4 changes: 3 additions & 1 deletion src/oidcendpoint/authz/__init__.py
Expand Up @@ -62,7 +62,9 @@ def __call__(self, session_id: str, request: Union[dict, Message],

claims = request.get("claims")
if claims:
args["claims"] = claims.to_dict()
if isinstance(request, Message):
claims = claims.to_dict()
args["claims"] = claims

session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
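Review bot: The type test at `if isinstance(request, Message):` keys the conversion on the container rather than on the value that actually gets `.to_dict()` called on it; testing `claims` itself is both more precise and robust to a dict request that carries a Message-valued `claims`, or a Message request whose `get` hands back a plain dict. Suggest `if isinstance(claims, Message): claims = claims.to_dict()` in place of the two-line container check. Whether the current form can mis-fire depends on what `Message.get` returns, which is not visible here, so that part is inferred. The enclosing `__call__` begins above and continues below the hunk.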
3 changes: 1 addition & 2 deletions src/oidcendpoint/oauth2/authorization.py
Expand Up @@ -316,7 +316,6 @@ def mint_token(self, token_type, grant, session_id, based_on=None):
session_id=session_id,
endpoint_context=self.endpoint_context,
token_type=token_type,
token_handler=_mngr.token_handler["access_token"],
based_on=based_on,
usage_rules=usage_rules
)
Expand Down Expand Up @@ -795,7 +794,7 @@ def post_authentication(self, request: Union[dict, Message],
_cookie = new_cookie(
self.endpoint_context,
sid=session_id,
state=request["state"],
state=request.get("state"),
cookie_name=self.endpoint_context.cookie_name["session"],
)

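Review bot: `state=request.get("state")` in post_authentication now hands `None` to `new_cookie` whenever the authorization request carried no `state`, and nothing in the hunk shows whether `new_cookie` tolerates that (it might skip the field, or it might serialize the literal string "None" into the cookie); confirm before relying on it. A short comment would spare the next reader the same question: `# state is optional in an authorization request; new_cookie must accept None`. The first hunk in mint_token only drops the `token_handler` keyword from a call whose callee is outside the view, and both enclosing functions start and end outside their hunks.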
28 changes: 22 additions & 6 deletions src/oidcendpoint/oidc/add_on/pkce.py
Expand Up @@ -47,8 +47,11 @@ def post_authn_parse(request, client_id, endpoint_context, **kwargs):
request["code_challenge_method"] = "plain"

if (
request["code_challenge_method"]
not in endpoint_context.args["pkce"]["code_challenge_methods"]
"code_challenge" in request
and (
request["code_challenge_method"]
not in endpoint_context.args["pkce"]["code_challenge_methods"]
)
):
return AuthorizationErrorResponse(
error="invalid_request",
Expand Down Expand Up @@ -121,7 +124,22 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):


def add_pkce_support(endpoint, **kwargs):
endpoint["authorization"].post_parse_request.append(post_authn_parse)
authn_endpoint = endpoint.get("authorization")
if authn_endpoint is None:
LOGGER.warning(
"No authorization endpoint found, skipping PKCE configuration"
)
return

token_endpoint = endpoint.get("token")
if token_endpoint is None:
LOGGER.warning(
"No token endpoint found, skipping PKCE configuration"
)
return

authn_endpoint.post_parse_request.append(post_authn_parse)
token_endpoint.post_parse_request.append(post_token_parse)

if "essential" not in kwargs:
kwargs["essential"] = False
Expand All @@ -136,6 +154,4 @@ def add_pkce_support(endpoint, **kwargs):
raise ValueError("Unsupported method: {}".format(method))
kwargs["code_challenge_methods"][method] = CC_METHOD[method]

endpoint["authorization"].endpoint_context.args["pkce"] = kwargs

endpoint["token"].post_parse_request.append(post_token_parse)
authn_endpoint.endpoint_context.args["pkce"] = kwargs
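Review bot: add_pkce_support now returns silently, with only a warning, when the `authorization` or `token` endpoint is missing, so a misnamed endpoint key leaves PKCE unenforced with no failure at startup; for an add-on whose job is to harden the code flow, failing loudly is safer, e.g. `raise ValueError("PKCE add-on requires both 'authorization' and 'token' endpoints")` in place of each `return`, or at minimum a docstring that tells operators the skip happens and where it is logged. The function has no docstring; it should state that `kwargs` is stored as `endpoint_context.args["pkce"]`, that `essential` defaults to False, and that each entry of `code_challenge_methods` is validated against `CC_METHOD`. In the first hunk, the new `"code_challenge" in request` guard means a request without `code_challenge` still has `code_challenge_method` set to "plain" on the line above (presumably under a missing-method check that starts before the hunk), which is harmless only if post_token_parse also keys off the presence of `code_challenge` — that function's body is not in view, so I cannot confirm. The middle of add_pkce_support between the two hunks is collapsed in this view.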
6 changes: 3 additions & 3 deletions src/oidcendpoint/oidc/token.py
Expand Up @@ -21,6 +21,7 @@
from oidcendpoint.session.grant import Grant
from oidcendpoint.session.grant import RefreshToken
from oidcendpoint.session.token import Token as sessionToken
from oidcendpoint.token.exception import UnknownToken
from oidcendpoint.util import importer

logger = logging.getLogger(__name__)
Expand Down Expand Up @@ -105,7 +106,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
_session_info = _mngr.get_session_info_by_token(_access_code, grant=True)
grant = _session_info["grant"]

code = _mngr.find_token(_session_info["session_id"], _access_code)
code = grant.get_token(_access_code)
_authn_req = grant.authorization_request

# If redirect_uri was in the initial authorization request
Expand All @@ -128,7 +129,6 @@ def process_request(self, req: Union[Message, dict], **kwargs):
_response = {
"token_type": "Bearer",
"scope": grant.scope,
"state": _authn_req["state"]
}

token = self._mint_token(token_type="access_token",
Expand Down Expand Up @@ -180,7 +180,7 @@ def post_parse_request(self, request: Union[Message, dict],
try:
_session_info = _mngr.get_session_info_by_token(request["code"],
grant=True)
except KeyError:
except (KeyError, UnknownToken):
logger.error("Access Code invalid")
return self.error_cls(error="invalid_grant",
error_description="Unknown code")
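Review bot: `code = grant.get_token(_access_code)` replaces the session-manager lookup with a grant-level one, and the hunk does not show what `get_token` does when the code is not present on the grant; if it returns `None` rather than raising, the later use of `code` (outside the hunk) fails with an AttributeError instead of the clean `invalid_grant` that post_parse_request now produces for `UnknownToken`. Either confirm that `get_token` raises, or guard it: `if code is None: return self.error_cls(error="invalid_grant", error_description="Unknown code")`. The widened `except (KeyError, UnknownToken)` in post_parse_request is consistent with that error path and a comment such as `# UnknownToken: code not issued by this server or already consumed` would document why both are caught — I am inferring the second half from the name. Both process_request and post_parse_request start and end outside their hunks.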
25 changes: 12 additions & 13 deletions src/oidcendpoint/session/claims.py
Expand Up @@ -42,12 +42,12 @@ def authorization_request_claims(self, session_id: str, usage: Optional[str] = "

def _get_client_claims(self, client_id, usage):
client_info = self.endpoint_context.cdb.get(client_id, {})
return client_info.get("{}_claims".format(usage), {})
client_claims = client_info.get("{}_claims".format(usage), {})
if isinstance(client_claims, list):
client_claims = {k: None for k in client_claims}
return client_claims

def get_claims(self,
session_id: str,
usage: str,
scopes: Optional[str] = None) -> dict:
def get_claims(self, session_id: str, scopes: str, usage: str) -> dict:
"""

:param session_id: Session identifier
Expand Down Expand Up @@ -91,14 +91,13 @@ def get_claims(self,
# Scopes can in some cases equate to set of claims, is that used here ?
if module and module.kwargs.get("add_claims_by_scope"):
if scopes:
_supported = self.endpoint_context.provider_info.get("scopes_supported", [])
if _supported:
_scopes = set(_supported).intersection(set(scopes))
else:
_scopes = scopes

_claims = convert_scopes2claims(_scopes,
map=self.endpoint_context.scope2claims)
_scopes = self.endpoint_context.scopes_handler.filter_scopes(
client_id, self.endpoint_context, scopes
)

_claims = convert_scopes2claims(
_scopes, map=self.endpoint_context.scope2claims
)
claims.update(_claims)

# Bring in claims specification from the authorization request
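Review bot: The new signature `def get_claims(self, session_id: str, scopes: str, usage: str) -> dict:` swaps the positional order of `usage` and `scopes` and drops the default for `scopes`; any caller still passing `usage` positionally as the second argument now gets a TypeError at best, or at worst silently uses the usage string as the scope collection and the scope collection as the `usage` key for `_get_client_claims`, which changes which claims are released. If the reorder is intentional, making both keyword-only, `def get_claims(self, session_id: str, *, scopes, usage: str) -> dict:`, turns any mismatch into an immediate error; I cannot see the callers from here. The annotation `scopes: str` also looks wrong: the old code did `set(scopes)` on it and the new code passes it to `filter_scopes` as a collection, so a `list[str]` or `Iterable[str]` hint would match the use. The docstring that follows the signature still has an empty summary line before the `:param` entries; a one-sentence purpose would help, and `_get_client_claims` should note that a bare list in the client registration is normalised to a `{claim: None}` mapping.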