From 9429d57f1c0965874c5dd2984debb0da16192f82 Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Mon, 16 Aug 2021 13:49:11 +0300
Subject: [PATCH] Handle ToOld token exception
---
 src/oidcop/client_authn.py | 3 +++
 tests/test_26_oidc_userinfo_endpoint.py | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/src/oidcop/client_authn.py b/src/oidcop/client_authn.py
index f02868d9..7678419a 100755
--- a/src/oidcop/client_authn.py
+++ b/src/oidcop/client_authn.py
@@ -22,6 +22,7 @@
 from oidcop.exception import InvalidClient
 from oidcop.exception import MultipleUsage
 from oidcop.exception import NotForMe
+from oidcop.exception import ToOld
 from oidcop.exception import UnknownClient
 from oidcop.util import importer
@@ -409,6 +410,8 @@ def verify_client(
 try:
 # get_client_id_from_token is a callback... Do not abuse for code readability.
 auth_info["client_id"] = get_client_id_from_token(endpoint_context, _token, request)
+ except ToOld:
+ raise ValueError("Expired token")
 except KeyError:
 raise ValueError("Unknown token")
diff --git a/tests/test_26_oidc_userinfo_endpoint.py b/tests/test_26_oidc_userinfo_endpoint.py
index e61262a8..41ebc65c 100755
--- a/tests/test_26_oidc_userinfo_endpoint.py
+++ b/tests/test_26_oidc_userinfo_endpoint.py
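Review bot: In src/oidcop/client_authn.py, the new `except ToOld:` branch raises `ValueError("Expired token")` with no `from` clause, so the original ToOld survives only as implicit context and the traceback reads like a failure inside the handler. Writing `except ToOld as err:` with `raise ValueError("Expired token") from err` states the translation explicitly; the neighbouring `except KeyError` has the same shape. The test added in this patch shows the message reaches the caller as `error_description`, so a comment such as `# returned to the client as error_description; keep it free of token details` would help the next editor. verify_client starts and ends outside the hunk.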
@@ -381,6 +381,27 @@ def test_invalid_token(self):
 assert isinstance(args, ResponseMessage)
 assert args["error_description"] == "Invalid Token"
+ def test_expired_token(self, monkeypatch):
+ _auth_req = AUTH_REQ.copy()
+ _auth_req["scope"] = ["openid", "research_and_scholarship"]
+
+ session_id = self._create_session(_auth_req)
+ grant = self.session_manager[session_id]
+ access_token = self._mint_token("access_token", grant, session_id)
+
+ http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
+
+ def mock():
+ return time_sans_frac() + access_token.expires_at + 1
+
+ monkeypatch.setattr("oidcop.token.time_sans_frac", mock)
+
+ _req = self.endpoint.parse_request({}, http_info=http_info)
+
+ assert _req.to_dict() == {
+ "error": "invalid_token", "error_description": "Expired token"
+ }
+
 def test_userinfo_claims(self):
 _acr = "https://refeds.org/profile/mfa"
 _auth_req = AUTH_REQ.copy()
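Review bot: `mock()` in test_expired_token returns `time_sans_frac() + access_token.expires_at + 1`, which adds the current time to the expiry value. If `expires_at` is an absolute timestamp, as the name suggests, the patched clock lands far past expiry rather than one second past it, so the boundary the `+ 1` seems to aim for is never exercised; `return access_token.expires_at + 1` would pin it. A short comment on why `"oidcop.token.time_sans_frac"` is the patched name would also help, since the monkeypatch only affects lookups made through that module.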