}CUb;n<!c!IDb8A8=2Ot$isX
z{GD@uHm9QE7~fM7Bia}v8OX_hz@YUYwQL<~$~i)E!GS=WLRkt+`xoVwRhFHw&h0Hr
z{9ie{%OG#DN#?;oDU+AEq9TflIgW50ZnSQ1|N9@>GPQ2rXJN#5u@ADX+z}~x6yy~H
zC*fN#R~jMX_4$PLa%V`sI-df(y%uOCU$x>i@1s4e{`)G9?WGyTLJGo+W`gu3^1F5r
z7{zY(OUmQrDGw0)i1-z1+IpDw_O^+w?AUhZrF;U~RWlRW3sZ!|D1=&?oMtJ92{^wx
z^A{X04l$7qwh)5eGO1reTuNFicg?6)E9<w!_DD~kiU<F5zG3D6Y2iGq-_JR_$NyXX
z(H{B#-QKX*vv5#s^{@*(o&V<Id(`iB|Nm#sf8SvZvD(hC<{9A|aqjz*NZH)J;w(hE
ze#&_W2RTD_oWUqzX<~s)zMnAU*splpd{q4GQ6=-&AilDHi2varUqyKL*#GX{F5$o3
z{-{3~4y``j{}}bGr}N*65Fe?qZvUIEd#n&347iK|*?Yh;p2!jwL<<GlYG|+&(LDez
z%m?}X$PhhC*pNcYfA|Z+t1OKJBR`Dx09_MvCd4e@cI4w+8i&zNf|FZ&;Rnmfdocx=
z8Sh%wPS3Ic7>emlQz=Eb!{)tO6f60S>>z_U3z7W<Eaq|1rxa?gbt6tX*BXj4jFsan
z9Tclt0*_<XGY5RpM3QpUHC|LVJ(V%jbD>k+FzLYO`d)R6g&pG*9Kbvpv;JOm(^v~}
zNU_ijnwWq9LuuoLB(AX%A*x2+e9SDiYehGhVtoV+zgd5@Td$eg&gCo?IDA1w5Quop
z{`PuA|245lBiN}F4I^k^--&J4PjQ&gUmHi<ba1|i8~_nPwfYy&rnX`2F#W$d$Ut_U
ztq|C|ynwpsaHB~oda=|bQr79(lq;Hh6(fS$tT@#+Upk}u(#gUbHW=2YTT;o3dR?Xr
zEX2>NLUw)RYHb{bOc9%0R_n4Al&_I>6&H~h@+i1_fW&i^Ko)uB;ZrW+T<M-yTe8a5
zRvPO;V>NB{YT9a8O1th$%d0Wsq%m%Vj9Db;vPq)_Yn_hgr2m>`H%#MxZtH8Sfm__6
zwfT$EA|oMf3Q-SS{|fnYJ4q(3!Z5Q7Bm~gD5^M>Kc5UMl4=g5u)9Mu14AGE?5CnYz
zbcZ{9YMgSwOD~ETQzMH~cuBQ7)sLudfk3T@0FkFX)?wY3%dcIdEh4(|fMH*wVLiL4
zBIqyzUMx{?kZ6@WBZ2^u>gyfVOOwJ-^lWR>tfg9Y6WYJ1iRPiP2@Zr()n>_)S_7J#
ziK9jyx<|;Fx`rZJTXd=s5~d5Bag?e`+d(16IC`sOaS{g0hnMC?Mo3rXNEjt*%Y1jz
zs_3W1^m*;1MX_Z0E)|X$kYkx()wm*yF|l~`x>4knWEg1#m%&tKrlqprxW#pGT_Huy
zaY_WCPmu3mR1H$CE^cKJSJ_(3oT><Mg5z9HTKN)e9sa}<cuOp1FiWupuAi#idPB#m
z%v*=w3iOutQjtKk;)g2&2VI!d|JjAs75-O8%@36Et%B8i@IS8o4+;MdMk8y0JK%)>
z@iTxY{9l#g<CN5WZ>(8;2OGD&dxyt#p$69}C>@6D+^{a~<e%MsPA4{b!t5ManIS^Y
zF1@hNkr9gy4{SD%xu<Ni(h@d$cm(|ChbeA|+c4MYkSMDAN9aqBp$qzWuBX<X0{zEP
zKB%tjKLzYRj{pbE3qQQD`wutdJ@((*>r?)3(CZC{yCbVd`M;s{Wd9GRfDceQ*aG%a
zNJ#(w<M;dkq#+~l4xuvc6Jooijj{GSklf3VlYw`MaH-^6-`-mJ7!55lyg(bgexxnF
ziY~JKdNXj4;u1e#DM1DGf(RYzNFCm)fXWAfJ>>xdf|#_(5D56Sh)HD?x{~~$dMb4*
z4^I%jrBG2pA;U1MG6kO=u2d$)$O_NUxi*fr;4rgkk#p3jdIOVWsMk1)QcS9Xd;W23
z7CjZKtCG&utjZt7k-wPf8~hLzVJvJ4>adC7!mZi^)XSW)Ji4IS(Yz}fC~X{4Bsn3{
z0Tpu+v~}pd_YuK;d*4}>>11!3Nok^GeQHo%UP1cJ`Ba8_8Rd|(_7kS3?dk&#=c(#R
L0#6e7WF+uE?UA=5


From c087917f9f5152c532d727cb6019eb017b31995d Mon Sep 17 00:00:00 2001
From: Roland Hedberg <roland@catalogix.se>
Date: Tue, 16 Nov 2021 15:37:39 +0100
Subject: [PATCH 04/11] Latest version.

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 8ab8a660..c8b3c305 100644
--- a/setup.py
+++ b/setup.py
@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.5.0",
+        "oidcmsg==1.5.1",
         "cryptojwt==1.5.2",
         "pyyaml",
         "jinja2>=2.11.3",

From bc2e30149b23d304e967c32eeebf93e3a19048c2 Mon Sep 17 00:00:00 2001
From: Roland Hedberg <roland@catalogix.se>
Date: Tue, 16 Nov 2021 16:01:25 +0100
Subject: [PATCH 05/11] Latest oidcmsg version doesn't work. So one step back
 for the time being.

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index c8b3c305..8ab8a660 100644
--- a/setup.py
+++ b/setup.py
@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.5.1",
+        "oidcmsg==1.5.0",
         "cryptojwt==1.5.2",
         "pyyaml",
         "jinja2>=2.11.3",

From a2e76e3453297d356edff22699a9ee21e0ccce1a Mon Sep 17 00:00:00 2001
From: Roland Hedberg <roland@catalogix.se>
Date: Wed, 17 Nov 2021 08:41:01 +0100
Subject: [PATCH 06/11] Use latest oidcmsg. Don't specify cryptojwt
 requirement.

---
 setup.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/setup.py b/setup.py
index 8ab8a660..1f22bc4b 100644
--- a/setup.py
+++ b/setup.py
@@ -72,8 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.5.0",
-        "cryptojwt==1.5.2",
+        "oidcmsg==1.5.1",
         "pyyaml",
         "jinja2>=2.11.3",
         "responses>=0.13.0"

From f4783073f011bfb5cbf5d6fc450582d8c9c9419b Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Wed, 17 Nov 2021 12:09:51 +0100
Subject: [PATCH 07/11] fix: userinfo endpoint authn timestamp event comparison

---
 src/oidcop/oidc/userinfo.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/oidcop/oidc/userinfo.py b/src/oidcop/oidc/userinfo.py
index 1abbbaa0..5bb69eec 100755
--- a/src/oidcop/oidc/userinfo.py
+++ b/src/oidcop/oidc/userinfo.py
@@ -1,5 +1,6 @@
 import json
 import logging
+from datetime import datetime
 from typing import Callable
 from typing import Optional
 from typing import Union
@@ -127,12 +128,11 @@ def process_request(self, request=None, **kwargs):
         allowed = True
         _auth_event = _grant.authentication_event
         # if the authenticate is still active or offline_access is granted.
-        if _auth_event["valid_until"] > utc_time_sans_frac():
-            pass
-        else:
+        if not _auth_event["valid_until"] >= utc_time_sans_frac():
             logger.debug(
                 "authentication not valid: {} > {}".format(
-                    _auth_event["valid_until"], utc_time_sans_frac()
+                    datetime.fromtimestamp(_auth_event["valid_until"]),
+                    datetime.fromtimestamp(utc_time_sans_frac())
                 )
             )
             allowed = False

From 39a0f7efc016622a401464a7e1e7a705bf380b9e Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Wed, 17 Nov 2021 12:11:30 +0100
Subject: [PATCH 08/11] fix: oidcmsg dep up to 1.5.3

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index 1f22bc4b..47b7b04b 100644
--- a/setup.py
+++ b/setup.py
@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.5.1",
+        "oidcmsg==1.5.3",
         "pyyaml",
         "jinja2>=2.11.3",
         "responses>=0.13.0"

From b86b705093d79bfa7641005c184ad1a995716f3d Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Thu, 18 Nov 2021 23:45:33 +0100
Subject: [PATCH 09/11] chore: code linting

---
 src/oidcop/authz/__init__.py           |  10 +-
 src/oidcop/client_authn.py             |   9 +-
 src/oidcop/configure.py                | 193 +++++++++++++++----------
 src/oidcop/cookie_handler.py           |  22 +--
 src/oidcop/endpoint.py                 |   8 +-
 src/oidcop/endpoint_context.py         |  32 ++--
 src/oidcop/logging.py                  |   4 +-
 src/oidcop/login_hint.py               |   1 +
 src/oidcop/oauth2/authorization.py     | 159 +++++++++++---------
 src/oidcop/oauth2/token.py             |  10 +-
 src/oidcop/oidc/add_on/pkce.py         |  17 ++-
 src/oidcop/oidc/authorization.py       |  15 +-
 src/oidcop/oidc/registration.py        |  34 +++--
 src/oidcop/oidc/session.py             |  30 ++--
 src/oidcop/oidc/token.py               |  10 +-
 src/oidcop/oidc/userinfo.py            |  12 +-
 src/oidcop/scopes.py                   |   6 +-
 src/oidcop/server.py                   |   2 +-
 src/oidcop/session/claims.py           |  63 ++++----
 src/oidcop/session/database.py         |   2 +-
 src/oidcop/session/grant.py            | 125 ++++++++--------
 src/oidcop/session/info.py             |   4 +-
 src/oidcop/session/manager.py          | 104 +++++++------
 src/oidcop/session/token.py            | 128 ++++++++--------
 src/oidcop/token/__init__.py           |   7 +-
 src/oidcop/token/handler.py            |  37 ++---
 src/oidcop/token/id_token.py           |  15 +-
 src/oidcop/token/jwt_token.py          |  23 ++-
 src/oidcop/user_authn/authn_context.py |   8 +-
 src/oidcop/user_authn/user.py          |  23 ++-
 src/oidcop/util.py                     |   2 +-
 31 files changed, 604 insertions(+), 511 deletions(-)

diff --git a/src/oidcop/authz/__init__.py b/src/oidcop/authz/__init__.py
index a22a11bb..72b69797 100755
--- a/src/oidcop/authz/__init__.py
+++ b/src/oidcop/authz/__init__.py
@@ -57,7 +57,10 @@ def usage_rules_for(self, client_id, token_type):
             return {}
 
     def __call__(
-        self, session_id: str, request: Union[dict, Message], resources: Optional[list] = None,
+        self,
+        session_id: str,
+        request: Union[dict, Message],
+        resources: Optional[list] = None,
     ) -> Grant:
         session_info = self.server_get("endpoint_context").session_manager.get_session_info(
             session_id=session_id, grant=True
@@ -93,7 +96,10 @@ def __call__(
 
 class Implicit(AuthzHandling):
     def __call__(
-        self, session_id: str, request: Union[dict, Message], resources: Optional[list] = None,
+        self,
+        session_id: str,
+        request: Union[dict, Message],
+        resources: Optional[list] = None,
     ) -> Grant:
         args = self.grant_config.copy()
         grant = self.server_get("endpoint_context").session_manager.get_grant(session_id=session_id)
diff --git a/src/oidcop/client_authn.py b/src/oidcop/client_authn.py
index 7678419a..8c540b01 100755
--- a/src/oidcop/client_authn.py
+++ b/src/oidcop/client_authn.py
@@ -141,8 +141,7 @@ def verify(self, request, **kwargs):
 
 
 class BearerHeader(ClientSecretBasic):
-    """
-    """
+    """"""
 
     tag = "bearer_header"
 
@@ -348,7 +347,7 @@ def verify_client(
         authorization_token = None
 
     auth_info = {}
-    _methods = getattr(endpoint, 'client_authn_method', [])
+    _methods = getattr(endpoint, "client_authn_method", [])
 
     for _method in _methods:
         if _method is None:
@@ -356,7 +355,9 @@ def verify_client(
         if _method.is_usable(request, authorization_token):
             try:
                 auth_info = _method.verify(
-                    request=request, authorization_token=authorization_token, endpoint=endpoint,
+                    request=request,
+                    authorization_token=authorization_token,
+                    endpoint=endpoint,
                 )
             except Exception as err:
                 logger.warning("Verifying auth using {} failed: {}".format(_method.tag, err))
diff --git a/src/oidcop/configure.py b/src/oidcop/configure.py
index 5f51bac9..2b9cc6d9 100755
--- a/src/oidcop/configure.py
+++ b/src/oidcop/configure.py
@@ -24,7 +24,7 @@
     "private_path",
     "public_path",
     "db_file",
-    "jwks_file"
+    "jwks_file",
 ]
 
 OP_DEFAULT_CONFIG = {
@@ -48,8 +48,11 @@
                 ],
                 "read_only": False,
             },
-            "name": {"session": "oidc_op", "register": "oidc_op_rp",
-                     "session_management": "sman", },
+            "name": {
+                "session": "oidc_op",
+                "register": "oidc_op_rp",
+                "session_management": "sman",
+            },
         },
     },
     "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
@@ -59,13 +62,17 @@
             "grant_config": {
                 "usage_rules": {
                     "authorization_code": {
-                        "supports_minting": ["access_token", "refresh_token", "id_token", ],
+                        "supports_minting": [
+                            "access_token",
+                            "refresh_token",
+                            "id_token",
+                        ],
                         "max_usage": 1,
                     },
                     "access_token": {},
                     "refresh_token": {
                         "supports_minting": ["access_token", "refresh_token"],
-                        "expires_in": -1
+                        "expires_in": -1,
                     },
                 },
                 "expires_in": 43200,
@@ -78,8 +85,14 @@
     "token_handler_args": {
         "jwks_file": "private/token_jwks.json",
         "code": {"kwargs": {"lifetime": 600}},
-        "token": {"class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 3600}, },
-        "refresh": {"class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 86400}, },
+        "token": {
+            "class": "oidcop.token.jwt_token.JWTToken",
+            "kwargs": {"lifetime": 3600},
+        },
+        "refresh": {
+            "class": "oidcop.token.jwt_token.JWTToken",
+            "kwargs": {"lifetime": 86400},
+        },
         "id_token": {"class": "oidcop.token.id_token.IDToken", "kwargs": {}},
     },
     "scopes_to_claims": SCOPE2CLAIMS,
@@ -87,7 +100,8 @@
 
 AS_DEFAULT_CONFIG = copy.deepcopy(OP_DEFAULT_CONFIG)
 AS_DEFAULT_CONFIG["claims_interface"] = {
-    "class": "oidcop.session.claims.OAuth2ClaimsInterface", "kwargs": {}
+    "class": "oidcop.session.claims.OAuth2ClaimsInterface",
+    "kwargs": {},
 }
 
 
@@ -128,13 +142,13 @@ def set_domain_and_port(conf: dict, uris: List[str], domain: str, port: int):
 
 
 def create_from_config_file(
-        cls,
-        filename: str,
-        base_path: str = "",
-        entity_conf: Optional[List[dict]] = None,
-        file_attributes: Optional[List[str]] = None,
-        domain: Optional[str] = "",
-        port: Optional[int] = 0,
+    cls,
+    filename: str,
+    base_path: str = "",
+    entity_conf: Optional[List[dict]] = None,
+    file_attributes: Optional[List[str]] = None,
+    domain: Optional[str] = "",
+    port: Optional[int] = 0,
 ):
     if filename.endswith(".yaml"):
         """Load configuration as YAML"""
@@ -166,7 +180,10 @@ class Base(dict):
     parameter = {}
 
     def __init__(
-            self, conf: Dict, base_path: str = "", file_attributes: Optional[List[str]] = None,
+        self,
+        conf: Dict,
+        base_path: str = "",
+        file_attributes: Optional[List[str]] = None,
     ):
         dict.__init__(self)
 
@@ -182,12 +199,12 @@ def __getattr__(self, item):
 
     def __setattr__(self, key, value):
         if key in self:
-            raise KeyError('{} has already been set'.format(key))
+            raise KeyError("{} has already been set".format(key))
         super(Base, self).__setitem__(key, value)
 
     def __setitem__(self, key, value):
         if key in self:
-            raise KeyError('{} has already been set'.format(key))
+            raise KeyError("{} has already been set".format(key))
         super(Base, self).__setitem__(key, value)
 
 
@@ -214,13 +231,13 @@ class EntityConfiguration(Base):
     }
 
     def __init__(
-            self,
-            conf: Dict,
-            base_path: Optional[str] = "",
-            entity_conf: Optional[List[dict]] = None,
-            domain: Optional[str] = "",
-            port: Optional[int] = 0,
-            file_attributes: Optional[List[str]] = None,
+        self,
+        conf: Dict,
+        base_path: Optional[str] = "",
+        entity_conf: Optional[List[dict]] = None,
+        domain: Optional[str] = "",
+        port: Optional[int] = 0,
+        file_attributes: Optional[List[str]] = None,
     ):
 
         conf = copy.deepcopy(conf)
@@ -240,19 +257,20 @@ def __init__(
             if not _val:
                 if key in self.default_config:
                     _val = copy.deepcopy(self.default_config[key])
-                    self.format(_val, base_path=base_path, file_attributes=file_attributes,
-                                domain=domain, port=port)
+                    self.format(
+                        _val,
+                        base_path=base_path,
+                        file_attributes=file_attributes,
+                        domain=domain,
+                        port=port,
+                    )
                 else:
                     continue
 
             if key not in DEFAULT_EXTENDED_CONF:
-                logger.warning(
-                    f"{key} not seems to be a valid configuration parameter"
-                )
+                logger.warning(f"{key} not seems to be a valid configuration parameter")
             elif not _val:
-                logger.warning(
-                        f"{key} not configured, using default configuration values"
-                    )
+                logger.warning(f"{key} not configured, using default configuration values")
 
             if key == "template_dir":
                 _val = os.path.abspath(_val)
@@ -314,38 +332,45 @@ def __init__(
             port=port,
             file_attributes=file_attributes,
         )
-        scopes_to_claims = self.scopes_to_claims
+        self.scopes_to_claims
 
 
 class ASConfiguration(EntityConfiguration):
     "Authorization server configuration"
 
     def __init__(
-            self,
-            conf: Dict,
-            base_path: Optional[str] = "",
-            entity_conf: Optional[List[dict]] = None,
-            domain: Optional[str] = "",
-            port: Optional[int] = 0,
-            file_attributes: Optional[List[str]] = None,
+        self,
+        conf: Dict,
+        base_path: Optional[str] = "",
+        entity_conf: Optional[List[dict]] = None,
+        domain: Optional[str] = "",
+        port: Optional[int] = 0,
+        file_attributes: Optional[List[str]] = None,
     ):
-        EntityConfiguration.__init__(self, conf=conf, base_path=base_path,
-                                     entity_conf=entity_conf, domain=domain, port=port,
-                                     file_attributes=file_attributes)
+        EntityConfiguration.__init__(
+            self,
+            conf=conf,
+            base_path=base_path,
+            entity_conf=entity_conf,
+            domain=domain,
+            port=port,
+            file_attributes=file_attributes,
+        )
 
 
 class Configuration(Base):
     """Server Configuration"""
+
     uris = ["issuer", "base_url"]
 
     def __init__(
-            self,
-            conf: Dict,
-            entity_conf: Optional[List[dict]] = None,
-            base_path: str = "",
-            file_attributes: Optional[List[str]] = None,
-            domain: Optional[str] = "",
-            port: Optional[int] = 0,
+        self,
+        conf: Dict,
+        entity_conf: Optional[List[dict]] = None,
+        base_path: str = "",
+        file_attributes: Optional[List[str]] = None,
+        domain: Optional[str] = "",
+        port: Optional[int] = 0,
     ):
         Base.__init__(self, conf, base_path, file_attributes)
 
@@ -415,13 +440,17 @@ def __init__(
             "grant_config": {
                 "usage_rules": {
                     "authorization_code": {
-                        "supports_minting": ["access_token", "refresh_token", "id_token", ],
+                        "supports_minting": [
+                            "access_token",
+                            "refresh_token",
+                            "id_token",
+                        ],
                         "max_usage": 1,
                     },
                     "access_token": {},
                     "refresh_token": {
                         "supports_minting": ["access_token", "refresh_token"],
-                        "expires_in": -1
+                        "expires_in": -1,
                     },
                 },
                 "expires_in": 43200,
@@ -435,7 +464,10 @@ def __init__(
             "kwargs": {
                 "verify_endpoint": "verify/user",
                 "template": "user_pass.jinja2",
-                "db": {"class": "oidcop.util.JSONDictDB", "kwargs": {"filename": "passwd.json"}, },
+                "db": {
+                    "class": "oidcop.util.JSONDictDB",
+                    "kwargs": {"filename": "passwd.json"},
+                },
                 "page_header": "Testing log in",
                 "submit_btn": "Get me in!",
                 "user_label": "Nickname",
@@ -463,8 +495,11 @@ def __init__(
                 ],
                 "read_only": False,
             },
-            "name": {"session": "oidc_op", "register": "oidc_op_rp",
-                     "session_management": "sman", },
+            "name": {
+                "session": "oidc_op",
+                "register": "oidc_op_rp",
+                "session_management": "sman",
+            },
         },
     },
     "endpoint": {
@@ -481,7 +516,10 @@ def __init__(
         "registration": {
             "path": "registration",
             "class": "oidcop.oidc.registration.Registration",
-            "kwargs": {"client_authn_method": None, "client_secret_expiration_time": 432000, },
+            "kwargs": {
+                "client_authn_method": None,
+                "client_secret_expiration_time": 432000,
+            },
         },
         "registration_api": {
             "path": "registration_api",
@@ -491,7 +529,10 @@ def __init__(
         "introspection": {
             "path": "introspection",
             "class": "oidcop.oauth2.introspection.Introspection",
-            "kwargs": {"client_authn_method": ["client_secret_post"], "release": ["username"], },
+            "kwargs": {
+                "client_authn_method": ["client_secret_post"],
+                "release": ["username"],
+            },
         },
         "authorization": {
             "path": "authorization",
@@ -562,7 +603,8 @@ def __init__(
         "class": "oidcop.login_hint.LoginHint2Acrs",
         "kwargs": {
             "scheme_map": {
-                "email": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"]}
+                "email": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"]
+            }
         },
     },
     "template_dir": "templates",
@@ -583,7 +625,10 @@ def __init__(
         },
         "refresh": {
             "class": "oidcop.token.jwt_token.JWTToken",
-            "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
+            "kwargs": {
+                "lifetime": 3600,
+                "aud": ["https://example.org/appl"],
+            },
         },
         "id_token": {
             "class": "oidcop.token.id_token.IDToken",
@@ -595,24 +640,20 @@ def __init__(
             },
         },
     },
-    "userinfo": {"class": "oidcop.user_info.UserInfo", "kwargs": {"db_file": "users.json"}, },
+    "userinfo": {
+        "class": "oidcop.user_info.UserInfo",
+        "kwargs": {"db_file": "users.json"},
+    },
     "scopes_to_claims": SCOPE2CLAIMS,
     "session_params": {
-      "password": "ses_key",
-      "salt": "ses_salt",
-      "sub_func": {
-        "public": {
-          "class": "oidcop.session.manager.PublicID",
-          "kwargs": {
-            "salt": "mysalt"
-          }
+        "password": "ses_key",
+        "salt": "ses_salt",
+        "sub_func": {
+            "public": {"class": "oidcop.session.manager.PublicID", "kwargs": {"salt": "mysalt"}},
+            "pairwise": {
+                "class": "oidcop.session.manager.PairWiseID",
+                "kwargs": {"salt": "mysalt"},
+            },
         },
-        "pairwise": {
-          "class": "oidcop.session.manager.PairWiseID",
-          "kwargs": {
-            "salt": "mysalt"
-          }
-        }
-     }
     },
 }
diff --git a/src/oidcop/cookie_handler.py b/src/oidcop/cookie_handler.py
index 7812f825..ea2549b5 100755
--- a/src/oidcop/cookie_handler.py
+++ b/src/oidcop/cookie_handler.py
@@ -37,7 +37,7 @@ def __init__(
         keys: Optional[dict] = None,
         sign_alg: [str] = "SHA256",
         name: Optional[dict] = None,
-        **kwargs
+        **kwargs,
     ):
 
         if keys:
@@ -79,12 +79,12 @@ def __init__(
             self.name = name
 
         self.flags = kwargs.get(
-            'flags',
+            "flags",
             {
-              "samesite": "None",
-              "httponly": True,
-              "secure": True,
-            }
+                "samesite": "None",
+                "httponly": True,
+                "secure": True,
+            },
         )
 
     def _sign_enc_payload(self, payload: str, timestamp: Optional[Union[int, str]] = 0):
@@ -153,7 +153,9 @@ def _ver_dec_content(self, parts):
             mac = base64.b64decode(b64_mac)
             verifier = HMACSigner(algorithm=self.sign_alg)
             if verifier.verify(
-                payload.encode("utf-8") + timestamp.encode("utf-8"), mac, self.sign_key.key,
+                payload.encode("utf-8") + timestamp.encode("utf-8"),
+                mac,
+                self.sign_key.key,
             ):
                 return payload, timestamp
             else:
@@ -194,7 +196,7 @@ def make_cookie_content(
         typ: Optional[str] = "",
         timestamp: Optional[Union[int, str]] = "",
         max_age: Optional[int] = 0,
-        **kwargs
+        **kwargs,
     ) -> dict:
         """
         Create and return information to put in a cookie
@@ -228,7 +230,7 @@ def make_cookie_content(
         elif max_age:
             content["max-age"] = epoch_in_a_while(seconds=max_age)
 
-        for k,v in self.flags.items():
+        for k, v in self.flags.items():
             content[k] = v
 
         return content
@@ -253,7 +255,7 @@ def parse_cookie(self, name: str, cookies: List[dict]) -> Optional[List[dict]]:
         LOGGER.debug("Looking for '{}' cookies".format(name))
         res = []
         for _cookie in cookies:
-            LOGGER.debug('Cookie: {}'.format(_cookie))
+            LOGGER.debug("Cookie: {}".format(_cookie))
             if "name" in _cookie and _cookie["name"] == name:
                 _content = self._ver_dec_content(_cookie["value"].split("|"))
                 if _content:
diff --git a/src/oidcop/endpoint.py b/src/oidcop/endpoint.py
index 3a9a1994..854b85ae 100755
--- a/src/oidcop/endpoint.py
+++ b/src/oidcop/endpoint.py
@@ -1,6 +1,5 @@
 import logging
 from typing import Callable
-from typing import List
 from typing import Optional
 from typing import Union
 from urllib.parse import urlparse
@@ -194,7 +193,7 @@ def parse_request(
             _error = "invalid_request"
             if isinstance(err, ValueError) and self.request_cls == RegistrationRequest:
                 if len(err.args) > 1:
-                    if err.args[1] == 'initiate_login_uri':
+                    if err.args[1] == "initiate_login_uri":
                         _error = "invalid_client_metadata"
 
             return self.error_cls(error=_error, error_description="%s" % err)
@@ -202,8 +201,9 @@ def parse_request(
         LOGGER.info("Parsed and verified request: %s" % sanitize(req))
 
         # Do any endpoint specific parsing
-        return self.do_post_parse_request(request=req, client_id=_client_id, http_info=http_info,
-                                          **kwargs)
+        return self.do_post_parse_request(
+            request=req, client_id=_client_id, http_info=http_info, **kwargs
+        )
 
     def get_client_id_from_token(
         self,
diff --git a/src/oidcop/endpoint_context.py b/src/oidcop/endpoint_context.py
index 9bdc4035..fb513a58 100755
--- a/src/oidcop/endpoint_context.py
+++ b/src/oidcop/endpoint_context.py
@@ -74,13 +74,13 @@ def get_token_handler_args(conf: dict) -> dict:
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"},
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "token"},
             {"type": "oct", "bytes": "24", "use": ["enc"], "kid": "refresh"},
-            ]
+        ]
 
         jwks_def = {
             "private_path": "private/token_jwks.json",
             "key_defs": keydef,
             "read_only": False,
-            }
+        }
         th_args = {"jwks_def": jwks_def}
         for typ, tid in [("code", 600), ("token", 3600), ("refresh", 86400)]:
             th_args[typ] = {"lifetime": tid}
@@ -116,17 +116,17 @@ class EndpointContext(OidcContext):
         "symkey": "",
         "token_args_methods": [],
         # "userinfo": UserInfo,
-        }
+    }
 
     def __init__(
-            self,
-            conf: Union[dict, OPConfiguration],
-            server_get: Callable,
-            keyjar: Optional[KeyJar] = None,
-            cwd: Optional[str] = "",
-            cookie_handler: Optional[Any] = None,
-            httpc: Optional[Any] = None,
-            ):
+        self,
+        conf: Union[dict, OPConfiguration],
+        server_get: Callable,
+        keyjar: Optional[KeyJar] = None,
+        cwd: Optional[str] = "",
+        cookie_handler: Optional[Any] = None,
+        httpc: Optional[Any] = None,
+    ):
         OidcContext.__init__(self, conf, keyjar, entity_id=conf.get("issuer", ""))
         self.conf = conf
         self.server_get = server_get
@@ -175,7 +175,7 @@ def __init__(
             "symkey",
             "client_authn",
             # "id_token_schema",
-            ]:
+        ]:
             try:
                 setattr(self, param, conf[param])
             except KeyError:
@@ -216,7 +216,7 @@ def __init__(
             "authentication",
             "id_token",
             "scope2claims",
-            ]:
+        ]:
             _func = getattr(self, "do_{}".format(item), None)
             if _func:
                 _func()
@@ -243,7 +243,7 @@ def __init__(
     def new_cookie(self, name: str, max_age: Optional[int] = 0, **kwargs):
         cookie_cont = self.cookie_handler.make_cookie_content(
             name=name, value=json.dumps(kwargs), max_age=max_age
-            )
+        )
         return cookie_cont
 
     def set_scopes_handler(self):
@@ -257,7 +257,7 @@ def set_scopes_handler(self):
                 self.server_get,
                 allowed_scopes=self.conf.get("allowed_scopes"),
                 scopes_to_claims=self.conf.get("scopes_to_claims"),
-                )
+            )
 
     def do_add_on(self, endpoints):
         _add_on_conf = self.conf.get("add_on")
@@ -335,6 +335,6 @@ def create_providerinfo(self, capabilities):
         if "claims_supported" not in _provider_info:
             _provider_info["claims_supported"] = list(
                 self.scopes_handler.scopes_to_claims(_provider_info["scopes_supported"]).keys()
-                )
+            )
 
         return _provider_info
diff --git a/src/oidcop/logging.py b/src/oidcop/logging.py
index d04c577e..10dfdc1e 100755
--- a/src/oidcop/logging.py
+++ b/src/oidcop/logging.py
@@ -17,7 +17,9 @@
 
 
 def configure_logging(
-    debug: Optional[bool] = False, config: Optional[dict] = None, filename: Optional[str] = "",
+    debug: Optional[bool] = False,
+    config: Optional[dict] = None,
+    filename: Optional[str] = "",
 ) -> logging.Logger:
     """Configure logging"""
 
diff --git a/src/oidcop/login_hint.py b/src/oidcop/login_hint.py
index cd64a3c9..904a64a2 100644
--- a/src/oidcop/login_hint.py
+++ b/src/oidcop/login_hint.py
@@ -24,6 +24,7 @@ class LoginHint2Acrs(object):
     """
     OIDC Login hint support
     """
+
     def __init__(self, scheme_map, server_get=None):
         self.scheme_map = scheme_map
         self.server_get = server_get
diff --git a/src/oidcop/oauth2/authorization.py b/src/oidcop/oauth2/authorization.py
index d84e36ef..86b7ce82 100755
--- a/src/oidcop/oauth2/authorization.py
+++ b/src/oidcop/oauth2/authorization.py
@@ -37,7 +37,6 @@
 from oidcop.exception import UnAuthorizedClientScope
 from oidcop.exception import UnknownClient
 from oidcop.session import Revoked
-from oidcop.session.grant import Grant
 from oidcop.token.exception import UnknownToken
 from oidcop.user_authn.authn_context import pick_auth
 from oidcop.util import split_uri
@@ -46,11 +45,18 @@
 
 # For the time being. This is JAR specific and should probably be configurable.
 ALG_PARAMS = {
-    "sign": ["request_object_signing_alg", "request_object_signing_alg_values_supported", ],
-    "enc_alg": ["request_object_encryption_alg",
-                "request_object_encryption_alg_values_supported", ],
-    "enc_enc": ["request_object_encryption_enc",
-                "request_object_encryption_enc_values_supported", ],
+    "sign": [
+        "request_object_signing_alg",
+        "request_object_signing_alg_values_supported",
+    ],
+    "enc_alg": [
+        "request_object_encryption_alg",
+        "request_object_encryption_alg_values_supported",
+    ],
+    "enc_enc": [
+        "request_object_encryption_enc",
+        "request_object_encryption_enc_values_supported",
+    ],
 }
 
 FORM_POST = """<html>
@@ -84,10 +90,10 @@ def max_age(request):
 
 
 def verify_uri(
-        endpoint_context: EndpointContext,
-        request: Union[dict, Message],
-        uri_type: str,
-        client_id: Optional[str] = None,
+    endpoint_context: EndpointContext,
+    request: Union[dict, Message],
+    uri_type: str,
+    client_id: Optional[str] = None,
 ):
     """
     A redirect URI
@@ -183,7 +189,7 @@ def join_query(base, query):
 
 
 def get_uri(endpoint_context, request, uri_type):
-    """ verify that the redirect URI is reasonable.
+    """verify that the redirect URI is reasonable.
 
     :param endpoint_context: An EndpointContext instance
     :param request: The Authorization request
@@ -214,7 +220,10 @@ def get_uri(endpoint_context, request, uri_type):
 
 
 def authn_args_gather(
-        request: Union[AuthorizationRequest, dict], authn_class_ref: str, cinfo: dict, **kwargs,
+    request: Union[AuthorizationRequest, dict],
+    authn_class_ref: str,
+    cinfo: dict,
+    **kwargs,
 ):
     """
     Gather information to be used by the authentication method
@@ -257,9 +266,7 @@ def check_unknown_scopes_policy(request_info, client_id, endpoint_context):
         return
 
     scope = request_info["scope"]
-    filtered_scopes = set(
-        endpoint_context.scopes_handler.filter_scopes(scope, client_id=client_id)
-    )
+    filtered_scopes = set(endpoint_context.scopes_handler.filter_scopes(scope, client_id=client_id))
     scopes = set(scope)
     # this prevents that authz would be released for unavailable scopes
     if scopes != filtered_scopes:
@@ -383,10 +390,16 @@ def _do_request_uri(self, request, client_id, endpoint_context, **kwargs):
                 )
                 if _ver_request.jwe_header is not None:
                     self.allowed_request_algorithms(
-                        client_id, endpoint_context, _ver_request.jws_header.get("alg"), "enc_alg",
+                        client_id,
+                        endpoint_context,
+                        _ver_request.jws_header.get("alg"),
+                        "enc_alg",
                     )
                     self.allowed_request_algorithms(
-                        client_id, endpoint_context, _ver_request.jws_header.get("enc"), "enc_enc",
+                        client_id,
+                        endpoint_context,
+                        _ver_request.jws_header.get("enc"),
+                        "enc_enc",
                     )
                 # The protected info overwrites the non-protected
                 for k, v in _ver_request.items():
@@ -410,18 +423,18 @@ def _post_parse_request(self, request, client_id, endpoint_context, **kwargs):
         """
         if not request:
             logger.debug("No AuthzRequest")
-            return self.authentication_error_response(request,
-                                                      error="invalid_request",
-                                                      error_description="Can not parse AuthzRequest"
-                                                      )
+            return self.authentication_error_response(
+                request, error="invalid_request", error_description="Can not parse AuthzRequest"
+            )
 
         request = self.filter_request(endpoint_context, request)
 
         _cinfo = endpoint_context.cdb.get(client_id)
         if not _cinfo:
             logger.error("Client ID ({}) not in client database".format(request["client_id"]))
-            return self.authentication_error_response(request, error="unauthorized_client",
-                                                      error_description="unknown client")
+            return self.authentication_error_response(
+                request, error="unauthorized_client", error_description="unknown client"
+            )
 
         # Is the asked for response_type among those that are permitted
         if not self.verify_response_type(request, _cinfo):
@@ -458,9 +471,7 @@ def pick_authn_method(self, request, redirect_uri, acr=None, **kwargs):
             try:
                 res = pick_auth(_context, request)
             except Exception as exc:
-                logger.exception(
-                    f"An error occurred while picking the authN broker: {exc}"
-                )
+                logger.exception(f"An error occurred while picking the authN broker: {exc}")
         if res:
             return res
         else:
@@ -474,7 +485,11 @@ def pick_authn_method(self, request, redirect_uri, acr=None, **kwargs):
     def create_session(self, request, user_id, acr, time_stamp, authn_method):
         _context = self.server_get("endpoint_context")
         _mngr = _context.session_manager
-        authn_event = create_authn_event(user_id, authn_info=acr, time_stamp=time_stamp, )
+        authn_event = create_authn_event(
+            user_id,
+            authn_info=acr,
+            time_stamp=time_stamp,
+        )
         _exp_in = authn_method.kwargs.get("expires_in")
         if _exp_in and "valid_until" in authn_event:
             authn_event["valid_until"] = utc_time_sans_frac() + _exp_in
@@ -512,13 +527,13 @@ def _unwrap_identity(self, identity):
         return json.loads(as_unicode(_id))
 
     def setup_auth(
-            self,
-            request: Optional[Union[Message, dict]],
-            redirect_uri: str,
-            cinfo: dict,
-            cookie: List[dict] = None,
-            acr: str = None,
-            **kwargs,
+        self,
+        request: Optional[Union[Message, dict]],
+        redirect_uri: str,
+        cinfo: dict,
+        cookie: List[dict] = None,
+        acr: str = None,
+        **kwargs,
     ) -> dict:
         """
 
@@ -544,7 +559,7 @@ def setup_auth(
                 _max_age = 0
             else:
                 _max_age = max_age(request)
-            logger.debug(f'Max age: {_max_age}')
+            logger.debug(f"Max age: {_max_age}")
             identity, _ts = authn.authenticated_as(
                 client_id, cookie, authorization=_auth_info, max_age=_max_age
             )
@@ -641,12 +656,12 @@ def aresp_check(self, aresp, request):
         return ""
 
     def response_mode(
-            self,
-            request: Union[dict, AuthorizationRequest],
-            response_args: Optional[Union[dict, AuthorizationResponse]] = None,
-            return_uri: Optional[str] = "",
-            fragment_enc: Optional[bool] = None,
-            **kwargs,
+        self,
+        request: Union[dict, AuthorizationRequest],
+        response_args: Optional[Union[dict, AuthorizationResponse]] = None,
+        return_uri: Optional[str] = "",
+        fragment_enc: Optional[bool] = None,
+        **kwargs,
     ) -> dict:
         resp_mode = request["response_mode"]
         if resp_mode == "form_post":
@@ -664,7 +679,11 @@ def response_mode(
 
             msg = FORM_POST.format(inputs=inputs(_args), action=return_uri)
             kwargs.update(
-                {"response_msg": msg, "content_type": "text/html", "response_placement": "body", }
+                {
+                    "response_msg": msg,
+                    "content_type": "text/html",
+                    "response_placement": "body",
+                }
             )
         elif resp_mode == "fragment":
             if fragment_enc is False:
@@ -685,15 +704,15 @@ def response_mode(
         return kwargs
 
     def error_response(self, response_info, request, error, error_description):
-        resp = self.authentication_error_response(request,
-                                                  error=error,
-                                                  error_description=str(error_description))
+        resp = self.authentication_error_response(
+            request, error=error, error_description=str(error_description)
+        )
         response_info["response_args"] = resp
         return response_info
 
     def error_by_response_mode(self, response_info, request, error, error_description):
         response_info = self.error_response(response_info, request, error, error_description)
-        if 'return_uri' not in response_info:
+        if "return_uri" not in response_info:
             response_info["return_uri"] = request["redirect_uri"]
         response_info = self.response_mode(request, **response_info)
         return response_info
@@ -732,7 +751,9 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
 
             if "code" in request["response_type"]:
                 _code = self.mint_token(
-                    token_class="authorization_code", grant=grant, session_id=_sinfo["session_id"],
+                    token_class="authorization_code",
+                    grant=grant,
+                    session_id=_sinfo["session_id"],
                 )
                 aresp["code"] = _code.value
                 handled_response_type.append("code")
@@ -741,7 +762,9 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
 
             if "token" in rtype:
                 _access_token = self.mint_token(
-                    token_class="access_token", grant=grant, session_id=_sinfo["session_id"],
+                    token_class="access_token",
+                    grant=grant,
+                    session_id=_sinfo["session_id"],
                 )
                 aresp["access_token"] = _access_token.value
                 aresp["token_type"] = "Bearer"
@@ -788,7 +811,8 @@ def create_authn_response(self, request: Union[dict, Message], sid: str) -> dict
             if not_handled:
                 resp = self.authentication_error_response(
                     request,
-                    error="invalid_request", error_description="unsupported_response_type",
+                    error="invalid_request",
+                    error_description="unsupported_response_type",
                 )
                 return {"response_args": resp, "fragment_enc": fragment_enc}
 
@@ -820,8 +844,9 @@ def post_authentication(self, request: Union[dict, Message], session_id: str, **
         try:
             _mngr.set([user_id, client_id, grant_id], grant)
         except Exception as err:
-            return self.error_response(response_info, request, "server_error",
-                                       "{}".format(err.args))
+            return self.error_response(
+                response_info, request, "server_error", "{}".format(err.args)
+            )
 
         logger.debug("response type: %s" % request["response_type"])
 
@@ -833,8 +858,9 @@ def post_authentication(self, request: Union[dict, Message], session_id: str, **
         try:
             redirect_uri = get_uri(_context, request, "redirect_uri")
         except (RedirectURIError, ParameterError) as err:
-            return self.error_response(response_info, request, "invalid_request",
-                                       "{}".format(err.args))
+            return self.error_response(
+                response_info, request, "invalid_request", "{}".format(err.args)
+            )
         else:
             response_info["return_uri"] = redirect_uri
 
@@ -846,8 +872,9 @@ def post_authentication(self, request: Union[dict, Message], session_id: str, **
             try:
                 response_info = self.response_mode(request, **response_info)
             except InvalidRequest as err:
-                return self.error_response(response_info, request, "invalid_request",
-                                           "{}".format(err.args))
+                return self.error_response(
+                    response_info, request, "invalid_request", "{}".format(err.args)
+                )
 
         _cookie_info = _context.new_cookie(
             name=_context.cookie_handler.name["session"],
@@ -885,13 +912,15 @@ def authz_part2(self, request, session_id, **kwargs):
                 return self.error_by_response_mode({}, request, "server_error", "No such session")
             else:
                 if authn_event.is_valid() is False:
-                    return self.error_by_response_mode({}, request, "server_error",
-                                                       "Authentication has timed out")
+                    return self.error_by_response_mode(
+                        {}, request, "server_error", "Authentication has timed out"
+                    )
 
             _state = b64e(as_bytes(json.dumps({"authn_time": authn_event["authn_time"]})))
 
             _session_cookie_content = _context.new_cookie(
-                name=_context.cookie_handler.name["session_management"], state=as_unicode(_state),
+                name=_context.cookie_handler.name["session_management"],
+                state=as_unicode(_state),
             )
 
             opbs_value = _session_cookie_content["value"]
@@ -909,9 +938,7 @@ def authz_part2(self, request, session_id, **kwargs):
                 salt,
             )
 
-            _session_state = compute_session_state(
-                opbs_value, salt, request["client_id"], re_uri
-            )
+            _session_state = compute_session_state(opbs_value, salt, request["client_id"], re_uri)
 
             if _session_cookie_content:
                 if "cookie" in resp_info:
@@ -933,12 +960,12 @@ def do_request_user(self, request_info, **kwargs):
         return kwargs
 
     def process_request(
-            self,
-            request: Optional[Union[Message, dict]] = None,
-            http_info: Optional[dict] = None,
-            **kwargs,
+        self,
+        request: Optional[Union[Message, dict]] = None,
+        http_info: Optional[dict] = None,
+        **kwargs,
     ):
-        """ The AuthorizationRequest endpoint
+        """The AuthorizationRequest endpoint
 
         :param http_info: Information on the HTTP request
         :param request: The authorization request as a Message instance
diff --git a/src/oidcop/oauth2/token.py b/src/oidcop/oauth2/token.py
index 3bc3850a..108bfc7e 100755
--- a/src/oidcop/oauth2/token.py
+++ b/src/oidcop/oauth2/token.py
@@ -3,7 +3,6 @@
 from typing import Union
 
 from cryptojwt.jwe.exception import JWEException
-from cryptojwt.jwt import utc_time_sans_frac
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import AccessTokenResponse
 from oidcmsg.oauth2 import ResponseMessage
@@ -54,7 +53,7 @@ def _mint_token(
         based_on: Optional[SessionToken] = None,
         scope: Optional[list] = None,
         token_args: Optional[dict] = None,
-        token_type: Optional[str] = ""
+        token_type: Optional[str] = "",
     ) -> SessionToken:
         _context = self.endpoint.server_get("endpoint_context")
         _mngr = _context.session_manager
@@ -296,7 +295,8 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 
         token.register_usage()
 
-        if ("client_id" in req
+        if (
+            "client_id" in req
             and req["client_id"] in _context.cdb
             and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
         ):
@@ -477,7 +477,9 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
             name=_context.cookie_handler.name["session"],
             sub=_session_info["grant"].sub,
             sid=_context.session_manager.session_key(
-                _session_info["user_id"], _session_info["user_id"], _session_info["grant"].id,
+                _session_info["user_id"],
+                _session_info["user_id"],
+                _session_info["grant"].id,
             ),
         )
 
diff --git a/src/oidcop/oidc/add_on/pkce.py b/src/oidcop/oidc/add_on/pkce.py
index 6825c38c..3e7fa054 100644
--- a/src/oidcop/oidc/add_on/pkce.py
+++ b/src/oidcop/oidc/add_on/pkce.py
@@ -43,12 +43,11 @@ def post_authn_parse(request, client_id, endpoint_context, **kwargs):
     if "pkce_essential" in client:
         essential = client["pkce_essential"]
     else:
-        essential = endpoint_context.args["pkce"].get(
-            "essential", False
-        )
+        essential = endpoint_context.args["pkce"].get("essential", False)
     if essential and "code_challenge" not in request:
         return AuthorizationErrorResponse(
-            error="invalid_request", error_description="Missing required code_challenge",
+            error="invalid_request",
+            error_description="Missing required code_challenge",
         )
 
     if "code_challenge_method" not in request:
@@ -93,7 +92,8 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):
     :return:
     """
     if isinstance(
-        request, (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest),
+        request,
+        (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest),
     ):
         return request
 
@@ -109,13 +109,16 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):
     if "code_challenge" in _authn_req:
         if "code_verifier" not in request:
             return TokenErrorResponse(
-                error="invalid_grant", error_description="Missing code_verifier",
+                error="invalid_grant",
+                error_description="Missing code_verifier",
             )
 
         _method = _authn_req["code_challenge_method"]
 
         if not verify_code_challenge(
-            request["code_verifier"], _authn_req["code_challenge"], _method,
+            request["code_verifier"],
+            _authn_req["code_challenge"],
+            _method,
         ):
             return TokenErrorResponse(error="invalid_grant", error_description="PKCE check failed")
 
diff --git a/src/oidcop/oidc/authorization.py b/src/oidcop/oidc/authorization.py
index 670b42a7..fb4d73e8 100755
--- a/src/oidcop/oidc/authorization.py
+++ b/src/oidcop/oidc/authorization.py
@@ -43,9 +43,18 @@ def host_component(url):
 
 
 ALG_PARAMS = {
-    "sign": ["request_object_signing_alg", "request_object_signing_alg_values_supported",],
-    "enc_alg": ["request_object_encryption_alg", "request_object_encryption_alg_values_supported",],
-    "enc_enc": ["request_object_encryption_enc", "request_object_encryption_enc_values_supported",],
+    "sign": [
+        "request_object_signing_alg",
+        "request_object_signing_alg_values_supported",
+    ],
+    "enc_alg": [
+        "request_object_encryption_alg",
+        "request_object_encryption_alg_values_supported",
+    ],
+    "enc_enc": [
+        "request_object_encryption_enc",
+        "request_object_encryption_enc_values_supported",
+    ],
 }
 
 
diff --git a/src/oidcop/oidc/registration.py b/src/oidcop/oidc/registration.py
index dba6f355..529664a9 100755
--- a/src/oidcop/oidc/registration.py
+++ b/src/oidcop/oidc/registration.py
@@ -3,7 +3,6 @@
 import json
 import logging
 import secrets
-import time
 from typing import List
 from urllib.parse import urlencode
 from urllib.parse import urlparse
@@ -97,9 +96,7 @@ def comb_uri(args):
         val = []
         for base, query_dict in redirect_uris:
             if query_dict:
-                query_string = urlencode(
-                    [(key, v) for key in query_dict for v in query_dict[key]]
-                )
+                query_string = urlencode([(key, v) for key in query_dict for v in query_dict[key]])
                 val.append(f"{base}?{query_string}")
             else:
                 val.append(base)
@@ -110,9 +107,7 @@ def comb_uri(args):
     if post_logout_redirect_uri:
         base, query_dict = post_logout_redirect_uri
         if query_dict:
-            query_string = urlencode(
-                [(key, v) for key in query_dict for v in query_dict[key]]
-            )
+            query_string = urlencode([(key, v) for key in query_dict for v in query_dict[key]])
             val = f"{base}?{query_string}"
         else:
             val = base
@@ -221,9 +216,10 @@ def do_client_registration(self, request, client_id, ignore=None):
 
         if "sector_identifier_uri" in request:
             try:
-                (_cinfo["si_redirects"], _cinfo["sector_id"],) = self._verify_sector_identifier(
-                    request
-                )
+                (
+                    _cinfo["si_redirects"],
+                    _cinfo["sector_id"],
+                ) = self._verify_sector_identifier(request)
             except InvalidSectorIdentifier as err:
                 return ResponseMessage(
                     error="invalid_configuration_parameter", error_description=str(err)
@@ -296,7 +292,9 @@ def verify_redirect_uris(registration_request):
                     pass
                 else:
                     logger.error(
-                        "InvalidRedirectURI: scheme:%s, hostname:%s", p.scheme, p.hostname,
+                        "InvalidRedirectURI: scheme:%s, hostname:%s",
+                        p.scheme,
+                        p.hostname,
                     )
                     raise InvalidRedirectURIError(
                         "Redirect_uri must use custom " "scheme or http and localhost"
@@ -391,7 +389,7 @@ def client_registration_setup(self, request, new_id=True, set_secret=True):
             logger.error("request.verify() error on %s", request)
             _error = "invalid_configuration_request"
             if len(err.args) > 1:
-                if err.args[1] == 'initiate_login_uri':
+                if err.args[1] == "initiate_login_uri":
                     _error = "invalid_client_metadata"
 
             return ResponseMessage(error=_error, error_description="%s" % err)
@@ -401,7 +399,8 @@ def client_registration_setup(self, request, new_id=True, set_secret=True):
             self.match_client_request(request)
         except CapabilitiesMisMatch as err:
             return ResponseMessage(
-                error="invalid_request", error_description="Don't support proposed %s" % err,
+                error="invalid_request",
+                error_description="Don't support proposed %s" % err,
             )
 
         _context = self.server_get("endpoint_context")
@@ -436,7 +435,9 @@ def client_registration_setup(self, request, new_id=True, set_secret=True):
 
         _context.cdb[client_id] = _cinfo
         _cinfo = self.do_client_registration(
-            request, client_id, ignore=["redirect_uris", "policy_uri", "logo_uri", "tos_uri"],
+            request,
+            client_id,
+            ignore=["redirect_uris", "policy_uri", "logo_uri", "tos_uri"],
         )
         if isinstance(_cinfo, ResponseMessage):
             return _cinfo
@@ -477,7 +478,8 @@ def process_request(self, request=None, new_id=True, set_secret=True, **kwargs):
         else:
             _context = self.server_get("endpoint_context")
             _cookie = _context.new_cookie(
-                name=_context.cookie_handler.name["register"], client_id=reg_resp["client_id"],
+                name=_context.cookie_handler.name["register"],
+                client_id=reg_resp["client_id"],
             )
 
             return {"response_args": reg_resp, "cookie": _cookie, "response_code": 201}
@@ -486,7 +488,7 @@ def process_verify_error(self, exception):
         _error = "invalid_request"
         if isinstance(exception, ValueError):
             if len(exception.args) > 1:
-                if exception.args[1] == 'initiate_login_uri':
+                if exception.args[1] == "initiate_login_uri":
                     _error = "invalid_client_metadata"
 
         return self.error_cls(error=_error, error_description=f"{exception}")
diff --git a/src/oidcop/oidc/session.py b/src/oidcop/oidc/session.py
index 61ce226e..79a7f9dc 100644
--- a/src/oidcop/oidc/session.py
+++ b/src/oidcop/oidc/session.py
@@ -160,7 +160,8 @@ def logout_all_clients(self, sid):
         _user_id = _session_info["user_id"]
         logger.debug(
             f"(logout_all_clients) user_id={_user_id},  client_id={_session_info['client_id']}, "
-            f"grant_id={_session_info['grant_id']}")
+            f"grant_id={_session_info['grant_id']}"
+        )
 
         bc_logouts = {}
         fc_iframes = {}
@@ -192,8 +193,9 @@ def logout_all_clients(self, sid):
                     if idt:
                         _rel_sid.append(idt.session_id)
                         # Construct an IFrame
-                        _spec = do_front_channel_logout_iframe(_cdb[_client_id], _iss,
-                                                               idt.session_id)
+                        _spec = do_front_channel_logout_iframe(
+                            _cdb[_client_id], _iss, idt.session_id
+                        )
                         if _spec:
                             fc_iframes[_client_id] = _spec
                         break
@@ -242,10 +244,10 @@ def logout_from_client(self, sid):
         return res
 
     def process_request(
-            self,
-            request: Optional[Union[Message, dict]] = None,
-            http_info: Optional[dict] = None,
-            **kwargs
+        self,
+        request: Optional[Union[Message, dict]] = None,
+        http_info: Optional[dict] = None,
+        **kwargs,
     ):
         """
         Perform user logout
@@ -316,7 +318,10 @@ def process_request(
         else:
             plur = True
             verify_uri(
-                _context, request, "post_logout_redirect_uri", client_id=_session_info["client_id"],
+                _context,
+                request,
+                "post_logout_redirect_uri",
+                client_id=_session_info["client_id"],
             )
 
         payload = {
@@ -381,8 +386,8 @@ def parse_request(self, request, http_info=None, **kwargs):
                 pass
             else:
                 if (
-                        _ith.jws_header["alg"]
-                        not in _context.provider_info["id_token_signing_alg_values_supported"]
+                    _ith.jws_header["alg"]
+                    not in _context.provider_info["id_token_signing_alg_values_supported"]
                 ):
                     raise JWSException("Unsupported signing algorithm")
 
@@ -404,9 +409,10 @@ def do_verified_logout(self, sid, alla=False, **kwargs):
                 logger.info("logging out from {} at {}".format(_cid, _url))
 
                 res = _context.httpc.post(
-                    _url, data="logout_token={}".format(sjwt),
+                    _url,
+                    data="logout_token={}".format(sjwt),
                     headers={"Content-Type": "application/x-www-form-urlencoded"},
-                    **_context.httpc_params
+                    **_context.httpc_params,
                 )
 
                 if res.status_code < 300:
diff --git a/src/oidcop/oidc/token.py b/src/oidcop/oidc/token.py
index 07bb41a5..337588b8 100755
--- a/src/oidcop/oidc/token.py
+++ b/src/oidcop/oidc/token.py
@@ -159,7 +159,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         return _response
 
     def post_parse_request(
-            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """
         This is where clients come to get their access tokens
@@ -280,7 +280,8 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             except (JWEException, NoSuitableSigningKeys) as err:
                 logger.warning(str(err))
                 resp = self.error_cls(
-                    error="invalid_request", error_description="Could not sign/encrypt id_token",
+                    error="invalid_request",
+                    error_description="Could not sign/encrypt id_token",
                 )
                 return resp
 
@@ -288,7 +289,8 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 
         token.register_usage()
 
-        if ("client_id" in req
+        if (
+            "client_id" in req
             and req["client_id"] in _context.cdb
             and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
         ):
@@ -302,7 +304,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         return _resp
 
     def post_parse_request(
-            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """
         This is where clients come to refresh their access tokens
diff --git a/src/oidcop/oidc/userinfo.py b/src/oidcop/oidc/userinfo.py
index 5bb69eec..d6a4ceb1 100755
--- a/src/oidcop/oidc/userinfo.py
+++ b/src/oidcop/oidc/userinfo.py
@@ -11,7 +11,6 @@
 from oidcmsg import oidc
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import ResponseMessage
-from oidcop.session.claims import claims_match
 
 from oidcop.endpoint import Endpoint
 from oidcop.token.exception import UnknownToken
@@ -38,7 +37,10 @@ class UserInfo(Endpoint):
 
     def __init__(self, server_get: Callable, add_claims_by_scope: Optional[bool] = True, **kwargs):
         Endpoint.__init__(
-            self, server_get, add_claims_by_scope=add_claims_by_scope, **kwargs,
+            self,
+            server_get,
+            add_claims_by_scope=add_claims_by_scope,
+            **kwargs,
         )
         # Add the issuer ID as an allowed JWT target
         self.allowed_targets.append("")
@@ -109,9 +111,7 @@ def do_response(
     def process_request(self, request=None, **kwargs):
         _mngr = self.server_get("endpoint_context").session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(
-                request["access_token"], grant=True
-            )
+            _session_info = _mngr.get_session_info_by_token(request["access_token"], grant=True)
         except (KeyError, ValueError):
             return self.error_cls(error="invalid_token", error_description="Invalid Token")
 
@@ -132,7 +132,7 @@ def process_request(self, request=None, **kwargs):
             logger.debug(
                 "authentication not valid: {} > {}".format(
                     datetime.fromtimestamp(_auth_event["valid_until"]),
-                    datetime.fromtimestamp(utc_time_sans_frac())
+                    datetime.fromtimestamp(utc_time_sans_frac()),
                 )
             )
             allowed = False
diff --git a/src/oidcop/scopes.py b/src/oidcop/scopes.py
index 7aeb21f9..97bdf9c2 100644
--- a/src/oidcop/scopes.py
+++ b/src/oidcop/scopes.py
@@ -36,7 +36,9 @@ def convert_scopes2claims(scopes, allowed_claims=None, scope2claim_map=None):
     else:
         for scope in scopes:
             try:
-                claims = {name: None for name in scope2claim_map.get(scope, []) if name in allowed_claims}
+                claims = {
+                    name: None for name in scope2claim_map.get(scope, []) if name in allowed_claims
+                }
                 res.update(claims)
             except KeyError:
                 continue
@@ -99,4 +101,4 @@ def scopes_to_claims(self, scopes, scopes_to_claims=None, client_id=None):
         return convert_scopes2claims(scopes, scope2claim_map=scopes_to_claims)
 
     def set_scopes_mapping(self, scopes_to_claims):
-        self._scopes_to_claims = scopes_to_claims
\ No newline at end of file
+        self._scopes_to_claims = scopes_to_claims
diff --git a/src/oidcop/server.py b/src/oidcop/server.py
index c7d698ea..1972aff6 100644
--- a/src/oidcop/server.py
+++ b/src/oidcop/server.py
@@ -88,7 +88,7 @@ def __init__(
             self.server_get,
             self.endpoint_context.th_args,
             sub_func=self.endpoint_context._sub_func,
-            conf=self.conf
+            conf=self.conf,
         )
         self.endpoint_context.do_userinfo()
         # Must be done after userinfo
diff --git a/src/oidcop/session/claims.py b/src/oidcop/session/claims.py
index 8690ff6c..7ca31cc7 100755
--- a/src/oidcop/session/claims.py
+++ b/src/oidcop/session/claims.py
@@ -31,9 +31,9 @@ def __init__(self, server_get):
         self.server_get = server_get
 
     def authorization_request_claims(
-            self,
-            authorization_request: dict,
-            claims_release_point: Optional[str] = "",
+        self,
+        authorization_request: dict,
+        claims_release_point: Optional[str] = "",
     ) -> dict:
         if authorization_request and "claims" in authorization_request:
             return authorization_request["claims"].get(claims_release_point, {})
@@ -59,11 +59,13 @@ def _get_module(self, usage, endpoint_context):
 
         return module
 
-    def _client_claims(self,
-                       client_id: str,
-                       module: object,
-                       claims_release_point: str,
-                       secondary_identifier: Optional[str] = ""):
+    def _client_claims(
+        self,
+        client_id: str,
+        module: object,
+        claims_release_point: str,
+        secondary_identifier: Optional[str] = "",
+    ):
         _context = self.server_get("endpoint_context")
         add_claims_by_scope = _context.cdb[client_id].get("add_claims", {}).get("by_scope", {})
         if add_claims_by_scope:
@@ -85,12 +87,12 @@ def _client_claims(self,
         return _claims_by_scope, _always_add
 
     def get_claims_from_request(
-            self,
-            auth_req: dict,
-            claims_release_point: str,
-            scopes: str = None,
-            client_id: str = None,
-            secondary_identifier: str = ""
+        self,
+        auth_req: dict,
+        claims_release_point: str,
+        scopes: str = None,
+        client_id: str = None,
+        secondary_identifier: str = "",
     ) -> dict:
         _context = self.server_get("endpoint_context")
         # which endpoint module configuration to get the base claims from
@@ -107,9 +109,9 @@ def get_claims_from_request(
 
         # If specific client configuration exists overwrite add_claims_by_scope
         if module.kwargs.get("enable_claims_per_client") and client_id in _context.cdb:
-            _claims_by_scope, _always_add = self._client_claims(client_id, module,
-                                                                claims_release_point,
-                                                                secondary_identifier)
+            _claims_by_scope, _always_add = self._client_claims(
+                client_id, module, claims_release_point, secondary_identifier
+            )
         else:
             _claims_by_scope = module.kwargs.get("add_claims_by_scope")
             _always_add = module.kwargs.get("always_add_claims", {})
@@ -127,8 +129,7 @@ def get_claims_from_request(
         # Bring in claims specification from the authorization request
         # This only goes for ID Token and user info
         request_claims = self.authorization_request_claims(
-            authorization_request=auth_req,
-            claims_release_point=claims_release_point
+            authorization_request=auth_req, claims_release_point=claims_release_point
         )
 
         # This will add claims that has not be added before and
@@ -139,11 +140,13 @@ def get_claims_from_request(
 
         return base_claims
 
-    def get_claims(self,
-                   session_id: str,
-                   scopes: str,
-                   claims_release_point: str,
-                   secondary_identifier: Optional[str] = "") -> dict:
+    def get_claims(
+        self,
+        session_id: str,
+        scopes: str,
+        claims_release_point: str,
+        secondary_identifier: Optional[str] = "",
+    ) -> dict:
         """
 
         :param secondary_identifier: If claims should also be release by the rules for this
@@ -168,13 +171,13 @@ def get_claims(self,
             claims_release_point=claims_release_point,
             scopes=scopes,
             client_id=client_id,
-            secondary_identifier=secondary_identifier
+            secondary_identifier=secondary_identifier,
         )
 
         return claims
 
     def get_claims_all_usage_from_request(
-            self, auth_req: dict, scopes: str = None, client_id: str = None
+        self, auth_req: dict, scopes: str = None, client_id: str = None
     ) -> dict:
         _claims = {}
         for usage in self.claims_release_points:
@@ -184,9 +187,7 @@ def get_claims_all_usage_from_request(
         return _claims
 
     def get_claims_all_usage(self, session_id: str, scopes: str) -> dict:
-        grant = self.server_get(
-            "endpoint_context"
-        ).session_manager.get_grant(session_id)
+        grant = self.server_get("endpoint_context").session_manager.get_grant(session_id)
         if grant.authorization_request:
             auth_req = grant.authorization_request
         else:
@@ -202,9 +203,7 @@ def get_user_claims(self, user_id: str, claims_restriction: dict) -> dict:
         """
         meth = self.server_get("endpoint_context").userinfo
         if not meth:
-            raise ImproperlyConfigured(
-                "userinfo MUST be defined in the configuration"
-            )
+            raise ImproperlyConfigured("userinfo MUST be defined in the configuration")
         if claims_restriction:
             # Get all possible claims
             user_info = meth(user_id, client_id=None)
diff --git a/src/oidcop/session/database.py b/src/oidcop/session/database.py
index cd4bdd76..8f4e79ee 100644
--- a/src/oidcop/session/database.py
+++ b/src/oidcop/session/database.py
@@ -42,7 +42,7 @@ def __init__(self, key: Optional[str] = "", **kwargs):
         ImpExp.__init__(self)
         self.db = DLDict()
 
-        for k,v in kwargs.items():
+        for k, v in kwargs.items():
             setattr(self, k, v)
 
         self.key = key or rndstr(24)
diff --git a/src/oidcop/session/grant.py b/src/oidcop/session/grant.py
index df517a17..16b4eb0a 100644
--- a/src/oidcop/session/grant.py
+++ b/src/oidcop/session/grant.py
@@ -32,11 +32,11 @@ class GrantMessage(ImpExp):
     }
 
     def __init__(
-            self,
-            scope: Optional[str] = "",
-            authorization_details: Optional[dict] = None,
-            claims: Optional[list] = None,
-            resources: Optional[list] = None,
+        self,
+        scope: Optional[str] = "",
+        authorization_details: Optional[dict] = None,
+        claims: Optional[list] = None,
+        resources: Optional[list] = None,
     ):
         ImpExp.__init__(self)
         self.scope = scope
@@ -61,7 +61,7 @@ def find_token(issued, token_id):
 
 
 def qualified_name(cls):
-    """ Does both classes and class instances
+    """Does both classes and class instances
 
     :param cls: The item, class or class instance
     :return: fully qualified class name
@@ -122,22 +122,22 @@ class Grant(Item):
     }
 
     def __init__(
-            self,
-            scope: Optional[list] = None,
-            claims: Optional[dict] = None,
-            resources: Optional[list] = None,
-            authorization_details: Optional[dict] = None,
-            authorization_request: Optional[Message] = None,
-            authentication_event: Optional[AuthnEvent] = None,
-            issued_token: Optional[list] = None,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            revoked: bool = False,
-            token_map: Optional[dict] = None,
-            sub: Optional[str] = "",
-            extra: Optional[Dict[str, str]] = None
+        self,
+        scope: Optional[list] = None,
+        claims: Optional[dict] = None,
+        resources: Optional[list] = None,
+        authorization_details: Optional[dict] = None,
+        authorization_request: Optional[Message] = None,
+        authentication_event: Optional[AuthnEvent] = None,
+        issued_token: Optional[list] = None,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        revoked: bool = False,
+        token_map: Optional[dict] = None,
+        sub: Optional[str] = "",
+        extra: Optional[Dict[str, str]] = None,
     ):
         Item.__init__(
             self,
@@ -193,13 +193,13 @@ def add_acr_value(self, claims_release_point):
         return False
 
     def payload_arguments(
-            self,
-            session_id: str,
-            endpoint_context,
-            claims_release_point: str,
-            scope: Optional[dict] = None,
-            extra_payload: Optional[dict] = None,
-            secondary_identifier: str = ''
+        self,
+        session_id: str,
+        endpoint_context,
+        claims_release_point: str,
+        scope: Optional[dict] = None,
+        extra_payload: Optional[dict] = None,
+        secondary_identifier: str = "",
     ) -> dict:
         """
 
@@ -230,8 +230,10 @@ def payload_arguments(
                 payload.update({"client_id": client_id, "sub": client_id})
 
         _claims_restriction = endpoint_context.claims_interface.get_claims(
-            session_id, scopes=scope, claims_release_point=claims_release_point,
-            secondary_identifier=secondary_identifier
+            session_id,
+            scopes=scope,
+            claims_release_point=claims_release_point,
+            secondary_identifier=secondary_identifier,
         )
         user_id, _, _ = endpoint_context.session_manager.decrypt_session_id(session_id)
         user_info = endpoint_context.claims_interface.get_user_claims(user_id, _claims_restriction)
@@ -246,16 +248,16 @@ def payload_arguments(
         return payload
 
     def mint_token(
-            self,
-            session_id: str,
-            endpoint_context: object,
-            token_class: str,
-            token_handler: TokenHandler = None,
-            based_on: Optional[SessionToken] = None,
-            usage_rules: Optional[dict] = None,
-            scope: Optional[list] = None,
-            token_type: Optional[str] = "",
-            **kwargs,
+        self,
+        session_id: str,
+        endpoint_context: object,
+        token_class: str,
+        token_handler: TokenHandler = None,
+        based_on: Optional[SessionToken] = None,
+        usage_rules: Optional[dict] = None,
+        scope: Optional[list] = None,
+        token_type: Optional[str] = "",
+        **kwargs,
     ) -> Optional[SessionToken]:
         """
 
@@ -286,8 +288,9 @@ def mint_token(
 
         _class = self.token_map.get(token_class)
         if token_class == "id_token":
-            class_args = {k: v for k, v in kwargs.items() if
-                          k not in ["code", "access_token", "as_if"]}
+            class_args = {
+                k: v for k, v in kwargs.items() if k not in ["code", "access_token", "as_if"]
+            }
             handler_args = {k: v for k, v in kwargs.items() if k in ["code", "access_token"]}
         else:
             class_args = kwargs
@@ -321,7 +324,8 @@ def mint_token(
             _secondary_identifier = kwargs.get("as_if")
             logger.debug(
                 f"claims_release_point: {claims_release_point}, secondary_identifier: "
-                f"{_secondary_identifier}")
+                f"{_secondary_identifier}"
+            )
 
             if token_class == "id_token":
                 item.session_id = session_id
@@ -332,7 +336,7 @@ def mint_token(
                 claims_release_point=claims_release_point,
                 scope=scope,
                 extra_payload=handler_args,
-                secondary_identifier=_secondary_identifier
+                secondary_identifier=_secondary_identifier,
             )
 
             logger.debug(f"token_payload: {token_payload}")
@@ -355,10 +359,7 @@ def get_token(self, value: str) -> Optional[SessionToken]:
         return None
 
     def revoke_token(
-            self,
-            value: Optional[str] = "",
-            based_on: Optional[str] = "",
-            recursive: bool = True
+        self, value: Optional[str] = "", based_on: Optional[str] = "", recursive: bool = True
     ):
         for t in self.issued_token:
             if not value and not based_on:
@@ -441,19 +442,19 @@ class ExchangeGrant(Grant):
     type = "exchange_grant"
 
     def __init__(
-            self,
-            scope: Optional[list] = None,
-            claims: Optional[dict] = None,
-            resources: Optional[list] = None,
-            authorization_details: Optional[dict] = None,
-            issued_token: Optional[list] = None,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            revoked: bool = False,
-            token_map: Optional[dict] = None,
-            users: list = None,
+        self,
+        scope: Optional[list] = None,
+        claims: Optional[dict] = None,
+        resources: Optional[list] = None,
+        authorization_details: Optional[dict] = None,
+        issued_token: Optional[list] = None,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        revoked: bool = False,
+        token_map: Optional[dict] = None,
+        users: list = None,
     ):
         Grant.__init__(
             self,
diff --git a/src/oidcop/session/info.py b/src/oidcop/session/info.py
index 1c2ebcb9..303e0bc7 100644
--- a/src/oidcop/session/info.py
+++ b/src/oidcop/session/info.py
@@ -43,7 +43,9 @@ def keys(self):
 class UserSessionInfo(SessionInfo):
     parameter = SessionInfo.parameter.copy()
     parameter.update(
-        {"user_id": "",}
+        {
+            "user_id": "",
+        }
     )
 
     def __init__(self, **kwargs):
diff --git a/src/oidcop/session/manager.py b/src/oidcop/session/manager.py
index c575ccce..3bddebc4 100644
--- a/src/oidcop/session/manager.py
+++ b/src/oidcop/session/manager.py
@@ -47,7 +47,7 @@ def __init__(self, salt: Optional[str] = "", filename: Optional[str] = ""):
             if os.path.isfile(filename):
                 self.salt = open(filename).read()
             elif not os.path.isfile(filename) and os.path.exists(
-                    filename
+                filename
             ):  # Not a file, Something else
                 raise ConfigurationError("Salt filename points to something that is not a file")
             else:
@@ -82,8 +82,10 @@ class SessionManager(Database):
     init_args = ["handler"]
 
     def __init__(
-            self, handler: TokenHandler, conf: Optional[dict] = None,
-            sub_func: Optional[dict] = None,
+        self,
+        handler: TokenHandler,
+        conf: Optional[dict] = None,
+        sub_func: Optional[dict] = None,
     ):
         super(SessionManager, self).__init__()
         self.conf = conf or {}
@@ -125,21 +127,14 @@ def load_salt(self):
         return self._salt
 
     def __setattr__(self, key, value):
-        if key in ('_key', '_salt'):
+        if key in ("_key", "_salt"):
             if hasattr(self, key):
                 # not first time we configure it!
-                raise AttributeError(
-                    f"{key} is a ReadOnly attribute "
-                    "that can't be overwritten!"
-                )
+                raise AttributeError(f"{key} is a ReadOnly attribute " "that can't be overwritten!")
         super().__setattr__(key, value)
 
     def _init_db(self):
-        Database.__init__(
-            self,
-            key=self.load_key(),
-            salt=self.load_salt()
-        )
+        Database.__init__(self, key=self.load_key(), salt=self.load_salt())
 
     def get_user_info(self, uid: str) -> UserSessionInfo:
         usi = self.get([uid])
@@ -164,14 +159,14 @@ def find_token(self, session_id: str, token_value: str) -> Optional[SessionToken
         return None  # pragma: no cover
 
     def create_grant(
-            self,
-            authn_event: AuthnEvent,
-            auth_req: AuthorizationRequest,
-            user_id: str,
-            client_id: Optional[str] = "",
-            sub_type: Optional[str] = "public",
-            token_usage_rules: Optional[dict] = None,
-            scopes: Optional[list] = None,
+        self,
+        authn_event: AuthnEvent,
+        auth_req: AuthorizationRequest,
+        user_id: str,
+        client_id: Optional[str] = "",
+        sub_type: Optional[str] = "public",
+        token_usage_rules: Optional[dict] = None,
+        scopes: Optional[list] = None,
     ) -> str:
         """
 
@@ -191,11 +186,12 @@ def create_grant(
         grant = Grant(
             authorization_request=auth_req,
             authentication_event=authn_event,
-            sub=self.sub_func[sub_type](user_id, salt=self.salt,
-                                        sector_identifier=sector_identifier),
+            sub=self.sub_func[sub_type](
+                user_id, salt=self.salt, sector_identifier=sector_identifier
+            ),
             usage_rules=token_usage_rules,
             scope=scopes,
-            claims=_claims
+            claims=_claims,
         )
 
         self.set([user_id, client_id, grant.id], grant)
@@ -203,14 +199,14 @@ def create_grant(
         return self.encrypted_session_id(user_id, client_id, grant.id)
 
     def create_session(
-            self,
-            authn_event: AuthnEvent,
-            auth_req: AuthorizationRequest,
-            user_id: str,
-            client_id: Optional[str] = "",
-            sub_type: Optional[str] = "public",
-            token_usage_rules: Optional[dict] = None,
-            scopes: Optional[list] = None,
+        self,
+        authn_event: AuthnEvent,
+        auth_req: AuthorizationRequest,
+        user_id: str,
+        client_id: Optional[str] = "",
+        sub_type: Optional[str] = "public",
+        token_usage_rules: Optional[dict] = None,
+        scopes: Optional[list] = None,
     ) -> str:
         """
         Create part of a user session. The parts added are user- and client
@@ -324,10 +320,10 @@ def revoke_token(self, session_id: str, token_value: str, recursive: bool = Fals
             self._revoke_dependent(grant, token)
 
     def get_authentication_events(
-            self,
-            session_id: Optional[str] = "",
-            user_id: Optional[str] = "",
-            client_id: Optional[str] = "",
+        self,
+        session_id: Optional[str] = "",
+        user_id: Optional[str] = "",
+        client_id: Optional[str] = "",
     ) -> List[AuthnEvent]:
         """
         Return the authentication events that exists for a user/client combination.
@@ -397,10 +393,10 @@ def revoke_grant(self, session_id: str):
         self.set(_path, _info)
 
     def grants(
-            self,
-            session_id: Optional[str] = "",
-            user_id: Optional[str] = "",
-            client_id: Optional[str] = "",
+        self,
+        session_id: Optional[str] = "",
+        user_id: Optional[str] = "",
+        client_id: Optional[str] = "",
     ) -> List[Grant]:
         """
         Find all grant connected to a user session
@@ -421,13 +417,13 @@ def grants(
         return [self.get([user_id, client_id, gid]) for gid in _csi.subordinate]
 
     def get_session_info(
-            self,
-            session_id: str,
-            user_session_info: bool = False,
-            client_session_info: bool = False,
-            grant: bool = False,
-            authentication_event: bool = False,
-            authorization_request: bool = False,
+        self,
+        session_id: str,
+        user_session_info: bool = False,
+        client_session_info: bool = False,
+        grant: bool = False,
+        authentication_event: bool = False,
+        authorization_request: bool = False,
     ) -> dict:
         """
         Returns information connected to a session.
@@ -482,13 +478,13 @@ def _compatible_sid(self, sid):
         return sid
 
     def get_session_info_by_token(
-            self,
-            token_value: str,
-            user_session_info: bool = False,
-            client_session_info: bool = False,
-            grant: bool = False,
-            authentication_event: bool = False,
-            authorization_request: bool = False,
+        self,
+        token_value: str,
+        user_session_info: bool = False,
+        client_session_info: bool = False,
+        grant: bool = False,
+        authentication_event: bool = False,
+        authorization_request: bool = False,
     ) -> dict:
         _token_info = self.token_handler.info(token_value)
         sid = _token_info.get("sid")
diff --git a/src/oidcop/session/token.py b/src/oidcop/session/token.py
index 4c9b1d04..52ada60e 100644
--- a/src/oidcop/session/token.py
+++ b/src/oidcop/session/token.py
@@ -20,14 +20,14 @@ class Item(ImpExp):
     }
 
     def __init__(
-            self,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            not_before: int = 0,
-            revoked: bool = False,
-            used: int = 0,
+        self,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        not_before: int = 0,
+        revoked: bool = False,
+        used: int = 0,
     ):
         ImpExp.__init__(self)
         self.issued_at = issued_at or utc_time_sans_frac()
@@ -92,21 +92,21 @@ class SessionToken(Item):
     )
 
     def __init__(
-            self,
-            token_class: str = "",
-            value: str = "",
-            based_on: Optional[str] = None,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            not_before: int = 0,
-            revoked: bool = False,
-            used: int = 0,
-            id: str = "",
-            scope: Optional[list] = None,
-            claims: Optional[dict] = None,
-            resources: Optional[list] = None,
+        self,
+        token_class: str = "",
+        value: str = "",
+        based_on: Optional[str] = None,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        not_before: int = 0,
+        revoked: bool = False,
+        used: int = 0,
+        id: str = "",
+        scope: Optional[list] = None,
+        claims: Optional[dict] = None,
+        resources: Optional[list] = None,
     ):
         Item.__init__(
             self,
@@ -148,29 +148,25 @@ def supports_minting(self, token_class):
 
 class AccessToken(SessionToken):
     parameter = SessionToken.parameter.copy()
-    parameter.update(
-        {
-            "token_type": ""
-        }
-    )
+    parameter.update({"token_type": ""})
 
     def __init__(
-            self,
-            token_class: str = "",
-            value: str = "",
-            based_on: Optional[str] = None,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            not_before: int = 0,
-            revoked: bool = False,
-            used: int = 0,
-            id: str = "",
-            scope: Optional[list] = None,
-            claims: Optional[dict] = None,
-            resources: Optional[list] = None,
-            token_type: Optional[str] = "bearer"
+        self,
+        token_class: str = "",
+        value: str = "",
+        based_on: Optional[str] = None,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        not_before: int = 0,
+        revoked: bool = False,
+        used: int = 0,
+        id: str = "",
+        scope: Optional[list] = None,
+        claims: Optional[dict] = None,
+        resources: Optional[list] = None,
+        token_type: Optional[str] = "bearer",
     ):
         SessionToken.__init__(
             self,
@@ -187,7 +183,7 @@ def __init__(
             id=id,
             scope=scope,
             claims=claims,
-            resources=resources
+            resources=resources,
         )
 
         self.token_type = token_type
@@ -213,30 +209,26 @@ def set_defaults(self):
 
 class IDToken(SessionToken):
     parameter = SessionToken.parameter.copy()
-    parameter.update(
-        {
-            "session_id": ""
-        }
-    )
+    parameter.update({"session_id": ""})
 
     def __init__(
-            self,
-            token_class: str = "",
-            value: str = "",
-            based_on: Optional[str] = None,
-            usage_rules: Optional[dict] = None,
-            issued_at: int = 0,
-            expires_in: int = 0,
-            expires_at: int = 0,
-            not_before: int = 0,
-            revoked: bool = False,
-            used: int = 0,
-            id: str = "",
-            session_id: str = "",
-            scope: Optional[list] = None,
-            claims: Optional[dict] = None,
-            resources: Optional[list] = None,
-            token_type: Optional[str] = "bearer",
+        self,
+        token_class: str = "",
+        value: str = "",
+        based_on: Optional[str] = None,
+        usage_rules: Optional[dict] = None,
+        issued_at: int = 0,
+        expires_in: int = 0,
+        expires_at: int = 0,
+        not_before: int = 0,
+        revoked: bool = False,
+        used: int = 0,
+        id: str = "",
+        session_id: str = "",
+        scope: Optional[list] = None,
+        claims: Optional[dict] = None,
+        resources: Optional[list] = None,
+        token_type: Optional[str] = "bearer",
     ):
         SessionToken.__init__(
             self,
@@ -253,7 +245,7 @@ def __init__(
             id=id,
             scope=scope,
             claims=claims,
-            resources=resources
+            resources=resources,
         )
 
         self.session_id = session_id
diff --git a/src/oidcop/token/__init__.py b/src/oidcop/token/__init__.py
index 1c912f68..b1de26f2 100755
--- a/src/oidcop/token/__init__.py
+++ b/src/oidcop/token/__init__.py
@@ -19,7 +19,7 @@
     "authorization_code": "A",
     "access_token": "T",
     "refresh_token": "R",
-    "id_token": "I"
+    "id_token": "I",
 }
 
 
@@ -81,8 +81,9 @@ def __init__(self, password, token_class="", token_type="Bearer", **kwargs):
         self.crypt = Crypt(password)
         self.token_type = token_type
 
-    def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] = "",
-                 **payload) -> str:
+    def __call__(
+        self, session_id: Optional[str] = "", token_class: Optional[str] = "", **payload
+    ) -> str:
         """
         Return a token.
 
diff --git a/src/oidcop/token/handler.py b/src/oidcop/token/handler.py
index 9da5bedd..c4fb2386 100755
--- a/src/oidcop/token/handler.py
+++ b/src/oidcop/token/handler.py
@@ -24,15 +24,14 @@ class TokenHandler(ImpExp):
     parameter = {"handler": DLDict, "handler_order": [""]}
 
     def __init__(
-            self,
-            access_token: Optional[Token] = None,
-            authorization_code: Optional[Token] = None,
-            refresh_token: Optional[Token] = None,
-            id_token: Optional[Token] = None,
+        self,
+        access_token: Optional[Token] = None,
+        authorization_code: Optional[Token] = None,
+        refresh_token: Optional[Token] = None,
+        id_token: Optional[Token] = None,
     ):
         ImpExp.__init__(self)
-        self.handler = {"authorization_code": authorization_code,
-                        "access_token": access_token}
+        self.handler = {"authorization_code": authorization_code, "access_token": access_token}
 
         self.handler_order = ["authorization_code", "access_token"]
 
@@ -142,13 +141,13 @@ def default_token(spec):
 
 
 def factory(
-        server_get,
-        code: Optional[dict] = None,
-        token: Optional[dict] = None,
-        refresh: Optional[dict] = None,
-        id_token: Optional[dict] = None,
-        jwks_file: Optional[str] = "",
-        **kwargs
+    server_get,
+    code: Optional[dict] = None,
+    token: Optional[dict] = None,
+    refresh: Optional[dict] = None,
+    id_token: Optional[dict] = None,
+    jwks_file: Optional[str] = "",
+    **kwargs
 ) -> TokenHandler:
     """
     Create a token handler
@@ -160,10 +159,12 @@ def factory(
     :return: TokenHandler instance
     """
 
-    token_class_map = {"code": "authorization_code",
-                       "token": "access_token",
-                       "refresh": "refresh_token",
-                       'idtoken': 'id_token'}
+    token_class_map = {
+        "code": "authorization_code",
+        "token": "access_token",
+        "refresh": "refresh_token",
+        "idtoken": "id_token",
+    }
 
     key_defs = []
     read_only = False
diff --git a/src/oidcop/token/id_token.py b/src/oidcop/token/id_token.py
index 87332c23..e8555ef4 100755
--- a/src/oidcop/token/id_token.py
+++ b/src/oidcop/token/id_token.py
@@ -13,7 +13,6 @@
 from oidcop.token import is_expired
 from oidcop.token.exception import InvalidToken
 
-from ..util import get_logout_id
 from . import Token
 from . import UnknownToken
 
@@ -59,7 +58,7 @@ def include_session_id(endpoint_context, client_id, where):
 
 
 def get_sign_and_encrypt_algorithms(
-        endpoint_context, client_info, payload_type, sign=False, encrypt=False
+    endpoint_context, client_info, payload_type, sign=False, encrypt=False
 ):
     args = {"sign": sign, "encrypt": encrypt}
     if sign:
@@ -118,11 +117,11 @@ class IDToken(Token):
     }
 
     def __init__(
-            self,
-            token_class: Optional[str] = "id_token",
-            lifetime: Optional[int] = 300,
-            server_get: Callable = None,
-            **kwargs
+        self,
+        token_class: Optional[str] = "id_token",
+        lifetime: Optional[int] = 300,
+        server_get: Callable = None,
+        **kwargs,
     ):
         Token.__init__(self, token_class, **kwargs)
         self.lifetime = lifetime
@@ -276,7 +275,7 @@ def __call__(
 
         # Should I add session ID. This is about Single Logout.
         if include_session_id(_context, client_id, "back") or include_session_id(
-                _context, client_id, "front"
+            _context, client_id, "front"
         ):
 
             xargs = {"sid": session_id}
diff --git a/src/oidcop/token/jwt_token.py b/src/oidcop/token/jwt_token.py
index 7d4f12b5..d8653498 100644
--- a/src/oidcop/token/jwt_token.py
+++ b/src/oidcop/token/jwt_token.py
@@ -15,17 +15,17 @@
 
 class JWTToken(Token):
     def __init__(
-            self,
-            token_class,
-            # keyjar: KeyJar = None,
-            issuer: str = None,
-            aud: Optional[list] = None,
-            alg: str = "ES256",
-            lifetime: int = DEFAULT_TOKEN_LIFETIME,
-            server_get: Callable = None,
-            token_type: str = "Bearer",
-            password: str = "",
-            **kwargs
+        self,
+        token_class,
+        # keyjar: KeyJar = None,
+        issuer: str = None,
+        aud: Optional[list] = None,
+        alg: str = "ES256",
+        lifetime: int = DEFAULT_TOKEN_LIFETIME,
+        server_get: Callable = None,
+        token_type: str = "Bearer",
+        password: str = "",
+        **kwargs
     ):
         Token.__init__(self, token_class, **kwargs)
         self.token_type = token_type
@@ -53,7 +53,6 @@ def __call__(
         usage_rules: Optional[dict] = None,
         **payload
     ) -> str:
-
         """
         Return a token.
 
diff --git a/src/oidcop/user_authn/authn_context.py b/src/oidcop/user_authn/authn_context.py
index d49f5c0d..8aa94df1 100755
--- a/src/oidcop/user_authn/authn_context.py
+++ b/src/oidcop/user_authn/authn_context.py
@@ -114,9 +114,9 @@ def _acr_claim(request):
         _id_token_claim = _claims.get("id_token")
         if _id_token_claim:
             _acr = _id_token_claim.get("acr")
-            if 'value' in _acr:
+            if "value" in _acr:
                 return [_acr["value"]]
-            elif 'values' in _acr:
+            elif "values" in _acr:
                 return _acr["values"]
     return None
 
@@ -154,9 +154,7 @@ def pick_auth(endpoint_context, areq, pick_all=False):
 
     for acr in acrs:
         res = endpoint_context.authn_broker.pick(acr)
-        logger.debug(
-            f"Picked AuthN broker for ACR {str(acr)}: {str(res)}"
-        )
+        logger.debug(f"Picked AuthN broker for ACR {str(acr)}: {str(res)}")
         if res:
             return res if pick_all else res[0]
 
diff --git a/src/oidcop/user_authn/user.py b/src/oidcop/user_authn/user.py
index 1e9b64c6..9e54e3a6 100755
--- a/src/oidcop/user_authn/user.py
+++ b/src/oidcop/user_authn/user.py
@@ -4,7 +4,6 @@
 import json
 import logging
 import sys
-import time
 from typing import List
 from urllib.parse import unquote
 import warnings
@@ -15,7 +14,6 @@
 
 from oidcop.exception import FailedAuthentication
 from oidcop.exception import ImproperlyConfigured
-from oidcop.exception import InvalidCookieSign
 from oidcop.exception import OnlyForTestingWarning
 from oidcop.util import instantiate
 
@@ -66,14 +64,15 @@ def authenticated_as(self, client_id, cookie=None, **kwargs):
             return None, 0
         else:
             _info = self.cookie_info(cookie, client_id)
-            logger.debug('authenticated_as: cookie info={}'.format(_info))
+            logger.debug("authenticated_as: cookie info={}".format(_info))
             if _info:
-                if 'max_age' in kwargs and kwargs["max_age"] != 0:
+                if "max_age" in kwargs and kwargs["max_age"] != 0:
                     _max_age = kwargs["max_age"]
                     _now = utc_time_sans_frac()
                     if _now > _info["timestamp"] + _max_age:
                         logger.debug(
-                            "Too old by {} seconds".format(_now - (_info["timestamp"] + _max_age)))
+                            "Too old by {} seconds".format(_now - (_info["timestamp"] + _max_age))
+                        )
                         return None, 0
             return _info, utc_time_sans_frac()
 
@@ -139,13 +138,13 @@ class UserPassJinja2(UserAuthnMethod):
     url_endpoint = "/verify/user_pass_jinja"
 
     def __init__(
-            self,
-            db,
-            template_handler,
-            template="user_pass.jinja2",
-            server_get=None,
-            verify_endpoint="",
-            **kwargs,
+        self,
+        db,
+        template_handler,
+        template="user_pass.jinja2",
+        server_get=None,
+        verify_endpoint="",
+        **kwargs,
     ):
 
         super(UserPassJinja2, self).__init__(server_get=server_get)
diff --git a/src/oidcop/util.py b/src/oidcop/util.py
index 613de27c..58004050 100755
--- a/src/oidcop/util.py
+++ b/src/oidcop/util.py
@@ -136,7 +136,7 @@ def lv_unpack(txt):
     while txt:
         l, v = txt.split(":", 1)
         res.append(v[: int(l)])
-        txt = v[int(l) :]
+        txt = v[int(l):]
     return res
 
 

From 733dc547e3c1880a3530e9cddf4bf420a2be92bb Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Mon, 22 Nov 2021 15:48:05 +0100
Subject: [PATCH 10/11] fix: oauth2.token session_key args

---
 src/oidcop/oauth2/token.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oidcop/oauth2/token.py b/src/oidcop/oauth2/token.py
index 108bfc7e..bfee6dff 100755
--- a/src/oidcop/oauth2/token.py
+++ b/src/oidcop/oauth2/token.py
@@ -478,7 +478,7 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
             sub=_session_info["grant"].sub,
             sid=_context.session_manager.session_key(
                 _session_info["user_id"],
-                _session_info["user_id"],
+                _session_info["client_id"],
                 _session_info["grant"].id,
             ),
         )

From accc68d26c1add00adde6c474eb1cfe256b06e40 Mon Sep 17 00:00:00 2001
From: peppelinux <giuseppe.demarco@unical.it>
Date: Mon, 22 Nov 2021 17:09:05 +0100
Subject: [PATCH 11/11] chore: removed useless tests/test_100_temp

---
 tests/test_100_temp.py | 422 -----------------------------------------
 1 file changed, 422 deletions(-)
 delete mode 100644 tests/test_100_temp.py

diff --git a/tests/test_100_temp.py b/tests/test_100_temp.py
deleted file mode 100644
index bb0c4afe..00000000
--- a/tests/test_100_temp.py
+++ /dev/null
@@ -1,422 +0,0 @@
-import copy
-import os
-
-from oidcmsg.oidc import AuthorizationRequest
-import pytest
-
-from oidcop.authn_event import create_authn_event
-from oidcop.server import Server
-
-BASEDIR = os.path.abspath(os.path.dirname(__file__))
-
-
-def full_path(local_file):
-    return os.path.join(BASEDIR, local_file)
-
-
-KEYDEFS = [
-    {"type": "RSA", "key": "", "use": ["sig"]},
-    {"type": "EC", "crv": "P-256", "use": ["sig"]},
-]
-
-AREQS = AuthorizationRequest(
-    response_type="code",
-    client_id='CLIENT_ID',
-    redirect_uri="http://example.com/authz",
-    scope=["openid", "address", "email"],
-    state="state000",
-    nonce="nonce",
-)
-
-conf = {
-    "issuer": "https://example.com/",
-    "template_dir": "template",
-    "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS, "read_only": True},
-    "endpoint": {
-        "authorization_endpoint": {
-            "path": "authorization",
-            "class": "oidcop.oidc.authorization.Authorization",
-            "kwargs": {},
-        },
-        "token_endpoint": {"path": "token", "class": "oidcop.oidc.token.Token", "kwargs": {}, },
-        "userinfo_endpoint": {
-            "path": "userinfo",
-            "class": "oidcop.oidc.userinfo.UserInfo",
-            "kwargs": {},
-        },
-        "introspection_endpoint": {
-            "path": "introspection",
-            "class": "oidcop.oauth2.introspection.Introspection",
-            "kwargs": {},
-        },
-    },
-    "token_handler_args": {
-        "jwks_def": {
-            "private_path": "private/token_jwks.json",
-            "read_only": False,
-            "key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
-        },
-        "code": {"kwargs": {"lifetime": 600}},
-        "token": {
-            "class": "oidcop.token.jwt_token.JWTToken",
-            "kwargs": {
-                "lifetime": 3600,
-                "add_claims_by_scope": True,
-                "aud": ["https://example.org/appl"],
-            },
-        },
-        "refresh": {
-            "class": "oidcop.token.jwt_token.JWTToken",
-            "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
-        },
-        "id_token": {"class": "oidcop.token.id_token.IDToken", "kwargs": {}},
-    },
-    "userinfo": {
-        "class": "oidcop.user_info.UserInfo",
-        "kwargs": {"db_file": full_path("users.json")},
-    },
-    "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
-}
-
-USER_ID = "diana"
-
-oidc_clients = {
-    "client_1": {
-        "client_secret": "Namnam",
-        "redirect_uris": [('https://openidconnect.net/callback', '')],
-        "response_types": ["code"],
-        "userinfo_add_claims_by_scope": False,
-        "id_token_add_claims_by_scope": False,
-        "userinfo_claims": ["email", "email_verified"],
-        "id_token_claims": ["email", "phone"]
-    }
-}
-
-oidc_clients_s = {
-    "client_1": {
-        "client_secret": "Namnam",
-        "redirect_uris": [('https://openidconnect.net/callback', '')],
-        "response_types": ["code"],
-        "add_claims": {
-            "by_scope": {
-                "userinfo": False,
-                "id_token": False
-            },
-            "always": {
-                "userinfo": ["email", "email_verified"],
-                "id_token": ["email", "phone"]
-            }
-        }
-    }
-}
-
-
-class TestEndpoint(object):
-    @pytest.fixture(autouse=True)
-    def create_idtoken(self):
-        server = Server(conf)
-        server.endpoint_context.cdb["client_1"] = {
-            "client_secret": "Namnam",
-            "redirect_uris": [('https://openidconnect.net/callback', '')],
-            "response_types": ["code"],
-            "add_claims_by_scope": False,
-        }
-        server.endpoint_context.cdb["client_2"] = {
-            "client_secret": "spraket",
-            "redirect_uris": [('https://app1.example.net/foo', ''),
-                              ('https://app2.example.net/bar', '')],
-            "response_types": ["code"],
-        }
-        server.endpoint_context.keyjar.add_symmetric(
-            "client_1", "Namnam", ["sig", "enc"]
-        )
-        server.endpoint_context.keyjar.add_symmetric(
-            "client_2", "spraket", ["sig", "enc"]
-        )
-        self.claims_interface = server.endpoint_context.claims_interface
-        self.endpoint_context = server.endpoint_context
-        self.session_manager = self.endpoint_context.session_manager
-        self.user_id = USER_ID
-        self.server = server
-
-    def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
-        if sector_identifier:
-            authz_req = auth_req.copy()
-            authz_req["sector_identifier_uri"] = sector_identifier
-        else:
-            authz_req = auth_req
-
-        client_id = authz_req["client_id"]
-        ae = create_authn_event(self.user_id)
-        return self.session_manager.create_session(
-            ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
-        )
-
-    def test_get_claims_id_token_1(self):
-        areq = copy.deepcopy(AREQS)
-        areq["client_id"] = "client_1"
-        session_id = self._create_session(areq)
-        self.session_manager.token_handler["id_token"].kwargs = {
-            "base_claims": {"email": None, "email_verified": None}
-        }
-        claims = self.claims_interface.get_claims(session_id, areq["scope"], "id_token")
-        assert set(claims.keys()) == {"email", "email_verified"}
-
-    def test_get_claims_id_token_2(self):
-        areq = copy.deepcopy(AREQS)
-        areq["client_id"] = "client_2"
-        session_id = self._create_session(areq)
-        self.session_manager.token_handler["id_token"].kwargs = {
-            "base_claims": {"email": None, "email_verified": None}
-        }
-        claims = self.claims_interface.get_claims(session_id, areq["scope"], "id_token")
-        assert set(claims.keys()) == {"email", "email_verified"}
-
-    def test_get_claims_userinfo_1(self):
-        areq = copy.deepcopy(AREQS)
-        areq["client_id"] = "client_1"
-        session_id = self._create_session(areq)
-        self.session_manager.token_handler["id_token"].kwargs = {
-            "base_claims": {"email": None, "email_verified": None}
-        }
-        claims = self.claims_interface.get_claims(session_id, areq["scope"], "userinfo")
-        assert set(claims.keys()) == {"email", "email_verified", "sub", "address"}
-
-    def test_get_claims_userinfo_2(self):
-        areq = copy.deepcopy(AREQS)
-        areq["client_id"] = "client_2"
-        session_id = self._create_session(areq)
-        self.session_manager.token_handler["id_token"].kwargs = {
-            "base_claims": {"email": None, "email_verified": None}
-        }
-        claims = self.claims_interface.get_claims(session_id, areq["scope"], "userinfo")
-        assert set(claims.keys()) == {"email", "email_verified", "sub", "address"}
-
-    # def test_authorization_request_userinfo_claims_2(self):
-    #     session_id = self._create_session(AREQ_2)
-    #
-    #     claims = self.claims_interface.authorization_request_claims(session_id, "userinfo")
-    #     assert claims == {}
-    #
-    # def test_authorization_request_userinfo_claims_3(self):
-    #     session_id = self._create_session(AREQ_3)
-    #
-    #     claims = self.claims_interface.authorization_request_claims(session_id, "userinfo")
-    #     assert set(claims.keys()) == {"name", "email", "email_verified"}
-    #
-    # @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
-    # def test_get_client_claims_0(self, usage):
-    #     claims = self.claims_interface._get_client_claims("client_1", usage)
-    #     assert claims == {}
-    #
-    # def test_get_client_claims_id_token_1(self):
-    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
-    #     claims = self.claims_interface._get_client_claims("client_1", "id_token")
-    #     assert set(claims.keys()) == {"name", "email"}
-    #
-    # def test_get_client_claims_userinfo_1(self):
-    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["email", "address"]
-    #     claims = self.claims_interface._get_client_claims("client_1", "userinfo")
-    #     assert set(claims.keys()) == {"address", "email"}
-    #
-    # def test_get_client_claims_introspection_1(self):
-    #     self.endpoint_context.cdb["client_1"]["introspection_claims"] = ["email"]
-    #     claims = self.claims_interface._get_client_claims("client_1", "introspection")
-    #     assert set(claims.keys()) == {"email"}
-    #
-    # @pytest.mark.parametrize("usage", ["id_token", "userinfo", "introspection", "token"])
-    # def test_get_claims(self, usage):
-    #     session_id = self._create_session(AREQ)
-    #     claims = self.claims_interface.get_claims(session_id, [], usage)
-    #     assert claims == {}
-    #
-    # def test_get_claims_id_token_1(self):
-    #     session_id = self._create_session(AREQ)
-    #     self.session_manager.token_handler["id_token"].kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None}
-    #     }
-    #     claims = self.claims_interface.get_claims(session_id, [], "id_token")
-    #     assert set(claims.keys()) == {"email", "email_verified"}
-    #
-    # def test_get_claims_id_token_2(self):
-    #     session_id = self._create_session(AREQ)
-    #     self.session_manager.token_handler["id_token"].kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None},
-    #         "enable_claims_per_client": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
-    #
-    #     claims = self.claims_interface.get_claims(session_id, [], "id_token")
-    #     assert set(claims.keys()) == {"name", "email", "email_verified"}
-    #
-    # def test_get_claims_id_token_3(self):
-    #     session_id = self._create_session(AREQ)
-    #     self.session_manager.token_handler["id_token"].kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None},
-    #         "enable_claims_per_client": True,
-    #         "add_claims_by_scope": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["id_token_claims"] = ["name", "email"]
-    #
-    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "id_token")
-    #     assert set(claims.keys()) == {
-    #         "name",
-    #         "email",
-    #         "email_verified",
-    #         "sub",
-    #         "address",
-    #     }
-    #
-    # def test_get_claims_userinfo_3(self):
-    #     _module = self.server.server_get("endpoint", "userinfo")
-    #     session_id = self._create_session(AREQ)
-    #     _module.kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None},
-    #         "enable_claims_per_client": True,
-    #         "add_claims_by_scope": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
-    #
-    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"], "userinfo")
-    #     assert set(claims.keys()) == {
-    #         "name",
-    #         "email",
-    #         "email_verified",
-    #         "sub",
-    #         "address",
-    #     }
-    #
-    # def test_get_claims_introspection_3(self):
-    #     _module = self.server.server_get("endpoint", "introspection")
-    #     _module.kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None},
-    #         "enable_claims_per_client": True,
-    #         "add_claims_by_scope": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["introspection_claims"] = [
-    #         "name",
-    #         "email",
-    #     ]
-    #
-    #     session_id = self._create_session(AREQ)
-    #     claims = self.claims_interface.get_claims(
-    #         session_id, ["openid", "address"], "introspection"
-    #     )
-    #     assert set(claims.keys()) == {
-    #         "name",
-    #         "email",
-    #         "email_verified",
-    #         "sub",
-    #         "address",
-    #     }
-    #
-    # def test_get_claims_access_token_3(self):
-    #     _module = self.endpoint_context.session_manager.token_handler["access_token"]
-    #     _module.kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None},
-    #         "enable_claims_per_client": True,
-    #         "add_claims_by_scope": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["access_token_claims"] = ["name", "email"]
-    #
-    #     session_id = self._create_session(AREQ)
-    #     claims = self.claims_interface.get_claims(session_id, ["openid", "address"],
-    #     "access_token")
-    #     assert set(claims.keys()) == {
-    #         "name",
-    #         "email",
-    #         "email_verified",
-    #         "sub",
-    #         "address",
-    #     }
-    #
-    # def test_get_claims_all_usage(self):
-    #     # Make sure everything is reset
-    #     self.session_manager.token_handler["id_token"].kwargs = {}
-    #     self.session_manager.token_handler["access_token"].kwargs = {}
-    #
-    #     self.server.server_get("endpoint", "userinfo").kwargs = {}
-    #     self.server.server_get("endpoint", "introspection").kwargs = {}
-    #
-    #     session_id = self._create_session(AREQ)
-    #     claims = self.claims_interface.get_claims_all_usage(session_id, ["openid", "address"])
-    #     assert set(claims.keys()) == {
-    #         "id_token",
-    #         "userinfo",
-    #         "introspection",
-    #         "access_token",
-    #     }
-    #     for usage in ["id_token", "userinfo", "introspection", "access_token"]:
-    #         assert claims[usage] == {}
-    #
-    # def test_get_claims_all_usage_2(self):
-    #     # make all different
-    #     self.session_manager.token_handler["id_token"].kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None}
-    #     }
-    #
-    #     self.server.server_get("endpoint", "userinfo").kwargs = {
-    #         "enable_claims_per_client": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
-    #
-    #     self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
-    #
-    #     self.endpoint_context.session_manager.token_handler["access_token"].kwargs = {}
-    #
-    #     session_id = self._create_session(AREQ)
-    #     claims = self.claims_interface.get_claims_all_usage(session_id, ["openid", "address"])
-    #
-    #     assert set(claims.keys()) == {
-    #         "id_token",
-    #         "userinfo",
-    #         "introspection",
-    #         "access_token",
-    #     }
-    #
-    #     assert set(claims["id_token"].keys()) == {"email", "email_verified"}
-    #     assert set(claims["userinfo"].keys()) == {"email", "name"}
-    #     assert set(claims["introspection"].keys()) == {"address", "sub"}
-    #     assert set(claims["access_token"].keys()) == set()
-    #
-    # def test_get_user_claims(self):
-    #     self.session_manager.token_handler["id_token"].kwargs = {
-    #         "base_claims": {"email": None, "email_verified": None}
-    #     }
-    #
-    #     self.server.server_get("endpoint", "userinfo").kwargs = {
-    #         "enable_claims_per_client": True,
-    #     }
-    #     self.endpoint_context.cdb["client_1"]["userinfo_claims"] = ["name", "email"]
-    #
-    #     self.server.server_get("endpoint", "introspection").kwargs = {"add_claims_by_scope": True}
-    #
-    #     self.endpoint_context.session_manager.token_handler["access_token"].kwargs = {}
-    #
-    #     session_id = self._create_session(AREQ)
-    #     claims_restriction = self.claims_interface.get_claims_all_usage(
-    #         session_id, ["openid", "address"]
-    #     )
-    #
-    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["userinfo"])
-    #     assert _claims == {"name": "Diana Krall", "email": "diana@example.org"}
-    #
-    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction["id_token"])
-    #     assert _claims == {"email_verified": False, "email": "diana@example.org"}
-    #
-    #     _claims = self.claims_interface.get_user_claims(
-    #         USER_ID, claims_restriction["introspection"]
-    #     )
-    #     # Note that sub is not a user claim
-    #     assert _claims == {
-    #         "address": {
-    #             "country": "Sweden",
-    #             "locality": "Umeå",
-    #             "postal_code": "SE-90187",
-    #             "street_address": "Umeå Universitet",
-    #         }
-    #     }
-    #
-    #     _claims = self.claims_interface.get_user_claims(USER_ID, claims_restriction[
-    #     "access_token"])
-    #     assert _claims == {}