From 030991d3b2e9087e6100be40df15016149102609 Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Tue, 1 Jun 2021 13:14:42 +0300
Subject: [PATCH] Properly handle id token introsprection

---
 src/oidcop/oauth2/introspection.py | 3 ++-
 src/oidcop/session/manager.py | 11 ++++++++---
 tests/test_31_oauth2_introspection.py | 22 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/src/oidcop/oauth2/introspection.py b/src/oidcop/oauth2/introspection.py
index de32f720..c298c12d 100644
--- a/src/oidcop/oauth2/introspection.py
+++ b/src/oidcop/oauth2/introspection.py
@@ -6,6 +6,7 @@
 
 from oidcop.endpoint import Endpoint
 from oidcop.token.exception import UnknownToken
+from oidcop.token.exception import WrongTokenClass
 
 LOGGER = logging.getLogger(__name__)
 
@@ -94,7 +95,7 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
 _session_info = _context.session_manager.get_session_info_by_token(
 request_token, grant=True
 )
- except UnknownToken:
+ except (UnknownToken, WrongTokenClass):
 return {"response_args": _resp}
 
 grant = _session_info["grant"]
diff --git a/src/oidcop/session/manager.py b/src/oidcop/session/manager.py
index 4ca89870..fde11af8 100644
--- a/src/oidcop/session/manager.py
+++ b/src/oidcop/session/manager.py
@@ -18,6 +18,7 @@
 from .info import ClientSessionInfo
 from .info import UserSessionInfo
 from ..token import UnknownToken
+from ..token import WrongTokenClass
 from ..token.handler import TokenHandler
 
 logger = logging.getLogger(__name__)
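Review bot: The widened `except (UnknownToken, WrongTokenClass):` in process_request now returns the inactive response for two different conditions without leaving any trace, so an operator cannot distinguish a client probing with unknown tokens from one submitting ID Tokens to the introspection endpoint. Bind the exception and log only its class, never the token value: `except (UnknownToken, WrongTokenClass) as err:` followed by `LOGGER.debug("introspection rejected token: %s", type(err).__name__)` before the existing `return {"response_args": _resp}`. Returning bare `_resp` is the right outcome, assuming `_resp` is initialised to `{"active": False}` earlier in the function, which is outside the hunk. process_request starts and continues outside the hunk.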
@@ -457,8 +458,13 @@ def get_session_info_by_token(
 authorization_request: bool = False,
 ) -> dict:
 _token_info = self.token_handler.info(token_value)
- sid = _token_info["sid"]
- session_info = self.get_session_info(
+ sid = _token_info.get("sid")
+ # If the token is an ID Token then the sid will not be in the
+ # _token_info
+ if not sid:
+ raise WrongTokenClass
+
+ return self.get_session_info(
 sid,
 user_session_info=user_session_info,
 client_session_info=client_session_info,
@@ -466,7 +472,6 @@ def get_session_info_by_token(
 authentication_event=authentication_event,
 authorization_request=authorization_request,
 )
- return session_info
 
 def get_session_id_by_token(self, token_value: str) -> str:
 _token_info = self.token_handler.info(token_value)
diff --git a/tests/test_31_oauth2_introspection.py b/tests/test_31_oauth2_introspection.py
index 52cb6330..39e94b67 100644
--- a/tests/test_31_oauth2_introspection.py
+++ b/tests/test_31_oauth2_introspection.py
@@ -115,6 +115,9 @@ def create_endpoint(self, jwt_token):
 "class": "oidcop.token.jwt_token.JWTToken",
 "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
 },
+ "id_token": {
+ "class": "oidcop.token.id_token.IDToken",
+ }
 },
 "endpoint": {
 "authorization": {
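Review bot: `raise WrongTokenClass` in get_session_info_by_token is raised bare, so the only context a caller's log can ever carry is the class name, and the new comment overstates the case: the guard fires for any token whose info lacks `sid`, not only for ID Tokens. Suggest `raise WrongTokenClass("token info carries no session id")` (if WrongTokenClass accepts a message) and rewording the comment to `# Tokens not bound to a session (e.g. an ID Token) carry no sid`. The sibling get_session_id_by_token, shown as context in the second hunk, presumably still does the `_token_info["sid"]` lookup on the line after the hunk ends; if so it raises KeyError for the same input and would benefit from the same guard. get_session_info_by_token's signature begins outside the hunk.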
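Review bot: The new `"id_token"` entry in create_endpoint closes with a bare `}` while the sibling token entries above it close with `},`, so the next entry added to this mapping will fail to parse at this line rather than its own. Change the closing line to `},` to match. The enclosing dict literal starts and ends outside the hunk.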
@@ -469,3 +472,22 @@ def test_revoked_access_token(self):
 )
 _resp = self.introspection_endpoint.process_request(_req)
 assert _resp["response_args"]["active"] is False
+
+ def test_introspect_id_token(self):
+ session_id = self._create_session(AUTH_REQ)
+ grant = self.token_endpoint.server_get("endpoint_context").authz(session_id, AUTH_REQ)
+ self.session_manager[session_id] = grant
+ code = self._mint_token("authorization_code", grant, session_id)
+ id_token = self._mint_token("id_token", grant, session_id, code)
+
+ _context = self.introspection_endpoint.server_get("endpoint_context")
+ _req = self.introspection_endpoint.parse_request(
+ {
+ "token": id_token.value,
+ "client_id": "client_1",
+ "client_secret": _context.cdb["client_1"]["client_secret"],
+ }
+ )
+ _resp = self.introspection_endpoint.process_request(_req)
+
+ assert _resp["response_args"]["active"] is False
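Review bot: test_introspect_id_token only asserts `active is False`, which would also pass if the endpoint returned the inactive flag alongside claims copied from the ID Token, and the point of this change is that no session data is released for a token that cannot be introspected. If process_request initialises `_resp` as `{"active": False}` (outside this diff), tighten the final check to `assert _resp["response_args"] == {"active": False}`. A one-line comment above the assertion such as `# an ID Token is not an introspectable token; it must be reported as inactive` would record why the expected answer is "inactive" rather than an error response. The test class begins outside the hunk.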