diff --git a/src/oidcendpoint/authz/__init__.py b/src/oidcendpoint/authz/__init__.py
index b21b9a3..2277df8 100755
--- a/src/oidcendpoint/authz/__init__.py
+++ b/src/oidcendpoint/authz/__init__.py
@@ -62,7 +62,9 @@ def __call__(self, session_id: str, request: Union[dict, Message],
 claims = request.get("claims")
 if claims:
- args["claims"] = claims.to_dict()
+ if isinstance(request, Message):
+ claims = claims.to_dict()
+ args["claims"] = claims
 session_info = self.endpoint_context.session_manager.get_session_info(
 session_id=session_id, grant=True
diff --git a/src/oidcendpoint/oauth2/authorization.py b/src/oidcendpoint/oauth2/authorization.py
index b80a3c2..d4b006e 100755
--- a/src/oidcendpoint/oauth2/authorization.py
+++ b/src/oidcendpoint/oauth2/authorization.py
@@ -316,7 +316,6 @@ def mint_token(self, token_type, grant, session_id, based_on=None):
 session_id=session_id,
 endpoint_context=self.endpoint_context,
 token_type=token_type,
- token_handler=_mngr.token_handler["access_token"],
 based_on=based_on,
 usage_rules=usage_rules
 )
@@ -795,7 +794,7 @@ def post_authentication(self, request: Union[dict, Message],
 _cookie = new_cookie(
 self.endpoint_context,
 sid=session_id,
- state=request["state"],
+ state=request.get("state"),
 cookie_name=self.endpoint_context.cookie_name["session"],
 )
diff --git a/src/oidcendpoint/oidc/add_on/pkce.py b/src/oidcendpoint/oidc/add_on/pkce.py
index ffb9845..e760dd0 100644
--- a/src/oidcendpoint/oidc/add_on/pkce.py
+++ b/src/oidcendpoint/oidc/add_on/pkce.py
@@ -47,8 +47,11 @@ def post_authn_parse(request, client_id, endpoint_context, **kwargs):
 request["code_challenge_method"] = "plain"
 if (
- request["code_challenge_method"]
- not in endpoint_context.args["pkce"]["code_challenge_methods"]
+ "code_challenge" in request
+ and (
+ request["code_challenge_method"]
+ not in endpoint_context.args["pkce"]["code_challenge_methods"]
+ )
 ):
 return AuthorizationErrorResponse(
 error="invalid_request",
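Review bot: In the new non-Message path of the `claims` handling, a plain-dict request stores `request["claims"]` into `args["claims"]` with no type check, so a caller that still carries the `claims` authorization parameter as its raw JSON string persists a string where the Message branch persists a dict. A one-line normalisation keeps the two branches equivalent: `elif isinstance(claims, str): claims = json.loads(claims)` (assuming `json` is importable in this module — the header is outside the hunk), or reject non-dict values outright. `__call__` begins and ends outside this hunk.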
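Review bot: Dropping `token_handler=_mngr.token_handler["access_token"]` removes the only use of `_mngr` visible in this hunk of `mint_token`; if `_mngr` was assigned solely for that argument it is now an unused local — check the lines above, which are outside the hunk. The old call pinned every token type to the access-token handler, so the callee must now pick the handler from `token_type` itself; confirm refresh tokens and id tokens are minted with their own handlers after this change, since the hunk cannot show it.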
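Review bot: `state=request.get("state")` now passes `None` to `new_cookie` whenever the authorization request omits `state`; the previous `request["state"]` raised in that case, so `new_cookie` may never have been exercised with a missing value — confirm it serialises `None` sensibly, or pass `request.get("state", "")` if it expects a string. Because `state` is the only per-request value bound into this cookie besides `sid`, a comment such as `# state is optional in OAuth 2.0; the cookie stays bound to the session via sid` would record why the lookup is now tolerant. `post_authentication` starts and ends outside the hunk.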
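Review bot: The reworked condition validates `code_challenge_method` only when `code_challenge` is present, so a request carrying a `code_challenge_method` but no `code_challenge` now passes silently instead of returning `invalid_request`; that is presumably intended for non-PKCE clients, but if the `essential` flag stored in `endpoint_context.args["pkce"]` is meant to force PKCE, make sure a missing `code_challenge` is rejected before this point — the start of `post_authn_parse` is outside the hunk. The `code_challenge` value itself is not validated here either; RFC 7636 §4.2 bounds it to 43–128 characters of the unreserved set, and a check such as `if "code_challenge" in request and not 43 <= len(request["code_challenge"]) <= 128: return AuthorizationErrorResponse(error="invalid_request", error_description="Malformed code_challenge")` rejects malformed values at the authorization endpoint rather than at token exchange. Note also that the context line above still defaults a missing method to `plain`, which RFC 7636 permits but OAuth 2.1 drafts deprecate; whether `plain` is actually accepted is then governed solely by the configured `code_challenge_methods`.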
@@ -121,7 +124,22 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):
 def add_pkce_support(endpoint, **kwargs):
- endpoint["authorization"].post_parse_request.append(post_authn_parse)
+ authn_endpoint = endpoint.get("authorization")
+ if authn_endpoint is None:
+ LOGGER.warning(
+ "No authorization endpoint found, skipping PKCE configuration"
+ )
+ return
+
+ token_endpoint = endpoint.get("token")
+ if token_endpoint is None:
+ LOGGER.warning(
+ "No token endpoint found, skipping PKCE configuration"
+ )
+ return
+
+ authn_endpoint.post_parse_request.append(post_authn_parse)
+ token_endpoint.post_parse_request.append(post_token_parse)
 if "essential" not in kwargs:
 kwargs["essential"] = False
@@ -136,6 +154,4 @@ def add_pkce_support(endpoint, **kwargs):
 raise ValueError("Unsupported method: {}".format(method))
 kwargs["code_challenge_methods"][method] = CC_METHOD[method]
- endpoint["authorization"].endpoint_context.args["pkce"] = kwargs
-
- endpoint["token"].post_parse_request.append(post_token_parse)
+ authn_endpoint.endpoint_context.args["pkce"] = kwargs
diff --git a/src/oidcendpoint/oidc/token.py b/src/oidcendpoint/oidc/token.py
index 0e51713..27f3894 100755
--- a/src/oidcendpoint/oidc/token.py
+++ b/src/oidcendpoint/oidc/token.py
@@ -21,6 +21,7 @@ from oidcendpoint.session.grant import Grant
 from oidcendpoint.session.grant import RefreshToken
 from oidcendpoint.session.token import Token as sessionToken
+from oidcendpoint.token.exception import UnknownToken
 from oidcendpoint.util import importer
 logger = logging.getLogger(__name__)
@@ -105,7 +106,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 _session_info = _mngr.get_session_info_by_token(_access_code, grant=True)
 grant = _session_info["grant"]
- code = _mngr.find_token(_session_info["session_id"], _access_code)
+ code = grant.get_token(_access_code)
 _authn_req = grant.authorization_request
 # If redirect_uri was in the initial authorization request
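Review bot: The two early returns make PKCE configuration fail open: when the `authorization` or `token` endpoint is missing, `add_pkce_support` only logs a warning, so an operator who configured `essential=True` gets a server that accepts non-PKCE flows with no startup error. Raise in that case rather than warn, e.g. `if kwargs.get("essential"): raise ValueError("PKCE is essential but the authorization/token endpoint is not configured")` before each `return`, or once after both lookups. `LOGGER` is not defined anywhere in this hunk; it is presumably the module-level logger, but confirm it exists since these are the only lines that reference it here.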
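Review bot: `authn_endpoint.endpoint_context.args["pkce"] = kwargs` is now the last statement, after the `raise ValueError("Unsupported method: ...")` loop, while both `post_parse_request.append(...)` calls were moved to the top of the function; an invalid `code_challenge_methods` entry therefore leaves the hooks registered but `endpoint_context.args["pkce"]` unset, and the next authorization request dies with a `KeyError` inside `post_authn_parse` instead of the configuration error surfacing at startup. Move the two `append` calls down to follow this assignment so hooks are only installed once the configuration has been validated. The middle of `add_pkce_support` lies between the two hunks.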
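Review bot: `code = grant.get_token(_access_code)` drops the session-id-scoped lookup; if `get_token` returns `None` for a value the grant does not hold, the later use of `code` (outside the hunk) fails with an `AttributeError` rather than an `invalid_grant` response. The `post_parse_request` hunk below already rejects unknown codes, so this is probably unreachable, but an explicit `if code is None: return self.error_cls(error="invalid_grant", error_description="Unknown code")` makes the assumption visible. Whether the code is marked used or revoked after this exchange (authorization codes are single-use per RFC 6749 §4.1.2) is not shown in this hunk — worth confirming in the rest of `process_request`, which begins and ends outside it.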
@@ -128,7 +129,6 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 _response = {
 "token_type": "Bearer",
 "scope": grant.scope,
- "state": _authn_req["state"]
 }
 token = self._mint_token(token_type="access_token",
@@ -180,7 +180,7 @@ def post_parse_request(self, request: Union[Message, dict],
 try:
 _session_info = _mngr.get_session_info_by_token(request["code"], grant=True)
- except KeyError:
+ except (KeyError, UnknownToken):
 logger.error("Access Code invalid")
 return self.error_cls(error="invalid_grant", error_description="Unknown code")
diff --git a/src/oidcendpoint/session/claims.py b/src/oidcendpoint/session/claims.py
index b669c02..b389cb4 100755
--- a/src/oidcendpoint/session/claims.py
+++ b/src/oidcendpoint/session/claims.py
@@ -42,12 +42,12 @@ def authorization_request_claims(self, session_id: str, usage: Optional[str] = "
 def _get_client_claims(self, client_id, usage):
 client_info = self.endpoint_context.cdb.get(client_id, {})
- return client_info.get("{}_claims".format(usage), {})
+ client_claims = client_info.get("{}_claims".format(usage), {})
+ if isinstance(client_claims, list):
+ client_claims = {k: None for k in client_claims}
+ return client_claims
- def get_claims(self,
- session_id: str,
- usage: str,
- scopes: Optional[str] = None) -> dict:
+ def get_claims(self, session_id: str, scopes: str, usage: str) -> dict:
 """
 :param session_id: Session identifier
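Review bot: The widened `except (KeyError, UnknownToken)` still folds two distinct failures into `invalid_grant`: a request with no `code` parameter at all (the `KeyError` can come from `request["code"]` in the `try` body) and a code that is unknown or already consumed. RFC 6749 §5.2 specifies `invalid_request` for a missing required parameter, so test presence first, `if "code" not in request: return self.error_cls(error="invalid_request", error_description="Missing code")`, and keep `KeyError` in the `except` only if `get_session_info_by_token` can raise it itself. `logger.error` for a client-supplied bad code is also loud for an expected condition; `warning` is the usual level. `post_parse_request` starts and ends outside the hunk.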
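Review bot: The new `get_claims(self, session_id, scopes, usage)` signature swaps `usage` and `scopes` relative to the old `(session_id, usage, scopes=None)`, so any caller that still passes them positionally, `get_claims(sid, "userinfo", scopes)`, now runs with `usage` bound to the scope list and `scopes` bound to `"userinfo"`; `_get_client_claims` then looks up a key built from the list and silently returns nothing instead of failing. Making both keyword-only, `def get_claims(self, session_id: str, *, scopes: str, usage: str) -> dict:`, turns that into an immediate `TypeError` — callers are outside this diff, so this is a risk rather than an observed bug. The annotation `scopes: str` also looks wrong: the body treats it as a collection of scope names. The list-to-dict normalisation in `_get_client_claims` is sound; a comment such as `# client config may list bare claim names; normalise to the {name: None} claims-request form` would explain the `None` values.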
@@ -91,14 +91,13 @@ def get_claims(self,
 # Scopes can in some cases equate to set of claims, is that used here ?
 if module and module.kwargs.get("add_claims_by_scope"):
 if scopes:
- _supported = self.endpoint_context.provider_info.get("scopes_supported", [])
- if _supported:
- _scopes = set(_supported).intersection(set(scopes))
- else:
- _scopes = scopes
-
- _claims = convert_scopes2claims(_scopes,
- map=self.endpoint_context.scope2claims)
+ _scopes = self.endpoint_context.scopes_handler.filter_scopes(
+ client_id, self.endpoint_context, scopes
+ )
+
+ _claims = convert_scopes2claims(
+ _scopes, map=self.endpoint_context.scope2claims
+ )
 claims.update(_claims)
 # Bring in claims specification from the authorization request
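Review bot: Replacing the `scopes_supported` intersection with `scopes_handler.filter_scopes(client_id, ...)` changes what an unknown or client-disallowed scope does: the removed code passed the requested scopes through unfiltered whenever `scopes_supported` was empty, so whether this hunk narrows or widens claim release depends entirely on how `filter_scopes` behaves for a client with no scope restriction — confirm it falls back to the provider's supported scopes rather than returning its input unchanged. `client_id` is not defined within the hunk and must be bound earlier in `get_claims`, which starts and ends outside it. The context comment above is now stale and should read something like `# Map requested scopes to claims: filter by what this client may request, then expand via scope2claims`.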