diff --git a/doc/index.rst b/doc/index.rst
index 23034e78..719287eb 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -11,6 +11,7 @@ Contents:
 :maxdepth: 2
 intro
+ move
 message/index
 server/index
 client/index
diff --git a/pyproject.toml b/pyproject.toml
index e319c2f8..23d32c3d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 [metadata]
 name = "idpyoidc"
-version = "1.0.9"
+version = "1.0.10"
 author = "Roland Hedberg"
 author_email = "roland@catalogix.se"
 description = "Everything OAuth2 and OIDC"
diff --git a/src/idpyoidc/__init__.py b/src/idpyoidc/__init__.py
index b2f7fd59..87d3712c 100644
--- a/src/idpyoidc/__init__.py
+++ b/src/idpyoidc/__init__.py
@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "1.0.9"
+__version__ = "1.0.10"
 import os
 from typing import Dict
diff --git a/src/idpyoidc/server/oauth2/authorization.py b/src/idpyoidc/server/oauth2/authorization.py
index a9dc5967..0d9a9135 100755
--- a/src/idpyoidc/server/oauth2/authorization.py
+++ b/src/idpyoidc/server/oauth2/authorization.py
@@ -528,7 +528,10 @@ def _unwrap_identity(self, identity):
 except BadSyntax:
 return identity
 else:
- _id = b64d(as_bytes(identity))
+ try:
+ _id = b64d(as_bytes(identity))
+ except BadSyntax:
+ return identity
 return json.loads(as_unicode(_id))
diff --git a/src/idpyoidc/server/oauth2/token.py b/src/idpyoidc/server/oauth2/token.py
index 6960b0d3..1600db92 100755
--- a/src/idpyoidc/server/oauth2/token.py
+++ b/src/idpyoidc/server/oauth2/token.py
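Review bot: The new try/except in the `else:` branch of `_unwrap_identity` only covers `b64d`; `json.loads(as_unicode(_id))` on the following context line can still raise `json.JSONDecodeError` (or `UnicodeDecodeError` out of `as_unicode`) for a value that base64-decodes to something other than UTF-8 JSON, so the fallback this hunk introduces — hand the identity back untouched when it is not a wrapped value — does not cover that case and the request ends in an unhandled exception. Both of those are `ValueError` subclasses, so `except (BadSyntax, ValueError): return identity` wrapped around the decode and the `json.loads` together would close the gap. A short why-comment would also help the next reader, e.g. `# Anything that is not base64-wrapped JSON is treated as a plain identity string`. The start of `_unwrap_identity` (the outer `try`) lies before the hunk.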
@@ -7,11 +7,13 @@
 from idpyoidc.message import Message
 from idpyoidc.message.oauth2 import AccessTokenResponse
 from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.message.oauth2 import TokenExchangeRequest
 from idpyoidc.message.oidc import TokenErrorResponse
 from idpyoidc.server.endpoint import Endpoint
 from idpyoidc.server.exception import ProcessError
 from idpyoidc.server.oauth2.token_helper import AccessTokenHelper
 from idpyoidc.server.oauth2.token_helper import RefreshTokenHelper
+from idpyoidc.server.session.token import TOKEN_TYPES_MAPPING
 from idpyoidc.util import importer
 logger = logging.getLogger(__name__)
@@ -125,8 +127,14 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
 _access_token = response_args["access_token"]
 _context = self.server_get("endpoint_context")
+
+ if isinstance(request, TokenExchangeRequest):
+ _handler_key = TOKEN_TYPES_MAPPING[request["requested_token_type"]]
+ else:
+ _handler_key = "access_token"
+
 _session_info = _context.session_manager.get_session_info_by_token(
- _access_token, grant=True
+ _access_token, grant=True, handler_key=_handler_key
 )
 _cookie = _context.new_cookie(
diff --git a/src/idpyoidc/server/oauth2/token_helper.py b/src/idpyoidc/server/oauth2/token_helper.py
index bd7ab359..300aefdb 100755
--- a/src/idpyoidc/server/oauth2/token_helper.py
+++ b/src/idpyoidc/server/oauth2/token_helper.py
@@ -2,6 +2,7 @@
 from typing import Optional
 from typing import Union
+from cryptojwt import BadSyntax
 from cryptojwt.exception import JWKESTException
 from idpyoidc.exception import ImproperlyConfigured
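Review bot: `TOKEN_TYPES_MAPPING[request["requested_token_type"]]` in the new `isinstance` branch of `process_request` is an unguarded lookup: a TokenExchangeRequest without `requested_token_type` (the parameter is optional in the token-exchange grant) or with a URN outside the three-entry mapping raises `KeyError` out of the endpoint instead of producing an error response, and none of the `except` clauses touched by this commit wrap this line. Unless `requested_token_type` is validated earlier (not visible here; `process_request` begins before the hunk), resolve it defensively, roughly `_handler_key = TOKEN_TYPES_MAPPING.get(request.get("requested_token_type", ""), "access_token")`, or return an `invalid_request` error for an unmapped type. The `else` branch also silently assumes that every non-TokenExchangeRequest request (including the plain `dict` the signature allows) minted an access token; a one-line comment stating that assumption would make the fallback reviewable.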
@@ -120,7 +121,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 except KeyError:
 # Missing code parameter - absolutely fatal
 return self.error_cls(error="invalid_request", error_description="Missing code")
- _session_info = _mngr.get_session_info_by_token(_access_code, grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ _access_code, grant=True, handler_key="authorization_code"
+ )
 client_id = _session_info["client_id"]
 if client_id != req["client_id"]:
 logger.debug("{} owner of token".format(client_id))
@@ -208,7 +211,9 @@ def post_parse_request(
 _mngr = self.endpoint.server_get("endpoint_context").session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["code"], grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ request["code"], grant=True, handler_key="authorization_code"
+ )
 except (KeyError, UnknownToken):
 logger.error("Access Code invalid")
 return self.error_cls(error="invalid_grant", error_description="Unknown code")
@@ -241,7 +246,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 return self.error_cls(error="invalid_request", error_description="Wrong grant_type")
 token_value = req["refresh_token"]
- _session_info = _mngr.get_session_info_by_token(token_value, grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ token_value, grant=True, handler_key="refresh_token"
+ )
 logger.debug("Session info: {}".format(_session_info))
 if _session_info["client_id"] != req["client_id"]:
@@ -335,7 +342,9 @@ def post_parse_request(
 _mngr = _context.session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ request["refresh_token"], grant=True, handler_key="refresh_token"
+ )
 except (KeyError, UnknownToken):
 logger.error("Refresh token invalid")
 return self.error_cls(error="invalid_grant", error_description="Invalid refresh token")
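Review bot: The refresh-token `post_parse_request` hunk (`@@ -335`) and the code `post_parse_request` hunk (`@@ -208`) keep `except (KeyError, UnknownToken):` although this file now imports `BadSyntax` and the oidc counterpart changed in the same commit widens the identical clause to `except (KeyError, UnknownToken, BadSyntax):`. With `handler_key` selecting one specific handler, a token value in the wrong format presumably raises `BadSyntax` from that handler's `info()` (the token-exchange hunk in this file catches it for that reason), and here it would propagate as an unhandled exception instead of the `invalid_grant` response. Suggest aligning both clauses: `except (KeyError, UnknownToken, BadSyntax):`. The two `process_request` hunks (`@@ -120`, `@@ -241`) do the lookup with no `try` at all; if they rely on `post_parse_request` having already validated the token, a comment such as `# token value already validated in post_parse_request` would make that dependency explicit.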
@@ -414,13 +423,18 @@ def post_parse_request(self, request, client_id="", **kwargs):
 _mngr = _context.session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["subject_token"], grant=True)
- except (KeyError, UnknownToken):
- logger.error("Subject token invalid.")
+ # token exchange is about minting one token based on another
+ _handler_key = self.token_types_mapping[request["subject_token_type"]]
+ _session_info = _mngr.get_session_info_by_token(
+ request["subject_token"], grant=True, handler_key=_handler_key
+ )
+ except (KeyError, UnknownToken, BadSyntax) as err:
+ logger.error(f"Subject token invalid ({err}).")
 return self.error_cls(
 error="invalid_request", error_description="Subject token invalid"
 )
+ # Find the token instance based on the token value
 token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
 if token.is_active() is False:
 return self.error_cls(
@@ -511,7 +525,10 @@ def process_request(self, request, **kwargs):
 _context = self.endpoint.server_get("endpoint_context")
 _mngr = _context.session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["subject_token"], grant=True)
+ _handler_key = self.token_types_mapping[request["subject_token_type"]]
+ _session_info = _mngr.get_session_info_by_token(
+ request["subject_token"], grant=True, handler_key=_handler_key
+ )
 except ToOld:
 logger.error("Subject token has expired.")
 return self.error_cls(
diff --git a/src/idpyoidc/server/oidc/add_on/pkce.py b/src/idpyoidc/server/oidc/add_on/pkce.py
index c14f3c09..298b0ac7 100644
--- a/src/idpyoidc/server/oidc/add_on/pkce.py
+++ b/src/idpyoidc/server/oidc/add_on/pkce.py
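Review bot: Moving `self.token_types_mapping[request["subject_token_type"]]` inside the `try` folds an unsupported or missing `subject_token_type` (a `KeyError` on the mapping) into the same `Subject token invalid` response as an unknown token, and the test change in `tests/test_server_36_oauth2_token_exchange.py` in this commit confirms the more specific `Unsupported subject token type` message is lost; resolving `_handler_key` before the `try` keeps the two failures distinguishable and stops `KeyError` doing double duty. The new `logger.error(f"Subject token invalid ({err}).")` interpolates the exception object, so if `BadSyntax` echoes the offending input in its message (not visible here) the rejected token value lands in the error log — logging `type(err).__name__` instead would avoid that. The same unguarded mapping lookup is repeated in the `process_request` hunk (`@@ -511`) where only `ToOld` is caught. Finally, `self.token_types_mapping` covers the same URNs as the module-level `TOKEN_TYPES_MAPPING` added to `session/token.py` in this commit; one table would keep the two from drifting.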
@@ -99,7 +99,7 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):
 try:
 _session_info = endpoint_context.session_manager.get_session_info_by_token(
- request["code"], grant=True
+ request["code"], grant=True, handler_key="authorization_code"
 )
 except KeyError:
 return TokenErrorResponse(error="invalid_grant", error_description="Unknown access grant")
diff --git a/src/idpyoidc/server/oidc/token_helper.py b/src/idpyoidc/server/oidc/token_helper.py
index 4ddea761..c4b519ae 100755
--- a/src/idpyoidc/server/oidc/token_helper.py
+++ b/src/idpyoidc/server/oidc/token_helper.py
@@ -2,6 +2,7 @@
 from typing import Optional
 from typing import Union
+from cryptojwt import BadSyntax
 from cryptojwt.jwe.exception import JWEException
 from cryptojwt.jws.exception import NoSuitableSigningKeys
 from cryptojwt.jwt import utc_time_sans_frac
@@ -29,7 +30,9 @@ def _get_session_info(self, request, session_manager):
 except KeyError:
 # Missing code parameter - absolutely fatal
 return self.error_cls(error="invalid_request", error_description="Missing code")
- _session_info = session_manager.get_session_info_by_token(_access_code, grant=True)
+ _session_info = session_manager.get_session_info_by_token(
+ _access_code, grant=True, handler_key="authorization_code"
+ )
 logger.debug(f"Session info: {_session_info}")
 return _session_info, _access_code
@@ -174,7 +177,9 @@ def post_parse_request(
 _mngr = self.endpoint.server_get("endpoint_context").session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["code"], grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ request["code"], grant=True, handler_key="authorization_code"
+ )
 except (KeyError, UnknownToken):
 logger.error("Access Code invalid")
 return self.error_cls(error="invalid_grant", error_description="Unknown code")
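Review bot: `post_token_parse` in the PKCE add-on still catches only `KeyError` around the now handler-specific lookup, whereas the sibling code handlers in `oauth2/token_helper.py` and `oidc/token_helper.py` catch `(KeyError, UnknownToken)` and the refresh paths in this commit add `BadSyntax`; an unknown or malformed code submitted together with a PKCE verifier would therefore raise out of the add-on instead of returning the `invalid_grant` response. Suggest `except (KeyError, UnknownToken):` here as well (importing `UnknownToken` if the file does not already), so the add-on fails the same way the token endpoint does.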
@@ -211,7 +216,10 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 return self.error_cls(error="invalid_request", error_description="Wrong grant_type")
 token_value = req["refresh_token"]
- _session_info = _mngr.get_session_info_by_token(token_value, grant=True)
+
+ _session_info = _mngr.get_session_info_by_token(
+ token_value, handler_key="refresh_token", grant=True
+ )
 if _session_info["client_id"] != req["client_id"]:
 logger.debug("{} owner of token".format(_session_info["client_id"]))
 logger.warning("{} using token it was not given".format(req["client_id"]))
@@ -299,7 +307,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 ):
 revoke_refresh = _context.cdb[req["client_id"]].get("revoke_refresh_on_issue")
 else:
- revoke_refresh = revoke_refresh = self.endpoint.revoke_refresh_on_issue
+ revoke_refresh = self.endpoint.revoke_refresh_on_issue
 if revoke_refresh:
 token.revoke()
@@ -328,8 +336,10 @@ def post_parse_request(
 _mngr = _context.session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True)
- except (KeyError, UnknownToken):
+ _session_info = _mngr.get_session_info_by_token(
+ request["refresh_token"], handler_key="refresh_token", grant=True
+ )
+ except (KeyError, UnknownToken, BadSyntax):
 logger.error("Refresh token invalid")
 return self.error_cls(error="invalid_grant", error_description="Invalid refresh token")
diff --git a/src/idpyoidc/server/oidc/userinfo.py b/src/idpyoidc/server/oidc/userinfo.py
index 3af8757e..ebeb2979 100755
--- a/src/idpyoidc/server/oidc/userinfo.py
+++ b/src/idpyoidc/server/oidc/userinfo.py
@@ -48,7 +48,9 @@ def __init__(self, server_get: Callable, add_claims_by_scope: Optional[bool] = T
 self.allowed_targets.append("")
 def get_client_id_from_token(self, endpoint_context, token, request=None):
- _info = endpoint_context.session_manager.get_session_info_by_token(token)
+ _info = endpoint_context.session_manager.get_session_info_by_token(
+ token, handler_key="access_token"
+ )
 return _info["client_id"]
 def do_response(
@@ -113,7 +115,9 @@ def do_response(
 def process_request(self, request=None, **kwargs):
 _mngr = self.server_get("endpoint_context").session_manager
 try:
- _session_info = _mngr.get_session_info_by_token(request["access_token"], grant=True)
+ _session_info = _mngr.get_session_info_by_token(
+ request["access_token"], grant=True, handler_key="access_token"
+ )
 except (KeyError, ValueError):
 return self.error_cls(error="invalid_token", error_description="Invalid Token")
diff --git a/src/idpyoidc/server/session/manager.py b/src/idpyoidc/server/session/manager.py
index b71962b5..5072aad5 100644
--- a/src/idpyoidc/server/session/manager.py
+++ b/src/idpyoidc/server/session/manager.py
@@ -14,6 +14,7 @@
 from idpyoidc.server.authn_event import AuthnEvent
 from idpyoidc.server.exception import ConfigurationError
 from idpyoidc.server.session.database import NoSuchClientSession
+from idpyoidc.server.token import Token
 from idpyoidc.util import rndstr
 from ..token import UnknownToken
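Review bot: `process_request` in userinfo catches only `(KeyError, ValueError)` around the now handler-specific lookup, and the updated expectation in `tests/test_server_26_oidc_userinfo_endpoint.py` (`Wrong type of token` → `Invalid Token`) shows that a non-access token is now rejected inside that lookup, so whatever the `access_token` handler raises for a foreign token format has to fall inside that tuple for the response to stay a clean `invalid_token` error. `UnknownToken` and `BadSyntax`, which the token-endpoint handlers in this commit catch for the same situation, do not appear to be `ValueError` subclasses (not verifiable from the hunk), so `except (KeyError, ValueError, UnknownToken, BadSyntax):` would be the consistent clause. `get_client_id_from_token` (`@@ -48`) performs the same lookup with no guard at all; since it looks like it runs during client authentication, give it the same handling or document that its caller owns the exception, e.g. `# Raises on an unknown/foreign token; caller maps this to a client-auth failure`.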
@@ -559,13 +560,18 @@ def _compatible_sid(self, sid):
 def get_session_info_by_token(
 self,
 token_value: str,
- user_session_info: bool = False,
- client_session_info: bool = False,
- grant: bool = False,
- authentication_event: bool = False,
- authorization_request: bool = False,
+ user_session_info: Optional[bool] = False,
+ client_session_info: Optional[bool] = False,
+ grant: Optional[bool] = False,
+ authentication_event: Optional[bool] = False,
+ authorization_request: Optional[bool] = False,
+ handler_key: Optional[str] = "",
 ) -> dict:
- _token_info = self.token_handler.info(token_value)
+ if handler_key:
+ _token_info = self.token_handler.handler[handler_key].info(token_value)
+ else:
+ _token_info = self.token_handler.info(token_value)
+
 sid = _token_info.get("sid")
 # If the token is an ID Token then the sid will not be in the
 # _token_info
diff --git a/src/idpyoidc/server/session/token.py b/src/idpyoidc/server/session/token.py
index 02c00c9d..0d6d6c80 100644
--- a/src/idpyoidc/server/session/token.py
+++ b/src/idpyoidc/server/session/token.py
@@ -273,3 +273,9 @@ def __init__(
 "refresh_token": RefreshToken,
 "id_token": IDToken,
 }
+
+TOKEN_TYPES_MAPPING = {
+ "urn:ietf:params:oauth:token-type:access_token": "access_token",
+ "urn:ietf:params:oauth:token-type:refresh_token": "refresh_token",
+ "urn:ietf:params:oauth:token-type:id_token": "id_token",
+}
diff --git a/src/idpyoidc/server/token/jwt_token.py b/src/idpyoidc/server/token/jwt_token.py
index c0948744..9c8ab32a 100644
--- a/src/idpyoidc/server/token/jwt_token.py
+++ b/src/idpyoidc/server/token/jwt_token.py
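Review bot: `handler_key: Optional[str] = ""` keeps the old catch-all `self.token_handler.info(token_value)` as the default path of `get_session_info_by_token`, so any caller not updated in this commit (or third-party code using this API) still resolves a token with whichever handler happens to accept it — the cross-class token confusion this change is apparently meant to close stays reachable through the default. Consider making the parameter required, or at least logging a warning on the fallback branch so the remaining call sites can be found, and adding a docstring that states the contract: which handler `handler_key` selects, that an unknown key raises `KeyError` from `self.token_handler.handler[...]` (which the callers in this commit conflate with "unknown token"), and that `""` means "try every handler". `Optional[bool] = False` on the five existing flags is misleading since `None` is never a meaningful value for them — plain `bool` was correct. `from idpyoidc.server.token import Token` added in the `@@ -14` hunk is not used anywhere in the visible hunks (unused unless referenced elsewhere in the file).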
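Review bot: `TOKEN_TYPES_MAPPING` in `session/token.py` is a public module-level constant with no comment; its values are passed straight through as `handler_key` by `oauth2/token.py`, so they must match the names registered in `token_handler.handler`, and a reader has no way to see that. A line such as `# RFC 8693 token-type URNs -> token handler keys (must match the class table above and token_handler.handler)` would pin the invariant. The token-exchange helper in `oauth2/token_helper.py` keeps its own `self.token_types_mapping` for the same URNs; pointing one at the other would keep the two from drifting.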
@@ -6,25 +6,26 @@ from idpyoidc.encrypter import init_encrypter from idpyoidc.server.exception import ToOld -from . import is_expired + +from ..constant import DEFAULT_TOKEN_LIFETIME from . import Token +from . import is_expired from .exception import UnknownToken from .exception import WrongTokenClass -from ..constant import DEFAULT_TOKEN_LIFETIME class JWTToken(Token): def __init__( - self, - token_class, - # keyjar: KeyJar = None, - issuer: str = None, - aud: Optional[list] = None, - alg: str = "ES256", - lifetime: int = DEFAULT_TOKEN_LIFETIME, - server_get: Callable = None, - token_type: str = "Bearer", - **kwargs + self, + token_class, + # keyjar: KeyJar = None, + issuer: str = None, + aud: Optional[list] = None, + alg: str = "ES256", + lifetime: int = DEFAULT_TOKEN_LIFETIME, + server_get: Callable = None, + token_type: str = "Bearer", + **kwargs ): Token.__init__(self, token_class, **kwargs) self.token_type = token_type @@ -45,11 +46,11 @@ def load_custom_claims(self, payload: dict = None): return payload def __call__( - self, - session_id: Optional[str] = "", - token_class: Optional[str] = "", - usage_rules: Optional[dict] = None, - **payload + self, + session_id: Optional[str] = "", + token_class: Optional[str] = "", + usage_rules: Optional[dict] = None, + **payload ) -> str: """ Return a token. diff --git a/tests/request123456.jwt b/tests/request123456.jwt index 2e8824e6..0bdafecd 100644 --- a/tests/request123456.jwt +++ b/tests/request123456.jwt 
@@ -1 +1 @@ -eyJhbGciOiJSUzI1NiIsImtpZCI6IlNVc3dOaTFNUkZsRFQwWTJZalUxWjFSZlFsbzJTM2RFYTNGVFRrVjNMVGhGY25oRFRIRjVlbGsyVlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJvWkpBNTRnZTVaUndNalkwOVVLVnpwYkx5MEdNUEwwaCIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTYzMzU5NTc4OSwgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdfQ.KVMPK6leJ5pEXnJ0jXiXu21U176IU9iwkT4FkQV_33jGYTsgdqCqXw5XHR1ciixdcH2cWf0SzTPOgIzGsI4NJiPNdR9xOusYRyYKZciXHq85nrM7fr7dEPaVntWCU6uadH0MNHWCcq2FyBdz2YYDuiFPUXoxkFbfWZoo_jVMAWLxGQtGEitniI49qo0zbeSFck4hBmEtQTUOrGQvg_CjkSZb5oNb5rt_X5T-ZSK9y3AeKru4HLSQRkWj-oD-Fgd60Sm3XqfLQXrx26lk4a8ORah01BMmMsi5jeIUbOTthhhglZhMwoI9xCZ57I4SF7870-PrinIByW8d2keA1-LipQ \ No newline at end of file +eyJhbGciOiJSUzI1NiIsImtpZCI6IlNIRXlZV2N3TlZrMExUZFJPVFp6WjJGVVduZElWWGRhY2sweFdVTTVTRXB3Y1MwM2RWVXhXVTR6UlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJGYVVaSm02TDdTc251d2JEbEQ0Z20wbkg2eHpBTTVlR19nWG5sRmlhX19zIiwgImNsaWVudF9pZCI6ICJjbGllbnRfaWQiLCAiaXNzIjogImNsaWVudF9pZCIsICJpYXQiOiAxNjUwMzkzMDQ3LCAiYXVkIjogWyJodHRwczovL2V4YW1wbGUuY29tIl19.ARTBLchcBOpUX5kuvZzVyfw-ad6skc498Ll93sRwGoNrxZosNdHVTP25FtrDx8GVcBoA1OSYFq7Zmx9d7DJib-uukylEQl-5widvWmC0s-14uSRfLiSulqtB43FrCji9dXl6T5uAOgGxzoNo5dVSwfeIcenjqBuiJslxuHy4AQ7S-gRi02E_uEaqWOytkUoOwaIKcMiujbpo4VWOzDv9pK4C6C89uuHSMxfWpwi27T2vFLa6icfuQuXcxOZabs1lJUJt84Aclh_mz58E1YDlowRAuUu8RkpICAnQwxgzlCGwj3mzJxxFVVUCnRVnrB-BG7e3XXQBcf536BtYOyOfCQ \ No newline at end of file diff --git a/tests/test_server_10_session_manager.py b/tests/test_server_10_session_manager.py index d9920f01..c2926696 100644 --- a/tests/test_server_10_session_manager.py +++ b/tests/test_server_10_session_manager.py 
@@ -364,7 +364,9 @@ def test_get_session_info_by_token(self): grant = self.session_manager.get_grant(_session_id) code = self._mint_token("authorization_code", grant, _session_id) - _session_info = self.session_manager.get_session_info_by_token(code.value) + _session_info = self.session_manager.get_session_info_by_token( + code.value, handler_key="authorization_code" + ) assert set(_session_info.keys()) == { "client_id", diff --git a/tests/test_server_13_user_authn.py b/tests/test_server_13_user_authn.py index c0add4fd..0b537cad 100644 --- a/tests/test_server_13_user_authn.py +++ b/tests/test_server_13_user_authn.py @@ -133,11 +133,13 @@ def test_userpassjinja2(self): def test_basic_auth(self): basic_auth = base64.b64encode(b"diana:krall").decode() ba = BasicAuthn(pwd={"diana": "krall"}, server_get=self.server.server_get) - ba.authenticated_as(client_id="", authorization=f"Basic {basic_auth}") + _info, _time_stamp = ba.authenticated_as(client_id="", authorization=f"Basic {basic_auth}") + assert _info def test_no_auth(self): basic_auth = base64.b64encode( b"D\xfd\x8a\x85\xa6\xd1\x16\xe4\\6\x1e\x9ds~\xc3\t\x95\x99\x83\x91\x1f\xfb:iviviviv" ) ba = SymKeyAuthn(symkey=b"0" * 32, ttl=600, server_get=self.server.server_get) - ba.authenticated_as(client_id="", authorization=basic_auth) + _info, _time_stamp = ba.authenticated_as(client_id="", authorization=basic_auth) + assert _info diff --git a/tests/test_server_24_oauth2_token_endpoint.py b/tests/test_server_24_oauth2_token_endpoint.py index b75d18d7..0e6d52db 100644 --- a/tests/test_server_24_oauth2_token_endpoint.py +++ b/tests/test_server_24_oauth2_token_endpoint.py 
@@ -353,7 +353,9 @@ def test_do_refresh_access_token(self): _request["refresh_token"] = _resp["response_args"]["refresh_token"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = ["access_token", "refresh_token"] @@ -409,7 +411,9 @@ def test_do_2nd_refresh_access_token(self): # Make sure ID Tokens can also be used by this refesh token _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -578,7 +582,9 @@ def test_refresh_scopes(self): } _token_value = _resp["response_args"]["access_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="access_token" + ) at = self.session_manager.find_token(_session_info["session_id"], _token_value) rt = self.session_manager.find_token( _session_info["session_id"], _resp["response_args"]["refresh_token"] 
@@ -652,7 +658,9 @@ def test_refresh_more_scopes_2(self): } _token_value = _resp["response_args"]["access_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="access_token" + ) at = self.session_manager.find_token(_session_info["session_id"], _token_value) rt = self.session_manager.find_token( _session_info["session_id"], _resp["response_args"]["refresh_token"] @@ -752,7 +760,9 @@ def test_refresh_token_request_other_client(self): _request["refresh_token"] = _resp["response_args"]["refresh_token"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = ["access_token", "refresh_token"] diff --git a/tests/test_server_26_oidc_userinfo_endpoint.py b/tests/test_server_26_oidc_userinfo_endpoint.py index 2407a10f..2d664b00 100755 --- a/tests/test_server_26_oidc_userinfo_endpoint.py +++ b/tests/test_server_26_oidc_userinfo_endpoint.py @@ -488,7 +488,7 @@ def test_wrong_type_of_token(self): args = self.endpoint.process_request(_req, http_info=http_info) assert isinstance(args, ResponseMessage) - assert args["error_description"] == "Wrong type of token" + assert args["error_description"] == "Invalid Token" def test_invalid_token(self): _auth_req = AUTH_REQ.copy() diff --git a/tests/test_server_30_oidc_end_session.py b/tests/test_server_30_oidc_end_session.py index 2651303e..36f0f9de 100644 --- a/tests/test_server_30_oidc_end_session.py +++ b/tests/test_server_30_oidc_end_session.py 
@@ -294,7 +294,9 @@ def _mint_token(self, token_class, grant, session_id, token_ref=None): def test_end_session_endpoint_with_cookie(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) cookie = self._create_cookie(_session_info["session_id"]) http_info = {"cookie": [cookie]} resp = self.session_endpoint.process_request({"state": "foo"}, http_info=http_info) @@ -342,7 +344,9 @@ def test_end_session_endpoint_with_cookie_dual_login(self): _resp = self._code_auth("1234567") self._code_auth2("abcdefg") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) cookie = self._create_cookie(_session_info["session_id"]) http_info = {"cookie": [cookie]} @@ -362,7 +366,9 @@ def test_end_session_endpoint_with_post_logout_redirect_uri(self): _resp = self._code_auth("1234567") self._code_auth2("abcdefg") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) cookie = self._create_cookie(_session_info["session_id"]) http_info = {"cookie": [cookie]} @@ -477,7 +483,7 @@ def test_logout_from_client_bc(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] _session_info = self.session_manager.get_session_info_by_token( - _code, client_session_info=True + _code, client_session_info=True, handler_key="authorization_code" ) self.session_endpoint.server_get("endpoint_context").cdb["client_1"][ 
@@ -505,7 +511,7 @@ def test_logout_from_client_fc(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] _session_info = self.session_manager.get_session_info_by_token( - _code, client_session_info=True + _code, client_session_info=True, handler_key="authorization_code" ) # del self.session_endpoint.server_get("endpoint_context").cdb['client_1'][ @@ -529,7 +535,7 @@ def test_logout_from_client(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] _session_info = self.session_manager.get_session_info_by_token( - _code, client_session_info=True, grant=True + _code, client_session_info=True, grant=True, handler_key="authorization_code" ) _grant_code = self.session_manager.find_token(_session_info["session_id"], _code) id_token1 = self._mint_token( @@ -539,7 +545,7 @@ def test_logout_from_client(self): _resp2 = self._code_auth2("abcdefg") _code2 = _resp2["response_args"]["code"] _session_info2 = self.session_manager.get_session_info_by_token( - _code2, client_session_info=True, grant=True + _code2, client_session_info=True, grant=True, handler_key="authorization_code" ) _grant_code2 = self.session_manager.find_token(_session_info2["session_id"], _code2) id_token2 = self._mint_token( @@ -593,7 +599,9 @@ def test_do_verified_logout(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) _cdb = self.session_endpoint.server_get("endpoint_context").cdb _cdb["client_1"]["backchannel_logout_uri"] = "https://example.com/bc_logout" _cdb["client_1"]["client_id"] = "client_1" 
@@ -604,7 +612,9 @@ def test_do_verified_logout(self): def test_logout_from_client_unknow_sid(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) self._code_auth2("abcdefg") _uid, _cid, _gid = self.session_manager.decrypt_session_id(_session_info["session_id"]) @@ -615,7 +625,9 @@ def test_logout_from_client_unknow_sid(self): def test_logout_from_client_no_session(self): _resp = self._code_auth("1234567") _code = _resp["response_args"]["code"] - _session_info = self.session_manager.get_session_info_by_token(_code) + _session_info = self.session_manager.get_session_info_by_token( + _code, handler_key="authorization_code" + ) self._code_auth2("abcdefg") # client0 diff --git a/tests/test_server_33_oauth2_pkce.py b/tests/test_server_33_oauth2_pkce.py index a95daf51..ff44eb26 100644 --- a/tests/test_server_33_oauth2_pkce.py +++ b/tests/test_server_33_oauth2_pkce.py @@ -261,7 +261,7 @@ def test_no_code_challenge_method(self): assert isinstance(resp["response_args"], AuthorizationResponse) session_info = self.session_manager.get_session_info_by_token( - resp["response_args"]["code"], grant=True + resp["response_args"]["code"], grant=True, handler_key="authorization_code" ) session_info["grant"].authorization_request["code_challenge_method"] = "plain" diff --git a/tests/test_server_35_oidc_token_endpoint.py b/tests/test_server_35_oidc_token_endpoint.py index 0120db56..1ce18887 100755 --- a/tests/test_server_35_oidc_token_endpoint.py +++ b/tests/test_server_35_oidc_token_endpoint.py 
@@ -372,7 +372,9 @@ def test_do_refresh_access_token(self): _request["refresh_token"] = _resp["response_args"]["refresh_token"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -418,7 +420,9 @@ def test_do_2nd_refresh_access_token(self): # Make sure ID Tokens can also be used by this refesh token _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -480,7 +484,9 @@ def test_refresh_scopes(self): _request["scope"] = ["openid", "offline_access"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", 
@@ -506,7 +512,9 @@ def test_refresh_scopes(self): ) _token_value = _resp["response_args"]["access_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="access_token" + ) at = self.session_manager.find_token(_session_info["session_id"], _token_value) rt = self.session_manager.find_token( _session_info["session_id"], _resp["response_args"]["refresh_token"] @@ -532,7 +540,9 @@ def test_refresh_more_scopes(self): _request["scope"] = ["openid", "offline_access", "profile"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -567,7 +577,9 @@ def test_refresh_more_scopes_2(self): _request["scope"] = ["openid", "offline_access"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -579,7 +591,9 @@ def test_refresh_more_scopes_2(self): _resp = self.token_endpoint.process_request(request=_req) _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", 
@@ -609,7 +623,9 @@ def test_refresh_more_scopes_2(self): ) _token_value = _resp["response_args"]["access_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="access_token" + ) at = self.session_manager.find_token(_session_info["session_id"], _token_value) rt = self.session_manager.find_token( _session_info["session_id"], _resp["response_args"]["refresh_token"] @@ -643,7 +659,9 @@ def test_refresh_less_scopes(self): _request["scope"] = ["openid", "offline_access"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -680,7 +698,9 @@ def test_refresh_no_openid_scope(self): _request["scope"] = ["offline_access"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", @@ -719,7 +739,9 @@ def test_refresh_no_offline_access_scope(self): _request["scope"] = ["openid"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = [ "access_token", 
@@ -974,7 +996,9 @@ def test_refresh_token_request_other_client(self): _request["refresh_token"] = _resp["response_args"]["refresh_token"] _token_value = _resp["response_args"]["refresh_token"] - _session_info = self.session_manager.get_session_info_by_token(_token_value) + _session_info = self.session_manager.get_session_info_by_token( + _token_value, handler_key="refresh_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], _token_value) _token.usage_rules["supports_minting"] = ["access_token", "refresh_token"] diff --git a/tests/test_server_36_oauth2_token_exchange.py b/tests/test_server_36_oauth2_token_exchange.py index 8d9d9302..f1c34261 100644 --- a/tests/test_server_36_oauth2_token_exchange.py +++ b/tests/test_server_36_oauth2_token_exchange.py @@ -729,7 +729,7 @@ def test_unsupported_subject_token_type(self, unsupported_type): _resp = self.endpoint.process_request(request=_req) assert set(_resp.keys()) == {"error", "error_description"} assert _resp["error"] == "invalid_request" - assert _resp["error_description"] == "Unsupported subject token type" + assert _resp["error_description"] == "Subject token invalid" def test_unsupported_actor_token(self): """ diff --git a/tests/test_server_60_dpop.py b/tests/test_server_60_dpop.py index 1245383a..c048bee5 100644 --- a/tests/test_server_60_dpop.py +++ b/tests/test_server_60_dpop.py @@ -270,6 +270,8 @@ def test_process_request(self): assert _payload["cnf"]["jkt"] == _req["dpop_jkt"] # Make sure DPoP also is in the session access token instance. - _session_info = self.session_manager.get_session_info_by_token(access_token) + _session_info = self.session_manager.get_session_info_by_token( + access_token, handler_key="access_token" + ) _token = self.session_manager.find_token(_session_info["session_id"], access_token) assert _token.token_type == "DPoP"