From 3c5e05f79ca7638e53f5c5ae6ab8fdf73a3aad5e Mon Sep 17 00:00:00 2001
From: Mikko Keskinen
Date: Fri, 30 Apr 2021 10:22:05 +0300
Subject: [PATCH] Extract token creations to their own methods

This enables subclasses to customize the token and code creation.
---
 oidc_provider/lib/endpoints/authorize.py | 37 +++++++++++++++---------
 oidc_provider/lib/endpoints/token.py | 30 +++++++++++++------
 2 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 51a75c6f..9d6adc55 100644
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -126,6 +126,28 @@ def validate_params(self):
 raise AuthorizeError(
 self.params['redirect_uri'], 'invalid_request', self.grant_type)
 
+ def create_code(self):
+ code = create_code(
+ user=self.request.user,
+ client=self.client,
+ scope=self.params['scope'],
+ nonce=self.params['nonce'],
+ is_authentication=self.is_authentication,
+ code_challenge=self.params['code_challenge'],
+ code_challenge_method=self.params['code_challenge_method'],
+ )
+
+ return code
+
+ def create_token(self):
+ token = create_token(
+ user=self.request.user,
+ client=self.client,
+ scope=self.params['scope'],
+ )
+
+ return token
+
 def create_response_uri(self):
 uri = urlsplit(self.params['redirect_uri'])
 query_params = parse_qs(uri.query)
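Review bot: The new `create_code` and `create_token` methods are the extension points this commit exists to provide, but neither says what an override must honour: both return an unsaved object that `create_response_uri` persists afterwards (`code.save()` is visible in the next hunk; the token path continues outside this hunk), and their inputs are the request parameters that `validate_params` has already checked. Suggest a docstring on `create_code` such as `"""Build the authorization code for the validated request; the caller saves it. Keep nonce and the PKCE challenge bound to the code, since the token endpoint presumably verifies them from what is stored here."""`, and a parallel one on `create_token`; `TokenEndpoint.create_token` in token.py further down needs the same treatment. A subclass that drops `code_challenge`/`code_challenge_method` when overriding would silently weaken PKCE for every client, so that is the risk worth spelling out. Minor style: `code = create_code(...)` followed by `return code` can be `return create_code(...)`, and likewise for `token`.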
@@ -133,24 +155,13 @@ def create_response_uri(self):
 
 try:
 if self.grant_type in ['authorization_code', 'hybrid']:
- code = create_code(
- user=self.request.user,
- client=self.client,
- scope=self.params['scope'],
- nonce=self.params['nonce'],
- is_authentication=self.is_authentication,
- code_challenge=self.params['code_challenge'],
- code_challenge_method=self.params['code_challenge_method'])
+ code = self.create_code()
 code.save()
-
 if self.grant_type == 'authorization_code':
 query_params['code'] = code.code
 query_params['state'] = self.params['state'] if self.params['state'] else ''
 elif self.grant_type in ['implicit', 'hybrid']:
- token = create_token(
- user=self.request.user,
- client=self.client,
- scope=self.params['scope'])
+ token = self.create_token()
 
 # Check if response_type must include access_token in the response.
 if (self.params['response_type'] in
diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 7ecde44a..991a6675 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -166,13 +166,23 @@ def create_response_dic(self):
 elif self.params['grant_type'] == 'client_credentials':
 return self.create_client_credentials_response_dic()
 
+ def create_token(self, user, client, scope):
+ token = create_token(
+ user=user,
+ client=client,
+ scope=scope,
+ )
+
+ return token
+
 def create_code_response_dic(self):
 # See https://tools.ietf.org/html/rfc6749#section-4.1
- token = create_token(
+ token = self.create_token(
 user=self.code.user,
 client=self.code.client,
- scope=self.code.scope)
+ scope=self.code.scope,
+ )
 
 if self.code.is_authentication:
 id_token_dic = create_id_token(
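Review bot: `TokenEndpoint.create_token(self, user, client, scope)` and the `AuthorizeEndpoint.create_token(self)` added in the first hunk are two differently shaped hooks for the same customization, so a subclass that wants one token policy has to implement it twice with unrelated signatures; if explicit arguments are the intended style, the authorize-side hook should take `user`, `client`, `scope` as well, with its call site passing `self.request.user`, `self.client`, `self.params['scope']`. The `user` parameter here is also nullable: the client_credentials call site later in this patch passes `user=None`, and an override that assumes a user object will break that grant. A docstring stating that `user` may be `None` for client-credentials tokens, that `scope` arrives already validated by the caller, and that the returned token is unsaved until the caller runs `token.save()` would close that gap.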
@@ -213,10 +223,11 @@ def create_refresh_response_dic(self):
 if unauthorized_scopes:
 raise TokenError('invalid_scope')
 
- token = create_token(
+ token = self.create_token(
 user=self.token.user,
 client=self.token.client,
- scope=scope)
+ scope=scope,
+ )
 
 # If the Token has an id_token it's an Authentication request.
 if self.token.id_token:
@@ -252,10 +263,11 @@ def create_refresh_response_dic(self):
 def create_access_token_response_dic(self):
 # See https://tools.ietf.org/html/rfc6749#section-4.3
 token_scopes = self.validate_requested_scopes()
- token = create_token(
+ token = self.create_token(
 self.user,
 self.client,
- token_scopes)
+ token_scopes,
+ )
 
 id_token_dic = create_id_token(
 token=token,
@@ -283,11 +295,11 @@ def create_client_credentials_response_dic(self):
 # See https://tools.ietf.org/html/rfc6749#section-4.4.3
 token_scopes = self.validate_requested_scopes()
 
- token = create_token(
+ token = self.create_token(
 user=None,
 client=self.client,
- scope=token_scopes)
-
+ scope=token_scopes,
+ )
 token.save()
 
 return {
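Review bot: In `create_access_token_response_dic` the new call is positional, `self.create_token(self.user, self.client, token_scopes)`, while the other three call sites in this patch use keywords; now that the method is an override point, mixing conventions obliges every subclass to preserve both the parameter names and their order. Use `user=self.user, client=self.client, scope=token_scopes` here so a single convention holds across the endpoint. The enclosing method continues outside the hunk.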