From 6dd6b4b133feeda805f331b1946ca6b704b9dec6 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Thu, 8 Jul 2021 11:52:56 +0200
Subject: [PATCH] For debugging purpose nice to know what was put in the ID Token and also what was in a received ID Token.
---
 example/flask_op/views.py | 1 +
 requirements.txt | 2 +-
 src/oidcop/token/id_token.py | 5 +++++
 tests/test_05_id_token.py | 17 +++++++++++++++++
 4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/example/flask_op/views.py b/example/flask_op/views.py
index f8e485b6..a10d41fc 100644
--- a/example/flask_op/views.py
+++ b/example/flask_op/views.py
@@ -32,6 +32,7 @@ def _add_cookie(resp, cookie_spec):
 for k,v in cookie_spec.items() if k not in ('name',)}
 kwargs["path"] = "/"
+ kwargs["samesite"] = "Lax"
 resp.set_cookie(cookie_spec["name"], **kwargs)
diff --git a/requirements.txt b/requirements.txt
index 9126daf7..d7aa79dd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-oidcmsg>=1.3.0
+oidcmsg>=1.4.0
 pyyaml
 jinja2>=2.11.3
 responses>=0.13.0
diff --git a/src/oidcop/token/id_token.py b/src/oidcop/token/id_token.py
index 6d08ed0d..bf044f68 100755
--- a/src/oidcop/token/id_token.py
+++ b/src/oidcop/token/id_token.py
@@ -134,6 +134,7 @@ def payload(
 self, session_id, alg="RS256", code=None, access_token=None, extra_claims=None,
 ):
 """
+ Collect payload for the ID Token.
 :param session_id: Session identifier
 :param alg: Which signing algorithm to use for the IdToken
@@ -197,6 +198,8 @@ def payload(
 except KeyError:
 pass
+ logger.debug(f"Constructed ID Token payload: {_args}")
+
 return _args
 def sign_encrypt(
@@ -297,6 +300,8 @@ def info(self, token):
 except JWSException:
 raise UnknownToken()
+ logger.debug(f"Received ID Token payload: {_payload}")
+
 if is_expired(_payload["exp"]):
 raise ToOld("Token has expired")
 # All the token metadata
diff --git a/tests/test_05_id_token.py b/tests/test_05_id_token.py
index 8bac2025..38dfbe18 100644
--- a/tests/test_05_id_token.py
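Review bot: In `_add_cookie` (example/flask_op/views.py) the added `kwargs["samesite"] = "Lax"` runs after `kwargs` has been built from `cookie_spec`, so a `samesite` value supplied by the cookie spec is silently overwritten. If configuration is meant to control cookie attributes, `kwargs.setdefault("samesite", "Lax")` keeps Lax as the default without discarding an explicit setting. The hunk does not show whether `secure` and `httponly` reach `set_cookie` through `cookie_spec`; a short comment naming the attributes the example expects from configuration would help readers who copy it. The function begins above the hunk.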
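Review bot: The new `logger.debug(f"Constructed ID Token payload: {_args}")` in `payload` (src/oidcop/token/id_token.py) writes the complete claim set to the log, and the matching call added in `info` does the same for received tokens. ID Token claims identify the subject and can carry user attributes passed in through `extra_claims`, so enabling debug logging copies personal data into log storage that is usually retained longer and read more widely than the token itself. Consider logging only the claim names, for example `logger.debug("Constructed ID Token claims: %s", sorted(_args))` (assuming `_args` is a dict), which also defers formatting until the record is actually emitted. In `info` the call sits before the `is_expired` check, so expired tokens are logged as well; if that is intended, a comment saying so would help. Both function bodies extend beyond their hunks.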
+++ b/tests/test_05_id_token.py
@@ -609,3 +609,20 @@ def test_id_token_acr_claim(self):
 _jwt = factory(id_token.value)
 _id_token_content = _jwt.jwt.payload()
 assert _id_token_content["acr"] == "https://refeds.org/profile/mfa"
+
+ def test_id_token_acr_none(self):
+ _req = AREQS.copy()
+ _req["claims"] = {"id_token": {"acr": None}}
+
+ session_id = self._create_session(_req,authn_info="https://refeds.org/profile/mfa")
+ grant = self.session_manager[session_id]
+ code = self._mint_code(grant, session_id)
+ access_token = self._mint_access_token(grant, session_id, code)
+
+ id_token = self._mint_id_token(
+ grant, session_id, token_ref=code, access_token=access_token.value
+ )
+
+ _jwt = factory(id_token.value)
+ _id_token_content = _jwt.jwt.payload()
+ assert _id_token_content["acr"] == "https://refeds.org/profile/mfa"
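Review bot: `test_id_token_acr_none` ends with the same assertion as the `test_id_token_acr_claim` context above it, and nothing in the body says why a request with `{"acr": None}` should still yield the session's `acr`. A one-line docstring such as `"""A null acr request (claim requested in the default manner) still returns the acr of the authentication performed."""` would make the intent visible. As a style point, `self._create_session(_req,authn_info=...)` is missing the space after the comma. The two debug log calls this commit adds are not exercised by any test in this hunk.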